Help with authentik and traefik random drops

Hello self hosters! I am hoping some of you wizards can help me troubleshoot my setup with authentik and traefik.

First about my setup. I have a synology nas that is running a docker compose stack. Synology is notoriously bad at keeping their docker version fresh, but hopefully that isn’t relevant to this issue. I’m running traefik for reverse proxy, and authentik for auth. In authentik land I’ve split the outpost work into its own container, named authentikproxy. Any request to a service with the authentik-basic@file or authentik@file middleware labels applied should be routed through the authentikproxy service for auth. If it detects that one isn’t authed, it will in turn send you to the authentik frontend for SSO.

The issue is that authentik randomly stops working for random routes, or randomly fails to start working for random routes. Every time this happens I need to restart my authentikproxy and traefik containers over and over until it randomly decides to work for all my routes. When this happens I am just sent straight to the app unauthenticated. I’ll have to either input http basic credentials or use the app’s login page, whichever it has. I have found nothing in the logs after months of this going on, neither authentik nor traefik seem to be aware that anything is amiss.

I suspect the issue is to do with the docker networks but that’s honestly just a hunch.

My docker-compose file is hundreds of lines long, so I’ve stripped environment and volume info while preserving traefik labels to try to keep the info more or less concise. It is certainly still too much info but I did not want to accidentally delete something crucial. Here follows my setup.

