I’m currently beating my head up against Authentik. What I’m trying to do is to use Authentik to secure an unsecured service, like VS-Code server. Supposedly I can do this by pointing the domain to the Authentik server and then Authentik’s proxy points to the Code Server, but everything that I try either redirects back to Authentik or just gives me a blank screen.
Authentik and VS-Code are both running on the same system in docker, with my reverse proxy on another system.
The DNS (pihole) for both code.test and auth.test point to my reverse proxy running Caddy, and all of this is running local network only.
Any ideas what I am missing? Any help would be appreciated.
Caddyfile:
code.test.example.com {
tls internal
reverse_proxy auth.test.example.com
}
auth.test.example.com {
tls internal
reverse_proxy 192.168.1.110:9000
}
Authentik Proxy Provider:
External host: https://code.test.example.com
Internal host: http://192.168.1.110:8443
Internal host SSL Validation = false
VS-Code Server docker-compose.yaml:
version: "2.1"
services:
code-server:
image: lscr.io/linuxserver/code-server:latest
container_name: code-server
environment:
- PUID=1000
- PGID=1000
- TZ=Etc/UTC
#- PASSWORD= #optional
#- HASHED_PASSWORD= #optional
- SUDO_PASSWORD=Password #optional
#- SUDO_PASSWORD_HASH= #optional
- PROXY_DOMAIN=code.test.example.com #optional
- DEFAULT_WORKSPACE=/config/workspace #optional
volumes:
- ./config:/config
ports:
- 8443:8443
restart: unless-stopped
Authentik docker-compose.yaml:
---
version: "3.4"
services:
postgresql:
image: docker.io/library/postgres:12-alpine
restart: unless-stopped
healthcheck:
test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
start_period: 20s
interval: 30s
retries: 5
timeout: 5s
volumes:
- database:/var/lib/postgresql/data
environment:
POSTGRES_PASSWORD: ${PG_PASS:?database password required}
POSTGRES_USER: ${PG_USER:-authentik}
POSTGRES_DB: ${PG_DB:-authentik}
env_file:
- .env
redis:
image: docker.io/library/redis:alpine
command: --save 60 1 --loglevel warning
restart: unless-stopped
healthcheck:
test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
start_period: 20s
interval: 30s
retries: 5
timeout: 3s
volumes:
- redis:/data
server:
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.8.3}
restart: unless-stopped
command: server
environment:
AUTHENTIK_REDIS__HOST: redis
AUTHENTIK_POSTGRESQL__HOST: postgresql
AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
volumes:
- ./media:/media
- ./custom-templates:/templates
env_file:
- .env
ports:
- "${COMPOSE_PORT_HTTP:-9000}:9000"
- "${COMPOSE_PORT_HTTPS:-9443}:9443"
depends_on:
- postgresql
- redis
worker:
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.8.3}
restart: unless-stopped
command: worker
environment:
AUTHENTIK_REDIS__HOST: redis
AUTHENTIK_POSTGRESQL__HOST: postgresql
AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
# `user: root` and the docker socket volume are optional.
# See more for the docker socket integration here:
# https://goauthentik.io/docs/outposts/integrations/docker
# Removing `user: root` also prevents the worker from fixing the permissions
# on the mounted folders, so when removing this make sure the folders have the correct UID/GID
# (1000:1000 by default)
user: root
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./media:/media
- ./certs:/certs
- ./custom-templates:/templates
env_file:
- .env
depends_on:
- postgresql
- redis
volumes:
database:
driver: local
redis:
driver: local
This looks about right, I have a similar setup for unauthenticated services here, with the difference that I’m using NGINX Proxy Manager instead of Caddy. The things I would try/check are:
- Make sure you’ve enabled the proxy provider in the local outpost config in Authentik.
- Declare a common network between the two containers, so that they can communicate without having to go out through the host’s IP. This way you can reference the VS Code container directly by its service name in Authentik.
- I’m not familiar with Caddy, but I would also try changing the
code.test.example.com
entry to point directly to Authentik’s IP and port (in other words, both entries would look the same). In the config your posted, it seems like Caddy is redirecting through itself.