!KkOYRJWUONSuNfPsXt:matrix.org

Authelia

The Official Authelia HQ - please come chat here, feel free to ask for support! | https://github.com/authelia/authelia | https://buildkite.com/authelia/authelia | https://www.authelia.com | https://opencollective.com/authelia-sponsors

13 Jul 2020
@tapnl:matrix.org tapnl

Hi Amir,

I tried to follow the reference setup as well as possible, tailored to my needs. Most likely it is a config error - but very hard to find.
See the requested files below, I also added my middlewares.yml because I define the middleware in a file not per container.

docker-compose.yml -> traefik

version: "3.7"
########################### NETWORKS
networks:
  t2_proxy:
    external:
      name: t2_proxy
  default:
    driver: bridge

services:

  traefik2:
    container_name: traefik2
    image: traefik:chevrotin
    restart: always
    ports:
      - 80:80
      - 443:443
      - 8181:8181
    networks:
      - t2_proxy
    env_file:
      - .env
    environment:
      - TZ=$TZ
    volumes:
      - ${USERDIR}/docker/traefik2/traefik2.yml:/etc/traefik/traefik.yml:ro
      - ${USERDIR}/docker/traefik2/acme/acme.json:/acme.json
      - ${USERDIR}/docker/traefik2/rules:/rules:ro
      - ${USERDIR}/docker/shared/transip.key:/transip.key:ro
      - ${USERDIR}/docker/shared:/shared
      - /var/run/docker.sock:/var/run/docker.sock
    labels:
      - traefik.enable=true
      - traefik.http.routers.api.rule=Host("traefik.example.com")
      - traefik.http.routers.api.entrypoints=https
      - traefik.http.routers.api.tls=true

docker-compose.yml -> authelia

version: "3.7"
########################### NETWORKS
networks:
  t2_proxy:
    external:
      name: t2_proxy
  default:
    driver: bridge

########################### SERVICES

services:
  authelia:
    image: authelia/authelia
    container_name: authelia
    hostname: authelia
    restart: unless-stopped
    networks:
      - t2_proxy
    env_file:
      - .env
    environment:
      - TZ:$TZ
    volumes:
      - ./configuration.yml:/config/configuration.yml:ro
      - ./users_database.yml:/config/users_database.yml:ro
      - ./data:/etc/authelia/data:rw
    labels:
      - traefik.enable=true
      - traefik.http.routers.authelia.rule=Host("login.example.com")
      - traefik.http.routers.authelia.entrypoints=https
      - traefik.http.routers.authelia.tls=true

docker-compose.yml -> whoami - the subdomain to be protected

version: "3.7"
########################### NETWORKS
networks:
  t2_proxy:
    external:
      name: t2_proxy
  default:
    driver: bridge

########################### SERVICES

services:

  whoami:
    image: containous/whoami
    container_name: whoami
    hostname: whoami
    restart: always
    env_file:
      - .env
    networks:
      - t2_proxy
    ports:
      - "81:80"
    environment:
      - TZ=$TZ
    labels:
      - traefik.enable=true
      - traefik.http.routers.whoami.rule=Host(`whoami.example.com`)
      - traefik.http.routers.whoami.entrypoints=https
      - traefik.http.routers.whoami.tls=true
      - traefik.http.routers.whoami.middlewares=authelia@file

