Description
I see that you have already dealt with the subject in depth. I have a problem that I can't get solved and I haven't gotten any response in my GitHub ticket yet. Maybe you have a tip for me.
My main problem is that as long as I have forward auth (domain level) active, forward auth (single application) is ignored and I cannot explicitly protect applications.
Describe your question
I’ve tried all the available approaches, including the options described in the documentation. However, I keep getting a “Not Found” page. This page fails to load the CSS files or images and does not redirect to authentication in Authentik.
How can I successfully set up “Forward Auth (single application)” for multiple servers and in general?
Relevant info
- Removed “Forward auth (Domain level)” from the Outposts to disable it.
- Created a “New provider” -> “Proxy Provider” -> “Forward auth (single application)”.
- Added another application and assigned it to the provider.
- Added the new provider to the Outposts.
Screenshots
Version and Deployment
- Authentik via Docker
- Authentik version (Server/Worker): 2024.12.3
- Host 01: Authentik + Applications
- Host 02: Applications
Additional context
services:
  postgresql:
    container_name: authentik_postgres
    environment:
      POSTGRES_DB: authentik
      POSTGRES_PASSWORD: mypostgresspassword
      POSTGRES_USER: authentik
    hostname: authentik-postgres
    healthcheck:
      test:
        - CMD-SHELL
        - pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}
      timeout: 5s
      interval: 30s
      retries: 5
      start_period: 20s
    image: docker.io/library/postgres:16-alpine
    networks:
      default: null
    restart: unless-stopped
    volumes:
      - "./data/database:/var/lib/postgresql/data"
  redis:
    command:
      - --save
      - "60"
      - "1"
      - --loglevel
      - warning
    container_name: authentik_redis
    hostname: authentik-redis
    healthcheck:
      test:
        - CMD-SHELL
        - redis-cli ping | grep PONG
      timeout: 3s
      interval: 30s
      retries: 5
      start_period: 20s
    image: docker.io/library/redis:alpine
    networks:
      default: null
    restart: unless-stopped
    volumes:
      - "./data/redis:/data"
  server:
    command:
      - server
    container_name: authentik_server
    environment:
      AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL: "false"
      AUTHENTIK_DEFAULT_USER_CHANGE_NAME: "true"
      AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME: "false"
      AUTHENTIK_ERROR_REPORTING__ENABLED: "false"
      AUTHENTIK_LOG_LEVEL: trace
      AUTHENTIK_POSTGRESQL__HOST: authentik-postgres
      AUTHENTIK_POSTGRESQL__NAME: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: mypostgresspassword
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_REDIS__HOST: authentik-redis
      AUTHENTIK_SECRET_KEY: mysecretkey
      PGID: "0"
      PUID: "0"
      TZ: Europe/Berlin
    hostname: authentik-server
    image: ghcr.io/goauthentik/server:2024.12
    labels:
      traefik.enable: "true"
      traefik.http.routers.authentik.entrypoints: websecure
      traefik.http.routers.authentik.rule: Host(`authentik.mydomain.com`) || HostRegexp(`{subdomain:[a-z0-9.]+}.mydomain.com`) && PathPrefix(`/outpost.goauthentik.io/`)
      traefik.http.routers.authentik.service: authentik
      traefik.http.routers.authentik.tls: "true"
      traefik.http.routers.authentik.tls.certresolver: tls_resolver
      traefik.http.services.authentik.loadBalancer.server.port: "9000"
    networks:
      default: null
      proxy: null
    restart: unless-stopped
    volumes:
      - "./data/authentik/media:/media"
      - "./data/authentik/custom-templates:/templates"
  worker:
    command:
      - worker
    container_name: authentik_worker
    environment:
      AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL: "false"
      AUTHENTIK_DEFAULT_USER_CHANGE_NAME: "true"
      AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME: "false"
      AUTHENTIK_ERROR_REPORTING__ENABLED: "false"
      AUTHENTIK_LOG_LEVEL: trace
      AUTHENTIK_POSTGRESQL__HOST: authentik-postgres
      AUTHENTIK_POSTGRESQL__NAME: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: mypostgresspassword
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_REDIS__HOST: authentik-redis
      AUTHENTIK_SECRET_KEY: mysecretkey
      PGID: "0"
      PUID: "0"
      TZ: Europe/Berlin
    hostname: authentik-worker
    image: ghcr.io/goauthentik/server:2024.12
    networks:
      default: null
    restart: unless-stopped
    user: root
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
      - "./data/authentik/media:/media"
      - "./data/authentik/custom-templates:/templates"
networks:
  default:
    name: authentik
    driver: bridge
    attachable: true
  proxy:
    name: proxy
    external: true

Dynamic conf of Traefik
http:
  middlewares:
    authentik:
      forwardAuth:
        address: "https://authentik.8devs.com/outpost.goauthentik.io/auth/traefik"
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version
App configuration
labels:
  traefik.docker.network: proxy
  traefik.enable: "true"
  traefik.http.routers.myprojec.entrypoints: websecure
  traefik.http.routers.myprojec.rule: Host(`app1.mydomain.com`)
  traefik.http.routers.myprojec.priority: 10
  traefik.http.routers.myprojec.middlewares: authentik@file
  traefik.http.routers.myprojec.tls: "true"
  traefik.http.routers.myprojec.tls.certresolver: http_resolver
  traefik.http.routers.myprojec.service: myprojec
  traefik.http.services.myprojec.loadbalancer.server.port: "8080"
  traefik.http.routers.myprojec-auth.rule: Host(`app1.mydomain.com`) && PathPrefix(`/outpost.goauthentik.io/`)
  traefik.http.routers.myprojec-auth.priority: 15
  traefik.http.routers.myprojec-auth.service: myprojec-auth
  traefik.http.services.myprojec-auth.loadbalancer.server.url: https://authentik.mydomain.com/outpost.goauthentik.io/
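The following diagnostic is an added example, not code from this issue, authentik or Traefik. It probes the app host named in the issue (app1.mydomain.com) and assumes that the proxy outpost answers /outpost.goauthentik.io/ping with 204 and that, in single-application mode, an unauthenticated request is redirected to /outpost.goauthentik.io/start on the app's own host rather than on the authentik host; a 404 on either probe points at the Traefik routing of that path prefix, which matches the "Not Found" symptom above.

```python
import urllib.error
import urllib.request
from urllib.parse import urlparse

OUTPOST_PREFIX = "/outpost.goauthentik.io/"  # path the outpost must own on every protected host

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Keep a 302 so its Location header can be inspected instead of being followed."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def probe(url):
    """One unauthenticated GET; returns (status, headers) without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx all land here
        return err.code, dict(err.headers)

def classify(app_host, path, status, headers):
    """Pure decision logic, checkable offline against captured responses.

    Expected in single-application mode (assumed from the issue's setup):
      /outpost.goauthentik.io/ping -> 204 from the outpost, served on the app host
      any other path, no session   -> 302 to /outpost.goauthentik.io/start on the SAME host
    A 404 on either path matches the "Not Found" symptom: Traefik is not sending
    /outpost.goauthentik.io/ on app1.mydomain.com to the outpost.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if path == OUTPOST_PREFIX + "ping":
        return "ok" if status == 204 else "outpost-unreachable"
    if status == 200:
        return "not-protected"  # the app answered without any login
    if status not in (301, 302, 303, 307):
        return "unexpected-%d" % status
    loc = urlparse(hdrs.get("location", ""))
    if not loc.path.startswith(OUTPOST_PREFIX + "start"):
        return "redirect-elsewhere"
    return "ok" if loc.hostname in (None, app_host) else "redirect-wrong-host"

def check_host(app_host):
    """Run both probes against one app host and return {path: verdict}."""
    return {p: classify(app_host, p, *probe("https://%s%s" % (app_host, p)))
            for p in (OUTPOST_PREFIX + "ping", "/")}

if __name__ == "__main__":
    for path, verdict in check_host("app1.mydomain.com").items():  # hostname from the issue
        print(path, verdict)
```

A "redirect-wrong-host" verdict (Location pointing at the authentik host) indicates the domain-level flow is still answering for that host, which is the behaviour the issue describes.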