Topics

ElfHosted / Funky Penguin•13mo ago

dex deploy - array items must be unique?

Hi there @Darth-Penguini and friends! I'm encountering a strange error when attempting to deploy dex, after following instructions here: https://geek-cookbook.funkypenguin.co.nz/docker-swarm/traefik-forward-auth/dex-static/ Running the following: docker stack deploy dex -c /var/data/dex/dex.yml Gives me the following error: services.whoami.deploy.labels array items[3,9] must be unique My labels, from /var/data/dex/dex.yml, are as follows (domain.tld being replaced by my actual domain):

# This simply validates that traefik forward authentication is working
  whoami:
    image: containous/whoami
    networks:
      - traefik_public
    deploy:
      labels:
        # traefik
        - "traefik.enable=true"
        - "traefik.docker.network=traefik_public"

        # traefikv1
        - "traefik.frontend.rule=Host:whoami.domain.tld"
        - "traefik.http.services.whoami.loadbalancer.server.port=80"
        - "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
        - "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
        - "traefik.frontend.auth.forward.trustForwardHeader=true"

        # traefikv2
        - "traefik.http.routers.whoami.rule=Host(`whoami.domain.tld`)"
        - "traefik.http.routers.whoami.entrypoints=https"
        - "traefik.http.services.whoami.loadbalancer.server.port=80"
        - "traefik.http.routers.whoami.middlewares=forward-auth"

networks:
  traefik_public:
    external: true

# This simply validates that traefik forward authentication is working
  whoami:
    image: containous/whoami
    networks:
      - traefik_public
    deploy:
      labels:
        # traefik
        - "traefik.enable=true"
        - "traefik.docker.network=traefik_public"

        # traefikv1
        - "traefik.frontend.rule=Host:whoami.domain.tld"
        - "traefik.http.services.whoami.loadbalancer.server.port=80"
        - "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
        - "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
        - "traefik.frontend.auth.forward.trustForwardHeader=true"

        # traefikv2
        - "traefik.http.routers.whoami.rule=Host(`whoami.domain.tld`)"
        - "traefik.http.routers.whoami.entrypoints=https"
        - "traefik.http.services.whoami.loadbalancer.server.port=80"
        - "traefik.http.routers.whoami.middlewares=forward-auth"

networks:
  traefik_public:
    external: true

I've double checked spelling and searched for hours but I'm stuck and unable to progress past this point. Any help on figuring this out would be greatly appreciated.

SSO with traefik forward auth and Dex - Funky Penguin's Geek Cookbook

Traefik forward auth needs an authentication backend, but if you don't want to use a cloud provider, you can setup your own simple OIDC backend, using Dex.

44 Replies

funkypenguin | ElfHosted•13mo ago

👋 @ryanjolliffe weird, I sure don't see any duplicate labels there are you using traefik v2?

RyanJ•13mo ago

I am, yes It's very strange

funkypenguin | ElfHosted•13mo ago

so what if you comment out the v1 labels in case?

RyanJ•13mo ago

Then I get: poorly formatted environment: variable 'DEFAULT_PROVIDER: oidc' contains whitespaces

funkypenguin | ElfHosted•13mo ago

gah what does your .env look like?

RyanJ•13mo ago

/var/data/config/traefik-forward-auth/traefik-forward-auth.env is as follows:

DEFAULT_PROVIDER: oidc
PROVIDERS_OIDC_CLIENT_ID: ryan                             # This is the staticClients.id value in config.yml above
PROVIDERS_OIDC_CLIENT_SECRET: authsecret                   # This is the staticClients.secret value in config.yml above
PROVIDERS_OIDC_ISSUER_URL: https://dex.domain.tld    # This is the issuer value in config.yml above, and it has to be reachable via a browser
SECRET: noneofthisreallymatters                            # Make this up. It's not configured anywhere else
AUTH_HOST: auth.domain.tld                           # This should match the value of the traefik hosts labels in Traefik Forward Auth
COOKIE_DOMAIN: domain.tld                            # This should match your base domain

DEFAULT_PROVIDER: oidc
PROVIDERS_OIDC_CLIENT_ID: ryan                             # This is the staticClients.id value in config.yml above
PROVIDERS_OIDC_CLIENT_SECRET: authsecret                   # This is the staticClients.secret value in config.yml above
PROVIDERS_OIDC_ISSUER_URL: https://dex.domain.tld    # This is the issuer value in config.yml above, and it has to be reachable via a browser
SECRET: noneofthisreallymatters                            # Make this up. It's not configured anywhere else
AUTH_HOST: auth.domain.tld                           # This should match the value of the traefik hosts labels in Traefik Forward Auth
COOKIE_DOMAIN: domain.tld                            # This should match your base domain

Apologies, the formatting is slightly incorrect compared to what I see The comments (#) are all aligned when viewing in nano

funkypenguin | ElfHosted•13mo ago

I think your env syntax is wrong try something like this: DEFAULT_PROVIDER=oidc

RyanJ•13mo ago

should I do that for all values?

funkypenguin | ElfHosted•13mo ago

yep and then you should rightly complain that the docs show it differently

RyanJ•13mo ago

lol I didn't want to say it Okay, so with v1 still commented out it appears to run:

root@olympus:/home/ryan# docker stack deploy dex -c /var/data/dex/dex.yml
Creating service dex_whoami
Creating service dex_traefik-forward-auth

root@olympus:/home/ryan# docker stack deploy dex -c /var/data/dex/dex.yml
Creating service dex_whoami
Creating service dex_traefik-forward-auth

funkypenguin | ElfHosted•13mo ago

cool I shall fix my shoddy docs

RyanJ•13mo ago

Do I need to uncomment the v1 and retry?

funkypenguin | ElfHosted•13mo ago

no, we don't really need v1 at all anymore nobody should be using it

RyanJ•13mo ago

Ah okay, I see! Thank you so much for that, I really appreciate the assistance 🙂

funkypenguin | ElfHosted•13mo ago

np, thanks for the quality-control check 🙂 fix pushed, new version building now...