docker-compose.yml


<span style="color:#63a35c;">services</span><span style="color:#323232;">:
</span><span style="color:#323232;">  </span><span style="color:#63a35c;">traefik</span><span style="color:#323232;">:
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">profiles</span><span style="color:#323232;">:
</span><span style="color:#323232;">      - </span><span style="color:#183691;">prod
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">container_name</span><span style="color:#323232;">: </span><span style="color:#183691;">traefik
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">image</span><span style="color:#323232;">: </span><span style="color:#183691;">traefik:v2.11
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">command</span><span style="color:#323232;">:
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"--entrypoints.websecure.http.tls.domains[0].main=${BASE_DOMAIN}"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"--entrypoints.websecure.http.tls.domains[0].sans=*.${BASE_DOMAIN}"
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">volumes</span><span style="color:#323232;">:
</span><span style="color:#323232;">      - </span><span style="color:#183691;">/var/run/docker.sock:/var/run/docker.sock:ro
</span><span style="color:#323232;">      - </span><span style="color:#183691;">./traefik/middlewares.yml:/app/myconf/middlewares.yml
</span><span style="color:#323232;">      - </span><span style="color:#183691;">./traefik/traefik.yml:/traefik.yml
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">restart</span><span style="color:#323232;">: </span><span style="color:#183691;">unless-stopped
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">networks</span><span style="color:#323232;">:
</span><span style="color:#323232;">      </span><span style="color:#63a35c;">default</span><span style="color:#323232;">:
</span><span style="color:#323232;">        </span><span style="color:#63a35c;">aliases</span><span style="color:#323232;">:
</span><span style="color:#323232;">          </span><span style="font-style:italic;color:#969896;"># Allow xcontainernet services to resolve authentik
</span><span style="color:#323232;">          - </span><span style="color:#183691;">"authentik.${BASE_DOMAIN-home}"
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">ports</span><span style="color:#323232;">:
</span><span style="color:#323232;">      - </span><span style="color:#183691;">80:80
</span><span style="color:#323232;">      - </span><span style="color:#183691;">443:443
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">labels</span><span style="color:#323232;">:
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.enable=true"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.middlewares.redirectssl.redirectscheme.scheme=https"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.routers.traefik.rule=Host(`traefik.${BASE_DOMAIN-home}`)"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.routers.traefik.middlewares=redirectssl@docker"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.routers.traefiksecure.rule=Host(`traefik.${BASE_DOMAIN-home}`)"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.services.traefik.loadbalancer.server.port=8080"
</span><span style="color:#323232;">
</span><span style="color:#323232;">  </span><span style="color:#63a35c;">transmission</span><span style="color:#323232;">:
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">image</span><span style="color:#323232;">: </span><span style="color:#183691;">lscr.io/linuxserver/transmission
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">container_name</span><span style="color:#323232;">: </span><span style="color:#183691;">transmission
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">labels</span><span style="color:#323232;">:
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.enable=true"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.routers.torrents.rule=Host(`torrents.${BASE_DOMAIN-home}`)"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.routers.torrents.middlewares=redirectssl@docker"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.routers.torrentssecure.rule=Host(`torrents.${BASE_DOMAIN-home}`)"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.routers.torrentssecure.entrypoints=websecure"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.routers.torrentssecure.middlewares=authentik@file"
</span><span style="color:#323232;">
</span><span style="color:#323232;">  </span><span style="color:#63a35c;">sabnzbd</span><span style="color:#323232;">:
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">image</span><span style="color:#323232;">: </span><span style="color:#183691;">lscr.io/linuxserver/sabnzbd
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">container_name</span><span style="color:#323232;">: </span><span style="color:#183691;">sabnzbd
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">labels</span><span style="color:#323232;">:
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.enable=true"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.routers.nzb.rule=Host(`nzb.${BASE_DOMAIN-home}`)"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.routers.nzb.middlewares=redirectssl@docker"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.routers.nzbsecure.rule=Host(`nzb.${BASE_DOMAIN-home}`)"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.routers.nzbsecure.entrypoints=websecure"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.routers.nzbsecure.middlewares=authentik@file"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.services.nzb.loadbalancer.server.port=8080"
</span><span style="color:#323232;">
</span><span style="color:#323232;">  </span><span style="color:#63a35c;">sonarr</span><span style="color:#323232;">:
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">image</span><span style="color:#323232;">: </span><span style="color:#183691;">ghcr.io/linuxserver/sonarr:latest
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">container_name</span><span style="color:#323232;">: </span><span style="color:#183691;">sonarr
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">labels</span><span style="color:#323232;">:
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.enable=true"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.routers.sonarr.rule=Host(`sonarr.${BASE_DOMAIN-home}`)"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.routers.sonarr.middlewares=redirectssl@docker"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.routers.sonarrsecure.rule=Host(`sonarr.${BASE_DOMAIN-home}`)"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.routers.sonarrsecure.entrypoints=websecure"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.routers.sonarrsecure.middlewares=authentik-basic@file"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.services.sonarr.loadbalancer.server.port=8989"
</span><span style="color:#323232;">
</span><span style="color:#323232;">  </span><span style="color:#63a35c;">radarr</span><span style="color:#323232;">:
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">image</span><span style="color:#323232;">: </span><span style="color:#183691;">ghcr.io/linuxserver/radarr:latest
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">container_name</span><span style="color:#323232;">: </span><span style="color:#183691;">radarr
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">labels</span><span style="color:#323232;">:
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.enable=true"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.routers.radarr.rule=Host(`radarr.${BASE_DOMAIN-home}`)"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.routers.radarr.middlewares=redirectssl@docker"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.routers.radarrsecure.rule=Host(`radarr.${BASE_DOMAIN-home}`)"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.routers.radarrsecure.entrypoints=websecure"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.routers.radarrsecure.middlewares=authentik-basic@file"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.services.radarr.loadbalancer.server.port=7878"
</span><span style="color:#323232;">
</span><span style="color:#323232;">  </span><span style="color:#63a35c;">readarr</span><span style="color:#323232;">:
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">image</span><span style="color:#323232;">: </span><span style="color:#183691;">lscr.io/linuxserver/readarr:nightly
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">container_name</span><span style="color:#323232;">: </span><span style="color:#183691;">readarr
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">labels</span><span style="color:#323232;">:
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.enable=true"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.routers.readarr.rule=Host(`readarr.${BASE_DOMAIN-home}`)"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.routers.readarr.middlewares=redirectssl@docker"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.routers.readarrsecure.rule=Host(`readarr.${BASE_DOMAIN-home}`)"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.routers.readarrsecure.entrypoints=websecure"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.routers.readarrsecure.middlewares=authentik-basic@file"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.services.readarr.loadbalancer.server.port=8787"
</span><span style="color:#323232;">
</span><span style="color:#323232;">  </span><span style="color:#63a35c;">bazarr</span><span style="color:#323232;">:
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">image</span><span style="color:#323232;">: </span><span style="color:#183691;">ghcr.io/linuxserver/bazarr:latest
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">container_name</span><span style="color:#323232;">: </span><span style="color:#183691;">bazarr