middleware.yml

http:
    middlewares:
      redirect:
        redirectScheme:
          scheme: https
      basic_auth:
        basicAuth:
          realm: "Traefik2 Basic Auth"
          usersFile: "/shared/.htpasswd"
      authelia:
        forwardAuth:
          address: "http://authelia:9091/api/verify?rd=https://login.example.com/"
          trustForwardHeader: true
          authResponseHeaders:
            - "Remote-User"
            - "Remote-Groups"
      hsts:
        headers:
          sslRedirect: true
          stsPreload: true
          stsSeconds: 315360000
          stsIncludeSubdomains: true
          accessControlMaxAge: 100
          sslRedirect: true
          accessControlAllowMethods:
            - GET
            - OPTIONS
            - PUT
          forceSTSHeader: true
#          customFrameOptionsValue: "allow-from https:*.example.com"
          contentTypeNosniff: true
          browserXssFilter: true
#          sslHost: "example.com"
          referrerPolicy: "same-origin"
11:04:34
@nightah:nerv.com.au Amir
So when you go to whoami.example.com it does redirect you to the portal to authenticate?
11:06:51
@nightah:nerv.com.au Amir
Or better yet if you could just detail your actual workflow, what happens and provide me the authelia logs for that workflow too.
11:07:53
@nightah:nerv.com.au Amir
Also just to be clear, I see your middleware.yml but no references in the compose, so I assume that's referenced in your traefik.yml?
11:09:17
@tapnl:matrix.org tapnl
In reply to @nightah:nerv.com.au
Also just to be clear, I see your middleware.yml but no references in the compose, so I assume that's referenced in your traefik.yml?

Hi Amir,

When I directly go to whoami.example.com it does not show me the login page. See below for details. Middleware is not defined in traefik.yml but it does load. Because the basic_auth also defined there works well. Also I don't see any errors that the actual middleware is not being found.

See below my workflow in steps, with the different logs per step

Step 1 - go to whoami.example.com

In browser:
address field:

https://login.example.com/?rd=https%3A%2F%2Fwhoami.example.com%2F

In screen:
404 page not found

Traefik log:

today at 14:35 time="2020-07-13T14:35:34+02:00" level=debug msg="Remote error http://authelia:9091/api/verify?rd=https://login.example.com/. StatusCode: 302" middlewareName=authelia@file middlewareType=ForwardedAuthType

Authelia log

today at 14:35 time="2020-07-13T14:35:34+02:00" level=info msg="Access to https://whoami.example.com/ is not authorized to user , redirecting to https://login.example.com/?rd=https%3A%2F%2Fwhoami.example.com%2F" method=GET path=/api/verify remote_ip=192.168.1.1

Step 2 - going to login.example.com

When going in the same session to login.example.com - nothing happens in the browser. 404 report is there.
Logs for both Authelia and Traefik show no entries

Appreciated that you are looking into this.

Cheers, Tap.

12:44:15
@tapnl:matrix.org tapnl

Additional workflow

Step 1: go to login.example.com

Login screen is being displayed

Step 2: enter credentials

Authelia log:

today at 14:48 time="2020-07-13T14:48:05+02:00" level=debug msg="Credentials validation of user admin is ok" method=POST path=/api/firstfactor remote_ip=192.168.1.1
today at 14:48 time="2020-07-13T14:48:05+02:00" level=debug msg="Mark authentication attempt made by user admin" method=POST path=/api/firstfactor remote_ip=192.168.1.1

Traefik log:

today at 14:48 time="2020-07-13T14:48:05+02:00" level=debug msg="vulcand/oxy/roundrobin/rr: begin ServeHttp on request" Request="{\"Method\":\"POST\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/api/firstfactor\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"application/json, text/plain, */*\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-GB,en;q=0.5\"],\"Content-Length\":[\"93\"],\"Content-Type\":[\"application/json;charset=utf-8\"],\"Dnt\":[\"1\"],\"Origin\":[\"https://login.example.com\"],\"Referer\":[\"https://login.example.com/\"],\"Te\":[\"trailers\"],\"User-Agent\":[\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0\"],\"X-Forwarded-Host\":[\"login.example.com\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"a1836832e66b\"],\"X-Real-Ip\":[\"192.168.1.1\"]},\"ContentLength\":93,\"TransferEncoding\":null,\"Host\":\"login.example.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"192.168.1.1:57530\",\"RequestURI\":\"/api/firstfactor\",\"TLS\":null}"
today at 14:48 time="2020-07-13T14:48:05+02:00" level=debug msg="vulcand/oxy/roundrobin/rr: Forwarding this request to URL" ForwardURL="http://172.18.0.3:9091" Request="{\"Method\":\"POST\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/api/firstfactor\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"application/json, text/plain, */*\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-GB,en;q=0.5\"],\"Content-Length\":[\"93\"],\"Content-Type\":[\"application/json;charset=utf-8\"],\"Dnt\":[\"1\"],\"Origin\":[\"https://login.example.com\"],\"Referer\":[\"https://login.example.com/\"],\"Te\":[\"trailers\"],\"User-Agent\":[\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0\"],\"X-Forwarded-Host\":[\"login.example.com\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"a1836832e66b\"],\"X-Real-Ip\":[\"192.168.1.1\"]},\"ContentLength\":93,\"TransferEncoding\":null,\"Host\":\"login.example.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"192.168.1.1:57530\",\"RequestURI\":\"/api/firstfactor\",\"TLS\":null}"
today at 14:48 time="2020-07-13T14:48:06+02:00" level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{\"Method\":\"POST\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/api/firstfactor\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"application/json, text/plain, */*\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-GB,en;q=0.5\"],\"Content-Length\":[\"93\"],\"Content-Type\":[\"application/json;charset=utf-8\"],\"Dnt\":[\"1\"],\"Origin\":[\"https://login.example.com\"],\"Referer\":[\"https://login.example.com/\"],\"Te\":[\"trailers\"],\"User-Agent\":[\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0\"],\"X-Forwarded-Host\":[\"login.example.com\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"a1836832e66b\"],\"X-Real-Ip\":[\"192.168.1.1\"]},\"ContentLength\":93,\"TransferEncoding\":null,\"Host\":\"login.example.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"192.168.1.1:57530\",\"RequestURI\":\"/api/firstfactor\",\"TLS\":null}"

Browser:
In screen:

404 page not found

In address field:

login.example.com

And no ssl connection

Step 3: go to whoami.example.com

Browser:
Loads normal - no credentials needed

Authelia log:
No entries

Traefik log:

today at 14:51 time="2020-07-13T14:51:56+02:00" level=debug msg="vulcand/oxy/roundrobin/rr: begin ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-GB,en;q=0.5\"],\"Cookie\":[\"authelia_session=rMMChZfrAoiTLwXdvjeYcbSGwAEImtst\"],\"Dnt\":[\"1\"],\"Remote-Groups\":[\"admins,dev\"],\"Remote-User\":[\"admin\"],\"Te\":[\"trailers\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0\"],\"X-Forwarded-Host\":[\"whoami.example.com\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"a1836832e66b\"],\"X-Real-Ip\":[\"192.168.1.1\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"whoami.example.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"192.168.1.1:42264\",\"RequestURI\":\"/\",\"TLS\":null}"
today at 14:51 time="2020-07-13T14:51:56+02:00" level=debug msg="vulcand/oxy/roundrobin/rr: Forwarding this request to URL" ForwardURL="http://172.18.0.5:80" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-GB,en;q=0.5\"],\"Cookie\":[\"authelia_session=rMMChZfrAoiTLwXdvjeYcbSGwAEImtst\"],\"Dnt\":[\"1\"],\"Remote-Groups\":[\"admins,dev\"],\"Remote-User\":[\"admin\"],\"Te\":[\"trailers\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0\"],\"X-Forwarded-Host\":[\"whoami.example.com\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"a1836832e66b\"],\"X-Real-Ip\":[\"192.168.1.1\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"whoami.example.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"192.168.1.1:42264\",\"RequestURI\":\"/\",\"TLS\":null}"
today at 14:51 time="2020-07-13T14:51:56+02:00" level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-GB,en;q=0.5\"],\"Cookie\":[\"authelia_session=rMMChZfrAoiTLwXdvjeYcbSGwAEImtst\"],\"Dnt\":[\"1\"],\"Remote-Groups\":[\"admins,dev\"],\"Remote-User\":[\"admin\"],\"Te\":[\"trailers\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0\"],\"X-Forwarded-Host\":[\"whoami.example.com\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"a1836832e66b\"],\"X-Real-Ip\":[\"192.168.1.1\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"whoami.example.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"192.168.1.1:42264\",\"RequestURI\":\"/\",\"TLS\":null}"
today at 14:51 time="2020-07-13T14:51:56+02:00" level=debug msg="vulcand/oxy/roundrobin/rr: begin ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/favicon.ico\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"image/webp,*/*\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-GB,en;q=0.5\"],\"Cookie\":[\"authelia_session=rMMChZfrAoiTLwXdvjeYcbSGwAEImtst\"],\"Dnt\":[\"1\"],\"Remote-Groups\":[\"admins,dev\"],\"Remote-User\":[\"admin\"],\"Te\":[\"trailers\"],\"User-Agent\":[\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0\"],\"X-Forwarded-Host\":[\"whoami.example.com\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"a1836832e66b\"],\"X-Real-Ip\":[\"192.168.1.1\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"whoami.example.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"192.168.1.1:42264\",\"RequestURI\":\"/favicon.ico\",\"TLS\":null}"
today at 14:51 time="2020-07-13T14:51:56+02:00" level=debug msg="vulcand/oxy/roundrobin/rr: Forwarding this request to URL" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/favicon.ico\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"image/webp,*/*\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-GB,en;q=0.5\"],\"Cookie\":[\"authelia_session=rMMChZfrAoiTLwXdvjeYcbSGwAEImtst\"],\"Dnt\":[\"1\"],\"Remote-Groups\":[\"admins,dev\"],\"Remote-User\":[\"admin\"],\"Te\":[\"trailers\"],\"User-Agent\":[\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0\"],\"X-Forwarded-Host\":[\"whoami.example.com\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"a1836832e66b\"],\"X-Real-Ip\":[\"192.168.1.1\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"whoami.example.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"192.168.1.1:42264\",\"RequestURI\":\"/favicon.ico\",\"TLS\":null}" ForwardURL="http://172.18.0.5:80"
today at 14:51 time="2020-07-13T14:51:56+02:00" level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/favicon.ico\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"image/webp,*/*\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-GB,en;q=0.5\"],\"Cookie\":[\"authelia_session=rMMChZfrAoiTLwXdvjeYcbSGwAEImtst\"],\"Dnt\":[\"1\"],\"Remote-Groups\":[\"admins,dev\"],\"Remote-User\":[\"admin\"],\"Te\":[\"trailers\"],\"User-Agent\":[\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0\"],\"X-Forwarded-Host\":[\"whoami.example.com\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"a1836832e66b\"],\"X-Real-Ip\":[\"192.168.1.1\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"whoami.example.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"192.168.1.1:42264\",\"RequestURI\":\"/favicon.ico\",\"TLS\":null}"