RyanJ•13mo ago

Wow, that's awesome Thank you for the whole guide btw, it's such a good resource

funkypenguin | ElfHosted•13mo ago

🫶

RyanJ•13mo ago

I'm still very new to docker and swarms in general, but your guide is the best I've found I'm going to get back to configuring this machine, and hopefully the next time I swing by will be to say it was all a huge success! Damn, I was really hoping to get further lol middleware "forward-auth@docker" does not exist

root@olympus:/home/ryan# docker stack ps traefik-forward-auth
ID             NAME                                              IMAGE                                   NODE      DESIRED STATE   CURRENT STATE                     ERROR                              PORTS
v79whj5np10e   traefik-forward-auth_traefik-forward-auth.1       thomseddon/traefik-forward-auth:2.2.0   olympus   Ready           Assigned less than a second ago
xgclawycyq8d    \_ traefik-forward-auth_traefik-forward-auth.1   thomseddon/traefik-forward-auth:2.2.0   olympus   Shutdown        Rejected 4 seconds ago            "invalid mount config for type…"
kotagm9oxf53    \_ traefik-forward-auth_traefik-forward-auth.1   thomseddon/traefik-forward-auth:2.2.0   olympus   Shutdown        Rejected 9 seconds ago            "invalid mount config for type…"
3zb7pxtd1rwi    \_ traefik-forward-auth_traefik-forward-auth.1   thomseddon/traefik-forward-auth:2.2.0   olympus   Shutdown        Rejected 14 seconds ago           "invalid mount config for type…"
l0sa70oqivvu    \_ traefik-forward-auth_traefik-forward-auth.1   thomseddon/traefik-forward-auth:2.2.0   olympus   Shutdown        Rejected 19 seconds ago           "invalid mount config for type…"
1uw577q6orum    \_ traefik-forward-auth_traefik-forward-auth.1   thomseddon/traefik-forward-auth:2.2.0   olympus   Shutdown        Rejected 25 seconds ago           "invalid mount config for type…"
88oe773m2fcs   traefik-forward-auth_whoami.1                     containous/whoami:latest                olympus   Running         Running 7 minutes ago

root@olympus:/home/ryan# docker stack ps traefik-forward-auth
ID             NAME                                              IMAGE                                   NODE      DESIRED STATE   CURRENT STATE                     ERROR                              PORTS
v79whj5np10e   traefik-forward-auth_traefik-forward-auth.1       thomseddon/traefik-forward-auth:2.2.0   olympus   Ready           Assigned less than a second ago
xgclawycyq8d    \_ traefik-forward-auth_traefik-forward-auth.1   thomseddon/traefik-forward-auth:2.2.0   olympus   Shutdown        Rejected 4 seconds ago            "invalid mount config for type…"
kotagm9oxf53    \_ traefik-forward-auth_traefik-forward-auth.1   thomseddon/traefik-forward-auth:2.2.0   olympus   Shutdown        Rejected 9 seconds ago            "invalid mount config for type…"
3zb7pxtd1rwi    \_ traefik-forward-auth_traefik-forward-auth.1   thomseddon/traefik-forward-auth:2.2.0   olympus   Shutdown        Rejected 14 seconds ago           "invalid mount config for type…"
l0sa70oqivvu    \_ traefik-forward-auth_traefik-forward-auth.1   thomseddon/traefik-forward-auth:2.2.0   olympus   Shutdown        Rejected 19 seconds ago           "invalid mount config for type…"
1uw577q6orum    \_ traefik-forward-auth_traefik-forward-auth.1   thomseddon/traefik-forward-auth:2.2.0   olympus   Shutdown        Rejected 25 seconds ago           "invalid mount config for type…"
88oe773m2fcs   traefik-forward-auth_whoami.1                     containous/whoami:latest                olympus   Running         Running 7 minutes ago

It appears to deploy, but shows an error in the traefik dash and ps shows "invalid mount config for type…" error I created /var/data/config/traefik-forward-auth/config.ini and chmod'd to 600, which seems to fix the mounting error, but now I get a non-zero

root@olympus:/home/ryan# docker stack ps traefik-forward-auth
ID             NAME                                              IMAGE                                   NODE      DESIRED STATE   CURRENT STATE            ERROR                       PORTS
ldbzhye9muxm   traefik-forward-auth_traefik-forward-auth.1       thomseddon/traefik-forward-auth:2.2.0   olympus   Ready           Ready 2 seconds ago
656n8kqn872l    \_ traefik-forward-auth_traefik-forward-auth.1   thomseddon/traefik-forward-auth:2.2.0   olympus   Shutdown        Failed 3 seconds ago     "task: non-zero exit (1)"
hxviko4kk6ic    \_ traefik-forward-auth_traefik-forward-auth.1   thomseddon/traefik-forward-auth:2.2.0   olympus   Shutdown        Failed 10 seconds ago    "task: non-zero exit (1)"
b0yp8nxz0kwo    \_ traefik-forward-auth_traefik-forward-auth.1   thomseddon/traefik-forward-auth:2.2.0   olympus   Shutdown        Failed 16 seconds ago    "task: non-zero exit (1)"
wvhy9mo5mav6    \_ traefik-forward-auth_traefik-forward-auth.1   thomseddon/traefik-forward-auth:2.2.0   olympus   Shutdown        Failed 23 seconds ago    "task: non-zero exit (1)"
88oe773m2fcs   traefik-forward-auth_whoami.1                     containous/whoami:latest                olympus   Running         Running 19 minutes ago

