Forward Auth with Traefik showing Not Found Page #8932

Closed
Jdplays opened this issue Mar 16, 2024 · 5 comments
Labels
question Further information is requested

Jdplays commented Mar 16, 2024

### Intro
I have been trying to set up Authentik to work with Traefik to authenticate users. I have followed a few guides but seem to keep hitting the same issue. I keep being shown a Not Found page that seems to have no CSS.

An example is Vaultwarden. It works fine in Traefik by itself. However, when I add this to its labels:
- "traefik.http.routers.vaultwarden-secure.middleware=authentik@file"
It gives this back
image

Here is my setup

Traefik version: 2.11.0
Authentik Version: 2024.2.2

Traefik compose
```yaml
version: '3'

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
    environment:
      - CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /nfs/traefik/data/traefik.yml:/traefik.yml:ro
      - /nfs/traefik/data/acme.json:/acme.json
      - /nfs/traefik/config.yml:/config.yml:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik.local.domain.com`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=${BASIC_AUTH_CREDENTIALS}"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.local.domain.com`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=local.domain.com"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.local.domain.com"
      - "traefik.http.routers.traefik-secure.tls.domains[1].main=domain.com"
      - "traefik.http.routers.traefik-secure.tls.domains[1].sans=*.domain.com"
      - "traefik.http.routers.traefik-secure.service=api@internal"
      - "traefik.docker.network=proxy"

networks:
  proxy:
    external: true
```
Traefik config Middlewares
```yaml
middlewares:
    authentik:
      forwardauth:
        address: "http://authentik_server:9000/outpost.goauthentik.io/auth/traefik"
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version
```
Authentik Server compose
```yaml
server:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:latest
    container_name: authentik_server
    restart: unless-stopped
    command: server
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    volumes:
      - /nfs/authentik/media:/media
      - /nfs/authentik/custom-templates:/templates
    env_file:
      - .env
    ports:
      - "${COMPOSE_PORT_HTTP:-9000}:9000"
      - "${COMPOSE_PORT_HTTPS:-9443}:9443"
    depends_on:
      - postgresql
      - redis
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.authentik.entrypoints=http"
      - "traefik.http.routers.authentik.rule=Host(`auth.domain.com`)"
      - "traefik.http.middlewares.authentik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.authentik.middlewares=authentik-https-redirect"
      - "traefik.http.routers.authentik-secure.entrypoints=https"
      - "traefik.http.routers.authentik-secure.rule=Host(`auth.domain.com`)"
      - "traefik.http.routers.authentik-secure.tls=true"
      - "traefik.http.routers.authentik-secure.service=authentik"
      - "traefik.http.services.authentik.loadbalancer.server.port=9000"
      - "traefik.http.services.authentik-secure.loadbalancer.server.port=9443"
      - "traefik.docker.network=proxy"
```
Vaultwarden Compose
```yaml
version: '3.8'

services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock
      - /nfs/vaultwarden/data:/data
    networks:
      - proxy
    environment:
      WEBSOCKET_ENABLED: 'true'
      SIGNUPS_ALLOWED: 'true'
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.vaultwarden.entrypoints=http"
      - "traefik.http.routers.vaultwarden.rule=Host(`vaultwarden.domain.com`)"
      - "traefik.http.middlewares.vaultwarden-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.vaultwarden.middlewares=vaultwarden-https-redirect"
      - "traefik.http.routers.vaultwarden-secure.entrypoints=https"
      - "traefik.http.routers.vaultwarden-secure.rule=Host(`vaultwarden.domain.com`)"
      - "traefik.http.routers.vaultwarden-secure.tls=true"
      - "traefik.http.routers.vaultwarden-secure.service=vaultwarden"
      - "traefik.http.services.vaultwarden.loadbalancer.server.port=80"
      - "traefik.http.routers.vaultwarden-secure.middleware=authentik@file"
      - "traefik.docker.network=proxy"
networks:
  proxy:
    external: true
```

If I go directly to http://auth.domain.com:9000/outpost.goauthentik.io/auth/traefik, it also gives a Not Found page, but with CSS this time.
image

Authentik web UI setup

Application

image

Provider

image

Outpost

image

I have been trying to fix this for the past few hours and have gotten nowhere. If someone knows why this is happening, any help would be appreciated.
Thanks in advance, James
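
A label lint for the Vaultwarden router labels in the post above, added here as an example and not part of the original issue or of the Traefik or authentik projects. Traefik's router option for attaching middlewares is `middlewares` (plural), as the Traefik and authentik services above spell it; the function name `lint_router_labels`, the accepted-option list and the rule that `-secure` routers must carry `authentik@file` are assumptions of this example.

```python
import re

# Router option names accepted by this check (Traefik v2 Docker labels).
ROUTER_OPTION = re.compile(
    r"^(rule|entrypoints|middlewares|service|priority|tls"
    r"|tls\.(certresolver|options)|tls\.domains\[\d+\]\.(main|sans))$"
)
ROUTER_LABEL = re.compile(r"^traefik\.http\.routers\.([^.=]+)\.([^=]+)=(.*)$")

# Router labels copied from the Vaultwarden service in the post above.
PAGE_LABELS = [
    "traefik.http.routers.vaultwarden.entrypoints=http",
    "traefik.http.routers.vaultwarden.rule=Host(`vaultwarden.domain.com`)",
    "traefik.http.routers.vaultwarden.middlewares=vaultwarden-https-redirect",
    "traefik.http.routers.vaultwarden-secure.entrypoints=https",
    "traefik.http.routers.vaultwarden-secure.rule=Host(`vaultwarden.domain.com`)",
    "traefik.http.routers.vaultwarden-secure.tls=true",
    "traefik.http.routers.vaultwarden-secure.service=vaultwarden",
    "traefik.http.routers.vaultwarden-secure.middleware=authentik@file",
]
# Constructed variant with the option spelled as in the other routers.
PLURAL_LABELS = [l.replace(".middleware=", ".middlewares=") for l in PAGE_LABELS]


def lint_router_labels(labels, required, protected_suffix="-secure"):
    """Return sorted findings for one container's Traefik router labels."""
    findings, attached, routers = [], {}, set()
    for label in labels:
        match = ROUTER_LABEL.match(label.strip())
        if not match:
            continue  # middleware/service definitions are out of scope
        router, option, value = match.groups()
        routers.add(router)
        option = option.lower()
        if not ROUTER_OPTION.match(option):
            findings.append(f"{router}: unknown router option '{option}'")
        elif option == "middlewares":
            names = {v.strip() for v in value.split(",") if v.strip()}
            attached.setdefault(router, set()).update(names)
    # Assumed policy: routers named *-secure must carry the auth middleware.
    for router in routers:
        if router.endswith(protected_suffix) and required not in attached.get(router, set()):
            findings.append(f"{router}: '{required}' is not attached")
    return sorted(findings)


if __name__ == "__main__":
    for finding in lint_router_labels(PAGE_LABELS, "authentik@file"):
        print(finding)
```

Running a check like this in CI catches a protected router that silently lacks its forward-auth middleware before the stack is deployed.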

Jdplays commented Mar 16, 2024

Update

I think I found the issue. In my docker compose, my worker container and server container were of different versions. After making them the same, it seemed to work.

@Jdplays Jdplays closed this as completed Mar 16, 2024
@mpeirone

Same problem. I checked and the versions are the same (2024.2.2). I'm using Traefik and Authentik on a Kubernetes cluster.
Any ideas on how to fix it?

Jdplays commented Mar 18, 2024

Make sure that both your worker and server containers are the same version (as they use the same image). Also, I am now using 2024.2, which seems to be working. Hopefully that helps!

@mpeirone

I am sure the versions are the same; moreover, I am using Helm to do the installation.
Have you made other changes that may have solved the problem?
Thanks
image

@CoreyLylyk

For those that stumble across this: I'm using Kubernetes with Traefik forwardAuth, and I had to go into Outposts --> Integrations and select Local Kubernetes Cluster. Then add apps in 'applications available' to the 'selected applications' box, and then it worked. Assuming you have your Traefik middleware set up also, of course.
