Traefik can redirect services to Authelia, but it does not redirect to the right page after successful 1FA authentication. The only thing that works is that the Authelia page itself is redirected to default_redirection_url.
I can reach the services directly by ip:port, so the services themselves are working fine. I don't know what is going wrong.
traefik docker compose
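# Compose file for the Traefik reverse proxy. Indentation restored; the pasted
# listing had lost it, which flattens every mapping into top-level keys.
version: "3"
services:
  traefik:
    # NOTE(review): `latest` is a moving tag, so a restart can silently pull a
    # different release. Pin a specific version tag or image digest.
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    networks:
      - "traefik_proxy"
    ports:
      # Quoted so no YAML parser can re-type the host:container pairs.
      - "80:80"
      - "443:443"
    environment:
      # NOTE(review): DNS-challenge credential. Anyone holding it can change the
      # DuckDNS records and obtain certificates for these names; keep the real
      # value in an env file or secret that is not committed or pasted.
      - 'DUCKDNS_TOKEN=token'
    volumes:
      # NOTE(review): access to the Docker socket is equivalent to root on the
      # host. `:ro` only makes the mounted socket file read-only; it does not
      # restrict Docker API calls. A socket proxy that allows only the read
      # endpoints Traefik needs is the stronger control.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /etc/localtime:/etc/localtime:ro
      - /home/me/docker/traefik:/etc/traefik
      - /home/me/docker/traefik/config.yml:/config.yml
      - /home/me/docker/traefik/logs:/etc/traefik/logs
networks:
  traefik_proxy:
    external: true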
traefik.yml
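# Traefik static configuration. Indentation restored from the flattened paste.
global:
  checkNewVersion: true
  sendAnonymousUsage: false
log:
  # NOTE(review): DEBUG is for troubleshooting only; debug logs are verbose and
  # can record request details. Lower the level once the issue is resolved.
  level: DEBUG
  filePath: /etc/traefik/logs/traefik.log
accessLog:
  filePath: /etc/traefik/logs/traefik-access.log
api:
  # NOTE(review): the dashboard is published through the `traefik-secure` router
  # in config.yml; make sure that router carries an authentication middleware.
  dashboard: true
  # NOTE(review): `debug: true` enables the additional /debug endpoints
  # (profiling data). Disable it outside of a troubleshooting session.
  debug: true
serversTransport:
  # NOTE(review): turns off certificate verification for every HTTPS connection
  # from Traefik to a backend. The backends in config.yml are plain http, so
  # this is not needed for them; prefer `false`, or a trusted root CA for any
  # backend that really uses a private certificate.
  insecureSkipVerify: true
entryPoints:
  web:
    # Quoted: a plain scalar that starts with ':' is fragile across parsers.
    address: ":80"
  websecure:
    address: ":443"
certificatesResolvers:
  staging:
    acme:
      email: myemail
      storage: /etc/traefik/certs/acme.json
      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      dnsChallenge:
        provider: duckdns
  production:
    acme:
      email: myemail
      storage: /etc/traefik/certs/acme.json
      caServer: "https://acme-v02.api.letsencrypt.org/directory"
      dnsChallenge:
        provider: duckdns
providers:
  docker:
    # Containers are only routed when they opt in with labels.
    exposedByDefault: false
    network: traefik_proxy
    watch: true
  file:
    # NOTE(review): Traefik documents `filename` and `directory` as mutually
    # exclusive. Keep one. /etc/traefik also holds this static file, the logs
    # and the ACME storage, so a dedicated directory (or `filename` alone) is
    # the cleaner choice for dynamic configuration.
    filename: /config.yml
    directory: /etc/traefik
    watch: true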
config.yml
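# Traefik dynamic configuration (file provider). Indentation restored from the
# flattened paste: routers, services and middlewares are all children of `http`.
http:
  routers:
    traefik:
      entryPoints:
        - "web"
      rule: "Host(`subdomain1.duckdns.org`)"
      middlewares:
        - https-redirectscheme
      service: api@internal
    traefik-secure:
      # NOTE(review): this router publishes the dashboard/API (api@internal)
      # with no authentication middleware, and the Authelia configuration.yml
      # in this post sets `bypass` for the same host. Attach an auth middleware
      # here and give the host a non-bypass policy.
      entryPoints:
        - "websecure"
      rule: "Host(`subdomain1.duckdns.org`)"
      tls:
        certResolver: production
      service: api@internal
    authelia:
      entryPoints:
        - web
      rule: "Host(`subdomain2.duckdns.org`)"
      middlewares:
        - https-redirectscheme
      service: authelia
    authelia-secure:
      entryPoints:
        - websecure
      rule: "Host(`subdomain2.duckdns.org`)"
      tls:
        certResolver: production
      service: authelia
    app:
      entryPoints:
        - web
      rule: "Host(`subdomain3.duckdns.org`)"
      middlewares:
        - https-redirectscheme
      service: app
    app-secure:
      entryPoints:
        - websecure
      rule: "Host(`subdomain3.duckdns.org`)"
      middlewares:
        # Order matters: authentication runs before the header middleware.
        - authelia-auth
        - default-headers
      tls:
        certResolver: production
      service: app
  services:
    authelia:
      loadBalancer:
        servers:
          - url: "http://192.168.0.130:9091"
    app:
      loadBalancer:
        servers:
          # NOTE(review): the post says the services are reachable directly by
          # ip:port. Anyone who can reach this address skips authelia-auth
          # entirely; bind the backend to a network only Traefik can reach.
          - url: "http://192.168.0.130:180"
  middlewares:
    https-redirectscheme:
      redirectScheme:
        scheme: https
        permanent: true
    default-headers:
      headers:
        frameDeny: true
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 15552000
        # Per the Traefik docs a custom X-Frame-Options value overrides
        # frameDeny, so the effective header is SAMEORIGIN, not DENY.
        customFrameOptionsValue: SAMEORIGIN
        customRequestHeaders:
          X-Forwarded-Proto: https
    authelia-auth:
      forwardAuth:
        # NOTE(review): `services.authelia` above reaches the same port over
        # plain http, and the Authelia config shown has no TLS settings. If
        # Authelia is not serving TLS on 9091 this https:// subrequest cannot
        # succeed -- confirm the scheme. Quoted because of the '?' and '%'.
        address: "https://authelia:9091/api/verify?rd=https%3A%2F%2Fsubdomain2.duckdns.org%2F"
        # NOTE(review): passes the request's existing X-Forwarded-* headers on
        # to Authelia. That is only sound while the entry points do not accept
        # forwarded headers from arbitrary clients -- verify.
        trustForwardHeader: true
        # Identity headers copied from Authelia's response onto the request
        # sent to the backend; the backend must only be reachable via Traefik
        # for these to be trustworthy.
        authResponseHeaders:
          - "Remote-User"
          - "Remote-Groups"
          - "Remote-Email"
          - "Remote-Name"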
authelia docker compose
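# Compose file for Authelia. Indentation restored from the flattened paste.
version: '3'
services:
  authelia:
    # NOTE(review): no tag means `latest`; pin a specific version tag or digest
    # so an authentication component is never upgraded implicitly.
    image: authelia/authelia
    container_name: authelia
    volumes:
      - /home/me/docker/authelia/config:/config
    networks:
      - "traefik_proxy"
    ports:
      # NOTE(review): publishing 9091 on the host exposes the Authelia portal
      # over plain http outside of Traefik. Traefik shares the traefik_proxy
      # network with this container, so the published port is only needed
      # because config.yml points at the host IP -- consider routing to the
      # container name and dropping this mapping.
      - "9091:9091"
    restart: unless-stopped
# The service references traefik_proxy, so the network has to be declared here
# as well; it is the same external network used by the Traefik compose file.
networks:
  traefik_proxy:
    external: true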
configuration.yml
###############################################################################
# Authelia Configuration #
###############################################################################
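# Authelia configuration. Indentation restored from the flattened paste.
theme: dark
# NOTE(review): jwt_secret, session.secret and storage.encryption_key are shown
# empty (presumably redacted for the post -- confirm). Each must be a distinct,
# long random value, ideally supplied from a secret file rather than inline.
jwt_secret: ""
default_redirection_url: https://subdomain1.duckdns.org/
server:
  host: 0.0.0.0
  port: 9091
  path: ""
  read_buffer_size: 4096
  write_buffer_size: 4096
  enable_pprof: false
  enable_expvars: false
  disable_healthcheck: true
log:
  # NOTE(review): trace is the most verbose level and is meant for debugging;
  # the log file can then contain request details. Lower it afterwards.
  level: trace
  format: json
  file_path: /config/authelia.log
  keep_stdout: true
totp:
  issuer: subdomain2.duckdns.org
  period: 30
  skew: 1
authentication_backend:
  disable_reset_password: true
  refresh_interval: 5m
  file:
    path: /config/users_database.yml
    password:
      algorithm: argon2id
      iterations: 1
      salt_length: 16
      parallelism: 8
      memory: 64
access_control:
  # Anything not matched by a rule below is denied.
  default_policy: deny
  networks:
    # Defined but not referenced by any rule in this file.
    - name: internal
      networks:
        - 192.168.0.0/18
  rules:
    ## bypass rule
    # NOTE(review): subdomain1 is the Traefik dashboard in config.yml; `bypass`
    # means no authentication is required for it. Use one_factor or two_factor
    # for that host and attach the forwardAuth middleware to its router.
    - domain:
        - "subdomain1.duckdns.org"
        - "subdomain2.duckdns.org"
      policy: bypass
    ## protected application (this is not a catch-all; it matches one host)
    - domain:
        - "subdomain3.duckdns.org"
      policy: one_factor
session:
  name: authelia_session
  # NOTE(review): duckdns.org is a suffix shared with every other DuckDNS user
  # (it appears on the Public Suffix List -- verify). Browsers refuse cookies
  # scoped to such a suffix, so the session never reaches the protected host;
  # if one were accepted it would be sent to other tenants' hosts as well.
  # The cookie domain must be a domain you control that is a parent of both
  # the portal and the protected hosts, e.g. hosts nested under a single
  # DuckDNS name of your own.
  domain: duckdns.org
  same_site: lax
  secret: ""
  expiration: 1h
  inactivity: 5m
  remember_me_duration: 2M
regulation:
  # Five failed logins within find_time ban the account for ban_time.
  max_retries: 5
  find_time: 10m
  ban_time: 15m
storage:
  encryption_key: ""
  path: /config/db.sqlite3
notifier:
  # Notifications are written to a local file instead of being sent.
  filesystem:
    filename: /config/notification.txt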