root@olympus:/home/ryan# docker stack ps traefik-forward-auth
ID             NAME                                              IMAGE                                   NODE      DESIRED STATE   CURRENT STATE            ERROR                       PORTS
ldbzhye9muxm   traefik-forward-auth_traefik-forward-auth.1       thomseddon/traefik-forward-auth:2.2.0   olympus   Ready           Ready 2 seconds ago
656n8kqn872l    \_ traefik-forward-auth_traefik-forward-auth.1   thomseddon/traefik-forward-auth:2.2.0   olympus   Shutdown        Failed 3 seconds ago     "task: non-zero exit (1)"
hxviko4kk6ic    \_ traefik-forward-auth_traefik-forward-auth.1   thomseddon/traefik-forward-auth:2.2.0   olympus   Shutdown        Failed 10 seconds ago    "task: non-zero exit (1)"
b0yp8nxz0kwo    \_ traefik-forward-auth_traefik-forward-auth.1   thomseddon/traefik-forward-auth:2.2.0   olympus   Shutdown        Failed 16 seconds ago    "task: non-zero exit (1)"
wvhy9mo5mav6    \_ traefik-forward-auth_traefik-forward-auth.1   thomseddon/traefik-forward-auth:2.2.0   olympus   Shutdown        Failed 23 seconds ago    "task: non-zero exit (1)"
88oe773m2fcs   traefik-forward-auth_whoami.1                     containous/whoami:latest                olympus   Running         Running 19 minutes ago

funkypenguin | ElfHosted•13mo ago

Sorry, distracted with kids and dinner, will circle back in 4h or so 🙂

RyanJ•13mo ago

Hey, any response is above and beyond what I'd hope for - apologies for bothering you! This is a personal project with no real stakes; I wouldn't want to distract you from your family 🙂 I appreciate all the help already 🙏

funkypenguin | ElfHosted•13mo ago

mmm, TFA can be a PITA to debug, IIRC it just exists without logging if it's unhappy with your OIDC config I think there's a way to add debugging, checking... aah, here it is. Try adding an env var LOG_LEVEL to TFA, set to debug

RyanJ•13mo ago

Thank you! I stopped the stack/services and added that to "/var/data/traefik-forward-auth/traefik-forward-auth.yml", then deployed again whoops, wrong paste

funkypenguin | ElfHosted•13mo ago

now you can run docker service logs traefik-forward-auth and hopefully see why it's unhappy...

RyanJ•13mo ago

"/var/data/config/traefik-forward-auth/traefik-forward-auth.env"

root@olympus:/home/ryan# docker stack ls
NAME                   SERVICES
dex                    2
traefik                1
traefik-forward-auth   2
traefikv2              1
root@olympus:/home/ryan# docker service logs traefik-forward-auth
no such task or service: traefik-forward-auth

root@olympus:/home/ryan# docker stack ls
NAME                   SERVICES
dex                    2
traefik                1
traefik-forward-auth   2
traefikv2              1
root@olympus:/home/ryan# docker service logs traefik-forward-auth
no such task or service: traefik-forward-auth

My .env is as follows:

  GNU nano 6.2                                    /var/data/config/traefik-forward-auth/traefik-forward-auth.env
DEFAULT_PROVIDER=oidc
PROVIDERS_OIDC_CLIENT_ID=ryan                             # This is the staticClients.id value in config.yml above
PROVIDERS_OIDC_CLIENT_SECRET=authsecret                   # This is the staticClients.secret value in config.yml above
PROVIDERS_OIDC_ISSUER_URL=https://dex.phrontistes.link    # This is the issuer value in config.yml above, and it has to be reachable via a browser
SECRET=noneofthisreallymatters                            # Make this up. It's not configured anywhere else
AUTH_HOST=auth.phrontistes.link                           # This should match the value of the traefik hosts labels in Traefik Forward Auth
COOKIE_DOMAIN=phrontistes.link                            # This should match your base domain
LOG_LEVEL=debug

  GNU nano 6.2                                    /var/data/config/traefik-forward-auth/traefik-forward-auth.env
DEFAULT_PROVIDER=oidc
PROVIDERS_OIDC_CLIENT_ID=ryan                             # This is the staticClients.id value in config.yml above
PROVIDERS_OIDC_CLIENT_SECRET=authsecret                   # This is the staticClients.secret value in config.yml above
PROVIDERS_OIDC_ISSUER_URL=https://dex.phrontistes.link    # This is the issuer value in config.yml above, and it has to be reachable via a browser
SECRET=noneofthisreallymatters                            # Make this up. It's not configured anywhere else
AUTH_HOST=auth.phrontistes.link                           # This should match the value of the traefik hosts labels in Traefik Forward Auth
COOKIE_DOMAIN=phrontistes.link                            # This should match your base domain
LOG_LEVEL=debug

funkypenguin | ElfHosted•13mo ago

ah, sorry, bad syntax try docker service logs traefik-forward-auth_traefik-forward-auth

