I wanted to add Authelia to my secure services a little better but something is not wright in my config. Traefik works great. Authelia by itself works (I can access and login going directly to login.domain.xyz) but something is missing with redirection/middlewares process when I try to access Authelia protected services. Everything is on docker swarm. What am I missing here?
Traefik config looks like this. I don't have anything is dynamic.ymal or in the Traefik.ymal
version: "3.8"
services:
traefik:
image: "traefik:latest"
command:
# - --log.level=DEBUG
- --api.insecure=true
- --api.dashboard=true
- --api.debug=true
- --providers.docker=true
- --providers.docker.swarmMode=true
- --providers.docker.exposedbydefault=false
- --providers.file.filename=/dynamic.yaml
- --providers.docker.network=web
- --entrypoints.web.address=:80
- --entrypoints.websecure.address=:443
- --entrypoints.irc.address=:6502
- --certificatesresolvers.letsencrypt.acme.dnschallenge=true
- --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare
- --certificatesresolvers.letsencrypt.acme.email=<user>@gmail.com
- --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
- --entrypoints.websecure.http.tls.certResolver=letsencrypt
- --entrypoints.websecure.http.tls=true
- --entrypoints.websecure.http.tls.domains[0].main=domain.xyz
- --entrypoints.websecure.http.tls.domains[0].sans=*.domain.xyz
# --- redirect to https ---
- --entrypoints.web.http.redirections.entryPoint.to=websecure
- --entrypoints.web.http.redirections.entryPoint.scheme=https
deploy:
placement:
constraints: [node.labels.srv1 == web]
restart_policy:
condition: on-failure
delay: 30s
max_attempts: 3
window: 180s
labels:
- traefik.enable=true
- traefik.http.routers.api.entrypoints=websecure
- traefik.http.routers.api.rule=Host(`traefik.domain.xyz`)
- traefik.http.routers.api.service=api@internal
- traefik.http.services.api.loadbalancer.server.port=8080
- traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://login.domain.xyz/
- traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true
- traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User, Remote-Groups, Remote-Name, Remote-Email
ports:
- "80:80"
# - "8080:8080"
- "443:443"
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- /mnt/usbdisk/data/appdata/traefik-rp/traefik.ymal:/etc/traefik/traefik.ymal
- /mnt/usbdisk/data/appdata/traefik-rp/letsencrypt:/letsencrypt
- /mnt/usbdisk/data/appdata/traefik-rp/dynamic.yaml:/dynamic.yaml
environment:
- CLOUDFLARE_EMAIL=/run/secrets/cloudflare_email_address
- CLOUDFLARE_DNS_API_TOKEN=/run/secrets/cloudflare_dns_api_token
networks:
- traefik
secrets:
- cloudflare_email_address
- cloudflare_dns_api_token
networks:
traefik:
attachable: true
name: traefik
secrets:
cloudflare_email_address:
file: /mnt/usbdisk/data/secrets/cloudflare_email_address
cloudflare_dns_api_token:
file: /mnt/usbdisk/data/secrets/cloudflare_dns_api_token
Authelia config
version: "3.8"
services:
portainer:
image: authelia/authelia
volumes:
- /mnt/usbdisk/data/appdata/authelia-rp:/config
environment:
- TZ=Europe/Berlin
- AUTHELIA_JWT_SECRET_FILE=/run/secrets/authelia_jwt_secret
- AUTHELIA_SESSION_SECRET_FILE=/run/secrets/authelia_session_secret
- AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/run/secrets/authelia_notifier_smtp_password
# - AUTHELIA_DUO_API_SECRET_KEY_FILE=/run/secrets/authelia_duo_api_secret_key
- AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE=/run/secrets/authelia_storage_mysql_password
deploy:
placement:
constraints: [node.labels.srv1 == web]
restart_policy:
condition: on-failure
delay: 30s
max_attempts: 2
window: 120s
labels:
- 'traefik.enable=true'
- 'traefik.http.routers.authelia.entrypoints=websecure'
- 'traefik.http.routers.authelia.rule=Host(`login.domain.xyz`)'
- 'traefik.http.services.authelia.loadbalancer.server.port=9091'
- 'traefik.http.routers.authelia.tls=true'
- 'traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://login.domain.xyz/'
- 'traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true'
- 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User, Remote-Groups, Remote-Name, Remote-Email'
networks:
- traefik
secrets:
- authelia_jwt_secret
- authelia_session_secret
- authelia_notifier_smtp_password
# - authelia_duo_api_secret_key
- authelia_storage_mysql_password
networks:
traefik:
external: true
secrets:
authelia_jwt_secret:
file: /mnt/usbdisk/data/secrets/authelia_jwt_secret
authelia_session_secret:
file: /mnt/usbdisk/data/secrets/authelia_session_secret
authelia_storage_mysql_password:
file: /mnt/usbdisk/data/secrets/authelia_storage_mysql_password
authelia_notifier_smtp_password:
file: /mnt/usbdisk/data/secrets/authelia_notifier_smtp_password
# authelia_duo_api_secret_key:
# file: $SECRETSDIR/authelia_duo_api_secret_key
authelia_storage_mysql_password:
file: /mnt/usbdisk/data/secrets/authelia_storage_mysql_password
and here is Lidarr config that I'm testing on
version: "3.8"
services:
lidarr:
image: ghcr.io/linuxserver/lidarr
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Berlin
volumes:
- /mnt/usbdisk/data/appdata/lidarr-ub:/config
- /mnt/srv1/data/media/music:/music
- /mnt/srv1/data/download:/downloads
deploy:
restart_policy:
condition: on-failure
delay: 30s
max_attempts: 2
window: 120s
placement:
constraints: [node.labels.srv2 == web]
labels:
- traefik.enable=true
- traefik.http.routers.lidarr.entrypoints=websecure
- traefik.http.routers.lidarr.rule=Host(`lidarr.domain.xyz`)
- traefik.http.routers.lidarr.tls=true
- traefik.http.routers.lidarr.middlewares=authelia@docker
- traefik.http.services.lidarr.loadbalancer.server.port=8686
networks:
- traefik
networks:
traefik:
external: true
I know that I'm doing something wrong but can't figure out what it is.