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">labels</span><span style="color:#323232;">:
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.enable=true"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.routers.bazarr.rule=Host(`bazarr.${BASE_DOMAIN-home}`)"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.routers.bazarr.middlewares=redirectssl@docker"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.routers.bazarrsecure.rule=Host(`bazarr.${BASE_DOMAIN-home}`)"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.routers.bazarrsecure.entrypoints=websecure"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.routers.bazarrsecure.middlewares=authentik-basic@file"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.services.bazarr.loadbalancer.server.port=6767"
</span><span style="color:#323232;">
</span><span style="color:#323232;">  </span><span style="color:#63a35c;">prowlarr</span><span style="color:#323232;">:
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">image</span><span style="color:#323232;">: </span><span style="color:#183691;">lscr.io/linuxserver/prowlarr:latest
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">container_name</span><span style="color:#323232;">: </span><span style="color:#183691;">prowlarr
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">labels</span><span style="color:#323232;">:
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.enable=true"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.routers.prowlarr.rule=Host(`prowlarr.${BASE_DOMAIN-home}`)"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.routers.prowlarr.middlewares=redirectssl@docker"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.routers.prowlarrsecure.rule=Host(`prowlarr.${BASE_DOMAIN-home}`)"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.routers.prowlarrsecure.entrypoints=websecure"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.routers.prowlarrsecure.middlewares=authentik-basic@file"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.services.prowlarr.loadbalancer.server.port=9696"
</span><span style="color:#323232;">
</span><span style="color:#323232;">  </span><span style="color:#63a35c;">jellyfin</span><span style="color:#323232;">:
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">image</span><span style="color:#323232;">: </span><span style="color:#183691;">linuxserver/jellyfin:latest
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">container_name</span><span style="color:#323232;">: </span><span style="color:#183691;">jellyfin
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">networks</span><span style="color:#323232;">:
</span><span style="color:#323232;">      </span><span style="color:#63a35c;">default</span><span style="color:#323232;">:
</span><span style="color:#323232;">      </span><span style="color:#63a35c;">xcontainernet</span><span style="color:#323232;">:
</span><span style="color:#323232;">        </span><span style="color:#63a35c;">ipv4_address</span><span style="color:#323232;">: </span><span style="color:#0086b3;">192.168.0.201
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">labels</span><span style="color:#323232;">:
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.enable=true"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.routers.jellyfin.rule=Host(`tv.${BASE_DOMAIN-home}`)"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.routers.jellyfin.middlewares=redirectssl@docker"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.routers.jellyfinsecure.rule=Host(`tv.${BASE_DOMAIN-home}`)"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.routers.jellyfinsecure.entrypoints=websecure"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.services.jellyfin.loadbalancer.server.port=8096"
</span><span style="color:#323232;">
</span><span style="color:#323232;">  </span><span style="color:#63a35c;">authentikserver</span><span style="color:#323232;">:
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">image</span><span style="color:#323232;">: </span><span style="color:#183691;">ghcr.io/goauthentik/server:2024.2.2
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">command</span><span style="color:#323232;">: </span><span style="color:#183691;">server
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">depends_on</span><span style="color:#323232;">:
</span><span style="color:#323232;">      - </span><span style="color:#183691;">postgresql
</span><span style="color:#323232;">      - </span><span style="color:#183691;">redis
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">labels</span><span style="color:#323232;">:
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.enable=true"
</span><span style="color:#323232;">      </span><span style="font-style:italic;color:#969896;">## HTTP Routers
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.routers.authentik.rule=Host(`authentik.${BASE_DOMAIN-home}`)"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.routers.authentik.entrypoints=web"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.routers.authentik.middlewares=redirectssl@docker"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.routers.authentiksecure.rule=Host(`authentik.${BASE_DOMAIN:-home}`)"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.routers.authentiksecure.entrypoints=websecure"
</span><span style="color:#323232;">      </span><span style="font-style:italic;color:#969896;">## HTTP Services
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.routers.authentiksecure.service=authentik-svc"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.services.authentik-svc.loadbalancer.server.port=9000"
</span><span style="color:#323232;">
</span><span style="color:#323232;">  </span><span style="color:#63a35c;">authentikproxy</span><span style="color:#323232;">:
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">image</span><span style="color:#323232;">: </span><span style="color:#183691;">ghcr.io/goauthentik/proxy:2024.2.2
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">labels</span><span style="color:#323232;">:
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.routers.authentik-proxy-outpost.rule=HostRegexp(`{subdomain:[a-z0-9-]+}.${BASE_DOMAIN:-home}`) && PathPrefix(`/outpost.goauthentik.io/`)"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.routers.authentik-proxy-outpost.entrypoints=websecure"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.services.authentik-proxy-outpost.loadbalancer.server.port=9000"
</span><span style="color:#323232;">
</span><span style="color:#323232;">  </span><span style="color:#63a35c;">immich-server</span><span style="color:#323232;">:
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">container_name</span><span style="color:#323232;">: </span><span style="color:#183691;">immich_server
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">image</span><span style="color:#323232;">: </span><span style="color:#183691;">ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">depends_on</span><span style="color:#323232;">:
</span><span style="color:#323232;">      - </span><span style="color:#183691;">redis
</span><span style="color:#323232;">      - </span><span style="color:#183691;">immich-database
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">labels</span><span style="color:#323232;">:
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.enable=true"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.routers.immich.rule=Host(`photos.${BASE_DOMAIN-home}`)"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.routers.immich.middlewares=redirectssl@docker"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.routers.immichsecure.rule=Host(`photos.${BASE_DOMAIN-home}`)"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.routers.immichsecure.entrypoints=websecure"
</span><span style="color:#323232;">      - </span><span style="color:#183691;">"traefik.http.services.immich.loadbalancer.server.port=3001"
</span><span style="color:#323232;">
</span><span style="color:#63a35c;">networks</span><span style="color:#323232;">:
</span><span style="color:#323232;">  </span><span style="color:#63a35c;">default</span><span style="color:#323232;">:
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">ipam</span><span style="color:#323232;">:
</span><span style="color:#323232;">      </span><span style="color:#63a35c;">config</span><span style="color:#323232;">:
</span><span style="color:#323232;">        - </span><span style="color:#63a35c;">subnet</span><span style="color:#323232;">: </span><span style="color:#183691;">172.22.0.0/24
</span><span style="color:#323232;">  </span><span style="color:#63a35c;">xcontainernet</span><span style="color:#323232;">:
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">name</span><span style="color:#323232;">: </span><span style="color:#183691;">xcontainernet
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">driver</span><span style="color:#323232;">: </span><span style="color:#183691;">macvlan
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">driver_opts</span><span style="color:#323232;">:
</span><span style="color:#323232;">      </span><span style="color:#63a35c;">parent</span><span style="color:#323232;">: </span><span style="color:#183691;">eth0
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">ipam</span><span style="color:#323232;">:
</span><span style="color:#323232;">      </span><span style="color:#63a35c;">config</span><span style="color:#323232;">:
</span><span style="color:#323232;">        - </span><span style="color:#63a35c;">subnet</span><span style="color:#323232;">: </span><span style="color:#183691;">"192.168.0.0/24"
</span><span style="color:#323232;">          </span><span style="color:#63a35c;">ip_range</span><span style="color:#323232;">: </span><span style="color:#183691;">"192.168.0.200/29"
</span><span style="color:#323232;">          </span><span style="color:#63a35c;">gateway</span><span style="color:#323232;">: </span><span style="color:#183691;">"192.168.0.1"
</span>