RyanJ•13mo ago

root@olympus:/home/ryan# docker service logs traefik-forward-auth_traefik-forward-auth
traefik-forward-auth_traefik-forward-auth.1.z7foqqcofdpl@olympus    | time="2023-10-18T09:17:11Z" level=fatal msg="parse https://dex.domain.tld    : invalid character \" \" in host name"
traefik-forward-auth_traefik-forward-auth.1.4fdslepduuxx@olympus    | time="2023-10-18T09:16:59Z" level=fatal msg="parse https://dex.domain.tld    : invalid character \" \" in host name"
traefik-forward-auth_traefik-forward-auth.1.ke2gxg0klu03@olympus    | time="2023-10-18T09:17:18Z" level=fatal msg="parse https://dex.domain.tld    : invalid character \" \" in host name"
traefik-forward-auth_traefik-forward-auth.1.t2ziu4uqp42h@olympus    | time="2023-10-18T09:17:05Z" level=fatal msg="parse https://dex.domain.tld    : invalid character \" \" in host name"

root@olympus:/home/ryan# docker service logs traefik-forward-auth_traefik-forward-auth
traefik-forward-auth_traefik-forward-auth.1.z7foqqcofdpl@olympus    | time="2023-10-18T09:17:11Z" level=fatal msg="parse https://dex.domain.tld    : invalid character \" \" in host name"
traefik-forward-auth_traefik-forward-auth.1.4fdslepduuxx@olympus    | time="2023-10-18T09:16:59Z" level=fatal msg="parse https://dex.domain.tld    : invalid character \" \" in host name"
traefik-forward-auth_traefik-forward-auth.1.ke2gxg0klu03@olympus    | time="2023-10-18T09:17:18Z" level=fatal msg="parse https://dex.domain.tld    : invalid character \" \" in host name"
traefik-forward-auth_traefik-forward-auth.1.t2ziu4uqp42h@olympus    | time="2023-10-18T09:17:05Z" level=fatal msg="parse https://dex.domain.tld    : invalid character \" \" in host name"

funkypenguin | ElfHosted•13mo ago

aha try moving the comments to the line above/below the env vars, and then making sure each ENV var has no whitespace after it my CI instance looks like this:

root@raphael:/var/data/config/traefik-forward-auth# cat traefik-forward-auth.env
DEFAULT_PROVIDER=oidc
PROVIDERS_OIDC_CLIENT_ID=foo
PROVIDERS_OIDC_CLIENT_SECRET=bar
PROVIDERS_OIDC_ISSUER_URL=https://dex.elpenguino.be
AUTH_HOST=auth.elpenguino.be
COOKIE_DOMAIN=elpenguino.be
SECRET=imtoosexyformyshorts
root@raphael:/var/data/config/traefik-forward-auth#

root@raphael:/var/data/config/traefik-forward-auth# cat traefik-forward-auth.env
DEFAULT_PROVIDER=oidc
PROVIDERS_OIDC_CLIENT_ID=foo
PROVIDERS_OIDC_CLIENT_SECRET=bar
PROVIDERS_OIDC_ISSUER_URL=https://dex.elpenguino.be
AUTH_HOST=auth.elpenguino.be
COOKIE_DOMAIN=elpenguino.be
SECRET=imtoosexyformyshorts
root@raphael:/var/data/config/traefik-forward-auth#

RyanJ•13mo ago

Unfortunately I'm still getting the following:

root@olympus:/home/ryan# docker stack ps traefik-forward-auth
ID             NAME                                              IMAGE                                   NODE      DESIRED STATE   CURRENT STATE                    ERROR                       PORTS
1alnpym57m2q   traefik-forward-auth_traefik-forward-auth.1       thomseddon/traefik-forward-auth:2.2.0   olympus   Running         Running less than a second ago
8177g4s520oe    \_ traefik-forward-auth_traefik-forward-auth.1   thomseddon/traefik-forward-auth:2.2.0   olympus   Shutdown        Failed 6 seconds ago             "task: non-zero exit (1)"
pjvn7tcgbwm0    \_ traefik-forward-auth_traefik-forward-auth.1   thomseddon/traefik-forward-auth:2.2.0   olympus   Shutdown        Failed 12 seconds ago            "task: non-zero exit (1)"
z8h6ce6964gb    \_ traefik-forward-auth_traefik-forward-auth.1   thomseddon/traefik-forward-auth:2.2.0   olympus   Shutdown        Failed 18 seconds ago            "task: non-zero exit (1)"
vo8vw7mctt0g    \_ traefik-forward-auth_traefik-forward-auth.1   thomseddon/traefik-forward-auth:2.2.0   olympus   Shutdown        Failed 25 seconds ago            "task: non-zero exit (1)"
3xb3wehz9d5e   traefik-forward-auth_whoami.1                     containous/whoami:latest                olympus   Running         Running 2 minutes ago

root@olympus:/home/ryan# docker stack ps traefik-forward-auth
ID             NAME                                              IMAGE                                   NODE      DESIRED STATE   CURRENT STATE                    ERROR                       PORTS
1alnpym57m2q   traefik-forward-auth_traefik-forward-auth.1       thomseddon/traefik-forward-auth:2.2.0   olympus   Running         Running less than a second ago
8177g4s520oe    \_ traefik-forward-auth_traefik-forward-auth.1   thomseddon/traefik-forward-auth:2.2.0   olympus   Shutdown        Failed 6 seconds ago             "task: non-zero exit (1)"
pjvn7tcgbwm0    \_ traefik-forward-auth_traefik-forward-auth.1   thomseddon/traefik-forward-auth:2.2.0   olympus   Shutdown        Failed 12 seconds ago            "task: non-zero exit (1)"
z8h6ce6964gb    \_ traefik-forward-auth_traefik-forward-auth.1   thomseddon/traefik-forward-auth:2.2.0   olympus   Shutdown        Failed 18 seconds ago            "task: non-zero exit (1)"
vo8vw7mctt0g    \_ traefik-forward-auth_traefik-forward-auth.1   thomseddon/traefik-forward-auth:2.2.0   olympus   Shutdown        Failed 25 seconds ago            "task: non-zero exit (1)"
3xb3wehz9d5e   traefik-forward-auth_whoami.1                     containous/whoami:latest                olympus   Running         Running 2 minutes ago

Though the whoami@docker entry has appeared in HTTP Services (traefik dashboard), but I'm still getting a

middleware "forward-auth@docker" does not exist

middleware "forward-auth@docker" does not exist

error in HTTP Routers

funkypenguin | ElfHosted•13mo ago

it may be that unless it's actually working, traefik won't consider it to be valid

RyanJ•13mo ago

Damn Is there any way to get more debugging info about what specifically is failing?

funkypenguin | ElfHosted•13mo ago

what does your env look like now? and what's the output of docker service logs traefik-forward-auth_traefik-forward-auth ?