Step 4: Going back to login.example.com

Browser:
address field:

https://login.example.com/

With ssl connection

Authelia log:
No entries

Traefik log:
No entries

12:57:14
@nightah:nerv.com.auAmir tapnl: Step 4 in your additional workflow, do you still get a 404? 13:09:08
@tapnl:matrix.orgtapnl
In reply to @nightah:nerv.com.au
tapnl: Step 4 in your additional workflow, do you still get a 404?
When I am trying to replicate the second workflow - I am not able to visit whoami.example.com.
I get a 404 on whoami.example.com with ssl connection.
Then going back to login.example.com shows that I am authenticated.
13:59:19
@nightah:nerv.com.auAmir right, can I see your configuration.yml too? 14:00:36
@nightah:nerv.com.auAmir and do you see anything in the browser console when you try and visit whoami.example.com? 14:02:36
@nightah:nerv.com.auAmir by all accounts everything looks set up properly and your logs seem to indicate as much as well 14:05:11
@tapnl:matrix.orgtapnl
In reply to @nightah:nerv.com.au
and do you see anything in the browser console when you try and visit whoami.example.com?
###############################################################
#                   Authelia configuration                    #
###############################################################

# The host and port to listen on
host: 0.0.0.0
port: 9091

# Configuration options specific to the internal http server
server:
  # Buffers usually should be configured to be the same value.
  # Explanation at https://docs.authelia.com/configuration/server.html
  # Read buffer size configures the http server's maximum incoming request size in bytes.
  read_buffer_size: 4096
  # Write buffer size configures the http server's maximum outgoing response size in bytes.
  write_buffer_size: 4096
  # Set the single level path Authelia listens on, must be alphanumeric chars and should not contain any slashes.
  path: ""

