[GH-ISSUE #13] Using Forward Auth (single application) #11

Open
opened 2026-02-26 12:22:05 +03:00 by kerem · 2 comments

Originally created by @jonathan8devs on GitHub (Mar 10, 2025).
Original GitHub issue: https://github.com/brokenscripts/authentik_traefik/issues/13

I see that you have already dealt with the subject in depth. I have a problem that I can't get solved and I haven't gotten any response in my Github ticket yet. Maybe you have a tip for me.

My main problem is that as long as I have forward auth (domain level) active, forward auth (single application) is ignored and I cannot explicitly protect applications.

Describe your question
I’ve tried all the available approaches, including the options described in the documentation. However, I keep getting a “Not Found” page. This page fails to load the CSS files or images and does not redirect to authentication in Authentik.
How can I successfully set up “Forward Auth (single application)” for multiple servers and in general?

Relevant info

  1. Removed “Forward auth (Domain level)” from the Outposts to disable it.
  2. Created a “New provider” -> “Proxy Provider” -> “Forward auth (single application)”.
  3. Added another application and assigned it to the provider.
  4. Added the new provider to the Outposts.

Screenshots

[Image: https://github.com/user-attachments/assets/a36532b5-0375-4c9a-b364-efe0fd703b02]

Version and Deployment

  • Authentik via Docker
  • Authentik version (Server/Worker): 2024.12.3
  • Host 01: Authentik + Applications
  • Host 02: Applications

Additional context

services:
  postgresql:
    container_name: authentik_postgres
    environment:
      POSTGRES_DB: authentik
      POSTGRES_PASSWORD: mypostgresspassword
      POSTGRES_USER: authentik
    hostname: authentik-postgres
    healthcheck:
      test:
        - CMD-SHELL
        - pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}
      timeout: 5s
      interval: 30s
      retries: 5
      start_period: 20s
    image: docker.io/library/postgres:16-alpine
    networks:
      default: null
    restart: unless-stopped
    volumes:
      - "./data/database:/var/lib/postgresql/data"
  redis:
    command:
      - --save
      - "60"
      - "1"
      - --loglevel
      - warning
    container_name: authentik_redis
    hostname: authentik-redis
    healthcheck:
      test:
        - CMD-SHELL
        - redis-cli ping | grep PONG
      timeout: 3s
      interval: 30s
      retries: 5
      start_period: 20s
    image: docker.io/library/redis:alpine
    networks:
      default: null
    restart: unless-stopped
    volumes:
      - "./data/redis:/data"
  server:
    command:
      - server
    container_name: authentik_server
    environment:
      AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL: "false"
      AUTHENTIK_DEFAULT_USER_CHANGE_NAME: "true"
      AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME: "false"
      AUTHENTIK_ERROR_REPORTING__ENABLED: "false"
      AUTHENTIK_LOG_LEVEL: trace
      AUTHENTIK_POSTGRESQL__HOST: authentik-postgres
      AUTHENTIK_POSTGRESQL__NAME: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: mypostgresspassword
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_REDIS__HOST: authentik-redis
      AUTHENTIK_SECRET_KEY: mysecretkey
      PGID: "0"
      PUID: "0"
      TZ: Europe/Berlin
    hostname: authentik-server
    image: ghcr.io/goauthentik/server:2024.12
    labels:
      traefik.enable: "true"
      traefik.http.routers.authentik.entrypoints: websecure
      traefik.http.routers.authentik.rule: Host(`authentik.mydomain.com`) || HostRegexp(`{subdomain:[a-z0-9.]+}.mydomain.com`) && PathPrefix(`/outpost.goauthentik.io/`)
      traefik.http.routers.authentik.service: authentik
      traefik.http.routers.authentik.tls: "true"
      traefik.http.routers.authentik.tls.certresolver: tls_resolver
      traefik.http.services.authentik.loadBalancer.server.port: "9000"
    networks:
      default: null
      proxy: null
    restart: unless-stopped
    volumes:
      - "./data/authentik/media:/media"
      - "./data/authentik/custom-templates:/templates"
  worker:
    command:
      - worker
    container_name: authentik_worker
    environment:
      AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL: "false"
      AUTHENTIK_DEFAULT_USER_CHANGE_NAME: "true"
      AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME: "false"
      AUTHENTIK_ERROR_REPORTING__ENABLED: "false"
      AUTHENTIK_LOG_LEVEL: trace
      AUTHENTIK_POSTGRESQL__HOST: authentik-postgres
      AUTHENTIK_POSTGRESQL__NAME: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: mypostgresspassword
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_REDIS__HOST: authentik-redis
      AUTHENTIK_SECRET_KEY: mysecretkey
      PGID: "0"
      PUID: "0"
      TZ: Europe/Berlin
    hostname: authentik-worker
    image: ghcr.io/goauthentik/server:2024.12
    networks:
      default: null
    restart: unless-stopped
    user: root
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
      - "./data/authentik/media:/media"
      - "./data/authentik/custom-templates:/templates"
networks:
  default:
    name: authentik
    driver: bridge
    attachable: true
  proxy:
    name: proxy
    external: true

Traefik dynamic configuration

http:
  middlewares:
    authentik:
      forwardAuth:
        address: "https://authentik.8devs.com/outpost.goauthentik.io/auth/traefik"
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version

App configuration

    labels:
      traefik.docker.network: proxy
      traefik.enable: "true"
      traefik.http.routers.myprojec.entrypoints: websecure
      traefik.http.routers.myprojec.rule: Host(`app1.mydomain.com`)
      traefik.http.routers.myprojec.priority: 10
      traefik.http.routers.myprojec.middlewares: authentik@file
      traefik.http.routers.myprojec.tls: true
      traefik.http.routers.myprojec.tls.certresolver: http_resolver
      traefik.http.routers.myprojec.service: myprojec
      traefik.http.services.myprojec.loadbalancer.server.port: "8080"
      traefik.http.routers.myprojec-auth.rule: Host(`app1.mydomain.com`) && PathPrefix(`/outpost.goauthentik.io/`)
      traefik.http.routers.myprojec-auth.priority: 15
      traefik.http.routers.myprojec-auth.service: myprojec-auth
      traefik.http.services.myprojec-auth.loadbalancer.server.url: https://authentik.mydomain.com/outpost.goauthentik.io/
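For reference, here is the routing layout authentik's own Traefik documentation uses for "Forward auth (single application)" with the embedded outpost, written out as a Traefik file-provider configuration. This is an added example, not code from this issue or from the authentik_traefik project, and it assumes names that do not appear in the post: the authentik server container is reachable from Traefik as `authentik-server:9000` on the shared `proxy` network, the protected hosts are `app1.mydomain.com` and `app2.mydomain.com` served by containers `app1:8080` and `app2:8080`, and each host has its own Proxy Provider whose External host is exactly `https://<that host>`.

```yaml
# Added example (not from the issue or the authentik_traefik project).
# Assumptions: authentik-server:9000 is the authentik server on the "proxy"
# network; app1/app2.mydomain.com are the protected hosts; each has its own
# single-application Proxy Provider with a matching External host.
http:
  middlewares:
    authentik:
      forwardAuth:
        # Ask the embedded outpost over the internal network instead of going
        # back out through the public hostname.
        address: "http://authentik-server:9000/outpost.goauthentik.io/auth/traefik"
        # The outpost picks the provider from X-Forwarded-Host, so Traefik must
        # pass the original host along. Leave the entrypoint's forwardedHeaders
        # at its default (client-supplied X-Forwarded-* is dropped) so a client
        # cannot choose which provider answers for it.
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version

  routers:
    # Two routers per protected host.
    # 1) The application itself, behind the forwardAuth middleware.
    app1:
      rule: "Host(`app1.mydomain.com`)"
      entryPoints: [websecure]
      tls: {}
      priority: 10
      middlewares: [authentik]
      service: app1
    # 2) The outpost's callback and static paths on the SAME host, sent to
    #    authentik with no auth middleware and a higher priority so they win.
    app1-outpost:
      rule: "Host(`app1.mydomain.com`) && PathPrefix(`/outpost.goauthentik.io/`)"
      entryPoints: [websecure]
      tls: {}
      priority: 15
      service: authentik

    app2:
      rule: "Host(`app2.mydomain.com`)"
      entryPoints: [websecure]
      tls: {}
      priority: 10
      middlewares: [authentik]
      service: app2
    app2-outpost:
      rule: "Host(`app2.mydomain.com`) && PathPrefix(`/outpost.goauthentik.io/`)"
      entryPoints: [websecure]
      tls: {}
      priority: 15
      service: authentik

  services:
    authentik:
      loadBalancer:
        servers:
          - url: "http://authentik-server:9000/"
    app1:
      loadBalancer:
        servers:
          - url: "http://app1:8080/"
    app2:
      loadBalancer:
        servers:
          - url: "http://app2:8080/"
```

Drop this into the directory your Traefik file provider watches; the docker-label form in the post maps onto it key for key. The pairing that matters is the second router per host: every protected hostname needs its own `Host(...) && PathPrefix(`/outpost.goauthentik.io/`)` route to the authentik service, with no middleware and a higher priority than the application router, otherwise the login redirect lands on the app (or on a Traefik 404) instead of on authentik. A quick check after reloading: an unauthenticated request to `https://app1.mydomain.com/outpost.goauthentik.io/start` should be answered by authentik with a redirect into the login flow, not by the app and not with a 404.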

@e-o-j commented on GitHub (Apr 24, 2025):

I have the exact same problem


@jonathan8devs commented on GitHub (Apr 25, 2025):

@e-o-j
I've now got it working. I'll write how I solved it when I get a chance.