RyanJ•13mo ago

.env:

DEFAULT_PROVIDER=oidc
PROVIDERS_OIDC_CLIENT_ID=ryan
# This is the staticClients.id value in config.yml above
PROVIDERS_OIDC_CLIENT_SECRET=authsecret
# This is the staticClients.secret value in config.yml above
PROVIDERS_OIDC_ISSUER_URL=https://dex.domain.tld
# This is the issuer value in config.yml above, and it has to be reachable via a browser
SECRET=noneofthisreallymatters
# Make this up. It's not configured anywhere else
AUTH_HOST=auth.domain.tld
# This should match the value of the traefik hosts labels in Traefik Forward Auth
COOKIE_DOMAIN=domain.tld
# This should match your base domain
LOG_LEVEL=debug

DEFAULT_PROVIDER=oidc
PROVIDERS_OIDC_CLIENT_ID=ryan
# This is the staticClients.id value in config.yml above
PROVIDERS_OIDC_CLIENT_SECRET=authsecret
# This is the staticClients.secret value in config.yml above
PROVIDERS_OIDC_ISSUER_URL=https://dex.domain.tld
# This is the issuer value in config.yml above, and it has to be reachable via a browser
SECRET=noneofthisreallymatters
# Make this up. It's not configured anywhere else
AUTH_HOST=auth.domain.tld
# This should match the value of the traefik hosts labels in Traefik Forward Auth
COOKIE_DOMAIN=domain.tld
# This should match your base domain
LOG_LEVEL=debug

Running the command gives:

root@olympus:/home/ryan# docker service logs traefik-forward-auth_traefik-forward-auth
traefik-forward-auth_traefik-forward-auth.1.wyeh93w0l0qt@olympus    | time="2023-10-18T09:31:16Z" level=fatal msg="404 Not Found: 404 page not found\n"
traefik-forward-auth_traefik-forward-auth.1.qtd72n6eelra@olympus    | time="2023-10-18T09:31:10Z" level=fatal msg="404 Not Found: 404 page not found\n"
traefik-forward-auth_traefik-forward-auth.1.foiqckucg6th@olympus    | time="2023-10-18T09:31:03Z" level=fatal msg="404 Not Found: 404 page not found\n"
traefik-forward-auth_traefik-forward-auth.1.htaflitodk05@olympus    | time="2023-10-18T09:30:53Z" level=fatal msg="404 Not Found: 404 page not found\n"

root@olympus:/home/ryan# docker service logs traefik-forward-auth_traefik-forward-auth
traefik-forward-auth_traefik-forward-auth.1.wyeh93w0l0qt@olympus    | time="2023-10-18T09:31:16Z" level=fatal msg="404 Not Found: 404 page not found\n"
traefik-forward-auth_traefik-forward-auth.1.qtd72n6eelra@olympus    | time="2023-10-18T09:31:10Z" level=fatal msg="404 Not Found: 404 page not found\n"
traefik-forward-auth_traefik-forward-auth.1.foiqckucg6th@olympus    | time="2023-10-18T09:31:03Z" level=fatal msg="404 Not Found: 404 page not found\n"
traefik-forward-auth_traefik-forward-auth.1.htaflitodk05@olympus    | time="2023-10-18T09:30:53Z" level=fatal msg="404 Not Found: 404 page not found\n"

funkypenguin | ElfHosted•13mo ago

interesting what do you get at https://dex.domain.tld ?

RyanJ•13mo ago

I get a

404 page not found

404 page not found

funkypenguin | ElfHosted•13mo ago

right so fix that next 🙂 what does the traefik dashboard say about it?

RyanJ•13mo ago

https://traefik.domain.tld works fine

funkypenguin | ElfHosted•13mo ago

yeah, but what does it say about dex?

RyanJ•13mo ago

No description

RyanJ•13mo ago

No description

RyanJ•13mo ago

There's no mention of dex at all

root@olympus:/home/ryan# docker stack ps dex
ID             NAME                             IMAGE                                   NODE      DESIRED STATE   CURRENT STATE                     ERROR                       PORTS
4mxre3b73u12   dex_traefik-forward-auth.1       thomseddon/traefik-forward-auth:2.2.0   olympus   Running         Starting less than a second ago
p60xm1901h8z    \_ dex_traefik-forward-auth.1   thomseddon/traefik-forward-auth:2.2.0   olympus   Shutdown        Failed 5 seconds ago              "task: non-zero exit (1)"
rx5dcucxe2rc    \_ dex_traefik-forward-auth.1   thomseddon/traefik-forward-auth:2.2.0   olympus   Shutdown        Failed 11 seconds ago             "task: non-zero exit (1)"
rwhwtiw47lds    \_ dex_traefik-forward-auth.1   thomseddon/traefik-forward-auth:2.2.0   olympus   Shutdown        Failed 18 seconds ago             "task: non-zero exit (1)"
3l2tx9nggdtj    \_ dex_traefik-forward-auth.1   thomseddon/traefik-forward-auth:2.2.0   olympus   Shutdown        Failed 24 seconds ago             "task: non-zero exit (1)"
hu57a0frj7fu   dex_whoami.1                     containous/whoami:latest                olympus   Running         Running 8 hours ago

