mirror of
https://github.com/brokenscripts/authentik_traefik.git
synced 2026-04-26 19:55:48 +03:00
[GH-ISSUE #14] Issues with access #13
Originally created by @EBS-DarkD on GitHub (May 10, 2025).
Original GitHub issue: https://github.com/brokenscripts/authentik_traefik/issues/14
I'm running Portainer BE (2.27.6 LTS) stacks with a stack for the reverse proxy and a stack for each of my apps (I've lots). I was running Authelia but want to try to set up SSO for my various apps and have been having shits 'n' giggles with OpenLDAP!
Traefik 3.4.0 stack:

```yaml
traefik:
  <<: *common-keys-core
  container_name: traefik
  image: traefik:latest
  command:
    - --global.checkNewVersion=true
    - --global.sendAnonymousUsage=false
    ## Logging
    - --log=true
    - --log.level=INFO
    - --accessLog=true
    - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
    - --accessLog.filters.statusCodes=204-299,400-499,500-599
    ## API
    - --api=true
    - --api.dashboard=true
    - --api.insecure=true
    ## Basic Entry Points
    - --entryPoints.http.address=:80
    - --entryPoints.https.address=:443
    - --entryPoints.traefik.address=:8080
    - --entrypoints.https.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22,127.0.0.1/32,10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
    ## Basic Providers
    - --providers.docker=true
    - --providers.docker.exposedByDefault=false
    - --providers.docker.network=t2_proxy
    - --providers.file.directory=/rules
    - --providers.file.watch=true
    ## Adv Entry Points
    - --entrypoints.https.http.tls.options=tls-opts@file
    - --entrypoints.https.http.tls.certresolver=dns-cloudflare
    - --entrypoints.https.http.tls.domains[0].main=am-baker.com
    - --entrypoints.https.http.tls.domains[0].sans=*.am-baker.com
    ## Cert Resolution
    #- --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
    - --certificatesResolvers.dns-cloudflare.acme.email=chief@window-lickers.com
    - --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json
    - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
    - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
    - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.delayBeforeCheck=90
    - --serversTransport.insecureSkipVerify=true
    ## Metrics
    - --metrics.prometheus=true
    - --metrics.prometheus.buckets=0.1,0.3,1.2,5.0
```
This is working OK under Authelia. I've also added a middleware into the Traefik:

```yaml
middleware-authentik:
  forwardAuth:
    address: "http://window-lickers.com:9000/outpost.goauthentik.io/auth/traefik"
    trustForwardHeader: true
    authResponseHeaders:
```

For authentik, I've got the following set, with a whole list of items in the stack.env:

```yaml
authentik:
  <<: [*common-keys-apps, *common-keys-dep]
  image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.4.0}
  container_name: authentik
  command: server
  environment:
    AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
    AUTHENTIK_REDIS__HOST: ${REDIS_HOST}
    AUTHENTIK_POSTGRESQL__HOST: ${PG_HOST}
    AUTHENTIK_POSTGRESQL__USER: ${PG_USER}
    AUTHENTIK_POSTGRESQL__NAME: ${PG_DB}
    AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
  volumes:
    - /opt/docker/appdata/authentik/app/media:/media
    - /opt/docker/appdata/authentik/app/templates:/templates
  env_file:
    - stack.env
  networks:
    t2_proxy:
      ipv4_address: 192.168.92.23
    socket_proxy:
      ipv4_address: 192.168.90.23
  ports:
    - 9000:9000
    - 9443:9443
  labels:
    - "traefik.enable=true"
    ## HTTP Routers
    - "traefik.http.routers.authentik-rtr.entrypoints=https"
    - "traefik.http.routers.authentik-rtr.rule=Host(`authentik.${DOMAINNAME}`)"
    ## Individual Application forwardAuth regex (catch any subdomain using individual application forwardAuth)
    - "traefik.http.routers.authentik-output-rtr.rule=HostRegexp(`{subdomain:[a-z0-9-]+}.${DOMAINNAME}`) && PathPrefix(`/outpost.goauthentik.io/`)"
    ## HTTP Services
    - "traefik.http.routers.authentik-rtr.service=authentik-svc"
    - "traefik.http.services.authentik-svc.loadBalancer.server.port=9443"

# Worker
authworker:
  <<: [*common-keys-apps, *common-keys-dep]
  image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.4.0}
  command: worker
  container_name: auth-worker
  environment:
    AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
    AUTHENTIK_REDIS__HOST: ${REDIS_HOST}
    AUTHENTIK_POSTGRESQL__HOST: ${PG_HOST}
    AUTHENTIK_POSTGRESQL__USER: ${PG_USER}
    AUTHENTIK_POSTGRESQL__NAME: ${PG_DB}
    AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
  user: root
  volumes:
    - /var/run/docker.sock:/var/run/docker.sock
    - /docker/appdata/authentik/app/media:/media
    - /docker/appdata/authentik/app/certs:/certs
    - /docker/appdata/authentik/app/templates:/templates
  env_file:
    - stack.env
  networks:
    t2_proxy:
    socket_proxy:
```
Having gone through all the steps of your setup (I think), I get to the point where I try to access the authentik interface to log in and administer it.
It works on http://window-lickers.com:9000 but I can't access it via https://window-lickers.com:9443.
How have you got your HTTPS working?
I went through your catch-all steps using the wizard and got it so I could access one of the running containers, but the login page was HTTP, not HTTPS!
Hope you can give me some clues as to what I need to tweak/hit with a baseball bat to get this damn thing working!
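As an added example, not taken from the issue above or from the authentik_traefik repository, here is the same forwardAuth wiring written as a Traefik v3 file-provider dynamic configuration (the kind of file the `--providers.file.directory=/rules` setting in the stack above would load). It spells out the pieces the Docker labels leave implicit: the response headers the middleware forwards to the protected app (the names authentik's outpost documentation lists; verify them against your authentik version), a `HostRegexp` in the plain Go regexp form Traefik v3 requires (v3 no longer accepts the v2 `{name:regex}` form), and a service that targets authentik's 9443 listener with an `https://` URL, since authentik serves plain HTTP on 9000 and TLS on 9443 while Traefik talks http to upstreams unless told otherwise. The domain `example.com`, the upstream addresses `authentik:9000` and `authentik:9443` (reachable by container name on the shared `t2_proxy` network) and the file path are assumptions.

```yaml
# Added example: Traefik v3 file-provider dynamic config, e.g. /rules/authentik.yml.
# Not from the original issue or the authentik_traefik repo. The domain
# example.com and the upstream addresses are assumptions.
http:
  middlewares:
    middleware-authentik:
      forwardAuth:
        # Assumed: the embedded outpost is reachable by container name on t2_proxy
        address: "http://authentik:9000/outpost.goauthentik.io/auth/traefik"
        trustForwardHeader: true
        # Headers the outpost sets on a successful auth response; only the ones
        # listed here are copied onto the request that reaches the protected app
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version

  routers:
    authentik-rtr:
      entryPoints: [https]
      rule: "Host(`authentik.example.com`)"
      service: authentik-svc
    # Catch /outpost.goauthentik.io/ on any subdomain. Traefik v3 HostRegexp takes
    # a plain Go regexp; the v2 `{subdomain:[a-z0-9-]+}` named-group form is not accepted.
    authentik-outpost-rtr:
      entryPoints: [https]
      rule: "HostRegexp(`^[a-z0-9-]+\\.example\\.com$`) && PathPrefix(`/outpost.goauthentik.io/`)"
      service: authentik-svc

  services:
    authentik-svc:
      loadBalancer:
        serversTransport: authentik-transport
        servers:
          # authentik listens on 9000 (HTTP) and 9443 (HTTPS); a 9443 target needs https
          - url: "https://authentik:9443"

  serversTransports:
    # Scoped to this one upstream instead of --serversTransport.insecureSkipVerify=true
    # for every backend; authentik's default self-signed certificate would not
    # validate otherwise. Swap in a trusted certificate (rootCAs) when you have one.
    authentik-transport:
      insecureSkipVerify: true
```

The router rules and middleware keys here are the file-provider equivalents of the `traefik.http.*` labels in the stack above, so a mismatch between the two forms (backticks missing around rule arguments, or a service port of 9443 paired with the default http scheme) is the first thing to compare when the dashboard shows the router but the browser never reaches the login page.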