Using Traefik with Authelia as middleware/authenticator, I get no login screen

Hi, I'm not sure if I can ask questions like this here. Please close it if it's inappropiate.

The setup is this:

  • One dockerhost, running dockers for Kibana/Elasticsearch, Traefik and Authelia
  • Configuration is without labels (because I want to use this reverse proxy configuration (when it finally works) for other setups that don't run on dockers)
  • Two dockerfiles (one for Kibana/Elasticsearch and one for Traefik/Authelia). Kibana is accessible to Traefik on the docker network. I only include the dockerfile for Traefik/Authelia because I don't suspect the accessibilty of Kibana to be an issue, and to keep focus on what I think is the problem (Traefik configuration).

I want the following to happen:

What happens:

If I enable the middleware so that Authelia should jump in when I go to, I get an 401 unauthorized in the browser.

  • Log in Traefik:
    Remote error ``http://authelia:9091/api/verify``. StatusCode: 401" middlewareName=auth@file middlewareType=ForwardedAuthType

  • Log in Authelia:
    "Access to ```` (method GET) is not authorized to user <anonymous>, responding with status code 401" method=GET path=/api/verify remote_ip=

It makes sense that the user 'anonymous' is not authorized, but I don't get a login prompt to authenticate in the first place.

What I tried for troubleshooting:

  • Kibana is accessible through Traefik if I disable the middleware

  • Authelia works and is able to authenticate if I access it directly

I've been trying to get this to work for the last week, but I can't figure out what goes wrong.
What am I missing? Anyone know what's wrong in this config?

Dockerfile for Traefik/Authelia:

version: '3.8'

    image: traefik
    container_name: kibana_traefik
      - "--api=true"
      - "--api.insecure=true"
      - "--api.dashboard=true"
      - "--entrypoints.kibana-entrypoint.address=:5601"
      - "--providers.file.filename=/traefik-config/dynamic.toml"
      - ""
      - "--log.level=DEBUG"
      - "8080:8080"
      - "5601:5601"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - ./traefik-config:/traefik-config
      - ods_dev_bridge_network
      - authelia
    restart: unless-stopped
    container_name: kibana_authelia
    image: authelia/authelia:latest
      - ./authelia-config:/config
      - "9091:9091"
      - ods_dev_bridge_network
    restart: unless-stopped

      external: true

Authelia configuration.yml

server.port: 9091
log.level: debug
jwt_secret: insecure_secret
    implementation: activedirectory
    url: ldap://
    timeout: 5s
    start_tls: false
    base_dn: DC=company,DC=local
#    additional_users_dn: OU=Users,OU=COMPANY
    users_filter: (&(|({username_attribute}={input})({mail_attribute}={input}))(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!pwdLastSet=0))
    username_attribute: sAMAccountName
    mail_attribute: mail
    display_name_attribute: displayName
    groups_filter: (&(member:1.2.840.113556.1.4.1941:={dn})(objectClass=group)(objectCategory=group))
    group_name_attribute: cn
    permit_referrals: false
    permit_unauthenticated_bind: false
    user: CN=dockeruser_sa,OU=ServiceAccounts,OU=Users,OU=COMPANY,DC=company,DC=local
    password: <password>
  disable: true
  name: authelia_session
  domain: company.local
  same_site: lax
  secret: unsecure_session_secret
  expiration: 1h
  inactivity: 5m
  remember_me_duration:  1M
  encryption_key: a_very_important_secret
    path: /config/db.sqlite3
  default_policy: one_factor
    - domain:
      policy: one_factor
    filename: /var/lib/authelia/emails.txt

Traefik dynamic.toml:

    entryPoints = ["kibana-entrypoint"]
    rule = "Host(``)"
    service = "kibana-service"
    middlewares = ["auth@file"]

      url = "http://kibana:5601/"

    address = "http://authelia:9091/api/verify"
    trustForwardHeader = true
    authResponseHeaders = ["Remote-User", "Remote-Groups", "Remote-Name", "Remote-Email"]

To answer my own question, after help from the guy who maintains Authelia I've been able to figure out what I was missing. The thing that I didn't get was the URL used in the middleware part. First of all it needs an rd parameter, but I got stuck on the content of that parameter. Turns out it should refer to itself, like so:

address = "http://authelia:9091/api/verify?rd="

Both URLs point to Authelia, first one is internal, second is external. Because of the external URL, Authelia needs a router+service as well.

This is the end result regarding the Traefik dynamic config:

    entryPoints = ["kibana-entrypoint"]
    rule = "Host(``)"
    service = "kibana-service"
    middlewares = "auth"
    entryPoints = ["authelia-entrypoint"]
    rule = "Host(``)"
    service = "authelia-service"

      url = "http://kibana:5601/"
      url = "http://authelia:9091/"

    address = "http://authelia:9091/api/verify?rd="
    trustForwardHeader = true
    authResponseHeaders = ["Remote-User", "Remote-Groups", "Remote-Name", "Remote-Email"]

With this config Traefik calls Authelia for authentication, and after success authentication it returns to the original url and serves Kibana.

1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.