root@olympus:/home/ryan# docker stack ps dex
ID             NAME                             IMAGE                                   NODE      DESIRED STATE   CURRENT STATE                     ERROR                       PORTS
4mxre3b73u12   dex_traefik-forward-auth.1       thomseddon/traefik-forward-auth:2.2.0   olympus   Running         Starting less than a second ago
p60xm1901h8z    \_ dex_traefik-forward-auth.1   thomseddon/traefik-forward-auth:2.2.0   olympus   Shutdown        Failed 5 seconds ago              "task: non-zero exit (1)"
rx5dcucxe2rc    \_ dex_traefik-forward-auth.1   thomseddon/traefik-forward-auth:2.2.0   olympus   Shutdown        Failed 11 seconds ago             "task: non-zero exit (1)"
rwhwtiw47lds    \_ dex_traefik-forward-auth.1   thomseddon/traefik-forward-auth:2.2.0   olympus   Shutdown        Failed 18 seconds ago             "task: non-zero exit (1)"
3l2tx9nggdtj    \_ dex_traefik-forward-auth.1   thomseddon/traefik-forward-auth:2.2.0   olympus   Shutdown        Failed 24 seconds ago             "task: non-zero exit (1)"
hu57a0frj7fu   dex_whoami.1                     containous/whoami:latest                olympus   Running         Running 8 hours ago

funkypenguin | ElfHosted•13mo ago

mmm do you have dex.yml ?

RyanJ•12mo ago

Apologies, when the kids call you must obey 😅 /var/data/dex/dex.yml is as follows:

version: "3.2"

services:

  traefik-forward-auth:
    image: thomseddon/traefik-forward-auth:2.2.0
    env_file: /var/data/config/traefik-forward-auth/traefik-forward-auth.env
    volumes:
    - /var/data/config/traefik-forward-auth/config.ini:/config.ini:ro
    networks:
      - traefik_public
    deploy:
      labels:
        # traefikv1
        - "traefik.port=4181"
        - "traefik.frontend.rule=Host:auth.domain.tld"
        - "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
        - "traefik.frontend.auth.forward.trustForwardHeader=true"

        # traefikv2
        - "traefik.docker.network=traefik_public"
        - "traefik.http.routers.auth.rule=Host(`auth.domain.tld`)"
        - "traefik.http.routers.auth.entrypoints=https"
        - "traefik.http.routers.auth.tls=true"
        - "traefik.http.routers.auth.tls.domains[0].main=domain.tld"
        - "traefik.http.routers.auth.tls.domains[0].sans=*.domain.tld"
        - "traefik.http.routers.auth.tls.certresolver=main"
        - "traefik.http.routers.auth.service=auth@docker"
        - "traefik.http.services.auth.loadbalancer.server.port=4181"
        - "traefik.http.middlewares.forward-auth.forwardauth.address=http://traefik-forward-auth:4181"
        - "traefik.http.middlewares.forward-auth.forwardauth.trustForwardHeader=true"
        - "traefik.http.middlewares.forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User"
        - "traefik.http.routers.auth.middlewares=forward-auth"

version: "3.2"

services:

  traefik-forward-auth:
    image: thomseddon/traefik-forward-auth:2.2.0
    env_file: /var/data/config/traefik-forward-auth/traefik-forward-auth.env
    volumes:
    - /var/data/config/traefik-forward-auth/config.ini:/config.ini:ro
    networks:
      - traefik_public
    deploy:
      labels:
        # traefikv1
        - "traefik.port=4181"
        - "traefik.frontend.rule=Host:auth.domain.tld"
        - "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
        - "traefik.frontend.auth.forward.trustForwardHeader=true"

        # traefikv2
        - "traefik.docker.network=traefik_public"
        - "traefik.http.routers.auth.rule=Host(`auth.domain.tld`)"
        - "traefik.http.routers.auth.entrypoints=https"
        - "traefik.http.routers.auth.tls=true"
        - "traefik.http.routers.auth.tls.domains[0].main=domain.tld"
        - "traefik.http.routers.auth.tls.domains[0].sans=*.domain.tld"
        - "traefik.http.routers.auth.tls.certresolver=main"
        - "traefik.http.routers.auth.service=auth@docker"
        - "traefik.http.services.auth.loadbalancer.server.port=4181"
        - "traefik.http.middlewares.forward-auth.forwardauth.address=http://traefik-forward-auth:4181"
        - "traefik.http.middlewares.forward-auth.forwardauth.trustForwardHeader=true"
        - "traefik.http.middlewares.forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User"
        - "traefik.http.routers.auth.middlewares=forward-auth"

  # This simply validates that traefik forward authentication is working
  whoami:
    image: containous/whoami
    networks:
      - traefik_public
    deploy:
      labels:
        # traefik
        - "traefik.enable=true"
        - "traefik.docker.network=traefik_public"

        # traefikv1
#        - "traefik.frontend.rule=Host:whoami.domain.tld"
 #       - "traefik.http.services.whoami.loadbalancer.server.port=80"
  #      - "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
   #     - "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
    #    - "traefik.frontend.auth.forward.trustForwardHeader=true"

        # traefikv2
        - "traefik.http.routers.whoami.rule=Host(`whoami.domain.tld`)"
        - "traefik.http.routers.whoami.entrypoints=https"
        - "traefik.http.services.whoami.loadbalancer.server.port=80"
        - "traefik.http.routers.whoami.middlewares=forward-auth"

networks:
  traefik_public:
    external: true

  # This simply validates that traefik forward authentication is working
  whoami:
    image: containous/whoami
    networks:
      - traefik_public
    deploy:
      labels:
        # traefik
        - "traefik.enable=true"
        - "traefik.docker.network=traefik_public"

