
I had a working docker stack with my home media server using a single docker compose file:

version: "3"
secrets:
  authelia_jwt_secret:
    file: $SECRETS_PATH/authelia/jwt_secret
  authelia_session_secret:
    file: $SECRETS_PATH/authelia/session_secret
services:
  calibre-web:
    image: linuxserver/calibre-web:nightly
    container_name: calibre-web
    environment:
      - PUID=$PUID
      - PGID=$PGID
    labels:
      - traefik.enable=true
      - traefik.http.routers.calibre-https.rule=Host(`books.pointerstop.ca`)
      - traefik.http.routers.calibre-https.middlewares=authelia@file
      - traefik.http.routers.calibre-https.tls=true
      - traefik.http.routers.calibre-https.tls.certresolver=letsencrypt
    volumes:
      - /srv/calibre/config/calibre-web:/config
      - /srv/calibre/CalibreLibrary:/Calibre_Library
    restart: unless-stopped
    depends_on:
      - calibre
    expose:
      - 8083
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    command:
      - --api.insecure=true
      - --providers.docker
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --certificatesresolvers.letsencrypt.acme.email=${LE_EMAIL}
      - --certificatesresolvers.letsencrypt.acme.storage=/config/acme.json
      - --certificatesresolvers.letsencrypt.acme.tlschallenge=true
      # - --certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
      - --log.filePath=/var/log/traefik.log
      - --log.level=DEBUG
      - --providers.file.directory=/dynamic_config/
      - --providers.file.watch=true
    ports:
      - 8080:8080
      - 80:80
      - 443:443
    labels:
      - traefik.enable=true
      - traefik.http.routers.traefik.rule=Host(`traefik.local`)
      ## Services - API
      - traefik.http.routers.traefik.service=api@internal
      ## Global redirect of EXTERNAL domains to HTTPS
      - traefik.http.routers.redirs.rule=hostregexp(`{host:.*pointerstop.ca}`)
      - traefik.http.routers.redirs.entrypoints=web
      - traefik.http.routers.redirs.middlewares=redirect-to-https@file
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /var/log/media-server:/var/log
      - ${CONFIG_PATH}/traefik:/config
      - ./dynamic_config:/dynamic_config

  # Authelia (Lite) - Self-Hosted Single Sign-On and Two-Factor Authentication
  authelia:
    container_name: authelia
    image: authelia/authelia:latest
    # image: authelia/authelia:4.21.0
    restart: always
    expose:
      - 9091
    volumes:
      - $CONFIG_PATH/authelia:/config
    environment:
      - TZ=${TIME_ZONE}
      - AUTHELIA_JWT_SECRET_FILE=/run/secrets/authelia_jwt_secret
      - AUTHELIA_SESSION_SECRET_FILE=/run/secrets/authelia_session_secret
    secrets:
      - authelia_jwt_secret
      - authelia_session_secret
    labels:
      - traefik.enable=true
      ## HTTP Routers
      - traefik.http.routers.authelia-rtr.entrypoints=websecure
      - traefik.http.routers.authelia-rtr.rule=Host(`auth.pointerstop.ca`)
      - traefik.http.routers.authelia-rtr.tls=true
      - traefik.http.routers.authelia-rtr.tls.certresolver=letsencrypt
      ## Middlewares
      - traefik.http.routers.authelia-rtr.middlewares=chain-authelia@file
      ## HTTP Services
      - traefik.http.services.authelia-media-server.loadbalancer.server.port=9091

Now, I wanted to split out the proxy into a separate stack, so that I could add my business domains in a third stack, and have everything protected by Authelia.

So, I've created a docker network proxy and everything is using that network, with complete success except that after authenticating with Authelia https://books.pointerstop.ca/ (Calibre-web) wants to authenticate again.

I'm aware that I need to set entrypoints.websecure.forwardedHeaders.trustedIPs in Traefik, without which Traefik removes all the important headers, but I can't figure out what they should be. With everything in the same docker stack, I didn't need trustedIPs at all. Now that they're in different stacks, but on the same network, I don't understand what's changed. I tried setting trustedIPs=172.0.0.0/8 which covers all the docker networks. *.pointerstop.ca are CNAMEs to pointerstop.ddns.net, and the only reported IP at https://books.pointerstop.ca/login is my external IP—but it seems wrong to require that (and it's dynamically assigned, so awkward to use) when it wasn't needed in the single stack setup.

Auspex
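An added example, not part of the question above: if forwardedHeaders.trustedIPs does turn out to be required, the range should be the shared proxy network's own subnet rather than 172.0.0.0/8, which covers every Docker network on the host. Pinning the subnet when the network is created keeps the value stable across stacks. The subnet 172.30.0.0/24, the file layout and the read-only socket mount are assumptions.

```yaml
# Added example (not from the question). Assumed: the shared network is created
# once with a fixed subnet, and both stacks attach to it as an external network:
#   docker network create --subnet 172.30.0.0/24 proxy

# --- proxy stack: docker-compose.yml ---
networks:
  proxy:
    external: true
services:
  traefik:
    image: traefik:latest
    networks: [proxy]
    # no 8080 / --api.insecure here: the dashboard stays behind its own router
    ports: ["80:80", "443:443"]
    command:
      - --providers.docker
      - --providers.docker.exposedbydefault=false  # route only containers that opt in
      - --providers.docker.network=proxy           # reach backends over the shared network
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      # Too broad: any container on any Docker network on the host is trusted, and
      # 172.0.0.0/8 is far wider than the private 172.16.0.0/12 Docker draws from.
      # - --entrypoints.websecure.forwardedHeaders.trustedIPs=172.0.0.0/8
      # Scoped: only peers on the pinned proxy subnet may supply X-Forwarded-* headers.
      - --entrypoints.websecure.forwardedHeaders.trustedIPs=172.30.0.0/24
      - --providers.file.directory=/dynamic_config/
      - --providers.file.watch=true
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro  # read-only suffices for discovery
      - ./dynamic_config:/dynamic_config

---
# --- media stack: docker-compose.yml (Authelia service joins the same network) ---
networks:
  proxy:
    external: true
services:
  calibre-web:
    image: linuxserver/calibre-web:nightly
    networks: [proxy]
    labels:
      - traefik.enable=true
      - traefik.http.routers.calibre-https.entrypoints=websecure  # bind to one entrypoint
      - traefik.http.routers.calibre-https.rule=Host(`books.pointerstop.ca`)
      - traefik.http.routers.calibre-https.middlewares=authelia@file
      - traefik.http.routers.calibre-https.tls=true
      - traefik.http.routers.calibre-https.tls.certresolver=letsencrypt
```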