Traefik, Authentik forward auth example

README.md

Deploying Traefik using forward proxy mode with Authentik

This is an example guide how to deploy Authentik with Traefik in forward auth proxy mode - that means that any application behind the proxy will be automatically authenticated by Traefik. This allows better reuse of code and completely moves user management to Traefik & Authentik.

In this guide we use custom DNS to make the requests nicer and to show that it works with DNS. So step #1 is to put following records to your /etc/hosts (for example by sudo nano /etc/hosts and adding these values)

# domains needed for traefik & authentik example
127.0.0.1 app.example.com
127.0.0.1 auth.example.com

Now we need to start the applications - it is not completely automated, even thought we set the dependencies, Traefik does not pick the middleware from the beginning, so it's better to start it one by one. Also check the logs per app if it started. First make sure you have correct docker-compose.yml file in the current folder (part of this gist).

1. start databases -> docker compose up -d postgresql redis
2. start worker & authentik server -> docker compose up -d worker server
3. now go to http://localhost:9000/if/flow/initial-setup/ and create new account for authentik (the username is akadmin)
4. setup application http://localhost:9000/if/admin/#/core/applications including provider
5. when setting up provider, choose Forward auth (single application) option
6. setup outpost http://localhost:9000/if/admin/#/outpost/outposts that points to the application
7. click on View Deployment Info and copy token -> this token then put to the docker-compose.yml to authentik-proxy service as environment variable AUTHENTIK_TOKEN=<copied data>
8. start proxy -> docker compose up -d authentik-proxy
9. start our real app -> docker compose up -d whoami
10. if logs look good (especially authentik-proxy needs to be checked), start Traefik -> docker compose up -d traefik
11. now everything should be up & running -> app is accessible from app.example.com and authentik admin interface from auth.example.com
12. go to app and you will be asked to log in, use credentials created in step #3

docker-compose.yml

version: '3.8'

services:
  traefik:
    image: traefik:v2.8
    container_name: traefik
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    ports:
      - "80:80"
    depends_on:
      - server
      - whoami
    command:
      - "--api"
      - "--providers.docker=true"
      - "--providers.docker.exposedByDefault=false"
      - "--entrypoints.web.address=:80"

  server:
    image: ghcr.io/goauthentik/server:2022.7.3
    command: server
    environment:
      - AUTHENTIK_REDIS__HOST=redis
      - AUTHENTIK_POSTGRESQL__HOST=postgresql
      - AUTHENTIK_POSTGRESQL__USER=authentik
      - AUTHENTIK_POSTGRESQL__NAME=authentik
      - AUTHENTIK_POSTGRESQL__PASSWORD=authentik
      - AUTHENTIK_ERROR_REPORTING__ENABLED=true
      - AUTHENTIK_SECRET_KEY=iO6XOk2wSIa5Q3bWt7G4263LqTlCKu4o
    ports:
      - "9000:9000"
    depends_on:
      - worker
      - postgresql
      - redis
    labels:
      - "traefik.enable=true"
      - "traefik.port=9000"
      - "traefik.http.routers.server.rule=Host(`auth.example.com`)"

  worker:
    image: ghcr.io/goauthentik/server:2022.7.3
    command: worker
    environment:
      - AUTHENTIK_REDIS__HOST=redis
      - AUTHENTIK_POSTGRESQL__HOST=postgresql
      - AUTHENTIK_POSTGRESQL__USER=authentik
      - AUTHENTIK_POSTGRESQL__NAME=authentik
      - AUTHENTIK_POSTGRESQL__PASSWORD=authentik
      - AUTHENTIK_ERROR_REPORTING__ENABLED=true
      - AUTHENTIK_SECRET_KEY=iO6XOk2wSIa5Q3bWt7G4263LqTlCKu4o
    user: root
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock

  authentik-proxy:
    image: ghcr.io/goauthentik/proxy
    ports:
      - "9091:9000"
    environment:
      - AUTHENTIK_HOST=http://server:9000
      - AUTHENTIK_INSECURE=true
      - AUTHENTIK_TOKEN=setme #generated by authentik when outpost is created
      - AUTHENTIK_HOST_BROWSER=http://auth.example.com
      - AUTHENTIK_DEBUG=true
    depends_on:
      - server
    labels:
      - "traefik.enable=true"
      - "traefik.port=9000"
      - "traefik.http.routers.authentik-proxy.rule=Host(`app.example.com`) && PathPrefix(`/outpost.goauthentik.io/`)"
      - "traefik.http.middlewares.authentik.forwardauth.address=http://authentik-proxy:9000/outpost.goauthentik.io/auth/traefik"
      - "traefik.http.middlewares.authentik.forwardauth.trustForwardHeader=true"
      - "traefik.http.middlewares.authentik.forwardauth.authResponseHeaders=X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version"

  whoami:
    image: containous/whoami
    depends_on:
      - authentik-proxy
    labels:
      - "traefik.enable=true"
      - "traefik.port=80"
      - "traefik.http.routers.whoami.rule=Host(`app.example.com`)"
      - "traefik.http.routers.whoami.middlewares=authentik@docker"

  postgresql:
    image: postgres:12-alpine
    healthcheck:
      test: [ "CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}" ]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - database:/var/lib/postgresql/data
    environment:
      - POSTGRES_PASSWORD=authentik
      - POSTGRES_USER=authentik
      - POSTGRES_DB=authentik

  redis:
    image: redis:alpine
    healthcheck:
      test: [ "CMD-SHELL", "redis-cli ping | grep PONG" ]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s

volumes:
  database:

My confusion comes from app.example.com.
It doesn't make sense to specify app.example.com within authentik-proxy:. I have multiple apps that need to be redirected from Authentik. And in the other examples I've seen, the traefik host redirecting outpost is placed in the authentik-server, not the proxy.