Traefik 3.2 redirection issue

Traefik Traefik v3 (latest)
1

Hi all,

I’m experiencing a strange redirection issue with Traefik. I’ve put the complete code in a dedicated repo here.

I log in with my username, password, and 2FA (which works fine according to the logs). However, after logging in, I end up in a redirection loop. It keeps trying to redirect me to the same page as before, even though I’m already logged in, which then redirects me back to the initial site, causing a loop.

It seems that Traefik isn’t detecting that I’m already logged in, so it keeps redirecting me back to the "login page." For example, when I try to access test.myowndomain.com, it redirects me to auth.myowndomain.com. After logging in, it briefly shows test.myowndomain.com (so the main behavior seems to work), but instead of taking me to the actual site, Traefik sends me back to auth.myowndomain.com, creating a loop: test.myowndomain.com --> auth.myowndomain.com --> test.myowndomain.com --> ...

Any insights would be appreciated!

2

Enable Traefik access log in JSON format to see who is sending the redirect (Traefik or target service).

3

thank you for the answer!

i enabled the log and made a test again. i updated the log in the repo. here the important part:

2024-11-08T07:32:36+01:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:196 > Service selected by WRR: 065b04bde70ab86a
83.79.21.142 - - [08/Nov/2024:06:32:36 +0000] "POST /ui/login/mfa/u2f/verify HTTP/2.0" 302 0 "-" "-" 44 "zitadel-secure@docker" "h2c://172.18.0.3:8080" 268ms
2024-11-08T07:32:37+01:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:196 > Service selected by WRR: 065b04bde70ab86a
83.79.21.142 - - [08/Nov/2024:06:32:37 +0000] "GET /oauth/v2/authorize/callback?id=292848850601771011 HTTP/2.0" 302 212 "-" "-" 45 "zitadel-secure@docker" "h2c://172.18.0.3:8080" 140ms
2024-11-08T07:32:37+01:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:196 > Service selected by WRR: f20e9e253b0dc7a3
2024-11-08T07:32:37+01:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:196 > Service selected by WRR: 065b04bde70ab86a
83.79.21.142 - - [08/Nov/2024:06:32:37 +0000] "POST /oauth/v2/token HTTP/2.0" 200 1022 "-" "-" 47 "zitadel-secure@docker" "h2c://172.18.0.3:8080" 164ms
2024-11-08T07:32:37+01:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:196 > Service selected by WRR: 065b04bde70ab86a
83.79.21.142 - - [08/Nov/2024:06:32:37 +0000] "GET /oidc/v1/userinfo HTTP/2.0" 200 246 "-" "-" 48 "zitadel-secure@docker" "h2c://172.18.0.3:8080" 29ms
83.79.21.142 - - [08/Nov/2024:06:32:37 +0000] "GET /oauth2/callback?code=mm_xLj36H68GtQ_TAadzh0w_4X-Xn2S7BYnYUn7d5_U6DA&state=hvGp1whWPy5MTiGFeLE_RpgV2er7PWT5yJVvYAg5qnw%3Ahttps%3A%2F%2Fcode-server.myowndomain.com%2F HTTP/2.0" 302 55 "-" "-" 46 "oauth2@docker" "http://172.18.254.250:4180" 481ms