        # traefikv1
#        - "traefik.frontend.rule=Host:whoami.domain.tld"
 #       - "traefik.http.services.whoami.loadbalancer.server.port=80"
  #      - "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
   #     - "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
    #    - "traefik.frontend.auth.forward.trustForwardHeader=true"

        # traefikv2
        - "traefik.http.routers.whoami.rule=Host(`whoami.domain.tld`)"
        - "traefik.http.routers.whoami.entrypoints=https"
        - "traefik.http.services.whoami.loadbalancer.server.port=80"
        - "traefik.http.routers.whoami.middlewares=forward-auth"

networks:
  traefik_public:
    external: true

root@olympus:/home/ryan# docker service logs dex_dex
dex_dex.1.ukpfpg1wqx9v@olympus    | error: cannot lookup path for command serve: exec: "serve": executable file not found in $PATH
dex_dex.1.c8u2m77c9kt1@olympus    | error: cannot lookup path for command serve: exec: "serve": executable file not found in $PATH
dex_dex.1.i81z0ayq52jz@olympus    | error: cannot lookup path for command serve: exec: "serve": executable file not found in $PATH
dex_dex.1.sayeuy0i3ten@olympus    | error: cannot lookup path for command serve: exec: "serve": executable file not found in $PATH
dex_dex.1.31icur7fsig5@olympus    | error: cannot lookup path for command serve: exec: "serve": executable file not found in $PATH

root@olympus:/home/ryan# docker service logs dex_dex
dex_dex.1.ukpfpg1wqx9v@olympus    | error: cannot lookup path for command serve: exec: "serve": executable file not found in $PATH
dex_dex.1.c8u2m77c9kt1@olympus    | error: cannot lookup path for command serve: exec: "serve": executable file not found in $PATH
dex_dex.1.i81z0ayq52jz@olympus    | error: cannot lookup path for command serve: exec: "serve": executable file not found in $PATH
dex_dex.1.sayeuy0i3ten@olympus    | error: cannot lookup path for command serve: exec: "serve": executable file not found in $PATH
dex_dex.1.31icur7fsig5@olympus    | error: cannot lookup path for command serve: exec: "serve": executable file not found in $PATH

root@olympus:/home/ryan# docker service logs traefik-forward-auth
no such task or service: traefik-forward-auth
root@olympus:/home/ryan# docker service logs traefik-forward-auth_traefik-forward-auth
traefik-forward-auth_traefik-forward-auth.1.28zcj16r8cmx@olympus    | time="2023-10-18T13:27:27Z" level=fatal msg="404 Not Found: 404 page not found\n"
traefik-forward-auth_traefik-forward-auth.1.dcnz1cv7xewp@olympus    | time="2023-10-18T13:27:21Z" level=fatal msg="404 Not Found: 404 page not found\n"
traefik-forward-auth_traefik-forward-auth.1.yqpk4upeap6k@olympus    | time="2023-10-18T13:27:40Z" level=fatal msg="404 Not Found: 404 page not found\n"
traefik-forward-auth_traefik-forward-auth.1.h886ucugh6ye@olympus    | time="2023-10-18T13:27:33Z" level=fatal msg="404 Not Found: 404 page not found\n"

root@olympus:/home/ryan# docker service logs traefik-forward-auth
no such task or service: traefik-forward-auth
root@olympus:/home/ryan# docker service logs traefik-forward-auth_traefik-forward-auth
traefik-forward-auth_traefik-forward-auth.1.28zcj16r8cmx@olympus    | time="2023-10-18T13:27:27Z" level=fatal msg="404 Not Found: 404 page not found\n"
traefik-forward-auth_traefik-forward-auth.1.dcnz1cv7xewp@olympus    | time="2023-10-18T13:27:21Z" level=fatal msg="404 Not Found: 404 page not found\n"
traefik-forward-auth_traefik-forward-auth.1.yqpk4upeap6k@olympus    | time="2023-10-18T13:27:40Z" level=fatal msg="404 Not Found: 404 page not found\n"
traefik-forward-auth_traefik-forward-auth.1.h886ucugh6ye@olympus    | time="2023-10-18T13:27:33Z" level=fatal msg="404 Not Found: 404 page not found\n"

Hey there! So I thought I'd managed to avoid this issue by using authelia, and all is working well with that so far. In trying to deploy Jellyfin, however, I've come across the same error and I can't avoid it this time: Using the following docker-compose.yml:

version: "3.0"

services:
  jellyfin:
    image: jellyfin/jellyfin
    env_file: /var/data/config/jellyfin/jellyfin.env
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/data/jellyfin:/config
      - /var/data/runtime/jellyfin:/cache
      - /var/data/jellyfin/jellyfin:/config
      - /srv/data/:/data
    deploy:
      labels:
        # traefik common
        - traefik.enable=true
        - traefik.docker.network=traefik_public

        # traefikv1
        - traefik.frontend.rule=Host:jellyfin.example.com
        - traefik.port=8096     

        # traefikv2
        - "traefik.http.routers.jellyfin.rule=Host(`jellyfin.example.com`)"
        - "traefik.http.services.jellyfin.loadbalancer.server.port=8096"
        - "traefik.enable=true"

    networks:
        - traefik_public
    ports:
      - 8096:8096

networks:
  traefik_public:
    external: true

version: "3.0"

services:
  jellyfin:
    image: jellyfin/jellyfin
    env_file: /var/data/config/jellyfin/jellyfin.env
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/data/jellyfin:/config
      - /var/data/runtime/jellyfin:/cache
      - /var/data/jellyfin/jellyfin:/config
      - /srv/data/:/data
    deploy:
      labels:
        # traefik common
        - traefik.enable=true
        - traefik.docker.network=traefik_public