traefik/traefik.yml


<span style="color:#63a35c;">providers</span><span style="color:#323232;">:
</span><span style="color:#323232;">  </span><span style="color:#63a35c;">docker</span><span style="color:#323232;">:
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">exposedByDefault</span><span style="color:#323232;">: </span><span style="color:#0086b3;">false
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">network</span><span style="color:#323232;">: </span><span style="color:#183691;">homeservices_default
</span><span style="color:#323232;">  </span><span style="color:#63a35c;">file</span><span style="color:#323232;">:
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">directory</span><span style="color:#323232;">: </span><span style="color:#183691;">/app/myconf
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">watch</span><span style="color:#323232;">: </span><span style="color:#0086b3;">true
</span><span style="color:#323232;">
</span><span style="color:#63a35c;">entryPoints</span><span style="color:#323232;">:
</span><span style="color:#323232;">  </span><span style="color:#63a35c;">web</span><span style="color:#323232;">:
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">address</span><span style="color:#323232;">: </span><span style="color:#183691;">":80"
</span><span style="color:#323232;">  </span><span style="color:#63a35c;">websecure</span><span style="color:#323232;">:
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">address</span><span style="color:#323232;">: </span><span style="color:#183691;">":443"
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">http</span><span style="color:#323232;">:
</span><span style="color:#323232;">      </span><span style="color:#63a35c;">tls</span><span style="color:#323232;">:
</span><span style="color:#323232;">        </span><span style="color:#63a35c;">certResolver</span><span style="color:#323232;">: </span><span style="color:#183691;">dnsresolver
</span>