2024-11-08T07:32:38+01:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/forward.go:187 > Remote error http://oauth2-proxy:4180/oauth2/start. StatusCode: 302 middlewareName=oauth2@file middlewareType=ForwardAuth
83.79.21.142 - - [08/Nov/2024:06:32:37 +0000] "GET / HTTP/2.0" 302 448 "-" "-" 49 "code@docker" "-" 2ms
2024-11-08T07:32:38+01:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:196 > Service selected by WRR: 065b04bde70ab86a
83.79.21.142 - - [08/Nov/2024:06:32:38 +0000] "GET /oauth/v2/authorize?approval_prompt=force&client_id=292156308499529732%40myowndomain&code_challenge=cHPX7hOaCqg_0zQFB26gOQU85XMAwiGwQmX2eRkn6zQ&code_challenge_method=S256&redirect_uri=https%3A%2F%2Fauth.myowndomain.com%2Foauth2%2Fcallback&response_type=code&scope=openid+email+profile&state=ytHyNXwJVsJtaa9xAQxIy3NwiSYq1RzfKwI8XZxzoIA%3Ahttps%3A%2F%2Fcode-server.myowndomain.com%2F HTTP/2.0" 302 71 "-" "-" 50 "zitadel-secure@docker" "h2c://172.18.0.3:8080" 59ms
2024-11-08T07:32:38+01:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:196 > Service selected by WRR: 065b04bde70ab86a
83.79.21.142 - - [08/Nov/2024:06:32:38 +0000] "GET /ui/login/login?authRequestID=292848919354802179 HTTP/2.0" 302 100 "-" "-" 51 "zitadel-secure@docker" "h2c://172.18.0.3:8080" 207ms
2024-11-08T07:32:38+01:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:196 > Service selected by WRR: 065b04bde70ab86a
83.79.21.142 - - [08/Nov/2024:06:32:38 +0000] "GET /oauth/v2/authorize/callback?id=292848919354802179 HTTP/2.0" 302 212 "-" "-" 52 "zitadel-secure@docker" "h2c://172.18.0.3:8080" 118ms
2024-11-08T07:32:38+01:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:196 > Service selected by WRR: f20e9e253b0dc7a3
2024-11-08T07:32:38+01:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:196 > Service selected by WRR: 065b04bde70ab86a
83.79.21.142 - - [08/Nov/2024:06:32:38 +0000] "POST /oauth/v2/token HTTP/2.0" 200 1022 "-" "-" 54 "zitadel-secure@docker" "h2c://172.18.0.3:8080" 125ms
2024-11-08T07:32:38+01:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:196 > Service selected by WRR: 065b04bde70ab86a
83.79.21.142 - - [08/Nov/2024:06:32:38 +0000] "GET /oidc/v1/userinfo HTTP/2.0" 200 246 "-" "-" 55 "zitadel-secure@docker" "h2c://172.18.0.3:8080" 29ms
83.79.21.142 - - [08/Nov/2024:06:32:38 +0000] "GET /oauth2/callback?code=U273DxJGgYXHathfQMAnc81uq5E3BTjcl6CvWo8N9erL3A&state=ytHyNXwJVsJtaa9xAQxIy3NwiSYq1RzfKwI8XZxzoIA%3Ahttps%3A%2F%2Fcode-server.myowndomain.com%2F HTTP/2.0" 302 55 "-" "-" 53 "oauth2@docker" "http://172.18.254.250:4180" 361ms
2024-11-08T07:32:39+01:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/forward.go:187 > Remote error http://oauth2-proxy:4180/oauth2/start. StatusCode: 302 middlewareName=oauth2@file middlewareType=ForwardAuth
83.79.21.142 - - [08/Nov/2024:06:32:39 +0000] "GET / HTTP/2.0" 302 448 "-" "-" 56 "code@docker" "-" 1ms

i think this is the error?

2024-11-08T07:32:38+01:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/forward.go:187 > Remote error http://oauth2-proxy:4180/oauth2/start. StatusCode: 302 middlewareName=oauth2@file middlewareType=ForwardAuth

i didnt understand why traefik sees here an error, the callback looks correct to me?

if i define another redirection url than the original url it seems to work:

2024-11-08T07:53:47+01:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:196 > Service selected by WRR: 065b04bde70ab86a
83.79.21.142 - - [08/Nov/2024:06:53:47 +0000] "POST /ui/login/mfa/u2f/verify HTTP/2.0" 302 0 "-" "-" 91 "zitadel-secure@docker" "h2c://172.18.0.3:8080" 251ms
2024-11-08T07:53:48+01:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:196 > Service selected by WRR: 065b04bde70ab86a
83.79.21.142 - - [08/Nov/2024:06:53:48 +0000] "GET /oauth/v2/authorize/callback?id=292851028619952131 HTTP/2.0" 302 201 "-" "-" 92 "zitadel-secure@docker" "h2c://172.18.0.3:8080" 128ms
2024-11-08T07:53:48+01:00 DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""
2024-11-08T07:53:48+01:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:196 > Service selected by WRR: f20e9e253b0dc7a3
2024-11-08T07:53:48+01:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:196 > Service selected by WRR: 065b04bde70ab86a
83.79.21.142 - - [08/Nov/2024:06:53:48 +0000] "POST /oauth/v2/token HTTP/2.0" 200 1022 "-" "-" 94 "zitadel-secure@docker" "h2c://172.18.0.3:8080" 130ms
2024-11-08T07:53:48+01:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:196 > Service selected by WRR: 065b04bde70ab86a
83.79.21.142 - - [08/Nov/2024:06:53:48 +0000] "GET /oidc/v1/userinfo HTTP/2.0" 200 246 "-" "-" 95 "zitadel-secure@docker" "h2c://172.18.0.3:8080" 30ms
83.79.21.142 - - [08/Nov/2024:06:53:48 +0000] "GET /oauth2/callback?code=XkNzBAU-NjOkIw5DY84fNy2bV2xyK4uk7vGh-A_4_lA8Yg&state=J46ChNJTt2xbPX0DwzbMQeQIWuRP0B6I8FJOroPuoUQ%3Ahttps%3A%2F%2Fbla.myowndomain.com HTTP/2.0" 302 46 "-" "-" 93 "oauth2@docker" "http://172.18.254.250:4180" 455ms

i have defined bla.myowndomain.com but this site has no forwardAuth configured. to me it still looks that traefik is not able to detect the successful login and becuase of this it loops me back to the auth endpoint...

4

Enable Traefik access log in JSON format to see who is sending the redirect (target service OriginStatus or Traefik DownstreamStatus).

There is a discussion and an issue about Zitadel supporting ForwardAuth directly. That would make live much easier, leave a "like" there or try to push it forward.

5

Thank you for the hint!

Here the logs with the json:

