Traefik Forward Auth - Single Applications

This guide will take you through setting up Forward Auth on Unraid for a single application using Authentik and Traefik.

Traefik Config

Before protecting your sites/applications with Authentik using its Forward Auth protection (similar to how Authelia works), you need to add a middleware to your Traefik dynamic config file (fileConfig.yml).

The snippet below should be added under the middlewares section. The address points Traefik at the embedded outpost running on the Authentik server container. trustForwardHeader passes the request's X-Forwarded-* headers on to Authentik, which needs them to know which host and URI are being protected; whether Traefik accepts those headers from the client in the first place is governed by the entrypoint's forwardedHeaders setting, which does not trust them by default. Defining the middleware protects nothing on its own: every application you want to protect must reference it from its own router.

PLEASE NOTE

If you already have the http and middlewares sections in your dynamic config you only need to add the authentik portion.

http:
  middlewares:
    authentik:
      forwardauth:
        address: http://authentik-server:9000/outpost.goauthentik.io/auth/traefik
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version

Authentik Container Labels

In addition to the standard container labels that are used to set up a container with Traefik, there is one additional label that is needed to support Forward Auth.

NOTE

This label is placed on your Authentik server container only.

Label:

traefik.http.routers.authentik.rule

Value:

Host(`auth.domain.com`) || HostRegexp(`{subdomain:[a-z0-9]+}.domain.com`) && PathPrefix(`/outpost.goauthentik.io/`)

Replace auth.domain.com with the subdomain you wish to use for Authentik, and replace domain.com inside the HostRegexp with your own domain only. Leave the {subdomain:[a-z0-9]+} placeholder exactly as written.

DO NOT PUT YOUR SUBDOMAIN IN PLACE OF {subdomain:[a-z0-9]+}

Two caveats on the placeholder: the character class [a-z0-9]+ matches neither hyphens nor nested subdomains, so an application served at my-app.domain.com would not be matched and its forward auth flow would fail; widen the class (for example [a-z0-9-]+) if you use such names. The {name:regex} placeholder form is Traefik v2 syntax; Traefik v3 dropped it and expects a plain Go regular expression such as HostRegexp(`^[a-z0-9]+\.domain\.com$`).

This rule does 2 things:

  1. Sets the standard subdomain where you will be able to access your Authentik login page

  2. Creates a regex host rule which routes any request on any subdomain of your domain whose path begins with /outpost.goauthentik.io/ to the Authentik outpost. The outpost uses that path on each protected hostname for its sign-in and callback handling, so forward auth will not function as expected without it.

Here's what the Traefik router labels on your Authentik server container will look like:

    labels:
      traefik.enable: true
      traefik.http.routers.authentik.entryPoints: https
      traefik.http.routers.authentik.rule: Host(`auth.domain.com`) || HostRegexp(`{subdomain:[a-z0-9]+}.domain.com`) && PathPrefix(`/outpost.goauthentik.io/`)
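For comparison, here is what the Traefik labels on a protected application container look like. This is an added example and not part of the original guide or the Authentik project: the container name myapp, the hostname myapp.domain.com and the internal port 8080 are assumptions, while the authentik middleware name and the https entrypoint come from the configuration above.

```yaml
# Added example (not from the original guide): labels for a protected
# application container. "myapp", myapp.domain.com and port 8080 are assumed.
labels:
  traefik.enable: true
  traefik.http.routers.myapp.entryPoints: https
  # The subdomain must stay within the [a-z0-9]+ class used by the Authentik
  # router's HostRegexp, otherwise /outpost.goauthentik.io/ on this host
  # never reaches the outpost and the login flow cannot complete.
  traefik.http.routers.myapp.rule: Host(`myapp.domain.com`)
  # Attach the forward auth middleware defined in fileConfig.yml. The @file
  # suffix is required because the middleware lives in the file provider,
  # not in the docker provider that reads these labels.
  traefik.http.routers.myapp.middlewares: authentik@file
  # Port the application listens on inside the container (assumed).
  traefik.http.services.myapp.loadbalancer.server.port: 8080
```

If the @file suffix is omitted Traefik looks for a middleware named authentik among the docker labels, logs that it cannot be found, and disables the router, so the application becomes unreachable rather than unprotected.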

Authentik Config

Head into your Authentik GUI, which should be accessible at auth.domain.com or whatever subdomain you configured in the previous steps.

  1. In the top-right corner, select Admin Interface

  2. Once in the admin interface, select Applications --> Applications from the navigation menu

  3. Create a new Application by selecting Create at the top of the page

  4. On the Create Application window which opens, enter the Application Name (this is used as the display name in the Authentik user interface) and the Slug (this is used when referencing the application from Authentik flows and other configuration; it is not used by forward auth)

Select Create Provider to create a new provider and select Proxy Provider on the page which opens.

Hit Next and select Forward Auth (Single Application), then fill in the New Provider page with the details of the application you are looking to protect, in particular the external host (the URL at which the application is reached through Traefik).

There are 2 different Authorization flows that can be selected for a provider, explicit or implicit:

  • Explicit will ask the user after logging in if they want to continue to the application

  • Implicit will automatically redirect the user to the application after authenticating with Authentik

On this page you can also set up bypass rules using the Unauthenticated Paths section. Each entry is a regular expression matched against the request path, and any request it matches is passed to the application without authentication. This is useful for mobile apps or API clients which cannot complete a browser login, but it means the application itself must enforce access control on those paths (for example the API keys that Radarr and Sonarr require).

Refer to the Authelia bypass rules for some examples; the syntax differs slightly between the two applications. Here's a list of the most common ones:

Use at your own discretion. Using these paths unauthenticated may help API-related queries pass through (such as Radarr, Sonarr, etc.); however, you may not need all of the below, and the patterns without a trailing slash (for example ^/agent.*) match any path that merely starts with that text, so include only what your application actually needs.

^/api/.*
^/api2/.*
^/identity/.*
^/triggers/.*
^/meshagents.*
^/meshsettings.*
^/agent.*
^/control.*
^/meshrelay.*
^/ui.*

Once you are happy with the provider configuration, hit Create. This should bring you back to the Create Application screen; select the newly created provider from the Provider dropdown.

Optionally, add in the Launch URL. This tells Authentik where to navigate when the application is selected from the user interface; if not set it will use the external host specified in the Provider.

Create the application and then navigate to the Outposts page under the Applications menu.

On the Outposts page, edit the authentik Embedded Outpost and select the application you just configured from the list (note: when setting up additional applications with forward auth you will need to select all of the applications you are protecting in this list).

Additionally, edit the authentik_host: line in the outpost configuration and replace the URL with the address you use to access Authentik externally (https://auth.domain.com in this guide). The outpost sends users to this address to log in, so it must be reachable from their browsers.

Click Update and the forward authentication setup for the application is complete. You can now open a private/incognito browser window and test the setup to ensure it is working correctly: loading the protected application should redirect you to the Authentik login page and, after login, back to the application.