# Level of verbosity for logs: info, debug, trace
log_level: debug
## File path where the logs will be written. If not set logs are written to stdout.
# log_file_path: /config/authelia.log

# The secret used to generate JWT tokens when validating user identity by
# email confirmation.
# JWT Secret can also be set using a secret: https://docs.authelia.com/configuration/secrets.html
jwt_secret: <SECRET>

# Default redirection URL
#
# If user tries to authenticate without any referer, Authelia
# does not know where to redirect the user to at the end of the
# authentication process.
# This parameter allows you to specify the default redirection
# URL Authelia will use in such a case.
#
# Note: this parameter is optional. If not provided, user won't
# be redirected upon successful authentication.
default_redirection_url: http://login.example.com

# TOTP Settings
#
# Parameters used for TOTP generation
totp:
  # The issuer name displayed in the Authenticator application of your choice
  # See: https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names
  issuer: authelia.com
  # The period in seconds a one-time password is current for. Changing this will require all users to register
  # their TOTP applications again.
  # Warning: before changing period read the docs link below.
  period: 30
  # The skew controls number of one-time passwords either side of the current one that are valid.
  # Warning: before changing skew read the docs link below.
  skew: 1
  #  See: https://docs.authelia.com/configuration/one-time-password.html#period-and-skew to read the documentation.

# Duo Push API
#
# Parameters used to contact the Duo API. Those are generated when you protect an application
# of type "Partner Auth API" in the management panel.
duo_api:
  hostname: <SECRET>
  integration_key: <SECRET>
  secret_key: <SECRET>

# The authentication backend to use for verifying user passwords
# and retrieve information such as email address and groups
# users belong to.
#
# There are two supported backends: 'ldap' and 'file'.
authentication_backend:
  # Disable both the HTML element and the API for reset password functionality
  disable_reset_password: false

  # The amount of time to wait before we refresh data from the authentication backend. Uses duration notation.
  # To disable this feature set it to 'disable', this will slightly reduce security because for Authelia, users
  # will always belong to groups they belonged to at the time of login even if they have been removed from them in LDAP.
  # To force update on every request you can set this to '0' or 'always', this will increase processor demand.
  # See the below documentation for more information.
  # Duration Notation docs:  https://docs.authelia.com/configuration/index.html#duration-notation-format
  # Refresh Interval docs: https://docs.authelia.com/configuration/authentication/ldap.html#refresh-interval
  refresh_interval: 5m

  # File backend configuration.
  #
  # With this backend, the users database is stored in a file
  # which is updated when users reset their passwords.
  # Therefore, this backend is meant to be used in a dev environment
  # and not in production since it prevents Authelia to be scaled to
  # more than one instance. The options under 'password' have sane
  # defaults, and as it has security implications it is highly recommended
  # you leave the default values. Before considering changing these settings
  # please read the docs page below:
  # https://docs.authelia.com/configuration/authentication/file.html#password-hash-algorithm-tuning
  #
  file:
    path: /config/users_database.yml
    password:
      algorithm: argon2id
      iterations: 1
      salt_length: 16
      parallelism: 8
      memory: 1024

# Access Control
#
# Access control is a list of rules defining the authorizations applied for one
# resource to users or group of users.
#
# If 'access_control' is not defined, ACL rules are disabled and the 'bypass'
# rule is applied, i.e., access is allowed to anyone. Otherwise restrictions follow
# the rules defined.
#
# Note: One can use the wildcard * to match any subdomain.
# It must stand at the beginning of the pattern. (example: *.mydomain.com)
#
# Note: You must put patterns containing wildcards between simple quotes for the YAML
# to be syntactically correct.
#
# Definition: A 'rule' is an object with the following keys: 'domain', 'subject',
# 'policy' and 'resources'.
#
# - 'domain' defines which domain or set of domains the rule applies to.
#
# - 'subject' defines the subject to apply authorizations to. This parameter is
#    optional and matching any user if not provided. If provided, the parameter
#    represents either a user or a group. It should be of the form 'user:<username>'
#    or 'group:<groupname>'.
#
# - 'policy' is the policy to apply to resources. It must be either 'bypass',
#   'one_factor', 'two_factor' or 'deny'.
#
# - 'resources' is a list of regular expressions that matches a set of resources to
#    apply the policy to. This parameter is optional and matches any resource if not
#    provided.
#
# Note: the order of the rules is important. The first policy matching
# (domain, resource, subject) applies.
access_control:
  # Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'.
  # It is the policy applied to any resource if there is no policy to be applied
  # to the user.
  default_policy: deny
  rules:
    - domain: "whoami.example.com"
      policy: one_factor