2024-11-09T07:32:52+01:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:196 > Service selected by WRR: 065b04bde70ab86a
{"ClientAddr":"172.18.254.252:34950","ClientHost":"83.79.21.142","ClientPort":"34950","ClientUsername":"-","DownstreamContentSize":0,"DownstreamStatus":302,"Duration":304960786,"OriginContentSize":0,"OriginDuration":303511110,"OriginStatus":302,"Overhead":1449676,"RequestAddr":"zitadel.myowndomain.com","RequestContentSize":1195,"RequestCount":10,"RequestHost":"zitadel.myowndomain.com","RequestMethod":"POST","RequestPath":"/ui/login/mfa/u2f/verify","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"zitadel-secure@docker","ServiceAddr":"172.18.0.3:8080","ServiceName":"zitadel@docker","ServiceURL":"h2c://172.18.0.3:8080","StartLocal":"2024-11-09T07:32:52.429098042+01:00","StartUTC":"2024-11-09T06:32:52.429098042Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"https","level":"info","msg":"","time":"2024-11-09T07:32:52+01:00"}
2024-11-09T07:32:52+01:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:196 > Service selected by WRR: 065b04bde70ab86a
{"ClientAddr":"172.18.254.252:34950","ClientHost":"83.79.21.142","ClientPort":"34950","ClientUsername":"-","DownstreamContentSize":209,"DownstreamStatus":302,"Duration":130557909,"OriginContentSize":209,"OriginDuration":129024115,"OriginStatus":302,"Overhead":1533794,"RequestAddr":"zitadel.myowndomain.com","RequestContentSize":0,"RequestCount":11,"RequestHost":"zitadel.myowndomain.com","RequestMethod":"GET","RequestPath":"/oauth/v2/authorize/callback?id=292993861901352963","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"zitadel-secure@docker","ServiceAddr":"172.18.0.3:8080","ServiceName":"zitadel@docker","ServiceURL":"h2c://172.18.0.3:8080","StartLocal":"2024-11-09T07:32:52.871129028+01:00","StartUTC":"2024-11-09T06:32:52.871129028Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"https","level":"info","msg":"","time":"2024-11-09T07:32:53+01:00"}
2024-11-09T07:32:53+01:00 DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: ""
2024-11-09T07:32:53+01:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:196 > Service selected by WRR: f20e9e253b0dc7a3
2024-11-09T07:32:53+01:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:196 > Service selected by WRR: 065b04bde70ab86a
{"ClientAddr":"172.18.254.252:34950","ClientHost":"83.79.21.142","ClientPort":"34950","ClientUsername":"-","DownstreamContentSize":1022,"DownstreamStatus":200,"Duration":743922135,"OriginContentSize":1022,"OriginDuration":742741402,"OriginStatus":200,"Overhead":1180733,"RequestAddr":"zitadel.myowndomain.com","RequestContentSize":256,"RequestCount":13,"RequestHost":"zitadel.myowndomain.com","RequestMethod":"POST","RequestPath":"/oauth/v2/token","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"zitadel-secure@docker","ServiceAddr":"172.18.0.3:8080","ServiceName":"zitadel@docker","ServiceURL":"h2c://172.18.0.3:8080","StartLocal":"2024-11-09T07:32:53.126182819+01:00","StartUTC":"2024-11-09T06:32:53.126182819Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"https","level":"info","msg":"","time":"2024-11-09T07:32:53+01:00"}
2024-11-09T07:32:53+01:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:196 > Service selected by WRR: 065b04bde70ab86a
{"ClientAddr":"172.18.254.252:34950","ClientHost":"83.79.21.142","ClientPort":"34950","ClientUsername":"-","DownstreamContentSize":865,"DownstreamStatus":200,"Duration":11831583,"OriginContentSize":865,"OriginDuration":10770291,"OriginStatus":200,"Overhead":1061292,"RequestAddr":"zitadel.myowndomain.com","RequestContentSize":0,"RequestCount":14,"RequestHost":"zitadel.myowndomain.com","RequestMethod":"GET","RequestPath":"/oauth/v2/keys","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"zitadel-secure@docker","ServiceAddr":"172.18.0.3:8080","ServiceName":"zitadel@docker","ServiceURL":"h2c://172.18.0.3:8080","StartLocal":"2024-11-09T07:32:53.968730998+01:00","StartUTC":"2024-11-09T06:32:53.968730998Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"https","level":"info","msg":"","time":"2024-11-09T07:32:53+01:00"}
2024-11-09T07:32:54+01:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:196 > Service selected by WRR: 065b04bde70ab86a