        # traefikv1
        - traefik.frontend.rule=Host:jellyfin.example.com
        - traefik.port=8096     

        # traefikv2
        - "traefik.http.routers.jellyfin.rule=Host(`jellyfin.example.com`)"
        - "traefik.http.services.jellyfin.loadbalancer.server.port=8096"
        - "traefik.enable=true"

    networks:
        - traefik_public
    ports:
      - 8096:8096

networks:
  traefik_public:
    external: true

With the above, the /config is defined twice causing an error, so removing that fixes

version: "3.0"

services:
  jellyfin:
    image: jellyfin/jellyfin
    env_file: /var/data/config/jellyfin/jellyfin.env
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/data/jellyfin:/config
      - /var/data/runtime/jellyfin:/cache
      - /srv/data/:/data
    deploy:
      labels:
        # traefik common
        - traefik.enable=true
        - traefik.docker.network=traefik_public

        # traefikv1
        - traefik.frontend.rule=Host:jellyfin.example.com
        - traefik.port=8096     

        # traefikv2
        - "traefik.http.routers.jellyfin.rule=Host(`jellyfin.example.com`)"
        - "traefik.http.services.jellyfin.loadbalancer.server.port=8096"
        - "traefik.enable=true"

    networks:
        - traefik_public
    ports:
      - 8096:8096

networks:
  traefik_public:
    external: true

version: "3.0"

services:
  jellyfin:
    image: jellyfin/jellyfin
    env_file: /var/data/config/jellyfin/jellyfin.env
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/data/jellyfin:/config
      - /var/data/runtime/jellyfin:/cache
      - /srv/data/:/data
    deploy:
      labels:
        # traefik common
        - traefik.enable=true
        - traefik.docker.network=traefik_public

        # traefikv1
        - traefik.frontend.rule=Host:jellyfin.example.com
        - traefik.port=8096     

        # traefikv2
        - "traefik.http.routers.jellyfin.rule=Host(`jellyfin.example.com`)"
        - "traefik.http.services.jellyfin.loadbalancer.server.port=8096"
        - "traefik.enable=true"

    networks:
        - traefik_public
    ports:
      - 8096:8096

networks:
  traefik_public:
    external: true

The above gives the following error: services.jellyfin.deploy.labels array items[0,6] must be unique This seems to be caused by having

traefik.enable=true

traefik.enable=true

twice within the labels section? However, commenting out one or the other allows the stack to deploy but is unusable and no rules are applied in traefik I'm stuck at this point, and nothing I can find online explains why I'm encountering this error Trying to run this via Portainer gives the same error Does anyone have any idea as to why this is happening, and how to fix it? Updating the jellyfin docker-compose to the following allows things to run locally, but has no traefik rules? I can't understand why they wouldn't be applying

version: "3.8"

services:
  jellyfin:
    image: jellyfin/jellyfin:latest
    container_name: jellyfin
    networks:
      - traefik_public
      - internal
    volumes:
      - /var/data/jellyfin/config:/config
      - /var/data/jellyfin/data:/data
      - /var/data/jellyfin/cache:/cache
#    environment:
#      - JELLYFIN_PublishedServerUrl=https://jellyfin.domain.tld
    user: "root"
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik_public"
      - "traefik.http.routers.jellyfin.rule=Host(`jellyfin.domain.tld`)"
      - "traefik.http.routers.jellyfin.entrypoints=https" 
      - "traefik.http.routers.jellyfin.tls=true"
      - "traefik.http.routers.jellyfin.service=jellyfin"
      - "traefik.http.services.jellyfin.loadbalancer.server.port=8096"
      - "traefik.http.routers.jellyfin.middlewares=authelia"
    ports:
      - "8096:8096"
networks:
  traefik_public:
    external: true
  internal:
    driver: overlay
    ipam:
      config:
        - subnet: 172.16.42.0/24

version: "3.8"

services:
  jellyfin:
    image: jellyfin/jellyfin:latest
    container_name: jellyfin
    networks:
      - traefik_public
      - internal
    volumes:
      - /var/data/jellyfin/config:/config
      - /var/data/jellyfin/data:/data
      - /var/data/jellyfin/cache:/cache
#    environment:
#      - JELLYFIN_PublishedServerUrl=https://jellyfin.domain.tld
    user: "root"
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik_public"
      - "traefik.http.routers.jellyfin.rule=Host(`jellyfin.domain.tld`)"
      - "traefik.http.routers.jellyfin.entrypoints=https" 
      - "traefik.http.routers.jellyfin.tls=true"
      - "traefik.http.routers.jellyfin.service=jellyfin"
      - "traefik.http.services.jellyfin.loadbalancer.server.port=8096"
      - "traefik.http.routers.jellyfin.middlewares=authelia"
    ports:
      - "8096:8096"
networks:
  traefik_public:
    external: true
  internal:
    driver: overlay
    ipam:
      config:
        - subnet: 172.16.42.0/24

funkypenguin | ElfHosted•12mo ago

If you're deploying into docker-swarm, you need your lables to be under the deploy key

RyanJ•12mo ago

Amazing! That fixed it, thank you for taking a look over this - I really appreciate it.

ElfHosted / Funky Penguin Join

ElfHosted is an opensource platform which runs the best selfhosted apps easily, reliably, and securely

2.5KMembers

View on Discord

Want results from more Discord servers?

Add your server