Traefik + Authelia with TLS passthrough

Hello,

I am having trouble setting up traefik with authelia authentication middleware and TLS passthrough. I got the TLS passthrough part right (I think) with these labels on the authelia docker container:

traefik.enable: "true"
traefik.tcp.routers.authelia.rule: HostSNI(`authelia.domain.internal`)
traefik.tcp.routers.authelia.tls.passthrough: "true"
traefik.tcp.routers.authelia.entrypoints: "websecure"
traefik.tcp.services.authelia.loadbalancer.server.port: 9091

Using this setup I am able to access the authelia sign-in page, but obviously I need to set up some middleware for redirection to authelia to check if the user is verified. I added the middleware configuration to the authelia container, so now it looks like this:

traefik.enable: "true"
traefik.tcp.routers.authelia.rule: HostSNI(`authelia.domain.internal`)
traefik.tcp.routers.authelia.tls.passthrough: "true"
traefik.tcp.routers.authelia.entrypoints: "websecure"
traefik.tcp.services.authelia.loadbalancer.server.port: 9091

traefik.http.middlewares.authelia.forwardauth.address: "https://authelia.domain.internal/api/verify?rd=https%3A%2F%2Fauthelia.domain.internal"
traefik.http.middlewares.authelia.forwardauth.trustForwardHeader: "true"
traefik.http.middlewares.authelia.forwardauth.authResponseHeaders: "Remote-User,Remote-Groups,Remote-Name,Remote-Email"
traefik.http.middlewares.authelia.forwardauth.tls.insecureSkipVerify: "true" # otherwise does not work (using self-signed certs)

The other container I want to protect with auth has the following configuration:

traefik.enable: "true"
traefik.http.routers.someservice.entrypoints: "websecure"
traefik.http.routers.someservice.rule: Host(`someservice.domain.internal`)
traefik.http.routers.someservice.tls: "true"
traefik.http.routers.someservice.middlewares: "authelia@docker"
traefik.http.services.someservice.loadbalancer.server.port: 12345

Now when I deploy it like this it seems to work: I get correctly redirected to the authelia sign-in page. But for some reason this also creates http routers and services called "authelia-containers". I did not find a way to explicitly disable the creation of them, but I tried to set them to some bogus values like so:

traefik.http.routers.authelia.entrypoints: "websecure"
#traefik.http.routers.authelia.rule: Host(`authelia.domain.internal`) # uncommenting this line breaks everything for some reason
traefik.http.routers.authelia.tls: "true"
traefik.http.routers.authelia.service: "noop@internal"
traefik.http.services.authelia.loadbalancer.server.port: 33333 # nonexistent port

So my assumption is they are just not needed for anything.
Finally, my questions are:

  • Is the TLS passthrough really configured correctly?
  • How do I get rid of the (presumably) unneeded http services & routers which were automatically created with the middleware?

Edit: well of course I found the answer to this one right after posting. Defining the middleware in the yaml config file solves the issue of redundant routers/services.
http:
  middlewares:
    authelia:
      forwardAuth:
        address: "https://authelia:9091/api/verify?rd=https%3A%2F%2Fauthelia.domain.internal"
        trustForwardHeader: true
        authResponseHeaders: "Remote-User,Remote-Groups,Remote-Name,Remote-Email"
        tls:
          insecureSkipVerify: true
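As an added example (not part of the original post or of Authelia's or Traefik's own documentation), here is the same setup expressed as one Traefik dynamic configuration file, with the forward-auth call verified against the self-signed CA instead of `insecureSkipVerify`. The Docker service names `authelia` and `someservice` and the CA path `/certs/internal-ca.crt` are assumptions.

```yaml
# Added example: Traefik dynamic configuration (file provider), not the poster's file.
# Assumes the containers are reachable as "authelia" and "someservice" on the Docker
# network and that the self-signed CA is mounted at /certs/internal-ca.crt in Traefik.
tcp:
  routers:
    authelia:
      entryPoints: ["websecure"]
      rule: "HostSNI(`authelia.domain.internal`)"
      tls:
        passthrough: true          # TLS is terminated by Authelia, not by Traefik
      service: authelia
  services:
    authelia:
      loadBalancer:
        servers:
          - address: "authelia:9091"

http:
  middlewares:
    authelia:
      forwardAuth:
        # Call Authelia directly over the Docker network, not via the public hostname.
        address: "https://authelia:9091/api/verify?rd=https%3A%2F%2Fauthelia.domain.internal"
        trustForwardHeader: true
        authResponseHeaders: ["Remote-User", "Remote-Groups", "Remote-Name", "Remote-Email"]
        tls:
          # Setting from the post, kept only for comparison; it disables certificate checks
          # on the auth call, so a spoofed authelia backend could answer "authorized":
          # insecureSkipVerify: true
          # Verify Authelia's certificate against the CA that issued it instead. The
          # certificate must carry "authelia" (the hostname used in address) as a SAN.
          ca: "/certs/internal-ca.crt"
  routers:
    someservice:
      entryPoints: ["websecure"]
      rule: "Host(`someservice.domain.internal`)"
      tls: {}
      middlewares: ["authelia"]     # same provider, so no @file suffix needed here
      service: someservice
  services:
    someservice:
      loadBalancer:
        servers:
          - url: "http://someservice:12345"
```

A router that is still defined through Docker labels references this middleware as `authelia@file` rather than `authelia@docker`.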