update Traefik and Authentik configurations to enhance routing and middleware settings

2025-11-29 13:10:54 +01:00 · 2025-11-29 13:10:54 +01:00 · 7b7692ffb7
commit 7b7692ffb7
parent bc8e36d35c
3 changed files with 25 additions and 3 deletions
--- a/docker-stacks/authentik/docker-compose.yml
+++ b/docker-stacks/authentik/docker-compose.yml
@ -24,6 +24,7 @@ services:

  server:
    image: ghcr.io/goauthentik/server:2025.10
+    container_name: authentik-server-1
    command: server
    environment:
      AUTHENTIK_REDIS__HOST: redis
@ -48,6 +49,10 @@ services:
      - "traefik.http.routers.authentik.tls=true"
      - "traefik.http.routers.authentik.tls.certresolver=letsencrypt"
      - "traefik.http.services.authentik.loadbalancer.server.port=9000"
+      # OPTIONEEL: Redirect voor de Authentik UI (niet strikt nodig voor forwardAuth)
+      - "traefik.http.routers.authentik-http.rule=Host(`authentik.stackbabber.nl`)"
+      - "traefik.http.routers.authentik-http.entrypoints=web"
+      - "traefik.http.routers.authentik-http.middlewares=redirect-to-https@file"
  worker:
    image: ghcr.io/goauthentik/server:2025.10
    command: worker
--- a/docker-stacks/traefik/data/rules/middlewares.yml
+++ b/docker-stacks/traefik/data/rules/middlewares.yml
@ -8,6 +8,11 @@ http:
        address: "http://authentik-server-1:9000/outpost.goauthentik.io/auth/layer"
        
        trustForwardHeader: true
+        # STUUR DE X-Forwarded-Proto HEADER MEE. Dit lost de redirect-lus op.
+        authRequestHeaders:
+          - "X-Forwarded-Proto"
+        
+        # De headers die Authentik terugstuurt na succesvolle authenticatie
        authResponseHeaders:
          - "X-authentik-username"
          - "X-authentik-groups"
@ -21,3 +26,9 @@ http:
          - "X-authentik-meta-app"
          - "X-authentik-meta-version"
          - "Set-Cookie"
+
+    # Optioneel: middleware om HTTP verkeer geforceerd naar HTTPS te sturen
+    redirect-to-https:
+      redirectScheme:
+        scheme: "https"
+        permanent: true
--- a/docker-stacks/traefik/docker-compose.yml
+++ b/docker-stacks/traefik/docker-compose.yml
@ -20,14 +20,20 @@ services:
      - ./data/rules:/rules 
    labels:
      - "traefik.enable=true"
+      
+      # 1. Router voor het Traefik Dashboard (via HTTPS/WebSecure)
      - "traefik.http.routers.traefik.rule=Host(`traefik.stackbabber.nl`)"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
      - "traefik.http.routers.traefik.service=api@internal"
+      # Gebruik de aangepaste Authentik middleware
      - "traefik.http.routers.traefik.middlewares=authentik@file"
-      - "traefik.http.middlewares.https-headers.headers.customrequestheaders.X-Forwarded-Proto=https"
-      - "traefik.http.routers.traefik.middlewares=https-headers,authentik@file"
+
+      # 2. Router voor de HTTP -> HTTPS redirect (Veiligere oplossing)
+      - "traefik.http.routers.traefik-http.rule=Host(`traefik.stackbabber.nl`)"
+      - "traefik.http.routers.traefik-http.entrypoints=web"
+      - "traefik.http.routers.traefik-http.middlewares=redirect-to-https@file"

 networks:
  proxy: