ahembree / ansible-hms-docker

Ansible playbook for automated home media server setup
GNU General Public License v3.0
391 stars 47 forks

transmission via authentik only secures transmission-proxy #35

Closed TiiFuchs closed 1 month ago

TiiFuchs commented 9 months ago

When enabling expose_to_public and authentik via container_map.yml for transmission, only the transmission-proxy.[domain] gets "secured". But via transmission.[domain] transmission itself is accessible without any authentication or whitelist.

What is the desired configuration to make transmission accessible under transmission.[domain] via authentik and nothing else?

TiiFuchs commented 9 months ago

The service proxy-hms@docker has the configured transmission.[domain] route and an additional transmission-proxy.[domain] route in traefik configured. I didn't figure out where the transmission-proxy route comes from. It's not configured in any default or custom vars yml.

TiiFuchs commented 9 months ago

Looks like this in traefik: [screenshot: CleanShot 2023-09-20 at 11 27 14]

The transmission-proxy route has the authentik-proxy-hms-transmission-midware@docker middleware, but the transmission route has not.

I'm confused because traefik says the transmission-proxy route comes from Docker provider. But in the docker-compose.yml this route is not even once mentioned in a traefik label. docker inspect on the transmission-proxy container does not show any label either.

ahembree commented 9 months ago

> What is the desired configuration to make transmission accessible under transmission.[domain] via authentik and nothing else?

Enable Authentik and then in the container_map.yml for transmission (change expose_to_public if you need):

...
  transmission:
    enabled: yes
    proxy_host_rule: transmission
    directory: yes
    traefik: yes
    authentik: yes
    authentik_provider_type: proxy
    expose_to_public: no
    homepage: yes
    homepage_stats: yes
...

After this, you will need to configure the Authentik Outpost by following https://github.com/ahembree/ansible-hms-docker/blob/master/docs/Authentik.md#important-note

I'm not sure why you're seeing the transmission-proxy as a rule, since the proxy container is what actually has the traefik rule for transmission. I haven't been able to replicate this. Traefik also has exposedByDefault disabled, so there shouldn't be any sort of auto-detection doing this.

TiiFuchs commented 9 months ago

This tells me I configured everything correctly. Nonetheless, the transmission route is not secured by authentik; the transmission-proxy route is. I configured basic auth on transmission via the environment variables in the corresponding vars file as a workaround.

If I can help to figure this out, I'm happy to do so.

ahembree commented 6 months ago

Finally got some time to do a little more troubleshooting and I was able to get Transmission accessible and protected by Traefik outside my home network by doing the following:

I'm still unable to replicate the issue with having the transmission-proxy route as well. Have you been able to run updates by chance to see if a newer version happened to fix anything? It may be an issue with the Traefik config file (default location is /opt/hms-docker/apps/traefik/config/traefik.yml) since exposedByDefault defaults to true which would cause this behavior.

ahembree commented 1 month ago

Closing due to inactivity
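
Added example (not part of the original thread and not the project's code): a Python check over the router list returned by Traefik's /api/http/routers API endpoint, reporting any service that is reachable both through a hostname carrying an authentik middleware and through one without, which is the mismatch described in this issue. The sample JSON is constructed; the router names and example.com are placeholders, while the service and middleware names are the ones quoted in the thread.

```python
import json
import re

# Constructed sample shaped like Traefik's GET /api/http/routers response.
# Router names and example.com are placeholders (assumptions); the service
# and middleware names are the ones quoted in the thread.
SAMPLE_ROUTERS = json.loads("""
[
  {"name": "transmission@docker", "provider": "docker",
   "rule": "Host(`transmission.example.com`)",
   "service": "proxy-hms@docker"},
  {"name": "transmission-proxy@docker", "provider": "docker",
   "rule": "Host(`transmission-proxy.example.com`)",
   "service": "proxy-hms@docker",
   "middlewares": ["authentik-proxy-hms-transmission-midware@docker"]}
]
""")

HOST_CALL = re.compile(r"Host\(([^)]*)\)")   # does not match HostRegexp(...)
BACKTICKED = re.compile(r"`([^`]+)`")


def hosts_in_rule(rule):
    """Return hostnames from every Host(`a`, `b`) matcher in a router rule."""
    hosts = []
    for args in HOST_CALL.findall(rule):
        hosts.extend(BACKTICKED.findall(args))
    return hosts


def audit(routers, marker="authentik"):
    """Map each service to its hostnames with and without a `marker` middleware."""
    report = {}
    for r in routers:
        # Traefik omits the "middlewares" key when a router has none attached.
        guarded = any(marker in m for m in r.get("middlewares", []))
        entry = report.setdefault(r["service"], {"protected": [], "open": []})
        entry["protected" if guarded else "open"].extend(hosts_in_rule(r.get("rule", "")))
    return report


def bypassable(report):
    """Services exposed through both a protected and an unprotected hostname."""
    return {s: e["open"] for s, e in report.items() if e["protected"] and e["open"]}


if __name__ == "__main__":
    for service, hosts in bypassable(audit(SAMPLE_ROUTERS)).items():
        print(f"{service}: no authentik middleware on {', '.join(hosts)}")
```

To check a running instance, replace SAMPLE_ROUTERS with the JSON returned by the /api/http/routers endpoint, which requires the Traefik API to be enabled.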