traefik/middlewares.yml


<span style="color:#63a35c;">http</span><span style="color:#323232;">:
</span><span style="color:#323232;">  </span><span style="color:#63a35c;">middlewares</span><span style="color:#323232;">:
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">https-redirect</span><span style="color:#323232;">:
</span><span style="color:#323232;">      </span><span style="color:#63a35c;">redirectScheme</span><span style="color:#323232;">:
</span><span style="color:#323232;">        </span><span style="color:#63a35c;">scheme</span><span style="color:#323232;">: </span><span style="color:#183691;">https
</span><span style="color:#323232;">        </span><span style="color:#63a35c;">permanent</span><span style="color:#323232;">: </span><span style="color:#0086b3;">true
</span><span style="color:#323232;">
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">authentik-basic</span><span style="color:#323232;">:
</span><span style="color:#323232;">      </span><span style="color:#63a35c;">forwardAuth</span><span style="color:#323232;">:
</span><span style="color:#323232;">        </span><span style="color:#63a35c;">address</span><span style="color:#323232;">: </span><span style="color:#183691;">"http://authentikproxy:9000/outpost.goauthentik.io/auth/traefik"
</span><span style="color:#323232;">        </span><span style="color:#63a35c;">trustForwardHeader</span><span style="color:#323232;">: </span><span style="color:#0086b3;">true
</span><span style="color:#323232;">        </span><span style="color:#63a35c;">authResponseHeaders</span><span style="color:#323232;">:
</span><span style="color:#323232;">          - </span><span style="color:#183691;">Authorization
</span><span style="color:#323232;">
</span><span style="color:#323232;">    </span><span style="color:#63a35c;">authentik</span><span style="color:#323232;">:
</span><span style="color:#323232;">      </span><span style="color:#63a35c;">forwardAuth</span><span style="color:#323232;">:
</span><span style="color:#323232;">        </span><span style="color:#63a35c;">address</span><span style="color:#323232;">: </span><span style="color:#183691;">"http://authentikproxy:9000/outpost.goauthentik.io/auth/traefik"
</span><span style="color:#323232;">        </span><span style="color:#63a35c;">trustForwardHeader</span><span style="color:#323232;">: </span><span style="color:#0086b3;">true
</span><span style="color:#323232;">        </span><span style="color:#63a35c;">authResponseHeaders</span><span style="color:#323232;">:
</span><span style="color:#323232;">          - </span><span style="color:#183691;">X-authentik-email
</span><span style="color:#323232;">          - </span><span style="color:#183691;">X-authentik-groups
</span><span style="color:#323232;">          - </span><span style="color:#183691;">X-authentik-jwt
</span><span style="color:#323232;">          - </span><span style="color:#183691;">X-authentik-meta-app
</span><span style="color:#323232;">          - </span><span style="color:#183691;">X-authentik-meta-jwks
</span><span style="color:#323232;">          - </span><span style="color:#183691;">X-authentik-meta-outpost
</span><span style="color:#323232;">          - </span><span style="color:#183691;">X-authentik-meta-provider
</span><span style="color:#323232;">          - </span><span style="color:#183691;">X-authentik-meta-version
</span><span style="color:#323232;">          - </span><span style="color:#183691;">X-authentik-name
</span><span style="color:#323232;">          - </span><span style="color:#183691;">X-authentik-uid
</span><span style="color:#323232;">          - </span><span style="color:#183691;">X-authentik-username
</span>

Lem453 , 2 months ago

I’ve got multiple apps using LDAP, oauth, and proxy on authentik, I’ve not had this happen.

I also use traefik as reverse proxy.

I didn’t manually create an outpost. Not sure what advantage there is unless you have a huge organization and run multiple redundant containers. Regardless there might be some bug here because I otherwise have the same setup as you.

I would definitely try uploading everything to the latest container version first

Reply

Report

Activity

Open original URL

Copy original URL

Copy Mbin URL

Loading...

bjornsno OP , 2 months ago

I honestly just did it to try to get cleaner logs having the container only be responsible for the proxying.

Reply

Report

Activity

Open original URL

Copy original URL

Copy Mbin URL

Loading...

moontorchy , 2 months ago

Sorry, I couldn’t manage to read the whole post. Anyway, you may want to try authentik 2024.6 or later. They “reworked proxy provider redirect” in that version. I find it much more stable, but still not perfect. OAuth works great though. Note that 2024.6 requires Postgre db upgrade.

Reply

Report

Activity

Open original URL

Copy original URL

Copy Mbin URL

Loading...

bjornsno OP , 2 months ago

I’ll try that, but since I haven’t been able to find any related issues I’m pretty sure it’s a configuration error on my part. Hehe the regretfully long post. Next step will probably be to open an issue on authentik’s GitHub but since I think it’s a pebkac I would prefer not to waste their time.

Reply

Report

Activity

Open original URL

Copy original URL

Copy Mbin URL

Loading...