[Solved] Forward Auth in Traefik / Docker environment not working #2180
Comments
+1 for this. |
I'm having the same issue. It seems like the outpost has a problem with the connection through traefik. When I directly connect to the outpost it doesn't have any issue. |
Hi! Thanks for the feedback. Don't know when the integration was last used / tested successfully, but there is a slight chance that a recent update of Traefik might have caused this. @winterolym and @Jafner, can you state the versions of Traefik and Authentik as well as the type of installation (assuming docker) you are running, to help someone more knowledgeable than us to find a clue? In order to help debugging the Traefik side, I have set up another Nginx/PHP-fpm container as a fake forward auth proxy / traefik middleware. That container simply returns the 200 code (authenticated), but logs all the headers received from traefik. Traefik contacts that host on the internal docker network via http://172.128.0.x/handler.php. Here are the relevant headers when I call /_phpinfo.php on the target host:
Next step would be to debug how the Authentik proxy uses that data, and whether there is something wrong with this initial data it gets from Traefik in the first place. Hope that helps. I'd be willing to dig deeper into this, but without help, I haven't been able to figure out the exact workflow that follows in the Authentik Forward Auth proxy. |
@agrimpelhuber I'm running both traefik 2.6.0 and authentik 2022.1.3 with docker compose. |
…h_domain Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> #2180
@agrimpelhuber @Jafner @winterolym could you try out the latest build, which should fix this issue. See https://goauthentik.io/docs/installation/beta, just replace gh-next with gh-master |
Sorry, no change, neither in the result nor in the log output. Here's the output from the forward proxy:
What can I do? |
Which error do you get with that? From the logs it seems all right, application is found based on cookie domain, it's detected the traefik params, and is redirecting you to login, which should carry forward to your browser |
Sorry, I implied that - the same as above:
|
If I connect to the https://app.mydomain.com it will redirect me to https://auth.mydomain.com/akprox/start and it gives me this error.
However when I bypass traefik and go to http://auth.mydomain.com:9000/akprox/start it redirects me to this url If I change the url to this After I login I get redirected to this url |
@BeryJu , I tried to follow your code in order to provide more information, but got lost between the redirect to The more I look at it, the more I get the feeling that we need some more log output between those stages. For example, is the function handleRedirect still involved in the whole thing? What is written into which cookie, and is something lost, due to Traefik? The findings of @winterolym suggest this. |
I'm pretty sure I actually know what's causing this; from the looks of it both of you are running authentik on auth.domain.tld, and then also using auth.domain.tld as external host for an outpost. This leads to requests to app.domain.tld going internally to the outpost, but since that's configured for auth.domain.tld, it redirects to that, however on that domain the embedded outpost seems to have a higher routing priority, and since the embedded outpost does not have the application selected, it errors. Can both of you try using the embedded outpost instead of a separate outpost? |
After giving the outpost the higher priority in traefik everything works now. Thank you so much. |
@BeryJu , you are a genius! Thanks ever so much! @winterolym has beaten me by 2 hours. Maybe because I was running the integrated outpost, and had to figure out how to set the priority there, and to what values:
What I wasn't aware of was not only the fact that the priority was part of the problem, but that traefik actually calculates the priority based on the actual number of characters in the router's rule. Thus, "50" didn't work for the proxy without setting "1" for Authentik itself, because the rule of the authentik docker was way longer. Which again was another problem I had caused by accident: When you'd normally think that the rule with "/akprox" would be naturally longer than the one without, ...
... it fell on my feet because in order to debug far more basic stuff, I had configured 2 subdomains for Authentic - doh
I hope this helps other people to avoid similar mistakes. @BeryJu, I didn't succeed to use variables like %(name)s in the docker_labels configuration to avoid writing "b650b531e5384d3ba8e8e605eac1938d" time and time again. But that would be luxury - at least it's working now! |
I'll add something to the docs for this setup, is there any reason you aren't using the embedded outpost? That shouldn't cause any of these issues. For the labels @agrimpelhuber I'm gonna change it so labels aren't based on the UUID and instead follow the same naming template as the container itself |
I'm using the embedded outpost, so I guess the question applies to @winterolym. In hindsight, my problem was the long traefik rule itself. To be positive, we would never have found the cause without my initial mistake in the first place. Thanks for the labels! Looking forward (-auth - pun intended) to put all my apps behind authentik now! |
@BeryJu I couldn't get the embedded outpost to redirect properly after the authentication. It redirected me to https://auth.domain.tld/if/user/#/library instead of the application. |
I am using the embedded proxy and I am encountering these issues. I'm getting a little lost in all the configuration changes I've been making, so I'll post here where I'm starting from:

Authentik compose file:

```yaml
version: '3.2'
services:
  postgresql:
    image: postgres:12-alpine
    restart: unless-stopped
    networks:
      - authentik
    volumes:
      - database:/var/lib/postgresql/data
    environment:
      - POSTGRES_PASSWORD=${PG_PASS}
      - POSTGRES_USER=${PG_USER:-authentik}
      - POSTGRES_DB=${PG_DB:-authentik}
    env_file:
      - .env
  redis:
    image: redis:alpine
    networks:
      - authentik
    restart: unless-stopped
  server:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.1.3}
    networks:
      authentik:
      web:
        aliases:
          - authentik-server
    #ports:
    #  - 9000:9000
    restart: unless-stopped
    command: server
    environment:
      AUTHENTIK_HOST: https://auth.jafner.net
      #AUTHENTIK_HOST: http://authentik-server:9000
      AUTHENTIK_HOST_BROWSER: https://auth.jafner.net
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    volumes:
      - ${DOCKER_DATA}/media:/media
      - ${DOCKER_DATA}/custom-templates:/templates
    env_file:
      - .env
    labels:
      traefik.http.routers.authentik.rule: Host(`auth.mydomain.com`)
      traefik.http.routers.authentik.entrypoints: websecure
      traefik.http.routers.authentik-auth.rule: Host(`app.mydomain.dev`) && PathPrefix(`/akprox/`)
      traefik.http.routers.authentik-auth.entrypoints: websecure
      traefik.http.routers.authentik.tls.certresolver: lets-encrypt
      traefik.http.services.authentik.loadbalancer.server.port: 9000
      traefik.http.middlewares.authentik.forwardauth.address: https://auth.mydomain.com/akprox/auth/traefik
      #traefik.http.middlewares.authentik.forwardauth.address: http://authentik-server:9000/akprox/auth/traefik
      traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true
      traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version
  worker:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.1.3}
    restart: unless-stopped
    networks:
      - authentik
    command: worker
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    user: root
    volumes:
      - ${DOCKER_DATA}/backups:/backups
      - ${DOCKER_DATA}/media:/media
      - ${DOCKER_DATA}/certs:/certs
      - /var/run/docker.sock:/var/run/docker.sock
      - ${DOCKER_DATA}/custom-templates:/templates
    env_file:
      - .env
volumes:
  database:
    driver: local
networks:
  authentik:
  web:
    external: true
```

Authentik Compose .env file

Application labels:

```yaml
labels:
  - traefik.http.routers.app.rule=Host(`app.mydomain.com`)
  - traefik.http.routers.app.tls.certresolver=lets-encrypt
  - traefik.http.routers.app.middlewares=authentik@docker
```

Authentik Embedded Outpost configuration

Authentik Provider configuration

Authentik Application configuration

With this configuration, going to https://app.mydomain.com returns:

```json
{
  "Message": "no app for hostname",
  "Host": "auth.mydomain.com",
  "Detail": "Check the outpost settings and make sure 'auth.mydomain.com' is included."
}
```
|
If I switch the values of |
@winterolym Can you share what your config looks like now? Particularly the compose for Authentik |
@Jafner, I'll try to help you to clean this up as much as I can. Let's see how far we get. I'll start from the top:

Compose File
As far as I can tell, you are mixing up the Authentik Server and the Forward Proxy. Not a good idea, no matter whether you want to use the embedded one, or a manual setup. The Forward Auth Proxy needs a separate container, separate image etc. So IMHO, remove those lines:
Next, fix your middleware. Don't use the FQDN, but the internal docker hostname on the common network to communicate. Not But something like For an embedded proxy, the server name is generated from the naming scheme. "ak-outpost-" is the standard prefix, "forward-auth" is, in my example, generated from my Outpost's name "Forward Auth". Since you might have a problem (mis-)using the "authentik Embedded Outpost" (see below), that's something to consider once your proxy container is running, and has an internal hostname on the docker network.

.env file
Scrap the Dev-Server / -image lines, the config should work with the current version. Get rid of

Application
Just a question: Without the middleware enabled, does your application run OK?

Authentik Application / Provider / Outpost
That looks a bit like a mess-up. Provider and application look OK to me, even though I have no experience with single application forward auth (yet). My main point, however: Did you really modify the "authentik Embedded Outpost" that was already there?
And then build an extra proxy outpost, enable your application in its configuration, and tweak the rest of the parameters. When you save the configuration, Authentik should bring up a separate forward auth proxy container in docker. I don't expect forward auth to be working at that time. I guess one of the major steps will be the configuration of the docker network, so Traefik, Authentik, the forward proxy and your application can communicate. But that's something for tomorrow, after you have cleaned up a bit. |
I won't be able to get back to my homelab until tomorrow, but I really appreciate the guidance. I'll be implementing your recommendations and reporting back |
@Jafner Sorry for the late reply, just woke up. I'm using local docker integration in the outpost to make a dedicated docker container.

Docker Compose
My authentik container docker compose file has these labels added to the server container.
I've set the priority to 1 so the automatically created outpost could have a higher priority at all times (because traefik calculates priority from the rule's length).

Provider
I'm using Forward auth (domain level)

Outpost
I didn't change much in the outpost. I created a new outpost with
Changed configurations:

Middleware
I'm using a config.yml. |
@winterolym 👍 : Funny, it turns out that the source of your problem was exactly the same as mine - Authentik core server/host running under two subdomains, and the long rule messing up Traefik's priorities.
@BeryJu, as a suggestion, could the "normal" Authentik server, when generating the message right at the top of my initial post, identify itself? That way, we might have spotted the confusion between the two hosts earlier. I'm wondering why the core host answers requests to /akprox/start at all - backwards compatibility? |
I think the core-host.tld/akprox/start is linked to the embedded outpost. Also, I think you should go to the discussions tab for further discussion. |
@winterolym, good point. Should have suggested it myself when I closed the issue and marked it solved. Sorry! |
Could one of those who finally found a solution update the project: https://github.com/goauthentik/testing-setups |
@zizounetgit, I can only speak for my setup, but the example you linked (I refer specifically to the docker-compose file) explicitly pulls up the proxy as a separate docker container / service. That is not how my setup works: In my setup, I have only configured Authentik (with authentik, -worker, -redis and -db) in my docker-compose file. The whole runs behind a dockerized Traefik installation. Then, when I configure the forward auth provider in Authentik's GUI, Authentik is intelligent enough (actually WOW!) to automatically (automagically) pull up a separate Forward Auth proxy container in docker, AND register it with Traefik. That's what this whole ticket here was about: The automatic setup didn't work properly, routes' priorities in Traefik got mixed up, but that should be fixed by now. Actually: There seems to be an option where you configure the Forward Auth proxy manually. However, I wouldn't know how to keep Authentik from automatically creating its own proxy container. |
Can you walk me through your whole setup if you don't mind? Me and some friends are having issues setting up authentik (domain level forward auth) with traefik. Tried using the setups above with no luck. |
Hi @steRnbear87 , sorry for the late reply, my notifications don't work reliably. Before I go into too much detail, do you know these 2 sources?
This whole issue developed out of the fact that I configured my Forward Auth according to the documentation, but it didn't work as expected. From my view, the most important step was #2180 (comment) about the priorities. Since then, my Forward Auth has been running flawlessly, so I expect my original configuration, plus #2180 (comment), minus the improvements Authentik may have received during the meantime, should do the trick. If it doesn't and you get stuck, open a new "question" issue and mention me, before this one gets too clogged with off-topic stuff. Cheers! |
I was able to find a solution to this, at least in kubernetes. I had to modify the middleware url in the traefik config to point directly to the outpost service instead of the generic authentik one. So the correct value was this for me: Check exactly what your service name is, as it might be different depending on what you named your outpost, what helm chart you're using, etc. So my whole middleware config is:
And my service being like so:
|
To prevent some of you from getting mad over configuring the forward auth, I'd like to share an insight with you.

```json
{
  "Message": "no app for hostname",
  "Host": "auth.mydomain.com",
  "Detail": "Check the outpost settings and make sure 'auth.mydomain.com' is included."
}
```

The reason for it is that Traefik doesn't trust itself regarding forwarded headers. But if you add the IP of the host which runs Traefik (neither 127.0.0.1 nor its internal docker IP) to Traefik's static config under trusted IPs, the error is gone and authentication/authorization works. e.g.

```yaml
entryPoints:
  web:
    address: ":80"
    forwardedHeaders:
      trustedIPs:
        - "192.168.0.100"
```
|
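The mechanism behind the comment above, as an added runnable model (example code written for this thread, not Traefik's or authentik's code). It simplifies two documented Traefik behaviours: the ForwardAuth middleware calls the auth server with X-Forwarded-Method/-Proto/-Host/-Uri/-For describing the original request, and an entrypoint discards incoming X-Forwarded-* headers from any peer not listed in `forwardedHeaders.trustedIPs`. When the forwardauth address is the public name, the auth sub-request re-enters Traefik from the Traefik host's own IP; if that IP is untrusted, X-Forwarded-Host is replaced by the Host of the sub-request and the outpost sees auth.mydomain.com instead of app.mydomain.com. The hostnames, the client and host IPs, the internal container name `ak-outpost-forward-auth` and the app table are constructed assumptions.

```python
"""Why a forward-auth call can reach the outpost with the wrong host, as a model.

Added example for this thread; not Traefik's or authentik's code. It models, in
simplified form, Traefik's trustedIPs handling at the entrypoint, the headers the
ForwardAuth middleware sends to the auth server, and an outpost that selects the
application by forwarded host. Hostnames, IPs and the app table are constructed.
"""
import ipaddress
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

XFWD = ("X-Forwarded-For", "X-Forwarded-Host", "X-Forwarded-Proto",
        "X-Forwarded-Uri", "X-Forwarded-Method", "X-Real-Ip")
EDGE_HOSTS = {"auth.mydomain.com", "app.mydomain.com"}  # names Traefik serves (assumed)


def is_trusted(remote_ip: str, trusted_ips: List[str]) -> bool:
    addr = ipaddress.ip_address(remote_ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in trusted_ips)


def edge_ingress(headers: Dict[str, str], remote_ip: str, host: str,
                 trusted_ips: List[str]) -> Dict[str, str]:
    """Entrypoint model: drop X-Forwarded-* from an untrusted peer, then fill in
    the proxy's own view of the connection it accepted."""
    out = dict(headers)
    if not is_trusted(remote_ip, trusted_ips):
        for name in XFWD:
            out.pop(name, None)
    out.setdefault("X-Forwarded-Host", host)
    out.setdefault("X-Forwarded-Proto", "https")
    out["X-Forwarded-For"] = ", ".join(
        v for v in (out.get("X-Forwarded-For"), remote_ip) if v)
    return out


def forward_auth_call(original: Dict[str, str], method: str, uri: str,
                      auth_address: str) -> Tuple[str, Dict[str, str]]:
    """ForwardAuth model: build the sub-request sent to the auth server and
    return (target hostname, headers)."""
    target = urlsplit(auth_address).hostname
    return target, {
        "Host": target,
        "X-Forwarded-Method": method,
        "X-Forwarded-Proto": original["X-Forwarded-Proto"],
        "X-Forwarded-Host": original["X-Forwarded-Host"],
        "X-Forwarded-Uri": uri,
        "X-Forwarded-For": original["X-Forwarded-For"],
    }


def outpost_auth(headers: Dict[str, str], app_hosts: Dict[str, str]) -> Tuple[int, dict]:
    """Outpost model: select the application from the forwarded host and refuse
    unknown hosts instead of guessing (a real outpost then checks the session)."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    if host not in app_hosts:
        return 400, {"Message": "no app for hostname", "Host": host}
    return 200, {"app": app_hosts[host]}


def simulate(auth_address: str, trusted_ips: List[str],
             traefik_host_ip: str = "192.168.0.100") -> Tuple[int, dict]:
    """Browser -> Traefik -> ForwardAuth sub-request -> outpost, end to end."""
    app_hosts = {"app.mydomain.com": "app"}          # constructed outpost host list
    req = edge_ingress({}, "203.0.113.5", "app.mydomain.com", trusted_ips)
    target, auth_hdrs = forward_auth_call(req, "GET", "/handler.php", auth_address)
    if target in EDGE_HOSTS:
        # Public address: the sub-request loops back through the entrypoint, now
        # arriving from the Traefik host itself, and is trust-checked again.
        auth_hdrs = edge_ingress(auth_hdrs, traefik_host_ip, target, trusted_ips)
    return outpost_auth(auth_hdrs, app_hosts)


if __name__ == "__main__":
    public = "https://auth.mydomain.com/akprox/auth/traefik"
    internal = "http://ak-outpost-forward-auth:9000/akprox/auth/traefik"
    print("public address, host untrusted:", simulate(public, []))
    print("public address, host trusted:  ", simulate(public, ["192.168.0.100"]))
    print("internal address:              ", simulate(internal, []))
```

Two things follow from the model. Pointing the middleware at the outpost's internal name on the docker network, as suggested earlier in this thread, avoids the loop entirely and needs no trustedIPs entry. If you do list trustedIPs, list only your own proxy hops: any peer in that list can set X-Forwarded-Host itself and thereby choose which application's policy the outpost evaluates, so a broad range such as 0.0.0.0/0 (or Traefik's `insecure: true`) hands that choice to every client.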
To resolve the issue you need to use http://ip-address:9000/outpost.goauthentik.io/auth/traefik instead of http://authentik_server:9000/outpost.goauthentik.io/auth/traefik. Then the issue will be resolved. |
Describe your question
Trying to set up Forward Auth in front of a simple web application (Nginx+php-fpm in a container, for testing purposes) within a Docker / Traefik environment, description below. Whatever I try, no matter how much documentation or code I read, I end up with 2 different scenarios, depending on the setup.
Single Application setup: At best an infinite loop on Authentik's login form
Domain Application setup: HTTP code 400 and
EDIT: The most likely cause for this problem is the routing in Traefik. The above message does not come from the Forward Auth proxy outpost, but rather from Authentik itself, running under the same domain auth.mydomain.com as the proxy does. It's very likely you need to adjust route priorities in Traefik. Specifics in the comments.
---- Original post ----
Assuming that I'm doing something wrong, I give as much information as possible below for someone smart to spot the probably simple / stupid / obvious mistake I'm making. If it's not that obvious, I'll provide more info straight away.
Relevant infos
Setup I'm starting with:
app.mydomain.com
auth.mydomain.com
from the internet
Trying to set up Forward Auth with the following steps / configuration:
Host(`auth.mydomain.com`) && PathPrefix(`/akprox`)
However, when I call https://app.mydomain.com, I'm automatically redirected (even when not authorized) to https://auth.mydomain.com/akprox/start with the "no app for hostname" output.
Screenshots
n/a
Logs
Output of container "authentik-outpost-forward-auth" (trace):
What is weird: The call to https://app.mydomain.com/handler.php does not even seem to reach the authentik core.
Version and Deployment (please complete the following information):
Additional context
n/a