Cannot login behind Traefik, but ip:port works fine

[joshoram80]

Have you read the documentation?

• [x ] Yes, but it does not include related information regarding my question.
• [ ] Yes, but the steps described in the documentation do not work on my machine.
• [ ] Yes, but I am having difficulty understanding it and wants clarification.

You are setting up gotify in

• [x ] Docker
• [ ] Linux native platform
• [ ] Windows native platform

Describe your problem

Cannot login when accessing Gotify via Traefik, but login via IP:Port Works fine. Obviously this is not ideal

2024-03-15T19:43:15+11:00 | 401 | 24.478µs | 202.179.131.174 | POST "/client" Error #01: you need to provide a valid access token or user credentials to access this api

Ex: docker-compose.yml, nginx.conf, android logcat, browser requests, etc.

Compose Snippet

gotify:
    image: ghcr.io/gotify/server:latest
    container_name: gotify
    restart: unless-stopped
    networks:
      - t2_proxy
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=$TZ
    volumes:
      - $DOCKERDIR/appdata/gotify/data:/app/data
    ports:
      - 8044:80 #optional
    labels:
      - "traefik.enable=true"
      ## HTTP Local Auth Bypass
      - "traefik.http.routers.gotify-rtr-local.entrypoints=https"
      - "traefik.http.routers.gotify-rtr-local.rule=Host(`gotify.$DOMAINNAME`) && ClientIP(`192.168.0.0/24`)"
      - "traefik.http.routers.gotify-rtr-local.priority=100"
      - "traefik.http.routers.gotify-rtr-local.middlewares=middlewares-authentik@file"
      - "traefik.http.routers.gotify-rtr-local.service=gotify-svc"
      ## HTTP Routers
      - "traefik.http.routers.gotify-rtr.entrypoints=https"
      - "traefik.http.routers.gotify-rtr.rule=Host(`gotify.$DOMAINNAME`)"
      - "traefik.http.routers.gotify-rtr.priority=99"
      ## Middlewares
      - "traefik.http.routers.gotify-rtr.middlewares=middlewares-authentik@file"
      ## HTTP Services
      - "traefik.http.routers.gotify-rtr.service=gotify-svc"
      - "traefik.http.services.gotify-svc.loadbalancer.server.port=80"

The middleware in the snippet is just auth response headers for Authentik, nothing touches Basic Auth

[jmattheis]

show your middlewares-authentik@file.

[joshoram80]

middlewares-authentik: forwardAuth: address: "http://authentik_server:9000/outpost.goauthentik.io/auth/traefik" trustForwardHeader: true authResponseHeaders:

• X-authentik-username
• X-authentik-groups
• X-authentik-email
• X-authentik-name
• X-authentik-uid
• X-authentik-jwt
• X-authentik-meta-jwks
• X-authentik-meta-outpost
• X-authentik-meta-provider
• X-authentik-meta-app
• X-authentik-meta-version
• authorization

[jmattheis]

You've listed authorization in the authResponseHeaders. Basic auth uses this header.

[joshoram80]

Excellent! I Completely overlooked that. Thanks :D