Authentik as a reverse proxy for VS-Code server? How
I'm currently beating my head up against Authentik. What I'm trying to do is to use Authentik to secure an unsecured service, like VS-Code server. Supposedly I can do this by pointing the domain to the Authentik server and then Authentik's proxy points to the Code Server, but everything that I try either redirects back to Authentik or just gives me a blank screen.
Authentik and VS-Code are both running on the same system in docker, with my reverse proxy on another system.
The DNS (pihole) for both code.test and auth.test point to my reverse proxy running Caddy, and all of this is running local network only.
Any ideas what I am missing? Any help would be appreciated.
Caddyfile:
code.test.example.com {
tls internal
reverse_proxy auth.test.example.com
}
auth.test.example.com {
tls internal
reverse_proxy 192.168.1.110:9000
}
Authentik Proxy Provider:
External host: https://code.test.example.com
Internal host: http://192.168.1.110:8443
Internal host SSL Validation = false
VS-Code Server docker-compose.yaml:
version: "2.1"
services:
code-server:
image: lscr.io/linuxserver/code-server:latest
container_name: code-server
environment:
- PUID=1000
- PGID=1000
- TZ=Etc/UTC
#- PASSWORD= #optional
#- HASHED_PASSWORD= #optional
- SUDO_PASSWORD=Password #optional
#- SUDO_PASSWORD_HASH= #optional
- PROXY_DOMAIN=code.test.example.com #optional
- DEFAULT_WORKSPACE=/config/workspace #optional
volumes:
- ./config:/config
ports:
- 8443:8443
restart: unless-stopped
Authentik docker-compose.yaml:
---
version: "3.4"
services:
postgresql:
image: docker.io/library/postgres:12-alpine
restart: unless-stopped
healthcheck:
test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
start_period: 20s
interval: 30s
retries: 5
timeout: 5s
volumes:
- database:/var/lib/postgresql/data
environment:
POSTGRES_PASSWORD: ${PG_PASS:?database password required}
POSTGRES_USER: ${PG_USER:-authentik}
POSTGRES_DB: ${PG_DB:-authentik}
env_file:
- .env
redis:
image: docker.io/library/redis:alpine
command: --save 60 1 --loglevel warning
restart: unless-stopped
healthcheck:
test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
start_period: 20s
interval: 30s
retries: 5
timeout: 3s
volumes:
- redis:/data
server:
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.8.3}
restart: unless-stopped
command: server
environment:
AUTHENTIK_REDIS__HOST: redis
AUTHENTIK_POSTGRESQL__HOST: postgresql
AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
volumes:
- ./media:/media
- ./custom-templates:/templates
env_file:
- .env
ports:
- "${COMPOSE_PORT_HTTP:-9000}:9000"
- "${COMPOSE_PORT_HTTPS:-9443}:9443"
depends_on:
- postgresql
- redis
worker:
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.8.3}
restart: unless-stopped
command: worker
environment:
AUTHENTIK_REDIS__HOST: redis
AUTHENTIK_POSTGRESQL__HOST: postgresql
AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
# `user: root` and the docker socket volume are optional.
# See more for the docker socket integration here:
# https://goauthentik.io/docs/outposts/integrations/docker
# Removing `user: root` also prevents the worker from fixing the permissions
# on the mounted folders, so when removing this make sure the folders have the correct UID/GID
# (1000:1000 by default)
user: root
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./media:/media
- ./certs:/certs
- ./custom-templates:/templates
env_file:
- .env
depends_on:
- postgresql
- redis
volumes:
database:
driver: local
redis:
driver: local
This looks about right, I have a similar setup for unauthenticated services here, with the difference that I'm using NGINX Proxy Manager instead of Caddy. The things I would try/check are:
code.test.example.comentry to point directly to Authentik's IP and port (in other words, both entries would look the same). In the config your posted, it seems like Caddy is redirecting through itself.If you're trying to use pihole as a local DNS, you'll still have to add your application port to the end of the URL if you're not doing that already. So like if you've assigned server.local to your host server in pihole, to get to your app you would have to do http://server.local:1234, where 1234 is your app port number.
Otherwise, I have this all working with a code-server instance behind SWAG reverse proxy and Authelia authentication over the internet, if you need further help with that.
In the reverse proxy?
WHOOPS!! 8-)
I’ll fix my caddy file and see if that fixes the problem. Thanks!
And in general :) hopefully that helps. Can you hit the site directly (without caddy etc) after setting up the DNS name in pihole?
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:
3 acronyms in this thread; the most compressed thread commented on today has 7 acronyms.
[Thread #242 for this sub, first seen 26th Oct 2023, 05:35] [FAQ] [Full list] [Contact] [Source code]