Skip to content

Instantly share code, notes, and snippets.

@LukasForst

LukasForst/README.md

Last active March 5, 2025 06:01
Show Gist options
  • Save LukasForst/9898e08b6290821d6ccfcd0b6ad4f376 to your computer and use it in GitHub Desktop.
Save LukasForst/9898e08b6290821d6ccfcd0b6ad4f376 to your computer and use it in GitHub Desktop.
Download ZIP
Traefik, Authentik forward auth example
Raw
README.md

Deploying Traefik using forward proxy mode with Authentik

This is an example guide how to deploy Authentik with Traefik in forward auth proxy mode - that means that any application behind the proxy will be automatically authenticated by Traefik. This allows better reuse of code and completely moves user management to Traefik & Authentik.

In this guide we use custom DNS to make the requests nicer and to show that it works with DNS. So step #1 is to put following records to your /etc/hosts (for example by sudo nano /etc/hosts and adding these values)

# domains needed for traefik & authentik example
127.0.0.1 app.example.com
127.0.0.1 auth.example.com

Now we need to start the applications - it is not completely automated, even thought we set the dependencies, Traefik does not pick the middleware from the beginning, so it's better to start it one by one. Also check the logs per app if it started. First make sure you have correct docker-compose.yml file in the current folder (part of this gist).

  1. start databases -> docker compose up -d postgresql redis
  2. start worker & authentik server -> docker compose up -d worker server
  3. now go to http://localhost:9000/if/flow/initial-setup/ and create new account for authentik (the username is akadmin)
  4. setup application http://localhost:9000/if/admin/#/core/applications including provider
  5. when setting up provider, choose Forward auth (single application) option
  6. setup outpost http://localhost:9000/if/admin/#/outpost/outposts that points to the application
  7. click on View Deployment Info and copy token -> this token then put to the docker-compose.yml to authentik-proxy service as environment variable AUTHENTIK_TOKEN=<copied data>
  8. start proxy -> docker compose up -d authentik-proxy
  9. start our real app -> docker compose up -d whoami
  10. if logs look good (especially authentik-proxy needs to be checked), start Traefik -> docker compose up -d traefik
  11. now everything should be up & running -> app is accessible from app.example.com and authentik admin interface from auth.example.com
  12. go to app and you will be asked to log in, use credentials created in step #3
Raw
docker-compose.yml
version: '3.8'
services:
traefik:
image: traefik:v2.8
container_name: traefik
volumes:
- /var/run/docker.sock:/var/run/docker.sock
ports:
- "80:80"
depends_on:
- server
- whoami
command:
- "--api"
- "--providers.docker=true"
- "--providers.docker.exposedByDefault=false"
- "--entrypoints.web.address=:80"
server:
image: ghcr.io/goauthentik/server:2022.7.3
command: server
environment:
- AUTHENTIK_REDIS__HOST=redis
- AUTHENTIK_POSTGRESQL__HOST=postgresql
- AUTHENTIK_POSTGRESQL__USER=authentik
- AUTHENTIK_POSTGRESQL__NAME=authentik
- AUTHENTIK_POSTGRESQL__PASSWORD=authentik
- AUTHENTIK_ERROR_REPORTING__ENABLED=true
- AUTHENTIK_SECRET_KEY=iO6XOk2wSIa5Q3bWt7G4263LqTlCKu4o
ports:
- "9000:9000"
depends_on:
- worker
- postgresql
- redis
labels:
- "traefik.enable=true"
- "traefik.port=9000"
- "traefik.http.routers.server.rule=Host(`auth.example.com`)"
worker:
image: ghcr.io/goauthentik/server:2022.7.3
command: worker
environment:
- AUTHENTIK_REDIS__HOST=redis
- AUTHENTIK_POSTGRESQL__HOST=postgresql
- AUTHENTIK_POSTGRESQL__USER=authentik
- AUTHENTIK_POSTGRESQL__NAME=authentik
- AUTHENTIK_POSTGRESQL__PASSWORD=authentik
- AUTHENTIK_ERROR_REPORTING__ENABLED=true
- AUTHENTIK_SECRET_KEY=iO6XOk2wSIa5Q3bWt7G4263LqTlCKu4o
user: root
volumes:
- /var/run/docker.sock:/var/run/docker.sock
authentik-proxy:
image: ghcr.io/goauthentik/proxy
ports:
- "9091:9000"
environment:
- AUTHENTIK_HOST=http://server:9000
- AUTHENTIK_INSECURE=true
- AUTHENTIK_TOKEN=setme #generated by authentik when outpost is created
- AUTHENTIK_HOST_BROWSER=http://auth.example.com
- AUTHENTIK_DEBUG=true
depends_on:
- server
labels:
- "traefik.enable=true"
- "traefik.port=9000"
- "traefik.http.routers.authentik-proxy.rule=Host(`app.example.com`) && PathPrefix(`/outpost.goauthentik.io/`)"
- "traefik.http.middlewares.authentik.forwardauth.address=http://authentik-proxy:9000/outpost.goauthentik.io/auth/traefik"
- "traefik.http.middlewares.authentik.forwardauth.trustForwardHeader=true"
- "traefik.http.middlewares.authentik.forwardauth.authResponseHeaders=X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version"
whoami:
image: containous/whoami
depends_on:
- authentik-proxy
labels:
- "traefik.enable=true"
- "traefik.port=80"
- "traefik.http.routers.whoami.rule=Host(`app.example.com`)"
- "traefik.http.routers.whoami.middlewares=authentik@docker"
postgresql:
image: postgres:12-alpine
healthcheck:
test: [ "CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}" ]
start_period: 20s
interval: 30s
retries: 5
timeout: 5s
volumes:
- database:/var/lib/postgresql/data
environment:
- POSTGRES_PASSWORD=authentik
- POSTGRES_USER=authentik
- POSTGRES_DB=authentik
redis:
image: redis:alpine
healthcheck:
test: [ "CMD-SHELL", "redis-cli ping | grep PONG" ]
start_period: 20s
interval: 30s
retries: 5
timeout: 3s
volumes:
database:
@airbornetrooper82573
Copy link

Can you expand a bit on creating the app and provider? For the provider I don't see the option Forward Auth. I see
LDAP Provider
Allow applications to authenticate against authentik's users using LDAP.

OAuth2/OpenID Provider
OAuth2 Provider for generic OAuth and OpenID Connect Applications.

Proxy Provider
Protect applications that don't support any of the other Protocols by using a Reverse-Proxy.

SAML Provider
SAML 2.0 Endpoint for applications which support SAML.

SAML Provider from Metadata
Create a SAML Provider by importing its Metadata.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment