Hi guys!
I have been working on this daily for the past week and finally came to the point that I'll need to ask some help. I have literally tried every guide I could find out there to get oauth up and running, but the more I tinker, the less it seems to work. At first, I was able to get an oauth page running, but there was a Google error on it, now I just keep getting HTTP ERROR 500.
The setup I have in mind is the following: have a number of containers use a gluetun VPN container to route the traffic externally and use traefik to make sure they remain reachable on e.g. sonarr.example.com using a Let's Encrypt issued certificate. After some tinkering, I'm happy to say that all of that worked and I can now access all of it through sonarr.example.com, nzbget.example.com etc.
What I've been completely stuck on however, is getting oauth to work with the traefik + gluetun / let's encrypt stuff. I've literally spent tens of hours on this, going through every guide I could find on the internet, going over all the logs with ChatGPT, etc. Nada. Basically, this forum is my last resort...
Here is my current docker-compose file (keeping in mind I literally tested tens if not hundreds of different solutions, so this is a snapshot of what I tried):
version: "3"
services:
portainer:
image: portainer/portainer-ce:latest
container_name: portainer
ports:
- 9443:9443
networks:
- traefik_proxy
labels:
- "traefik.enable=true"
- "traefik.http.routers.portainer.rule=Host(`portainer.MYDOMAIN`)"
- "traefik.http.routers.portainer.entrypoints=https"
- "traefik.http.routers.portainer.tls.certresolver=myresolver"
volumes:
- /opt/portainer:/data
- /var/run/docker.sock:/var/run/docker.sock
restart: unless-stopped
traefik:
image: traefik:v2.7
container_name: traefik
restart: always
security_opt:
- no-new-privileges:true
networks:
- traefik_proxy
labels:
- "traefik.enable=true"
- "traefik.http.routers.api.entrypoints=http"
- "traefik.http.routers.api.rule=Host(`traefik.MYDOMAIN`)"
- "traefik.http.routers.api.service=api@internal"
#define middleware
- "traefik.http.middlewares.traefik-forward-auth.forwardauth.address=http://traefik-forward-auth:4181"
- "traefik.http.middlewares.traefik-forward-auth.forwardauth.trustForwardHeader=true"
- traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https
- traefik.http.routers.traefik.middlewares=traefik-https-redirect
- traefik.http.routers.traefik-secure.entrypoints=https
- traefik.http.routers.traefik-secure.middlewares=traefik-forward-auth
- traefik.http.routers.traefik-secure.tls=true
command:
- "--log.level=DEBUG"
ports:
- 80:80
- 443:443
- 8080:8080 # Dashboard
volumes:
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- /opt/traefik/traefik.yml:/traefik.yml:ro
- /opt/traefik/acme.json:/acme.json
traefik-forward-auth:
image: thomseddon/traefik-forward-auth:latest
container_name: traefik-forward-auth
restart: always
environment:
- PROVIDERS_GOOGLE_CLIENT_ID=MYGOOGLECLIENTID
- PROVIDERS_GOOGLE_CLIENT_SECRET=MYGOOGLESECRET
- SECRET=d7a02f865k93f80244eaed0102da9ce3
- AUTH_HOST=oauth.MYDOMAIN
- COOKIE_DOMAIN=MYDOMAIN
- WHITELIST=MYGMAIL
- INSECURE_COOKIE=false
- LOG_LEVEL=debug
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik-forward-auth.rule=Host(`oauth.MYDOMAIN`)"
- "traefik.http.routers.traefik-forward-auth.entrypoints=https"
- "traefik.http.routers.traefik-forward-auth.tls.certresolver=myresolver"
- "traefik.http.routers.traefik-forward-auth.tls=true"
- "traefik.http.services.traefik-forward-auth.loadbalancer.server.port=4181"
#Middleware
- "traefik.http.middlewares.traefik-forward-auth-auth-verify.forwardauth.address=http://traefik-forward-auth:4181"
- "traefik.http.middlewares.traefik-forward-auth-auth-verify.forwardauth.authResponseHeaders=X-Forwarded-User"
gluetun:
container_name: gluetun
image: qmcgaw/gluetun
cap_add:
- NET_ADMIN
environment:
- VPN_SERVICE_PROVIDER="private internet access"
- OPENVPN_USER=MYVPNUSER
- OPENVPN_PASSWORD=MYPASSWORD
- PRIVATE_INTERNET_ACCESS_OPENVPN_ENCRYPTION_PRESET=normal
- SERVER_REGIONS=Belgium
networks:
- traefik_proxy
volumes:
- gluetun:/gluetun
- /etc/localtime:/etc/localtime:ro
ports:
- 6789:6789 #nzbget
- 8989:8989 #sonarr
- 9897:9897 #sonarr internal
- 7878:7878 #radarr
- 6767:6767 #bazarr
- 9117:9117 #jackett
- 7889:7889
- 8083:8080 #qbittorrent
- 3005:3005
labels:
- "traefik.enable=true"
- "traefik.docker.network=traefik_proxy"
- "traefik.http.routers.nzbget.rule=Host(`nzbget.MYDOMAIN`)"
- "traefik.http.routers.nzbget.entrypoints=https"
- "traefik.http.routers.nzbget.tls.certresolver=myresolver"
- "traefik.http.services.nzbget.loadbalancer.server.port=6789"
- "traefik.http.routers.nzbget.service=nzbget"
- "traefik.http.routers.sonarr.rule=Host(`sonarr.MYDOMAIN`)"
- "traefik.http.routers.sonarr.entrypoints=https"
- "traefik.http.routers.sonarr.tls.certresolver=myresolver"
- "traefik.http.services.sonarr.loadbalancer.server.port=8989"
- "traefik.http.routers.sonarr.service=sonarr"
#- "traefik.http.routers.sonarr.middlewares=oauth"
- "traefik.http.routers.sonarr.middlewares=traefik-forward-auth"
- "traefik.http.routers.radarr.rule=Host(`radarr.MYDOMAIN`)"
- "traefik.http.routers.radarr.entrypoints=https"
- "traefik.http.routers.radarr.tls.certresolver=myresolver"
- "traefik.http.services.radarr.loadbalancer.server.port=7878"
- "traefik.http.routers.radarr.service=radarr"
- "traefik.http.routers.bazarr.rule=Host(`bazarr.MYDOMAIN`)"
- "traefik.http.routers.bazarr.entrypoints=https"
- "traefik.http.routers.bazarr.tls.certresolver=myresolver"
- "traefik.http.services.bazarr.loadbalancer.server.port=6767"
- "traefik.http.routers.bazarr.service=bazarr"
- "traefik.http.routers.jackett.rule=Host(`jackett.MYDOMAIN`)"
- "traefik.http.routers.jackett.entrypoints=https"
- "traefik.http.routers.jackett.tls.certresolver=myresolver"
- "traefik.http.services.jackett.loadbalancer.server.port=9117"
- "traefik.http.routers.jackett.service=jackett"
- "traefik.http.routers.qbittorrent.rule=Host(`qbittorrent.MYDOMAIN`)"
- "traefik.http.routers.qbittorrent.entrypoints=https"
- "traefik.http.routers.qbittorrent.tls.certresolver=myresolver"
- "traefik.http.services.qbittorrent.loadbalancer.server.port=8083"
- "traefik.http.routers.qbittorrent.service=qbittorrent"
restart: unless-stopped
nzbget:
container_name: nzbget
image: linuxserver/nzbget
volumes:
- /opt/nzbget:/config
- /mnt:/mnt
- /media:/media
- /etc/localtime:/etc/localtime:ro
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Brussels
network_mode: 'service:gluetun'
restart: unless-stopped
sonarr:
container_name: sonarr
image: linuxserver/sonarr:develop
volumes:
- /opt/sonarr:/config
- /mnt:/mnt
- /media:/media
- /etc/localtime:/etc/localtime:ro
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Brussels
network_mode: 'service:gluetun'
restart: unless-stopped
radarr:
container_name: radarr
image: linuxserver/radarr:latest
volumes:
- /opt/radarr:/config
- /mnt:/mnt
- /media:/media
- /etc/localtime:/etc/localtime:ro
- /opt/radarr/mp4_automator:/config_mp4_automator
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Brussels
network_mode: 'service:gluetun'
restart: unless-stopped
bazarr:
container_name: bazarr
image: linuxserver/bazarr:latest
volumes:
- /opt/bazarr:/config
- /mnt:/mnt
- /media:/media
- /etc/localtime:/etc/localtime:ro
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Brussels
network_mode: 'service:gluetun'
restart: unless-stopped
jackett:
container_name: jackett
image: linuxserver/jackett:latest
volumes:
- /opt/jackett:/config
- /opt/jackett/Jackett:/config/Jackett
- /mnt:/mnt
- /media:/media
- /etc/localtime:/etc/localtime:ro
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Brussels
network_mode: 'service:gluetun'
restart: unless-stopped
qbittorrent:
container_name: qbittorrent
image: linuxserver/qbittorrent:latest
volumes:
- /opt/qbittorrent:/config
- /mnt:/mnt
- /media:/media
- /etc/localtime:/etc/localtime:ro
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Brussels
network_mode: 'service:gluetun'
restart: unless-stopped
plex:
container_name: plex
image: plexinc/pms-docker:plexpass
volumes:
- /media/plex/transcodes:/transcode
- /mnt/unionfs:/unionfs
- /opt/plex/database:/config
- /mnt:/mnt
- /dev/shm:/ram_transcode
- /media/plex/tmp:/tmp
- /etc/localtime:/etc/localtime:ro
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Brussels
ports:
- 32400:32400
- 32410:32410
- 32412:32412
- 32413:32413
- 32414:32414
- 33400:33400
- 33443:33443
- 8324:8324
networks:
- traefik_proxy
labels:
- "traefik.enable=true"
- "traefik.http.routers.plex.rule=Host(`plex.MYDOMAIN`)"
- "traefik.http.routers.plex.entrypoints=https"
- "traefik.http.routers.plex.tls.certresolver=myresolver"
restart: unless-stopped
ddclient:
image: lscr.io/linuxserver/ddclient:latest
container_name: ddclient
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Brussels
volumes:
- /opt/ddclient:/config
restart: unless-stopped
networks:
traefik_proxy:
external: true
volumes:
gluetun:
Here is my traefik.yml file:
api:
insecure: false
entryPoints:
http:
address: ":80"
https:
address: ":443"
certificatesResolvers:
myresolver:
acme:
email: MYEMAIL
storage: acme.json
httpChallenge:
entryPoint: http
log:
level: "DEBUG"
httpChallenge:
# used during the challenge
entryPoint: http
providers:
docker:
endpoint: "unix:///var/run/docker.sock"
exposedByDefault: false
Side-issue: Plex is not sufficiently exposed to the internet either, but I haven't really looked into that well yet.
I'm using cloudflare and I have: (1) an A record with wildflag * as value, pointing to my server IP, (2) an A record with my domain name as value, pointing to my server IP, and (3) a CNAME record with "oauth" as value, pointing to my domain name.
It's difficult to imagine how grateful I would be for some help here...