{"ClientAddr":"172.18.254.252:34950","ClientHost":"83.79.21.142","ClientPort":"34950","ClientUsername":"-","DownstreamContentSize":246,"DownstreamStatus":200,"Duration":36874814,"OriginContentSize":246,"OriginDuration":35752502,"OriginStatus":200,"Overhead":1122312,"RequestAddr":"zitadel.myowndomain.com","RequestContentSize":0,"RequestCount":15,"RequestHost":"zitadel.myowndomain.com","RequestMethod":"GET","RequestPath":"/oidc/v1/userinfo","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"zitadel-secure@docker","ServiceAddr":"172.18.0.3:8080","ServiceName":"zitadel@docker","ServiceURL":"h2c://172.18.0.3:8080","StartLocal":"2024-11-09T07:32:54.007011521+01:00","StartUTC":"2024-11-09T06:32:54.007011521Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"https","level":"info","msg":"","time":"2024-11-09T07:32:54+01:00"}
{"ClientAddr":"172.18.254.252:57356","ClientHost":"83.79.21.142","ClientPort":"57356","ClientUsername":"-","DownstreamContentSize":54,"DownstreamStatus":302,"Duration":970790048,"OriginContentSize":54,"OriginDuration":969724681,"OriginStatus":302,"Overhead":1065367,"RequestAddr":"auth.myowndomain.com","RequestContentSize":0,"RequestCount":12,"RequestHost":"auth.myowndomain.com","RequestMethod":"GET","RequestPath":"/oauth2/callback?code=zi2B5bNzcl434pH3nohzs56iFmnEbiwB6mAGml-dNjJ9Qg\u0026state=w-77MMTcBu1JnoBEMU618tmgj9xVfEeFBgVfOZfzCpQ%3Ahttps%3A%2F%2Fcode-server.myowndomain.com","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"oauth2@docker","ServiceAddr":"172.18.254.250:4180","ServiceName":"oauth2@docker","ServiceURL":"http://172.18.254.250:4180","StartLocal":"2024-11-09T07:32:53.083212456+01:00","StartUTC":"2024-11-09T06:32:53.083212456Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"https","level":"info","msg":"","time":"2024-11-09T07:32:54+01:00"}
2024-11-09T07:32:54+01:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/forward.go:187 > Remote error http://oauth2-proxy:4180/oauth2/start?rd=https://code-server.myowndomain.com. StatusCode: 302 middlewareName=oauth2@file middlewareType=ForwardAuth
{"ClientAddr":"172.18.254.252:42626","ClientHost":"83.79.21.142","ClientPort":"42626","ClientUsername":"-","DownstreamContentSize":445,"DownstreamStatus":302,"Duration":1789030,"GzipRatio":0,"OriginContentSize":0,"OriginDuration":0,"OriginStatus":0,"Overhead":1789030,"RequestAddr":"code-server.myowndomain.com","RequestContentSize":0,"RequestCount":16,"RequestHost":"code-server.myowndomain.com","RequestMethod":"GET","RequestPath":"/","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"code@docker","StartLocal":"2024-11-09T07:32:54.113402142+01:00","StartUTC":"2024-11-09T06:32:54.113402142Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"https","level":"info","msg":"","time":"2024-11-09T07:32:54+01:00"}
2024-11-09T07:32:54+01:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:196 > Service selected by WRR: 065b04bde70ab86a
{"ClientAddr":"172.18.254.252:34950","ClientHost":"83.79.21.142","ClientPort":"34950","ClientUsername":"-","DownstreamContentSize":71,"DownstreamStatus":302,"Duration":47218865,"OriginContentSize":71,"OriginDuration":45858643,"OriginStatus":302,"Overhead":1360222,"RequestAddr":"zitadel.myowndomain.com","RequestContentSize":0,"RequestCount":17,"RequestHost":"zitadel.myowndomain.com","RequestMethod":"GET","RequestPath":"/oauth/v2/authorize?approval_prompt=force\u0026client_id=292156308499529732%40myowndomain\u0026code_challenge=ZX5aggCMGoYybr58rjULqfUOdkrxzT3NH1y7IdW-nPA\u0026code_challenge_method=S256\u0026redirect_uri=https%3A%2F%2Fauth.myowndomain.com%2Foauth2%2Fcallback\u0026response_type=code\u0026scope=openid+email+profile\u0026state=895dWZCzJ06bxselJ_5_xuibvYH2dbT937F74Aa9leo%3Ahttps%3A%2F%2Fcode-server.myowndomain.com","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"zitadel-secure@docker","ServiceAddr":"172.18.0.3:8080","ServiceName":"zitadel@docker","ServiceURL":"h2c://172.18.0.3:8080","StartLocal":"2024-11-09T07:32:54.157756593+01:00","StartUTC":"2024-11-09T06:32:54.157756593Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"https","level":"info","msg":"","time":"2024-11-09T07:32:54+01:00"}
2024-11-09T07:32:54+01:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:196 > Service selected by WRR: 065b04bde70ab86a
