
Authentik Forward Authentication Middleware

Traefik can put authentication in front of your applications by using an Authentik Proxy Provider in forward-authentication mode. This allows you to protect your services with Single Sign-On (SSO).

Configure an Authentik Application and Proxy Provider

The first step is to deploy the Authentik service and then configure the required components:

  • Create a Proxy Provider with forward authentication.
  • Create an application and assign the Proxy Provider you created.
  • In the "Cookie Domain" field, add the domain of the services.

Create the Traefik Configuration

The next step is to add the Traefik middleware configuration to your instance's dynamic configuration.

Replace AUTHENTIK_SERVER_HOST with the name of your Authentik server instance, e.g., authentik-server-ncoc0ooog0ckwc0gwgoocgs8.

http:
  middlewares:
    authentik-auth:
      forwardAuth:
        address: 'http://AUTHENTIK_SERVER_HOST:9000/outpost.goauthentik.io/auth/traefik'
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-entitlements
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version

Protecting Services

To protect a service, the Traefik middleware label must be added to the container's Docker Compose configuration:

services:
  privatebin:
    image: privatebin/nginx-fpm-alpine
    environment:
      - SERVICE_URL_PRIVATEBIN_8080
    volumes:
      - 'privatebin_data:/srv/data'
    healthcheck:
      test:
        - CMD-SHELL
        - 'wget -qO- http://127.0.0.1:8080/'
      interval: 5s
      timeout: 20s
      retries: 10
    labels:
      - traefik.http.middlewares.authentik-auth@file
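
To confirm that the label took effect, the following check sends one request without a session cookie and classifies the reply. It is an added example, not part of the Coolify documentation; the verdict names and the sample URL are this example's own, and it assumes the application's root path does not itself redirect to another host.

```python
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit

OUTPOST_PREFIX = "/outpost.goauthentik.io/"  # path prefix from the middleware address


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 3xx instead of following it to the login page


def classify(url, status, location=""):
    """Interpret the reply to a request sent without an authentik session cookie."""
    src, dst = urlsplit(url), urlsplit(location)
    host = dst.netloc or src.netloc  # a relative Location stays on the same host
    if 200 <= status < 300:
        return "UNPROTECTED"  # the app answered: middleware is not on this router
    if 300 <= status < 400:
        if host != src.netloc or dst.path.startswith(OUTPOST_PREFIX):
            return "GATED"  # sent to the outpost or the authentik host to sign in
        if src.scheme == "http" and dst.scheme == "https":
            return "RETRY_HTTPS"  # plain scheme upgrade, says nothing about auth
        return "CHECK"  # same-host redirect, possibly the app's own
    if status in (401, 403):
        return "GATED"  # the auth server refused the request
    # 404 often means no router matched; a 5xx can mean the forwardAuth
    # address (AUTHENTIK_SERVER_HOST) is not reachable from Traefik.
    return "CHECK"


def probe(url, timeout=10):
    """Send one cookie-less GET and classify what comes back."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            status, location = resp.status, ""
    except urllib.error.HTTPError as err:
        status, location = err.code, err.headers.get("Location", "")
    return classify(url, status, location)


if __name__ == "__main__":
    # Usage: python check_gate.py https://bin.example.com/  (constructed URL)
    verdict = probe(sys.argv[1])
    print(verdict)
    sys.exit(0 if verdict == "GATED" else 1)
```

An `UNPROTECTED` verdict means the application answered a request that carried no session, so the middleware is not attached to the router serving that URL.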
