dex deploy - array items must be unique?

Hi there @Darth-Penguini and friends! I'm encountering a strange error when attempting to deploy dex, after following instructions here: https://geek-cookbook.funkypenguin.co.nz/docker-swarm/traefik-forward-auth/dex-static/
Running the following:
docker stack deploy dex -c /var/data/dex/dex.yml
Gives me the following error:
services.whoami.deploy.labels array items[3,9] must be unique
My labels, from /var/data/dex/dex.yml, are as follows (domain.tld being replaced by my actual domain):
  # This simply validates that traefik forward authentication is working
  whoami:
    image: containous/whoami
    networks:
      - traefik_public
    deploy:
      labels:
        # traefik
        - "traefik.enable=true"
        - "traefik.docker.network=traefik_public"

        # traefikv1
        - "traefik.frontend.rule=Host:whoami.domain.tld"
        - "traefik.http.services.whoami.loadbalancer.server.port=80"
        - "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
        - "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
        - "traefik.frontend.auth.forward.trustForwardHeader=true"

        # traefikv2
        - "traefik.http.routers.whoami.rule=Host(`whoami.domain.tld`)"
        - "traefik.http.routers.whoami.entrypoints=https"
        - "traefik.http.services.whoami.loadbalancer.server.port=80"
        - "traefik.http.routers.whoami.middlewares=forward-auth"

networks:
  traefik_public:
    external: true
I've double checked spelling and searched for hours but I'm stuck and unable to progress past this point. Any help on figuring this out would be greatly appreciated.
SSO with traefik forward auth and Dex - Funky Penguin's Geek Cookbook
Traefik forward auth needs an authentication backend, but if you don't want to use a cloud provider, you can setup your own simple OIDC backend, using Dex.
funkypenguin | ElfHosted
👋 @ryanjolliffe
weird, I sure don't see any duplicate labels there
are you using traefik v2?
RyanJ (13mo ago)
I am, yes. It's very strange.
funkypenguin | ElfHosted
so what if you comment out the v1 labels in case?
RyanJ (13mo ago)
Then I get: poorly formatted environment: variable 'DEFAULT_PROVIDER: oidc' contains whitespaces
funkypenguin | ElfHosted
gah, what does your .env look like?
RyanJ (13mo ago)
/var/data/config/traefik-forward-auth/traefik-forward-auth.env is as follows:
DEFAULT_PROVIDER: oidc
PROVIDERS_OIDC_CLIENT_ID: ryan # This is the staticClients.id value in config.yml above
PROVIDERS_OIDC_CLIENT_SECRET: authsecret # This is the staticClients.secret value in config.yml above
PROVIDERS_OIDC_ISSUER_URL: https://dex.domain.tld # This is the issuer value in config.yml above, and it has to be reachable via a browser
SECRET: noneofthisreallymatters # Make this up. It's not configured anywhere else
AUTH_HOST: auth.domain.tld # This should match the value of the traefik hosts labels in Traefik Forward Auth
COOKIE_DOMAIN: domain.tld # This should match your base domain
Apologies, the formatting is slightly incorrect compared to what I see. The comments (#) are all aligned when viewing in nano.
funkypenguin | ElfHosted
I think your env syntax is wrong
try something like this:
DEFAULT_PROVIDER=oidc
RyanJ (13mo ago)
should I do that for all values?
funkypenguin | ElfHosted
yep, and then you should rightly complain that the docs show it differently
RyanJ (13mo ago)
lol I didn't want to say it
Okay, so with v1 still commented out it appears to run:
root@olympus:/home/ryan# docker stack deploy dex -c /var/data/dex/dex.yml
Creating service dex_whoami
Creating service dex_traefik-forward-auth
funkypenguin | ElfHosted
cool, I shall fix my shoddy docs
RyanJ (13mo ago)
Do I need to uncomment the v1 and retry?
funkypenguin | ElfHosted
no, we don't really need v1 at all anymore, nobody should be using it
RyanJ (13mo ago)
Ah okay, I see! Thank you so much for that, I really appreciate the assistance 🙂
funkypenguin | ElfHosted
np, thanks for the quality-control check 🙂
fix pushed, new version building now...
RyanJ (13mo ago)
Wow, that's awesome. Thank you for the whole guide btw, it's such a good resource.
RyanJ (13mo ago)
I'm still very new to docker and swarms in general, but your guide is the best I've found. I'm going to get back to configuring this machine, and hopefully the next time I swing by will be to say it was all a huge success!
Damn, I was really hoping to get further lol
middleware "forward-auth@docker" does not exist
root@olympus:/home/ryan# docker stack ps traefik-forward-auth
ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS
v79whj5np10e traefik-forward-auth_traefik-forward-auth.1 thomseddon/traefik-forward-auth:2.2.0 olympus Ready Assigned less than a second ago
xgclawycyq8d \_ traefik-forward-auth_traefik-forward-auth.1 thomseddon/traefik-forward-auth:2.2.0 olympus Shutdown Rejected 4 seconds ago "invalid mount config for type…"
kotagm9oxf53 \_ traefik-forward-auth_traefik-forward-auth.1 thomseddon/traefik-forward-auth:2.2.0 olympus Shutdown Rejected 9 seconds ago "invalid mount config for type…"
3zb7pxtd1rwi \_ traefik-forward-auth_traefik-forward-auth.1 thomseddon/traefik-forward-auth:2.2.0 olympus Shutdown Rejected 14 seconds ago "invalid mount config for type…"
l0sa70oqivvu \_ traefik-forward-auth_traefik-forward-auth.1 thomseddon/traefik-forward-auth:2.2.0 olympus Shutdown Rejected 19 seconds ago "invalid mount config for type…"
1uw577q6orum \_ traefik-forward-auth_traefik-forward-auth.1 thomseddon/traefik-forward-auth:2.2.0 olympus Shutdown Rejected 25 seconds ago "invalid mount config for type…"
88oe773m2fcs traefik-forward-auth_whoami.1 containous/whoami:latest olympus Running Running 7 minutes ago
It appears to deploy, but shows an error in the traefik dash and ps shows "invalid mount config for type…" error.
I created /var/data/config/traefik-forward-auth/config.ini and chmod'd to 600, which seems to fix the mounting error, but now I get a non-zero
root@olympus:/home/ryan# docker stack ps traefik-forward-auth
ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS
ldbzhye9muxm traefik-forward-auth_traefik-forward-auth.1 thomseddon/traefik-forward-auth:2.2.0 olympus Ready Ready 2 seconds ago
656n8kqn872l \_ traefik-forward-auth_traefik-forward-auth.1 thomseddon/traefik-forward-auth:2.2.0 olympus Shutdown Failed 3 seconds ago "task: non-zero exit (1)"
hxviko4kk6ic \_ traefik-forward-auth_traefik-forward-auth.1 thomseddon/traefik-forward-auth:2.2.0 olympus Shutdown Failed 10 seconds ago "task: non-zero exit (1)"
b0yp8nxz0kwo \_ traefik-forward-auth_traefik-forward-auth.1 thomseddon/traefik-forward-auth:2.2.0 olympus Shutdown Failed 16 seconds ago "task: non-zero exit (1)"
wvhy9mo5mav6 \_ traefik-forward-auth_traefik-forward-auth.1 thomseddon/traefik-forward-auth:2.2.0 olympus Shutdown Failed 23 seconds ago "task: non-zero exit (1)"
88oe773m2fcs traefik-forward-auth_whoami.1 containous/whoami:latest olympus Running Running 19 minutes ago
funkypenguin | ElfHosted
Sorry, distracted with kids and dinner, will circle back in 4h or so 🙂
RyanJ (13mo ago)
Hey, any response is above and beyond what I'd hope for - apologies for bothering you! This is a personal project with no real stakes; I wouldn't want to distract you from your family 🙂 I appreciate all the help already 🙏
funkypenguin | ElfHosted
mmm, TFA can be a PITA to debug, IIRC it just exits without logging if it's unhappy with your OIDC config
I think there's a way to add debugging, checking... aah, here it is. Try adding an env var LOG_LEVEL to TFA, set to debug
RyanJ (13mo ago)
Thank you! I stopped the stack/services and added that to "/var/data/traefik-forward-auth/traefik-forward-auth.yml", then deployed again
whoops, wrong paste
funkypenguin | ElfHosted
now you can run docker service logs traefik-forward-auth and hopefully see why it's unhappy...
RyanJ (13mo ago)
"/var/data/config/traefik-forward-auth/traefik-forward-auth.env"
root@olympus:/home/ryan# docker stack ls
NAME SERVICES
dex 2
traefik 1
traefik-forward-auth 2
traefikv2 1
root@olympus:/home/ryan# docker service logs traefik-forward-auth
no such task or service: traefik-forward-auth
My .env is as follows:
GNU nano 6.2 /var/data/config/traefik-forward-auth/traefik-forward-auth.env
DEFAULT_PROVIDER=oidc
PROVIDERS_OIDC_CLIENT_ID=ryan # This is the staticClients.id value in config.yml above
PROVIDERS_OIDC_CLIENT_SECRET=authsecret # This is the staticClients.secret value in config.yml above
PROVIDERS_OIDC_ISSUER_URL=https://dex.phrontistes.link # This is the issuer value in config.yml above, and it has to be reachable via a browser
SECRET=noneofthisreallymatters # Make this up. It's not configured anywhere else
AUTH_HOST=auth.phrontistes.link # This should match the value of the traefik hosts labels in Traefik Forward Auth
COOKIE_DOMAIN=phrontistes.link # This should match your base domain
LOG_LEVEL=debug
funkypenguin | ElfHosted
ah, sorry, bad syntax
try docker service logs traefik-forward-auth_traefik-forward-auth
RyanJ (13mo ago)
root@olympus:/home/ryan# docker service logs traefik-forward-auth_traefik-forward-auth
traefik-forward-auth_traefik-forward-auth.1.z7foqqcofdpl@olympus | time="2023-10-18T09:17:11Z" level=fatal msg="parse https://dex.domain.tld : invalid character \" \" in host name"
traefik-forward-auth_traefik-forward-auth.1.4fdslepduuxx@olympus | time="2023-10-18T09:16:59Z" level=fatal msg="parse https://dex.domain.tld : invalid character \" \" in host name"
traefik-forward-auth_traefik-forward-auth.1.ke2gxg0klu03@olympus | time="2023-10-18T09:17:18Z" level=fatal msg="parse https://dex.domain.tld : invalid character \" \" in host name"
traefik-forward-auth_traefik-forward-auth.1.t2ziu4uqp42h@olympus | time="2023-10-18T09:17:05Z" level=fatal msg="parse https://dex.domain.tld : invalid character \" \" in host name"
funkypenguin | ElfHosted
aha
try moving the comments to the line above/below the env vars, and then making sure each ENV var has no whitespace after it
my CI instance looks like this:
root@raphael:/var/data/config/traefik-forward-auth# cat traefik-forward-auth.env
DEFAULT_PROVIDER=oidc
PROVIDERS_OIDC_CLIENT_ID=foo
PROVIDERS_OIDC_CLIENT_SECRET=bar
PROVIDERS_OIDC_ISSUER_URL=https://dex.elpenguino.be
AUTH_HOST=auth.elpenguino.be
COOKIE_DOMAIN=elpenguino.be
SECRET=imtoosexyformyshorts
root@raphael:/var/data/config/traefik-forward-auth#
RyanJ (13mo ago)
Unfortunately I'm still getting the following:
root@olympus:/home/ryan# docker stack ps traefik-forward-auth
ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS
1alnpym57m2q traefik-forward-auth_traefik-forward-auth.1 thomseddon/traefik-forward-auth:2.2.0 olympus Running Running less than a second ago
8177g4s520oe \_ traefik-forward-auth_traefik-forward-auth.1 thomseddon/traefik-forward-auth:2.2.0 olympus Shutdown Failed 6 seconds ago "task: non-zero exit (1)"
pjvn7tcgbwm0 \_ traefik-forward-auth_traefik-forward-auth.1 thomseddon/traefik-forward-auth:2.2.0 olympus Shutdown Failed 12 seconds ago "task: non-zero exit (1)"
z8h6ce6964gb \_ traefik-forward-auth_traefik-forward-auth.1 thomseddon/traefik-forward-auth:2.2.0 olympus Shutdown Failed 18 seconds ago "task: non-zero exit (1)"
vo8vw7mctt0g \_ traefik-forward-auth_traefik-forward-auth.1 thomseddon/traefik-forward-auth:2.2.0 olympus Shutdown Failed 25 seconds ago "task: non-zero exit (1)"
3xb3wehz9d5e traefik-forward-auth_whoami.1 containous/whoami:latest olympus Running Running 2 minutes ago
Though the whoami@docker entry has appeared in HTTP Services (traefik dashboard), but I'm still getting a
middleware "forward-auth@docker" does not exist
error in HTTP Routers
funkypenguin | ElfHosted
it may be that unless it's actually working, traefik won't consider it to be valid
RyanJ (13mo ago)
Damn. Is there any way to get more debugging info about what specifically is failing?
funkypenguin | ElfHosted
what does your env look like now? and what's the output of docker service logs traefik-forward-auth_traefik-forward-auth ?
RyanJ (13mo ago)
.env:
DEFAULT_PROVIDER=oidc
PROVIDERS_OIDC_CLIENT_ID=ryan
# This is the staticClients.id value in config.yml above
PROVIDERS_OIDC_CLIENT_SECRET=authsecret
# This is the staticClients.secret value in config.yml above
PROVIDERS_OIDC_ISSUER_URL=https://dex.domain.tld
# This is the issuer value in config.yml above, and it has to be reachable via a browser
SECRET=noneofthisreallymatters
# Make this up. It's not configured anywhere else
AUTH_HOST=auth.domain.tld
# This should match the value of the traefik hosts labels in Traefik Forward Auth
COOKIE_DOMAIN=domain.tld
# This should match your base domain
LOG_LEVEL=debug
Running the command gives:
root@olympus:/home/ryan# docker service logs traefik-forward-auth_traefik-forward-auth
traefik-forward-auth_traefik-forward-auth.1.wyeh93w0l0qt@olympus | time="2023-10-18T09:31:16Z" level=fatal msg="404 Not Found: 404 page not found\n"
traefik-forward-auth_traefik-forward-auth.1.qtd72n6eelra@olympus | time="2023-10-18T09:31:10Z" level=fatal msg="404 Not Found: 404 page not found\n"
traefik-forward-auth_traefik-forward-auth.1.foiqckucg6th@olympus | time="2023-10-18T09:31:03Z" level=fatal msg="404 Not Found: 404 page not found\n"
traefik-forward-auth_traefik-forward-auth.1.htaflitodk05@olympus | time="2023-10-18T09:30:53Z" level=fatal msg="404 Not Found: 404 page not found\n"
funkypenguin | ElfHosted
interesting, what do you get at https://dex.domain.tld ?
RyanJ (13mo ago)
I get a
404 page not found
funkypenguin | ElfHosted
right, so fix that next 🙂
what does the traefik dashboard say about it?
RyanJ (13mo ago)
funkypenguin | ElfHosted
yeah, but what does it say about dex?
RyanJ (13mo ago)
There's no mention of dex at all
root@olympus:/home/ryan# docker stack ps dex
ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS
4mxre3b73u12 dex_traefik-forward-auth.1 thomseddon/traefik-forward-auth:2.2.0 olympus Running Starting less than a second ago
p60xm1901h8z \_ dex_traefik-forward-auth.1 thomseddon/traefik-forward-auth:2.2.0 olympus Shutdown Failed 5 seconds ago "task: non-zero exit (1)"
rx5dcucxe2rc \_ dex_traefik-forward-auth.1 thomseddon/traefik-forward-auth:2.2.0 olympus Shutdown Failed 11 seconds ago "task: non-zero exit (1)"
rwhwtiw47lds \_ dex_traefik-forward-auth.1 thomseddon/traefik-forward-auth:2.2.0 olympus Shutdown Failed 18 seconds ago "task: non-zero exit (1)"
3l2tx9nggdtj \_ dex_traefik-forward-auth.1 thomseddon/traefik-forward-auth:2.2.0 olympus Shutdown Failed 24 seconds ago "task: non-zero exit (1)"
hu57a0frj7fu dex_whoami.1 containous/whoami:latest olympus Running Running 8 hours ago
funkypenguin | ElfHosted
mmm, do you have dex.yml?
RyanJ (12mo ago)
Apologies, when the kids call you must obey 😅
/var/data/dex/dex.yml is as follows:
version: "3.2"

services:

  traefik-forward-auth:
    image: thomseddon/traefik-forward-auth:2.2.0
    env_file: /var/data/config/traefik-forward-auth/traefik-forward-auth.env
    volumes:
      - /var/data/config/traefik-forward-auth/config.ini:/config.ini:ro
    networks:
      - traefik_public
    deploy:
      labels:
        # traefikv1
        - "traefik.port=4181"
        - "traefik.frontend.rule=Host:auth.domain.tld"
        - "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
        - "traefik.frontend.auth.forward.trustForwardHeader=true"

        # traefikv2
        - "traefik.docker.network=traefik_public"
        - "traefik.http.routers.auth.rule=Host(`auth.domain.tld`)"
        - "traefik.http.routers.auth.entrypoints=https"
        - "traefik.http.routers.auth.tls=true"
        - "traefik.http.routers.auth.tls.domains[0].main=domain.tld"
        - "traefik.http.routers.auth.tls.domains[0].sans=*.domain.tld"
        - "traefik.http.routers.auth.tls.certresolver=main"
        - "traefik.http.routers.auth.service=auth@docker"
        - "traefik.http.services.auth.loadbalancer.server.port=4181"
        - "traefik.http.middlewares.forward-auth.forwardauth.address=http://traefik-forward-auth:4181"
        - "traefik.http.middlewares.forward-auth.forwardauth.trustForwardHeader=true"
        - "traefik.http.middlewares.forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User"
        - "traefik.http.routers.auth.middlewares=forward-auth"
  # This simply validates that traefik forward authentication is working
  whoami:
    image: containous/whoami
    networks:
      - traefik_public
    deploy:
      labels:
        # traefik
        - "traefik.enable=true"
        - "traefik.docker.network=traefik_public"

        # traefikv1
        # - "traefik.frontend.rule=Host:whoami.domain.tld"
        # - "traefik.http.services.whoami.loadbalancer.server.port=80"
        # - "traefik.frontend.auth.forward.address=http://traefik-forward-auth:4181"
        # - "traefik.frontend.auth.forward.authResponseHeaders=X-Forwarded-User"
        # - "traefik.frontend.auth.forward.trustForwardHeader=true"

        # traefikv2
        - "traefik.http.routers.whoami.rule=Host(`whoami.domain.tld`)"
        - "traefik.http.routers.whoami.entrypoints=https"
        - "traefik.http.services.whoami.loadbalancer.server.port=80"
        - "traefik.http.routers.whoami.middlewares=forward-auth"

networks:
  traefik_public:
    external: true
root@olympus:/home/ryan# docker service logs dex_dex
dex_dex.1.ukpfpg1wqx9v@olympus | error: cannot lookup path for command serve: exec: "serve": executable file not found in $PATH
dex_dex.1.c8u2m77c9kt1@olympus | error: cannot lookup path for command serve: exec: "serve": executable file not found in $PATH
dex_dex.1.i81z0ayq52jz@olympus | error: cannot lookup path for command serve: exec: "serve": executable file not found in $PATH
dex_dex.1.sayeuy0i3ten@olympus | error: cannot lookup path for command serve: exec: "serve": executable file not found in $PATH
dex_dex.1.31icur7fsig5@olympus | error: cannot lookup path for command serve: exec: "serve": executable file not found in $PATH
root@olympus:/home/ryan# docker service logs traefik-forward-auth
no such task or service: traefik-forward-auth
root@olympus:/home/ryan# docker service logs traefik-forward-auth_traefik-forward-auth
traefik-forward-auth_traefik-forward-auth.1.28zcj16r8cmx@olympus | time="2023-10-18T13:27:27Z" level=fatal msg="404 Not Found: 404 page not found\n"
traefik-forward-auth_traefik-forward-auth.1.dcnz1cv7xewp@olympus | time="2023-10-18T13:27:21Z" level=fatal msg="404 Not Found: 404 page not found\n"
traefik-forward-auth_traefik-forward-auth.1.yqpk4upeap6k@olympus | time="2023-10-18T13:27:40Z" level=fatal msg="404 Not Found: 404 page not found\n"
traefik-forward-auth_traefik-forward-auth.1.h886ucugh6ye@olympus | time="2023-10-18T13:27:33Z" level=fatal msg="404 Not Found: 404 page not found\n"
Hey there! So I thought I'd managed to avoid this issue by using authelia, and all is working well with that so far. In trying to deploy Jellyfin, however, I've come across the same error and I can't avoid it this time: Using the following docker-compose.yml:
version: "3.0"

services:
  jellyfin:
    image: jellyfin/jellyfin
    env_file: /var/data/config/jellyfin/jellyfin.env
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/data/jellyfin:/config
      - /var/data/runtime/jellyfin:/cache
      - /var/data/jellyfin/jellyfin:/config
      - /srv/data/:/data
    deploy:
      labels:
        # traefik common
        - traefik.enable=true
        - traefik.docker.network=traefik_public

        # traefikv1
        - traefik.frontend.rule=Host:jellyfin.example.com
        - traefik.port=8096

        # traefikv2
        - "traefik.http.routers.jellyfin.rule=Host(`jellyfin.example.com`)"
        - "traefik.http.services.jellyfin.loadbalancer.server.port=8096"
        - "traefik.enable=true"

    networks:
      - traefik_public
    ports:
      - 8096:8096

networks:
  traefik_public:
    external: true
With the above, the /config is defined twice causing an error, so removing that fixes
version: "3.0"

services:
  jellyfin:
    image: jellyfin/jellyfin
    env_file: /var/data/config/jellyfin/jellyfin.env
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/data/jellyfin:/config
      - /var/data/runtime/jellyfin:/cache
      - /srv/data/:/data
    deploy:
      labels:
        # traefik common
        - traefik.enable=true
        - traefik.docker.network=traefik_public

        # traefikv1
        - traefik.frontend.rule=Host:jellyfin.example.com
        - traefik.port=8096

        # traefikv2
        - "traefik.http.routers.jellyfin.rule=Host(`jellyfin.example.com`)"
        - "traefik.http.services.jellyfin.loadbalancer.server.port=8096"
        - "traefik.enable=true"

    networks:
      - traefik_public
    ports:
      - 8096:8096

networks:
  traefik_public:
    external: true
The above gives the following error:
services.jellyfin.deploy.labels array items[0,6] must be unique
This seems to be caused by having
traefik.enable=true
twice within the labels section? However, commenting out one or the other allows the stack to deploy but is unusable and no rules are applied in traefik.

I'm stuck at this point, and nothing I can find online explains why I'm encountering this error. Trying to run this via Portainer gives the same error. Does anyone have any idea as to why this is happening, and how to fix it?

Updating the jellyfin docker-compose to the following allows things to run locally, but has no traefik rules? I can't understand why they wouldn't be applying:
version: "3.8"

services:
  jellyfin:
    image: jellyfin/jellyfin:latest
    container_name: jellyfin
    networks:
      - traefik_public
      - internal
    volumes:
      - /var/data/jellyfin/config:/config
      - /var/data/jellyfin/data:/data
      - /var/data/jellyfin/cache:/cache
    # environment:
    #   - JELLYFIN_PublishedServerUrl=https://jellyfin.domain.tld
    user: "root"
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik_public"
      - "traefik.http.routers.jellyfin.rule=Host(`jellyfin.domain.tld`)"
      - "traefik.http.routers.jellyfin.entrypoints=https"
      - "traefik.http.routers.jellyfin.tls=true"
      - "traefik.http.routers.jellyfin.service=jellyfin"
      - "traefik.http.services.jellyfin.loadbalancer.server.port=8096"
      - "traefik.http.routers.jellyfin.middlewares=authelia"
    ports:
      - "8096:8096"
networks:
  traefik_public:
    external: true
  internal:
    driver: overlay
    ipam:
      config:
        - subnet: 172.16.42.0/24
funkypenguin | ElfHosted
If you're deploying into docker-swarm, you need your labels to be under the deploy key
RyanJ, 12mo ago
Amazing! That fixed it, thank you for taking a look over this - I really appreciate it.
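
Added example, not part of the thread or of the recipe it follows: a small pre-deploy check over an already parsed compose service that flags the problems discussed above (duplicate `deploy.labels` items, Traefik labels outside `deploy`, two mounts on one container path) plus a published port sitting next to an auth middleware. The function names, rule names and the `FIRST`/`LAST` samples are assumptions made for illustration; the samples are constructed from the jellyfin files posted in the thread.

```python
from collections import defaultdict

def as_list(labels):
    """Compose accepts labels as a list of 'key=value' strings or as a mapping."""
    if isinstance(labels, dict):
        return [f"{k}={v}" for k, v in labels.items()]
    return [str(item) for item in (labels or [])]

def lint_service(name, svc):
    """Return (rule, detail) findings for one parsed service definition."""
    findings = []
    deploy_labels = as_list((svc.get("deploy") or {}).get("labels"))
    service_labels = as_list(svc.get("labels"))
    # Quotes vanish when YAML is parsed, so "traefik.enable=true" and
    # traefik.enable=true are the same array item and fail the uniqueness check.
    positions = defaultdict(list)
    for index, label in enumerate(deploy_labels):
        positions[label].append(index)
    for label, idx in positions.items():
        if len(idx) > 1:
            where = ",".join(map(str, idx))
            findings.append(("duplicate-label",
                             f"services.{name}.deploy.labels items[{where}] {label}"))
    # In swarm the routing labels belong under deploy (the fix given in the thread).
    stray = [l for l in service_labels if l.startswith("traefik.")]
    if stray:
        findings.append(("labels-outside-deploy",
                         f"{len(stray)} traefik labels on services.{name}.labels"))
    # Two sources mounted on one container path (the /config case in the thread).
    targets = defaultdict(list)
    for volume in svc.get("volumes") or []:
        parts = volume.split(":") if isinstance(volume, str) else []
        if len(parts) >= 2:
            targets[parts[1]].append(parts[0])
    for target, sources in targets.items():
        if len(sources) > 1:
            findings.append(("duplicate-mount", f"{target} <- {sources}"))
    # A published port is reachable without passing the proxy's auth middleware.
    if svc.get("ports") and any(".middlewares=" in l for l in deploy_labels + service_labels):
        findings.append(("port-bypasses-middleware", f"ports {svc['ports']}"))
    return findings

# Constructed samples: the first and the last jellyfin service from the thread, as parsed YAML.
FIRST = {"ports": ["8096:8096"],
         "volumes": ["/var/data/jellyfin:/config", "/var/data/jellyfin/jellyfin:/config"],
         "deploy": {"labels": ["traefik.enable=true", "traefik.docker.network=traefik_public",
             "traefik.frontend.rule=Host:jellyfin.example.com", "traefik.port=8096",
             "traefik.http.routers.jellyfin.rule=Host(`jellyfin.example.com`)",
             "traefik.http.services.jellyfin.loadbalancer.server.port=8096",
             "traefik.enable=true"]}}
LAST = {"ports": ["8096:8096"],
        "labels": ["traefik.enable=true", "traefik.http.routers.jellyfin.middlewares=authelia"]}
```

Calling `lint_service("jellyfin", FIRST)` reports the same `items[0,6]` pair that `docker stack deploy` rejected; for a real file, pass each entry of the `services` mapping after loading the YAML.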