{"ClientAddr":"172.18.254.252:34950","ClientHost":"83.79.21.142","ClientPort":"34950","ClientUsername":"-","DownstreamContentSize":100,"DownstreamStatus":302,"Duration":173544749,"OriginContentSize":100,"OriginDuration":172244429,"OriginStatus":302,"Overhead":1300320,"RequestAddr":"zitadel.myowndomain.com","RequestContentSize":0,"RequestCount":18,"RequestHost":"zitadel.myowndomain.com","RequestMethod":"GET","RequestPath":"/ui/login/login?authRequestID=292993901478805507","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"zitadel-secure@docker","ServiceAddr":"172.18.0.3:8080","ServiceName":"zitadel@docker","ServiceURL":"h2c://172.18.0.3:8080","StartLocal":"2024-11-09T07:32:54.253703498+01:00","StartUTC":"2024-11-09T06:32:54.253703498Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"https","level":"info","msg":"","time":"2024-11-09T07:32:54+01:00"}
2024-11-09T07:32:54+01:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:196 > Service selected by WRR: 065b04bde70ab86a
{"ClientAddr":"172.18.254.252:34950","ClientHost":"83.79.21.142","ClientPort":"34950","ClientUsername":"-","DownstreamContentSize":209,"DownstreamStatus":302,"Duration":112056352,"OriginContentSize":209,"OriginDuration":110906355,"OriginStatus":302,"Overhead":1149997,"RequestAddr":"zitadel.myowndomain.com","RequestContentSize":0,"RequestCount":19,"RequestHost":"zitadel.myowndomain.com","RequestMethod":"GET","RequestPath":"/oauth/v2/authorize/callback?id=292993901478805507","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"zitadel-secure@docker","ServiceAddr":"172.18.0.3:8080","ServiceName":"zitadel@docker","ServiceURL":"h2c://172.18.0.3:8080","StartLocal":"2024-11-09T07:32:54.573778886+01:00","StartUTC":"2024-11-09T06:32:54.573778886Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"https","level":"info","msg":"","time":"2024-11-09T07:32:54+01:00"}
2024-11-09T07:32:54+01:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:196 > Service selected by WRR: f20e9e253b0dc7a3
2024-11-09T07:32:54+01:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:196 > Service selected by WRR: 065b04bde70ab86a
{"ClientAddr":"172.18.254.252:34950","ClientHost":"83.79.21.142","ClientPort":"34950","ClientUsername":"-","DownstreamContentSize":1022,"DownstreamStatus":200,"Duration":115550754,"OriginContentSize":1022,"OriginDuration":114387065,"OriginStatus":200,"Overhead":1163689,"RequestAddr":"zitadel.myowndomain.com","RequestContentSize":256,"RequestCount":21,"RequestHost":"zitadel.myowndomain.com","RequestMethod":"POST","RequestPath":"/oauth/v2/token","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"zitadel-secure@docker","ServiceAddr":"172.18.0.3:8080","ServiceName":"zitadel@docker","ServiceURL":"h2c://172.18.0.3:8080","StartLocal":"2024-11-09T07:32:54.91515117+01:00","StartUTC":"2024-11-09T06:32:54.91515117Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"https","level":"info","msg":"","time":"2024-11-09T07:32:55+01:00"}
2024-11-09T07:32:55+01:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:196 > Service selected by WRR: 065b04bde70ab86a
{"ClientAddr":"172.18.254.252:34950","ClientHost":"83.79.21.142","ClientPort":"34950","ClientUsername":"-","DownstreamContentSize":246,"DownstreamStatus":200,"Duration":25397524,"OriginContentSize":246,"OriginDuration":24192136,"OriginStatus":200,"Overhead":1205388,"RequestAddr":"zitadel.myowndomain.com","RequestContentSize":0,"RequestCount":22,"RequestHost":"zitadel.myowndomain.com","RequestMethod":"GET","RequestPath":"/oidc/v1/userinfo","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"zitadel-secure@docker","ServiceAddr":"172.18.0.3:8080","ServiceName":"zitadel@docker","ServiceURL":"h2c://172.18.0.3:8080","StartLocal":"2024-11-09T07:32:55.135030424+01:00","StartUTC":"2024-11-09T06:32:55.135030424Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"https","level":"info","msg":"","time":"2024-11-09T07:32:55+01:00"}
{"ClientAddr":"172.18.254.252:57356","ClientHost":"83.79.21.142","ClientPort":"57356","ClientUsername":"-","DownstreamContentSize":54,"DownstreamStatus":302,"Duration":358695116,"OriginContentSize":54,"OriginDuration":357430529,"OriginStatus":302,"Overhead":1264587,"RequestAddr":"auth.myowndomain.com","RequestContentSize":0,"RequestCount":20,"RequestHost":"auth.myowndomain.com","RequestMethod":"GET","RequestPath":"/oauth2/callback?code=hoXmpTiUbxETUyUEcOUf9XkTFVs3nQSQZ8rjD6nBC1uR_w\u0026state=895dWZCzJ06bxselJ_5_xuibvYH2dbT937F74Aa9leo%3Ahttps%3A%2F%2Fcode-server.myowndomain.com","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"oauth2@docker","ServiceAddr":"172.18.254.250:4180","ServiceName":"oauth2@docker","ServiceURL":"http://172.18.254.250:4180","StartLocal":"2024-11-09T07:32:54.850451153+01:00","StartUTC":"2024-11-09T06:32:54.850451153Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"https","level":"info","msg":"","time":"2024-11-09T07:32:55+01:00"}
2024-11-09T07:32:55+01:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/forward.go:187 > Remote error http://oauth2-proxy:4180/oauth2/start?rd=https://code-server.myowndomain.com. StatusCode: 302 middlewareName=oauth2@file middlewareType=ForwardAuth
{"ClientAddr":"172.18.254.252:42626","ClientHost":"83.79.21.142","ClientPort":"42626","ClientUsername":"-","DownstreamContentSize":445,"DownstreamStatus":302,"Duration":2030140,"GzipRatio":0,"OriginContentSize":0,"OriginDuration":0,"OriginStatus":0,"Overhead":2030140,"RequestAddr":"code-server.myowndomain.com","RequestContentSize":0,"RequestCount":23,"RequestHost":"code-server.myowndomain.com","RequestMethod":"GET","RequestPath":"/","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"code@docker","StartLocal":"2024-11-09T07:32:55.324523995+01:00","StartUTC":"2024-11-09T06:32:55.324523995Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"https","level":"info","msg":"","time":"2024-11-09T07:32:55+01:00"}
2024-11-09T07:32:55+01:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:196 > Service selected by WRR: 065b04bde70ab86a
{"ClientAddr":"172.18.254.252:34950","ClientHost":"83.79.21.142","ClientPort":"34950","ClientUsername":"-","DownstreamContentSize":71,"DownstreamStatus":302,"Duration":55808513,"OriginContentSize":71,"OriginDuration":54312773,"OriginStatus":302,"Overhead":1495740,"RequestAddr":"zitadel.myowndomain.com","RequestContentSize":0,"RequestCount":24,"RequestHost":"zitadel.myowndomain.com","RequestMethod":"GET","RequestPath":"/oauth/v2/authorize?approval_prompt=force\u0026client_id=292156308499529732%40myowndomain\u0026code_challenge=XcSNtMHj5-PJCj16pna0Mx-gn-2uGNGukreubILh2TY\u0026code_challenge_method=S256\u0026redirect_uri=https%3A%2F%2Fauth.myowndomain.com%2Foauth2%2Fcallback\u0026response_type=code\u0026scope=openid+email+profile\u0026state=U-rfKWFgmmPfkCoueJrahaduW3DiRXwxrEGg8R72YPY%3Ahttps%3A%2F%2Fcode-server.myowndomain.com","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"zitadel-secure@docker","ServiceAddr":"172.18.0.3:8080","ServiceName":"zitadel@docker","ServiceURL":"h2c://172.18.0.3:8080","StartLocal":"2024-11-09T07:32:55.49044346+01:00","StartUTC":"2024-11-09T06:32:55.49044346Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"https","level":"info","msg":"","time":"2024-11-09T07:32:55+01:00"}
2024-11-09T07:32:55+01:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:196 > Service selected by WRR: 065b04bde70ab86a
{"ClientAddr":"172.18.254.252:34950","ClientHost":"83.79.21.142","ClientPort":"34950","ClientUsername":"-","DownstreamContentSize":100,"DownstreamStatus":302,"Duration":173251291,"OriginContentSize":100,"OriginDuration":171920017,"OriginStatus":302,"Overhead":1331274,"RequestAddr":"zitadel.myowndomain.com","RequestContentSize":0,"RequestCount":25,"RequestHost":"zitadel.myowndomain.com","RequestMethod":"GET","RequestPath":"/ui/login/login?authRequestID=292993903726952451","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"zitadel-secure@docker","ServiceAddr":"172.18.0.3:8080","ServiceName":"zitadel@docker","ServiceURL":"h2c://172.18.0.3:8080","StartLocal":"2024-11-09T07:32:55.645574874+01:00","StartUTC":"2024-11-09T06:32:55.645574874Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"https","level":"info","msg":"","time":"2024-11-09T07:32:55+01:00"}

I’m already following these topics. I know it doesn’t seem possible to use Zitadel directly with Traefik, which is why I’m using the OAuth2 proxy, according to the documentation, it should work...