goauthentik/authentik

Proxy Outpost no longer works after changing server URL

rdmchr opened this issue · 0 comments

Describe the bug
I have two Authentik Proxy outposts deployed: one on the server that is hosting Authentik and one on another server. During a migration I noticed that changing my TLD would cause both proxies to malfunction (see screenshot below). Both of them seem to be able to connect to my Authentik server fine (see screenshot below), but handling requests does not work.

To Reproduce
Steps to reproduce the behavior:

  1. Create a new Authentik instance with a proxy outpost (I used Traefik as my reverse proxy)
  2. Verify that you can access a service that is protected with the Authentik middleware (you can use the Traefik dashboard)
  3. Stop Authentik & Traefik, change the domain (I switched TLD), start the services again
  4. You won't be able to access the dashboard

Expected behavior
There should be some kind of way to migrate domains, or this should be handled automatically.

Screenshots
Opening a misbehaving page:
[screenshot]

Outposts seem to be connected:
[screenshot]

Logs
Proxy log output:

authentik-proxy  | {"event":"Loaded config","level":"debug","path":"inbuilt-default","timestamp":"2024-06-09T21:32:01Z"}
authentik-proxy  | {"event":"Loaded config from environment","level":"debug","timestamp":"2024-06-09T21:32:01Z"}
authentik-proxy  | {"event":"not enabling debug server, set `AUTHENTIK_DEBUG` to `true` to enable it.","level":"info","logger":"authentik.go_debugger","timestamp":"2024-06-09T21:32:01Z"}
authentik-proxy  | {"event":"Successfully connected websocket","level":"info","logger":"authentik.outpost.ak-ws","outpost":"b1ff61cd-076e-40c8-85e4-50a35edbd164","timestamp":"2024-06-09T21:32:01Z"}
authentik-proxy  | {"event":"Starting Metrics server","level":"info","listen":"0.0.0.0:9300","logger":"authentik.outpost.metrics","timestamp":"2024-06-09T21:32:02Z"}
authentik-proxy  | {"event":"Starting HTTP server","level":"info","listen":"0.0.0.0:9000","logger":"authentik.outpost.proxyv2","timestamp":"2024-06-09T21:32:02Z"}
authentik-proxy  | {"event":"Starting HTTPS server","level":"info","listen":"0.0.0.0:9443","logger":"authentik.outpost.proxyv2","timestamp":"2024-06-09T21:32:02Z"}
authentik-proxy  | {"event":"Starting authentik outpost","hash":"tagged","level":"info","logger":"authentik.outpost","timestamp":"2024-06-09T21:32:03Z","version":"2024.4.2"}
authentik-proxy  | {"event":"No state saved in session","level":"warning","logger":"authentik.outpost.proxyv2.application","name":"Provider for dns.XXXX.dev","timestamp":"2024-06-09T21:32:06Z"}
authentik-proxy  | {"event":"/outpost.goauthentik.io/auth/traefik","host":"dns.XXXX.dev","level":"info","logger":"authentik.outpost.proxyv2.application","method":"GET","name":"Provider for dns.XXXX.dev","remote":"172.18.0.2:34254","runtime":"0.515","scheme":"http","size":49,"status":302,"timestamp":"2024-06-09T21:32:06Z","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36"}
authentik-proxy  | {"event":"/outpost.goauthentik.io/auth/traefik","host":"dns.XXXX.dev","level":"info","logger":"authentik.outpost.proxyv2.application","method":"GET","name":"Provider for dns.XXXX.dev","remote":"172.18.0.2:34254","runtime":"0.809","scheme":"http","size":364,"status":302,"timestamp":"2024-06-09T21:32:06Z","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36"}
authentik-proxy  | {"error":"oauth2: cannot fetch token: 404 Not Found\nResponse: 404 page not found\n","event":"failed to redeem code","level":"warning","logger":"authentik.outpost.proxyv2.application","name":"Provider for dns.XXXX.dev","timestamp":"2024-06-09T21:32:07Z"}
authentik-proxy  | {"event":"/outpost.goauthentik.io/auth/traefik","host":"dns.XXXX.dev","level":"info","logger":"authentik.outpost.proxyv2.application","method":"GET","name":"Provider for dns.XXXX.dev","remote":"172.18.0.2:34254","runtime":"1.090","scheme":"http","size":0,"status":400,"timestamp":"2024-06-09T21:32:07Z","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36"}

Version and Deployment (please complete the following information):

  • authentik version: 2024.4.2
  • Traefik: v3.0
  • Deployment: Docker Compose version v2.27.0
Client: Docker Engine - Community
 Version:           26.1.3
 API version:       1.45
 Go version:        go1.21.10
 Git commit:        b72abbb
 Built:             Thu May 16 08:33:25 2024
 OS/Arch:           linux/arm64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          26.1.3
  API version:      1.45 (minimum version 1.24)
  Go version:       go1.21.10
  Git commit:       8e96db1
  Built:            Thu May 16 08:33:25 2024
  OS/Arch:          linux/arm64
  Experimental:     false
 containerd:
  Version:          1.6.32
  GitCommit:        8b3b7ca2e5ce38e8f31a34f35b2b68ceb8470d89
 runc:
  Version:          1.1.12
  GitCommit:        v1.1.12-0-g51d5e94
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

Additional context
Authentik Proxy snippet from my docker-compose.yml (the one that runs on the same server as Authentik)

  authentik-proxy:
    image: ghcr.io/goauthentik/proxy
    container_name: authentik-proxy
    networks:
      - authentik
      - traefik
    environment:
      AUTHENTIK_HOST: https://sso.XXXX.church
      AUTHENTIK_INSECURE: "true"
      AUTHENTIK_TOKEN: XXXX
    labels:
      - "traefik.enable=true"
      - "traefik.port=9000"
      - "traefik.http.routers.authentik.rule=HostRegexp(`{subdomain:[A-Za-z0-9](?:[A-Za-z0-9\\-]{0,61}[A-Za-z0-9])?}.XXXX.cool`) && PathPrefix(`/outpost.goauthentik.io/`)"  # <-- Tweaking this domain didn't help
      - "traefik.http.routers.authentik.entrypoints=websecure"
      - "traefik.http.routers.authentik.tls.certresolver=le"
      # `authentik-proxy` refers to the service name in the compose file.
      - "traefik.http.middlewares.authentik.forwardauth.address=http://authentik-proxy:9000/outpost.goauthentik.io/auth/traefik"
      - "traefik.http.middlewares.authentik.forwardauth.trustForwardHeader=true"
      - "traefik.http.middlewares.authentik.forwardauth.authResponseHeaders=X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version"
    restart: unless-stopped

Authentik Server snippet from my docker-compose.yml

  server:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.4.2}
    container_name: authentik-server
    networks:
      - authentik
      - traefik
    restart: unless-stopped
    command: server
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    volumes:
      - ./media:/media
      - ./custom-templates:/templates
    env_file:
      - .env
    depends_on:
      - postgresql
      - redis
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik"
      - "traefik.http.services.authentik-server.loadbalancer.server.port=9000"

      - "traefik.http.routers.authentik-server.rule=Host(`sso.XXXX.church`)"
      - "traefik.http.routers.authentik-server.entrypoints=websecure"
      - "traefik.http.routers.authentik-server.tls.certresolver=le"
      - "traefik.http.routers.authentik-server.service=authentik-server"
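A log-triage helper, added here as an example and not part of the issue or of authentik's own code: it parses the JSON records in the proxy output quoted above (the sample lines are constructed from the ones in the report) and, for each provider that logged "failed to redeem code", reports the HTTP status the token endpoint answered with, the forward-auth responses seen for that provider, and whether the outpost websocket was connected. That separates "outpost can reach authentik" from "browser-facing OAuth2 code redemption fails", which is the distinction to check after a domain change.

```python
import json
import re

# Constructed sample, modelled on the proxy log lines quoted in the issue
# (same redacted hostnames; a raw string keeps the JSON "\n" escapes intact).
SAMPLE_LOG = r"""
authentik-proxy  | {"event":"Successfully connected websocket","level":"info","logger":"authentik.outpost.ak-ws","outpost":"b1ff61cd-076e-40c8-85e4-50a35edbd164","timestamp":"2024-06-09T21:32:01Z"}
authentik-proxy  | {"event":"/outpost.goauthentik.io/auth/traefik","host":"dns.XXXX.dev","level":"info","logger":"authentik.outpost.proxyv2.application","method":"GET","name":"Provider for dns.XXXX.dev","status":302,"timestamp":"2024-06-09T21:32:06Z"}
authentik-proxy  | {"error":"oauth2: cannot fetch token: 404 Not Found\nResponse: 404 page not found\n","event":"failed to redeem code","level":"warning","logger":"authentik.outpost.proxyv2.application","name":"Provider for dns.XXXX.dev","timestamp":"2024-06-09T21:32:07Z"}
authentik-proxy  | {"event":"/outpost.goauthentik.io/auth/traefik","host":"dns.XXXX.dev","level":"info","logger":"authentik.outpost.proxyv2.application","method":"GET","name":"Provider for dns.XXXX.dev","status":400,"timestamp":"2024-06-09T21:32:07Z"}
"""

TOKEN_STATUS_RE = re.compile(r"cannot fetch token: (\d{3})")
FORWARD_AUTH_PATH = "/outpost.goauthentik.io/auth/traefik"


def parse_proxy_log(text):
    """Strip the compose 'service | ' prefix and decode each JSON log record."""
    events = []
    for line in text.splitlines():
        start = line.find("{")
        if start < 0:
            continue
        try:
            events.append(json.loads(line[start:]))
        except json.JSONDecodeError:
            continue  # not a structured record, skip it
    return events


def triage_redeem_failures(events):
    """Per provider with a 'failed to redeem code' warning: token-endpoint status,
    forward-auth statuses for that provider, and whether the websocket connected."""
    ws_connected = any(e.get("event") == "Successfully connected websocket" for e in events)
    findings = {}
    for ev in events:
        if ev.get("event") != "failed to redeem code":
            continue
        name = ev.get("name", "<unknown provider>")
        match = TOKEN_STATUS_RE.search(ev.get("error", ""))
        findings[name] = {
            "token_endpoint_status": int(match.group(1)) if match else None,
            "forward_auth_statuses": [e.get("status") for e in events
                                      if e.get("name") == name and e.get("event") == FORWARD_AUTH_PATH],
            "outpost_connected": ws_connected,
        }
    return findings
```

On the sample above this yields a connected outpost whose token redemption got a 404 while the forward-auth endpoint went 302 then 400, i.e. the pattern the reporter's logs show.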