1. The problem I’m having:
After updating Authelia to version v4.38.2 and implementing their new suggested Multi-Domain Protection & Authorization Endpoints, I am having issues accessing some of my containers.
Specifically, some are working as before, but Portainer and InfluxDB are refusing to log in. They do pass Authelia's 2FA just fine, which indicates the redirect is working fine, but they fail on their own authentication form. If I move the proxy configuration back to "legacy" from "forward-auth", then those two containers do work again.
If I remove "Authorization" and "Proxy-Authorization" from the headers, then everything is working, but I am not sure if removing them is an OK thing to do.
copy_headers Authorization Proxy-Authorization Remote-User Remote-Groups Remote-Email Remote-Name
I already opened a bug report on the Authelia GitHub, but I do wonder if someone here could have any idea of what might be the issue.
Thanks in advance.
2. Error messages and/or full log output:
Caddy/Portainer do not output any errors in their logs with the log level set to info. Below are logs from InfluxDB, which complains during authentication.
ts=2024-03-16T10:56:15.381601Z lvl=info msg=Unauthorized log_id=0nxun9EW000 error="token required"
ts=2024-03-16T10:56:18.744638Z lvl=error msg="api error encountered" log_id=0nxun9EW000 handler=session error="unauthorized access"
ts=2024-03-16T10:56:25.792017Z lvl=error msg="api error encountered" log_id=0nxun9EW000 handler=session error="unauthorized access"
ts=2024-03-16T10:56:33.315416Z lvl=error msg="api error encountered" log_id=0nxun9EW000 handler=session error="unauthorized access"
ts=2024-03-16T10:56:42.326859Z lvl=error msg="api error encountered" log_id=0nxun9EW000 handler=session error="unauthorized access"
3. Caddy version:
v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=
4. How I installed and ran Caddy:
Docker compose.
a. System environment:
Docker.
b. Service/unit/compose file:
Keep in mind that Portainer is using the old /api/verify to make it work, since if I use /api/authz it will not let me log in to Portainer.
Grafana is working fine using the new configuration, while Portainer and InfluxDB fail to log in.
name: konvei
services:
  caddy:
    networks:
      konvei:
        ipv4_address: 172.18.0.2
    ports:
      - 443:443
      - 443:443/udp
    container_name: caddy
    restart: always
    volumes:
      - /home/admin/dockerdata/caddy/data:/data/caddy
      - /home/admin/dockerdata/caddy/logs:/var/log/caddy
      - /home/admin/dockerdata/caddy/config:/config/caddy
      - /home/admin/dockerdata/caddy/config/Caddyfile:/etc/caddy/Caddyfile
    environment:
      - TZ=Europe/Athens
    cap_add:
      - NET_ADMIN
    image: caddy:latest
  portainer:
    networks:
      konvei:
        ipv4_address: 172.18.0.3
    container_name: portainer
    depends_on:
      - authelia
    restart: always
    volumes:
      - /usr/share/zoneinfo/Europe/Athens:/etc/localtime
      - /var/run/docker.sock:/var/run/docker.sock
      - /home/admin/dockerdata/portainer/data:/data
    image: portainer/portainer-ce:latest
  grafana:
    networks:
      konvei:
        ipv4_address: 172.18.0.6
    container_name: grafana
    depends_on:
      - authelia
      - influxdb
    restart: always
    user: "0"
    volumes:
      - /home/admin/dockerdata/grafana/data:/var/lib/grafana
      - /home/admin/dockerdata/grafana/config/custom.ini:/etc/grafana/grafana.ini
    image: grafana/grafana-oss:latest
  authelia:
    networks:
      konvei:
        ipv4_address: 172.18.0.7
    container_name: authelia
    depends_on:
      - caddy
    restart: always
    volumes:
      - /home/admin/dockerdata/authelia/config:/config
      - /home/admin/dockerdata/authelia/logs:/var/log/authelia
    environment:
      - AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE=/config/secrets/jwt
      - AUTHELIA_SESSION_SECRET_FILE=/config/secrets/session
      - AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=/config/secrets/storage
      - AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/config/secrets/smtp
      - TZ=Europe/Athens
    image: authelia/authelia:latest
  influxdb:
    networks:
      konvei:
        ipv4_address: 172.18.0.10
    container_name: influxdb
    depends_on:
      - authelia
    restart: always
    volumes:
      - /home/admin/dockerdata/influxdb/config:/etc/influxdb2
      - /home/admin/dockerdata/influxdb/data:/var/lib/influxdb2
    image: influxdb:latest
networks:
  konvei:
    external: true
    name: konvei
c. My complete Caddy config:
Keep in mind that Portainer is using the old /api/verify to make it work, since if I use /api/authz it will not let me log in to Portainer.
{
    admin off
    email redacted@gmail.com
}

auth.redacted.pro {
    encode gzip
    reverse_proxy http://authelia:9091
    log {
        output file /var/log/caddy/authelia.log
    }
}

redacted.pro www.redacted.pro {
    encode gzip
    forward_auth authelia:9091 {
        uri /api/authz/forward-auth
        copy_headers Authorization Proxy-Authorization Remote-User Remote-Groups Remote-Email Remote-Name
    }
    reverse_proxy http://homepage:3000 {
    }
    log {
        output file /var/log/caddy/homepage.log
    }
}

port.redacted.pro {
    forward_auth authelia:9091 {
        uri /api/verify?rd=https://auth.redacted.pro/
        copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
    }
    reverse_proxy http://portainer:9000 {
    }
    log {
        output file /var/log/caddy/portainer.log
    }
}

info.redacted.pro {
    encode gzip
    forward_auth authelia:9091 {
        uri /api/authz/forward-auth
        copy_headers Authorization Proxy-Authorization Remote-User Remote-Groups Remote-Email Remote-Name
    }
    reverse_proxy http://grafana:3080 {
    }
    log {
        output file /var/log/caddy/grafana.log
    }
}

vpn.redacted.pro {
    encode gzip
    forward_auth authelia:9091 {
        uri /api/authz/forward-auth
        copy_headers Authorization Proxy-Authorization Remote-User Remote-Groups Remote-Email Remote-Name
    }
    reverse_proxy http://wireguard:51821 {
    }
    log {
        output file /var/log/caddy/wireguard.log
    }
}

remote.redacted.pro {
    encode gzip
    forward_auth authelia:9091 {
        uri /api/authz/forward-auth
        copy_headers Authorization Proxy-Authorization Remote-User Remote-Groups Remote-Email Remote-Name
    }
    reverse_proxy http://meshcentral:444 {
    }
    log {
        output file /var/log/caddy/meshcentral.log
    }
}

db.redacted.pro {
    encode gzip
    forward_auth authelia:9091 {
        uri /api/authz/forward-auth
        copy_headers Authorization Proxy-Authorization Remote-User Remote-Groups Remote-Email Remote-Name
    }
    reverse_proxy http://influxdb:8088
    log {
        output file /var/log/caddy/influxdb.log
    }
}
d. My complete Authelia config:
The Authelia configuration is done to comply with their new suggested changes in v4.38.2.
Notice that I have both "Legacy" and "ForwardAuth" active in the config; this is done to allow Portainer to work for now until I find what is wrong.
###############################################################
# Authelia configuration
###############################################################

server:
  address: 'tcp://0.0.0.0:9091/'
  endpoints:
    authz:
      forward-auth:
        implementation: 'ForwardAuth'
      legacy:
        implementation: 'Legacy'

log:
  level: 'info'
  format: 'json'
  file_path: '/var/log/authelia/authelia.log'
  keep_stdout: true

totp:
  disable: false
  issuer: 'redacted'
  algorithm: 'sha1'
  digits: 6
  period: 30
  skew: 1

webauthn:
  disable: true

authentication_backend:
  password_reset:
    disable: true
  file:
    path: '/config/users_database.yml'
    password:
      algorithm: 'argon2id'
      iterations: 1
      salt_length: 16
      parallelism: 8
      memory: 64

access_control:
  default_policy: 'deny'
  rules:
    - domain:
        - 'auth.redacted.pro'
      policy: 'bypass'
    - domain:
        - 'remote.redacted.pro'
      policy: 'bypass'
      resources:
        - '^/meshagents.*$'
        - '^/meshsettings.*$'
        - '^/agent.*$'
        - '^/control.*$'
        - '^/meshrelay.*$'
        - '^/sharing.*$'
        - '^/scripts.*$'
        - '^/styles.*$'
        - '^/images.*$'
        - '^/favicon.*$'
    - domain:
        - 'redacted.pro'
        - 'www.redacted.pro'
      policy: 'one_factor'
    - domain:
        - 'remote.redacted.pro'
        - 'port.redacted.pro'
        - 'vpn.redacted.pro'
        - 'info.redacted.pro'
        - 'db.redacted.pro'
      policy: 'two_factor'

session:
  name: 'authelia_session'
  same_site: 'lax'
  expiration: '2h'
  inactivity: '1h'
  remember_me: -1
  cookies:
    - domain: 'redacted.pro'
      authelia_url: 'https://auth.redacted.pro'
      default_redirection_url: 'https://redacted.pro'

regulation:
  max_retries: 4
  find_time: '2m'
  ban_time: '4h'

theme: dark

storage:
  local:
    path: '/config/db.sqlite3'

notifier:
  smtp:
    address: 'smtp://mail.smtp2go.com:587'
    username: 'redacted.pro'
    sender: "redacted support@redacted.pro"
    subject: "[redacted] {title}"
    startup_check_address: 'redacted@gmail.com'
    disable_require_tls: false
    disable_html_emails: false
    tls:
      server_name: 'mail.smtp2go.com'
      skip_verify: false
      minimum_version: 'TLS1.2'
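The post's open question is what `copy_headers Authorization Proxy-Authorization ...` does to an application that carries its own credential in the `Authorization` header, as InfluxDB does with its API token and Portainer with its bearer token. Caddy documents `copy_headers` as copying the listed headers from the auth server's response onto the request that goes upstream. The script below is an added illustration, not Caddy's or Authelia's code: it models that copy step on constructed request and response headers and compares the posted header list with the identity-only list the poster tested. Whether Caddy clears a listed header that the auth response does not return, or leaves the client's value untouched, is modelled as the `clear_when_absent` switch and is an assumption about the behaviour, not a statement about the poster's Caddy build; the hostnames, token and user values are constructed samples.

```python
"""Model of a forward_auth copy_headers step (illustrative, not Caddy's code).

Shows two defender-relevant effects of the list of copied headers:
  1. Copying "Authorization" lets the auth server's reply decide what
     credential the backend sees; if the reply carries none and the proxy
     clears absent headers, the app's own token disappears.
  2. Copying the Remote-* identity headers overwrites any value a client
     put there itself, so the backend only ever sees the auth server's values.
"""
from typing import Dict, List

# Constructed sample: what a client sends to the InfluxDB vhost, including
# InfluxDB's own credential in Authorization (assumed token value).
CLIENT_REQUEST: Dict[str, str] = {
    "Host": "db.redacted.pro",
    "Cookie": "authelia_session=constructed-session-cookie",
    "Authorization": "Token constructed-influx-api-token",
}

# Constructed sample: a 200 reply from the auth endpoint carrying identity
# headers only, with no Authorization header of its own.
AUTH_RESPONSE_200: Dict[str, str] = {
    "Remote-User": "alice",
    "Remote-Groups": "admins",
    "Remote-Email": "alice@example.invalid",
    "Remote-Name": "Alice",
}

# The two copy_headers lists from the post.
COPY_HEADERS_AS_POSTED: List[str] = [
    "Authorization", "Proxy-Authorization",
    "Remote-User", "Remote-Groups", "Remote-Email", "Remote-Name",
]
COPY_HEADERS_IDENTITY_ONLY: List[str] = [
    "Remote-User", "Remote-Groups", "Remote-Email", "Remote-Name",
]


def canonical(name: str) -> str:
    """HTTP header names are case-insensitive; normalise to Canonical-Form."""
    return "-".join(part.capitalize() for part in name.split("-"))


def apply_copy_headers(client_request: Dict[str, str],
                       auth_response: Dict[str, str],
                       copy_headers: List[str],
                       clear_when_absent: bool = True) -> Dict[str, str]:
    """Return the headers the backend would receive after a 2xx auth reply.

    Assumption (not verified against Caddy source): each listed header is
    set to the auth response's value; when the response lacks it, the
    header is removed if clear_when_absent is True, else left as sent.
    """
    upstream = {canonical(k): v for k, v in client_request.items()}
    response = {canonical(k): v for k, v in auth_response.items()}
    for raw in copy_headers:
        name = canonical(raw)
        if name in response:
            upstream[name] = response[name]
        elif clear_when_absent:
            upstream.pop(name, None)
    return upstream


def app_sees_own_token(upstream: Dict[str, str]) -> bool:
    """Mimic an app that needs its own bearer token on every request."""
    return bool(upstream.get("Authorization"))


def compare() -> Dict[tuple, bool]:
    """Token survival for each header list and each clearing behaviour."""
    results = {}
    for label, copy_list in (("as_posted", COPY_HEADERS_AS_POSTED),
                             ("identity_only", COPY_HEADERS_IDENTITY_ONLY)):
        for clear in (True, False):
            upstream = apply_copy_headers(CLIENT_REQUEST, AUTH_RESPONSE_200,
                                          copy_list, clear)
            results[(label, clear)] = app_sees_own_token(upstream)
    return results


if __name__ == "__main__":
    for (label, clear), ok in compare().items():
        print(f"copy_headers={label:13s} clear_when_absent={clear!s:5s} "
              f"app_token_present={ok}")
```

Run as a script it prints one line per combination; the only combination in which the app loses its token is the posted list with clearing of absent headers, which is the failure mode consistent with InfluxDB logging `token required` while the Authelia step itself succeeds. The identity-only list keeps the app's token under either behaviour, and in both lists any `Remote-User` or `Remote-Groups` a client tried to supply is replaced by the auth server's values, which is the property the backend relies on when it trusts those headers.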