# Configuration of session cookies
#
# The session cookies identify the user once logged in.
session:
  # The name of the session cookie. (default: authelia_session).
  name: authelia_session

  # The secret to encrypt the session data. This is only used with Redis.
  # Secret can also be set using a secret: https://docs.authelia.com/configuration/secrets.html
  secret: <SECRET>

  # The time in seconds before the cookie expires and session is reset.
  expiration: 1h

  # The inactivity time in seconds before the session is reset.
  inactivity: 5m

  # The remember me duration.
  # Value of 0 disables remember me.
  # Value is in seconds, or duration notation. See: https://docs.authelia.com/configuration/index.html#duration-notation-format
  # Longer periods are considered less secure because a stolen cookie will last longer giving attackers more time to spy
  # or attack. Currently the default is 1M or 1 month.
  remember_me_duration: 1M

  # The domain to protect.
  # Note: the authenticator must also be in that domain. If empty, the cookie
  # is restricted to the subdomain of the issuer.
  domain: example.com

# Configuration of the authentication regulation mechanism.
#
# This mechanism prevents attackers from brute forcing the first factor.
# It bans the user if too many attempts are done in a short period of
# time.
regulation:
  max_retries: 3
  find_time: 2m
  ban_time: 5m

# Configuration of the storage backend used to store data and secrets.
#
# You must use only an available configuration: local, mysql, postgres
storage:
    local:
      path: /config/db.sqlite3

notifier:
    filesystem:
      filename: /config/data/notification.txt

No, doing it the second time did not show anything in whoami

14:05:20
@nightah:nerv.com.auAmir does https://whoami.example.com/health also give you a 404? 14:07:05
@nightah:nerv.com.auAmir or https://whoami.example.com/api 14:07:59
@nightah:nerv.com.auAmir anyway it's past midnight I'll have a look at your response when I get back up, but the 404 suggests there's either an issue with the cookie/redirect or the whoami container/traefik 14:17:42
@nightah:nerv.com.auAmir the former you would see logs for though 14:17:56
@nightah:nerv.com.auAmir so it's more likely to be the latter 14:18:00
@tapnl:matrix.orgtapnl Both give a 404. For me it feels that the redirect is not going correctly. I expect the issue in Traefik - but not sure where to look. 20:41:36
14 Jul 2020
@nightah:nerv.com.auAmir tapnl: looks like some of the guys figured it out on one of the issues 04:58:53
@nightah:nerv.com.auAmir https://github.com/containous/traefik/issues/7020 and https://github.com/authelia/authelia/issues/1195#issuecomment-657949217 for reference 04:59:42
@nightah:nerv.com.auAmir related specifically to the following change in Traefik: https://github.com/containous/traefik/pull/7008 05:00:59
@nightah:nerv.com.auAmir https://github.com/containous/traefik/issues/7020#issuecomment-656753476 explains the actual issue in further detail too 05:04:45
@tapnl:matrix.orgtapnl
In reply to @nightah:nerv.com.au
https://github.com/containous/traefik/issues/7020 and https://github.com/authelia/authelia/issues/1195#issuecomment-657949217 for reference

Hi Amir,

I can confirm that this is the issue! Thx very much for pointing out - I noticed that my docker had updated before this behaviour started - but was not able to find something on github - so I circled back to my configs - because during the automated update, I was playing with my config quite a lot.

Thanks again for looking into this and pointing out the solution!

Cheers, M.

06:46:20
@natalie:tchncs.denatalie 06:48:14
@nightah:nerv.com.auAmir No problems, glad it's sorted now. 07:50:33
