Traefik + gluetun + let's encrypt + oauth integration fail

Hi guys!

I have been working on this daily for the past week and have finally come to the point where I'll need to ask for some help. I have literally tried every guide I could find out there to get oauth up and running, but the more I tinker, the less it seems to work. At first, I was able to get an oauth page running, but there was a Google error on it; now I just keep getting HTTP ERROR 500.

The setup I have in mind is the following: have a number of containers use a gluetun VPN container to route the traffic externally and use traefik to make sure they remain reachable on e.g. sonarr.example.com using a Let's Encrypt issued certificate. After some tinkering, I'm happy to say that all of that worked and I can now access all of it through sonarr.example.com, nzbget.example.com etc.

What I've been completely stuck on however, is getting oauth to work with the traefik + gluetun / let's encrypt stuff. I've literally spent tens of hours on this, going through every guide I could find on the internet, going over all the logs with ChatGPT, etc. Nada. Basically, this forum is my last resort...

Here is my current docker-compose file (keeping in mind I literally tested tens if not hundreds of different solutions, so this is a snapshot of what I tried):

version: "3"
services:

  portainer:
    image: portainer/portainer-ce:latest
    container_name: portainer
    ports:
      - 9443:9443
    networks:
      - traefik_proxy
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.portainer.rule=Host(`portainer.MYDOMAIN`)"
      - "traefik.http.routers.portainer.entrypoints=https"
      - "traefik.http.routers.portainer.tls.certresolver=myresolver"
    volumes:
      - /opt/portainer:/data
      - /var/run/docker.sock:/var/run/docker.sock
    restart: unless-stopped

  traefik:
    image: traefik:v2.7
    container_name: traefik
    restart: always
    security_opt:
      - no-new-privileges:true
    networks:
      - traefik_proxy
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.api.entrypoints=http"
      - "traefik.http.routers.api.rule=Host(`traefik.MYDOMAIN`)"
      - "traefik.http.routers.api.service=api@internal"

      #define middleware
      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.address=http://traefik-forward-auth:4181"
      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.trustForwardHeader=true"

      - traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https
      - traefik.http.routers.traefik.middlewares=traefik-https-redirect
      - traefik.http.routers.traefik-secure.entrypoints=https
      - traefik.http.routers.traefik-secure.middlewares=traefik-forward-auth
      - traefik.http.routers.traefik-secure.tls=true
    command:
      - "--log.level=DEBUG"
    ports:
      - 80:80
      - 443:443
      - 8080:8080 # Dashboard
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /opt/traefik/traefik.yml:/traefik.yml:ro
      - /opt/traefik/acme.json:/acme.json

  traefik-forward-auth:
    image: thomseddon/traefik-forward-auth:latest
    container_name: traefik-forward-auth
    restart: always
    environment:
      - PROVIDERS_GOOGLE_CLIENT_ID=MYGOOGLECLIENTID
      - PROVIDERS_GOOGLE_CLIENT_SECRET=MYGOOGLESECRET
      - SECRET=d7a02f865k93f80244eaed0102da9ce3
      - AUTH_HOST=oauth.MYDOMAIN
      - COOKIE_DOMAIN=MYDOMAIN
      - WHITELIST=MYGMAIL
      - INSECURE_COOKIE=false
      - LOG_LEVEL=debug
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik-forward-auth.rule=Host(`oauth.MYDOMAIN`)"
      - "traefik.http.routers.traefik-forward-auth.entrypoints=https"
      - "traefik.http.routers.traefik-forward-auth.tls.certresolver=myresolver"
      - "traefik.http.routers.traefik-forward-auth.tls=true"
      - "traefik.http.services.traefik-forward-auth.loadbalancer.server.port=4181"
      #Middleware
      - "traefik.http.middlewares.traefik-forward-auth-auth-verify.forwardauth.address=http://traefik-forward-auth:4181"
      - "traefik.http.middlewares.traefik-forward-auth-auth-verify.forwardauth.authResponseHeaders=X-Forwarded-User"

  gluetun:
    container_name: gluetun
    image: qmcgaw/gluetun
    cap_add:
      - NET_ADMIN
    environment:
      - VPN_SERVICE_PROVIDER="private internet access"
      - OPENVPN_USER=MYVPNUSER
      - OPENVPN_PASSWORD=MYPASSWORD
      - PRIVATE_INTERNET_ACCESS_OPENVPN_ENCRYPTION_PRESET=normal
      - SERVER_REGIONS=Belgium
    networks:
      - traefik_proxy
    volumes:
      - gluetun:/gluetun
      - /etc/localtime:/etc/localtime:ro
    ports:
      - 6789:6789 #nzbget
      - 8989:8989 #sonarr
      - 9897:9897 #sonarr internal
      - 7878:7878 #radarr
      - 6767:6767 #bazarr
      - 9117:9117 #jackett
      - 7889:7889
      - 8083:8080 #qbittorrent
      - 3005:3005
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik_proxy"

      - "traefik.http.routers.nzbget.rule=Host(`nzbget.MYDOMAIN`)"
      - "traefik.http.routers.nzbget.entrypoints=https"
      - "traefik.http.routers.nzbget.tls.certresolver=myresolver"
      - "traefik.http.services.nzbget.loadbalancer.server.port=6789"
      - "traefik.http.routers.nzbget.service=nzbget"

      - "traefik.http.routers.sonarr.rule=Host(`sonarr.MYDOMAIN`)"
      - "traefik.http.routers.sonarr.entrypoints=https"
      - "traefik.http.routers.sonarr.tls.certresolver=myresolver"
      - "traefik.http.services.sonarr.loadbalancer.server.port=8989"
      - "traefik.http.routers.sonarr.service=sonarr"
      #- "traefik.http.routers.sonarr.middlewares=oauth"
      - "traefik.http.routers.sonarr.middlewares=traefik-forward-auth"

      - "traefik.http.routers.radarr.rule=Host(`radarr.MYDOMAIN`)"
      - "traefik.http.routers.radarr.entrypoints=https"
      - "traefik.http.routers.radarr.tls.certresolver=myresolver"
      - "traefik.http.services.radarr.loadbalancer.server.port=7878"
      - "traefik.http.routers.radarr.service=radarr"

      - "traefik.http.routers.bazarr.rule=Host(`bazarr.MYDOMAIN`)"
      - "traefik.http.routers.bazarr.entrypoints=https"
      - "traefik.http.routers.bazarr.tls.certresolver=myresolver"
      - "traefik.http.services.bazarr.loadbalancer.server.port=6767"
      - "traefik.http.routers.bazarr.service=bazarr"

      - "traefik.http.routers.jackett.rule=Host(`jackett.MYDOMAIN`)"
      - "traefik.http.routers.jackett.entrypoints=https"
      - "traefik.http.routers.jackett.tls.certresolver=myresolver"
      - "traefik.http.services.jackett.loadbalancer.server.port=9117"
      - "traefik.http.routers.jackett.service=jackett"

      - "traefik.http.routers.qbittorrent.rule=Host(`qbittorrent.MYDOMAIN`)"
      - "traefik.http.routers.qbittorrent.entrypoints=https"
      - "traefik.http.routers.qbittorrent.tls.certresolver=myresolver"
      - "traefik.http.services.qbittorrent.loadbalancer.server.port=8083"
      - "traefik.http.routers.qbittorrent.service=qbittorrent"

    restart: unless-stopped

  nzbget:
    container_name: nzbget
    image: linuxserver/nzbget
    volumes:
      - /opt/nzbget:/config
      - /mnt:/mnt
      - /media:/media
      - /etc/localtime:/etc/localtime:ro
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Brussels
    network_mode: 'service:gluetun'
    restart: unless-stopped

  sonarr:
    container_name: sonarr
    image: linuxserver/sonarr:develop
    volumes:
      - /opt/sonarr:/config
      - /mnt:/mnt
      - /media:/media
      - /etc/localtime:/etc/localtime:ro
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Brussels
    network_mode: 'service:gluetun'
    restart: unless-stopped

  radarr:
    container_name: radarr
    image: linuxserver/radarr:latest
    volumes:
      - /opt/radarr:/config
      - /mnt:/mnt
      - /media:/media
      - /etc/localtime:/etc/localtime:ro
      - /opt/radarr/mp4_automator:/config_mp4_automator
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Brussels
    network_mode: 'service:gluetun'
    restart: unless-stopped

  bazarr:
    container_name: bazarr
    image: linuxserver/bazarr:latest
    volumes:
      - /opt/bazarr:/config
      - /mnt:/mnt
      - /media:/media
      - /etc/localtime:/etc/localtime:ro
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Brussels
    network_mode: 'service:gluetun'
    restart: unless-stopped

  jackett:
    container_name: jackett
    image: linuxserver/jackett:latest
    volumes:
      - /opt/jackett:/config
      - /opt/jackett/Jackett:/config/Jackett
      - /mnt:/mnt
      - /media:/media
      - /etc/localtime:/etc/localtime:ro
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Brussels
    network_mode: 'service:gluetun'
    restart: unless-stopped

  qbittorrent:
    container_name: qbittorrent
    image: linuxserver/qbittorrent:latest
    volumes:
      - /opt/qbittorrent:/config
      - /mnt:/mnt
      - /media:/media
      - /etc/localtime:/etc/localtime:ro
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Brussels
    network_mode: 'service:gluetun'
    restart: unless-stopped

  plex:
    container_name: plex
    image: plexinc/pms-docker:plexpass
    volumes:
      - /media/plex/transcodes:/transcode
      - /mnt/unionfs:/unionfs
      - /opt/plex/database:/config
      - /mnt:/mnt
      - /dev/shm:/ram_transcode
      - /media/plex/tmp:/tmp
      - /etc/localtime:/etc/localtime:ro
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Brussels
    ports:
      - 32400:32400
      - 32410:32410
      - 32412:32412
      - 32413:32413
      - 32414:32414
      - 33400:33400
      - 33443:33443
      - 8324:8324
    networks:
      - traefik_proxy
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.plex.rule=Host(`plex.MYDOMAIN`)"
      - "traefik.http.routers.plex.entrypoints=https"
      - "traefik.http.routers.plex.tls.certresolver=myresolver"
    restart: unless-stopped

  ddclient:
    image: lscr.io/linuxserver/ddclient:latest
    container_name: ddclient
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Brussels
    volumes:
      - /opt/ddclient:/config
    restart: unless-stopped

networks:
  traefik_proxy:
    external: true

volumes:
  gluetun:

Here is my traefik.yml file:

api:
  insecure: false

entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"

certificatesResolvers:
  myresolver:
    acme:
      email: MYEMAIL
      storage: acme.json
      httpChallenge:
        entryPoint: http

log:
  level: "DEBUG"

httpChallenge:
  # used during the challenge
  entryPoint: http

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false

Side-issue: Plex is not sufficiently exposed to the internet either, but I haven't really looked into that well yet.

I'm using Cloudflare and I have: (1) an A record with wildcard * as value, pointing to my server IP, (2) an A record with my domain name as value, pointing to my server IP, and (3) a CNAME record with "oauth" as value, pointing to my domain name.

It's difficult to imagine how grateful I would be for some help here...

After a lot of re-runs, I figured out the issue.

For future reference, in case anyone comes across the same issue in the future:

I used the following labels in traefik:

labels:
      - "traefik.enable=true"

      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.address=http://traefik-forward-auth:4181"
      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.trustforwardheader=true"
      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.authresponseheaders=X-Forwarded-User"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-forward-auth"

      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`monitor.MYDOMAIN`)"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=myresolver"
      - "traefik.http.routers.traefik-secure.service=api@internal"

I used the following labels in my traefik-forward-auth:

labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik_proxy"
      - "traefik.http.routers.forward-auth.entrypoints=https"
      - "traefik.http.routers.forward-auth.rule=Host(`oauth.MYDOMAIN`)"
      - "traefik.http.routers.forward-auth.tls.certresolver=myresolver"
      - "traefik.http.services.traefik-forward-auth.loadbalancer.server.port=4181"
      #Middleware
      - "traefik.http.middlewares.traefik-forward-auth-auth-verify.forwardauth.address=http://traefik-forward-auth:4181"
      - "traefik.http.middlewares.traefik-forward-auth-auth-verify.forwardauth.authResponseHeaders=X-Forwarded-User"

Finally, I used the following labels in gluetun:

labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik_proxy"

      - "traefik.http.middlewares.sonarr-forward-auth.forwardauth.address=http://traefik-forward-auth:4181"
      - "traefik.http.middlewares.sonarr-forward-auth.forwardauth.trustforwardheader=true"
      - "traefik.http.middlewares.sonarr-forward-auth.forwardauth.authresponseheaders=X-Forwarded-User"
      - "traefik.http.routers.sonarr.rule=Host(`sonarr.MYDOMAIN`)"
      - "traefik.http.routers.sonarr.entrypoints=https"
      - "traefik.http.routers.sonarr.middlewares=sonarr-forward-auth"
      - "traefik.http.routers.sonarr.tls.certresolver=myresolver"
      - "traefik.http.routers.sonarr.tls=true"
      - "traefik.http.services.sonarr.loadbalancer.server.port=8989"
      - "traefik.http.routers.sonarr.service=sonarr"
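As an added check (example code, not from the post above or from the Traefik project): a small linter for Traefik v2 docker-provider labels that flags the things the working layout above gets right and the first attempt did not, namely a router that references a middleware no container defines, a forwardauth middleware with no authResponseHeaders, and a router with no rule. The sample labels are constructed and use example.com as a placeholder domain.

```python
# Added example, not from the forum post: a small linter for Traefik v2
# docker-provider labels that flags the mistakes that are easy to make in a
# layout like the one above (router pointing at an undefined middleware,
# forwardauth middleware without authResponseHeaders, router without a rule).
from collections import defaultdict

def parse_labels(services):
    """Merge routers/middlewares labels of all services (Traefik's docker provider
    does the same); option keys are lowercased, as Traefik treats them case-insensitively."""
    routers, middlewares = defaultdict(dict), defaultdict(dict)
    for labels in services.values():
        for label in labels:
            key, _, value = label.partition("=")
            parts = key.split(".")
            if [p.lower() for p in parts[:2]] != ["traefik", "http"] or len(parts) < 5:
                continue
            kind, name, option = parts[2].lower(), parts[3], ".".join(parts[4:]).lower()
            if kind == "routers":
                routers[name][option] = value
            elif kind == "middlewares":
                middlewares[name][option] = value
    return routers, middlewares

def lint(services):
    """Return human-readable findings; an empty list means the labels look sane."""
    routers, middlewares = parse_labels(services)
    findings = []
    for name, opts in routers.items():
        if "rule" not in opts:
            findings.append(f"router {name}: no rule")
        for mw in filter(None, opts.get("middlewares", "").split(",")):
            if mw.strip() not in middlewares:
                findings.append(f"router {name}: middleware {mw.strip()} is not defined")
    for name, opts in middlewares.items():
        if "forwardauth.address" in opts and "forwardauth.authresponseheaders" not in opts:
            findings.append(f"middleware {name}: forwardauth without authResponseHeaders")
    return findings

# Constructed sample in the shape of the working layout (example.com is a placeholder).
WORKING = {
    "traefik-forward-auth": [
        "traefik.http.routers.forward-auth.rule=Host(`oauth.example.com`)",
        "traefik.http.services.traefik-forward-auth.loadbalancer.server.port=4181",
    ],
    "gluetun": [
        "traefik.http.middlewares.sonarr-forward-auth.forwardauth.address=http://traefik-forward-auth:4181",
        "traefik.http.middlewares.sonarr-forward-auth.forwardauth.authresponseheaders=X-Forwarded-User",
        "traefik.http.routers.sonarr.rule=Host(`sonarr.example.com`)",
        "traefik.http.routers.sonarr.middlewares=sonarr-forward-auth",
    ],
}
```

Feed it the label lists from each service in your compose file; running it against the first attempt above reports the rule-less traefik-secure router and the forwardauth middleware that lacked authResponseHeaders.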
