goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

Authentik + traefik labels doesn't prompt for authentication. #9825

Open AnisseH opened 4 months ago

AnisseH commented 4 months ago

Describe your question

I want to put some apps that don't provide authentication behind the Authentik wall. So I've configured the provider, the app for the traefik proxy, and the outpost. For testing, I've run up a whoami container and put the label on it to route it through Authentik, but it doesn't prompt for login; it's going directly to the webpage.

Relevant info

Authentik: 2024.4.2
Traefik: 2.11.1

Screenshots

```
Hostname: 1d66117e8bf0
IP: 127.0.0.1
IP: ::1
IP: 172.18.0.7
RemoteAddr: 172.18.0.3:60776
GET / HTTP/1.1
Host: whoami.domain.tld
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36 Edg/125.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: fr,fr-FR;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cache-Control: no-cache
Pragma: no-cache
Priority: u=0, i
Sec-Ch-Ua: "Microsoft Edge";v="125", "Chromium";v="125", "Not.A/Brand";v="24"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 172.18.0.1
X-Forwarded-Host: whoami.domain.tld
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: 3ed78c0f5347
X-Real-Ip: 172.18.0.1
```

my provider setup [image]

my outpost config [image]

my application setup [image]


Version and Deployment

```yaml
services:
  postgresql:
    image: docker.io/library/postgres:12-alpine
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    networks:
      - authentik-internal
    volumes:
      - database:/var/lib/postgresql/data
    environment:
      POSTGRES_PASSWORD: ${PG_PASS}
      POSTGRES_USER: ${PG_USER:-authentik}
      POSTGRES_DB: ${PG_DB:-authentik}
    env_file:
      - .env
  redis:
    image: docker.io/library/redis:alpine
    command: --save 60 1 --loglevel warning
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    networks:
      - authentik-internal
    volumes:
      - redis:/data
  server:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.4.2}
    container_name: authentik_server
    restart: unless-stopped
    command: server
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
    volumes:
      - ./media:/media
      - ./custom-templates:/templates
    env_file:
      - .env
    depends_on:
      - postgresql
      - redis
    networks:
      - traefik-servicenet
      - authentik-internal
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.authentik.entrypoints=web"
      - "traefik.http.routers.authentik.rule=Host(`authentik.domain.tld`)"
      - "traefik.http.middlewares.authentik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.authentik.middlewares=authentik-https-redirect"
      - "traefik.http.routers.authentik-secure.entrypoints=web-secure"
      - "traefik.http.routers.authentik-secure.rule=Host(`authentik.domain.tld`)"
      - "traefik.http.routers.authentik-secure.tls=true"
      - "traefik.http.services.authentik.loadbalancer.server.port=9000"
      - "traefik.docker.network=traefik-servicenet"
      - "traefik.http.routers.authentik-secure.tls.certresolver=tlschallenge"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
  worker:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.4.2}
    restart: unless-stopped
    container_name: worker
    command: worker
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
    user: root
    volumes:
      - /run/user/1000/docker.sock:/var/run/docker.sock
      - ./media:/media
      - ./certs:/certs
      - ./custom-templates:/templates
    env_file:
      - .env
    depends_on:
      - postgresql
      - redis
    networks:
      - authentik-internal
volumes:
  database:
    driver: local
  redis:
    driver: local

networks:
  traefik-servicenet:
    external: true
    name: traefik-servicenet
  authentik-internal:
    external: true
```

my middleware:

```yaml
http:
  middlewares:
    middlewares-authentik:
      forwardAuth:
        address: "http://authentik_server:9000/outpost.goauthentik.io/auth/traefik"
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version
    crowdsec-bouncer:
      forwardauth:
        address: http://bouncer-traefik:8080/api/v1/forwardAuth
        trustForwardHeader: true
```

the whoami compose file:

```yaml
services:
  whoami:
    image: traefik/whoami
    networks:
      - traefik-servicenet
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whomai.entrypoints=web"
      - "traefik.http.routers.whomai.rule=Host(`whoami.domain.tld`)"
      - "traefik.http.middlewares.whomai-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.whomai.middlewares=whomai-https-redirect"
      - "traefik.http.routers.whomai-secure.entrypoints=web-secure"
      - "traefik.http.routers.whomai-secure.rule=Host(`whoami.domain.tld`)"
      - "traefik.http.routers.whomai-secure.tls=true"
      - "traefik.http.services.whoami.loadbalancer.server.port=80"
      - "traefik.docker.network=traefik-servicenet"
      - "traefik.http.routers.whomai-secure.tls.certresolver=tlschallenge"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.whoami.middlewares=middlewares-authentik@file"
networks:
  traefik-servicenet:
    external: true
```

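A label audit in Python, added here as an example and not part of the issue thread or the authentik project: it parses the whoami container's traefik labels exactly as posted above (router names kept as written) and reports every router that has a rule but no forwardAuth middleware, plus any middleware attachment on a router name that defines no rule. The middleware name `middlewares-authentik@file` is the one from the file-provider config above; the label list is embedded as constructed sample input.

```python
import re
from collections import defaultdict

# Constructed sample input: the whoami labels as posted in the issue.
WHOAMI_LABELS = [
    "traefik.enable=true",
    "traefik.http.routers.whomai.entrypoints=web",
    "traefik.http.routers.whomai.rule=Host(`whoami.domain.tld`)",
    "traefik.http.middlewares.whomai-https-redirect.redirectscheme.scheme=https",
    "traefik.http.routers.whomai.middlewares=whomai-https-redirect",
    "traefik.http.routers.whomai-secure.entrypoints=web-secure",
    "traefik.http.routers.whomai-secure.rule=Host(`whoami.domain.tld`)",
    "traefik.http.routers.whomai-secure.tls=true",
    "traefik.http.services.whoami.loadbalancer.server.port=80",
    "traefik.http.routers.whoami.middlewares=middlewares-authentik@file",
]

ROUTER_RE = re.compile(r"^traefik\.http\.routers\.([^.]+)\.(.+)$")
MIDDLEWARE_RE = re.compile(r"^traefik\.http\.middlewares\.([^.]+)\.(.+)$")

def parse_labels(labels):
    """Return ({router: {option: value}}, {names of redirectscheme middlewares})."""
    routers, redirect_mws = defaultdict(dict), set()
    for label in labels:
        key, _, value = label.partition("=")
        if (m := ROUTER_RE.match(key)):
            routers[m.group(1)][m.group(2)] = value
        elif (m := MIDDLEWARE_RE.match(key)) and m.group(2).startswith("redirectscheme"):
            redirect_mws.add(m.group(1))
    return dict(routers), redirect_mws

def audit_forward_auth(labels, auth_middleware):
    """Flag routers that serve traffic without the forwardAuth middleware, and
    middleware attachments on router names that have no rule (usually a typo)."""
    routers, redirect_mws = parse_labels(labels)
    findings = []
    for name, opts in sorted(routers.items()):
        mws = [m.strip() for m in opts.get("middlewares", "").split(",") if m.strip()]
        if "rule" not in opts:
            findings.append(f"router '{name}' has middlewares {mws} but no rule (typo?)")
        elif any(m in redirect_mws for m in mws):
            continue  # HTTP->HTTPS redirect router never reaches the backend
        elif auth_middleware not in mws:
            findings.append(f"router '{name}' is not protected by {auth_middleware}")
    return findings

if __name__ == "__main__":
    for finding in audit_forward_auth(WHOAMI_LABELS, "middlewares-authentik@file"):
        print(finding)
```

Run against the posted labels it reports that `middlewares-authentik@file` is attached to a router named `whoami`, which has no rule, while the TLS router `whomai-secure` carries no middleware at all; moving the attachment onto `whomai-secure` clears both findings.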

hanley-development commented 4 months ago

Try changing the name of the service from server to authentik_server. I think that was my issue previously.

AnisseH commented 4 months ago

> Try changing the name of the service from server to authentik_server. I think that was my issue previously.

Hi, I've tried, but it's still the same issue.

BeryJu commented 2 weeks ago

I don't know enough about traefik to help with this. Does the middleware show up correctly in the traefik web interface? Also, on the proxy provider, do you have any unauthenticated paths set?