Receiving 502 on https://auth.example.org, with no debug message on log #7319
-
I am trying to set up Authelia with Traefik, but I have been stuck on a 502 for hours with no debug message to troubleshoot. So hoping anyone here can show me where to look for help.

docker-compose.yml

```yaml
version: '3.7'
services:
  # =============================================================
  #
  # TRAEFIK - reverse proxy
  #
  # =============================================================
  reverse-proxy:
    image: traefik:v2.11
    command:
      - "--log.level=DEBUG"
      - "--api.dashboard=true"
      - "--api.insecure=true"
      - "--providers.file.directory=/FileProvider/"
      - "--providers.file.watch=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entryPoint.to=web-secure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      - "--entrypoints.web-secure.address=:443"
      - "--serverstransport.insecureskipverify=true"
      - "--certificatesresolvers.selfresolver.acme.dnschallenge=true"
      - "--certificatesresolvers.selfresolver.acme.dnschallenge.provider=cloudflare"
      - "--certificatesresolvers.selfresolver.acme.dnschallenge.delaybeforecheck=10"
      - "--certificatesresolvers.selfresolver.acme.dnschallenge.resolvers=1.1.1.1:53"
      # - "--certificatesresolvers.selfresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.selfresolver.acme.email=${ACME_EMAIL}"
      - "--certificatesresolvers.selfresolver.acme.storage=acme.json"
    environment:
      CF_API_EMAIL: ${CF_API_EMAIL}
      CF_API_KEY: ${CF_API_KEY}
      CLOUDFLARE_EMAIL: ${CLOUDFLARE_EMAIL}
      CLOUDFLARE_API_KEY: ${CLOUDFLARE_API_KEY}
    container_name: traefik
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.api.rule=Host(`traefik.${DOMAIN}`)"
      - "traefik.http.routers.api.entrypoints=web-secure"
      - "traefik.http.routers.api.tls.certresolver=selfresolver"
      - "traefik.http.routers.api.tls.domains[0].main=*.${DOMAIN}"
      - "traefik.http.routers.api.service=api@internal"
      - "traefik.http.routers.api.middlewares=authelia@docker"
    ports:
      - 80:80
      - 443:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock # So that Traefik can listen to the Docker events
      - /home/user/servers/traefik/acme.json:/acme.json
      - /home/user/servers/traefik/FileProvider/:/FileProvider/
    restart: always
  # =============================================================
  #
  # AUTHELIA
  #
  # =============================================================
  authelia:
    image: ghcr.io/authelia/authelia:master
    container_name: authelia
    volumes:
      - /home/rukh/servers/traefik/authelia:/config
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.authelia.rule=Host(`auth.${DOMAIN}`)'
      - 'traefik.http.routers.authelia.entrypoints=web-secure'
      - 'traefik.http.routers.authelia.tls=true'
      - "traefik.http.routers.authelia.tls.certresolver=selfresolver"
      - "traefik.http.routers.authelia.tls.domains[0].main=*.${DOMAIN}"
      - "traefik.docker.network=traefik_default"
      # The middleware that you use in every container that you want to protect
      - 'traefik.http.middlewares.authelia.forwardauth.address=http://auth.example.org/api/verify?rd=https://auth.${DOMAIN}/'
      - 'traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true'
      - 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User, Remote-Groups'
    restart: unless-stopped
    environment:
      - TZ=${TIME_ZONE}
```

configuration.yaml

```yaml
###############################################################
# Authelia configuration #
###############################################################
host: 0.0.0.0
port: 9091
log_level: debug
# This secret can also be set using the env variables AUTHELIA_JWT_SECRET_FILE
jwt_secret: this_IS_avery_Long_SECRET_which_probably_is_Secure
default_redirection_url: https://auth.example.org
totp:
  issuer: auth.example.org
authentication_backend:
  disable_reset_password: false
  file:
    path: /config/users_database.yml
    password:
      algorithm: sha512
      iterations: 1000
      salt_length: 16
      parallelism: 8
      memory: 1024
access_control:
  default_policy: bypass
  rules:
    # Rules applied to everyone
    - domain: domain1.example.org
      policy: one_factor
    - domain: domain2.example.org
      policy: bypass
    - domain: domain3.example.org
      policy: two_factor
session:
  name: EXAMPLE_session
  # This secret can also be set using the env variables AUTHELIA_SESSION_SECRET_FILE
  secret: ########some secret#########
  expiration: 1M # 1 month
  inactivity: 2w # 2 week
  domain: example.org # Should match whatever your root protected domain is
regulation:
  max_retries: 3
  find_time: 120
  ban_time: 300
storage:
  encryption_key: this_is_a_encryption_key_you_ASKED_FOR_182u192u129
  local:
    path: /config/db.sqlite3
notifier:
  smtp:
    username: example@example.org
    password: helloworld
    host: smtp-host.example.org
    port: 587
    sender: admin@example.org
```

users_database.yml

```yaml
# List of users
users:
  userxyz:
    displayname: "Home User"
    password: "#HIDDEN"
    email: admin@example.org
    groups:
      - admins
      - dev
```

Running docker gives no log that can be helpful to debug.

```
time="2024-05-16T21:35:48-04:00" level=debug msg="Loaded Configuration Sources" files="[/config/configuration.yml]" filters="[]"
time="2024-05-16T21:35:48-04:00" level=debug msg="Logging Initialized" fields.level=debug file= format= keep_stdout=false
time="2024-05-16T21:35:48-04:00" level=debug msg="Process user information" gid=0 gids="1,2,3,4,6,10,11,20,26,27" name=root uid=0 username=root
time="2024-05-16T21:35:48-04:00" level=warning msg="Configuration: configuration key 'authentication_backend.disable_reset_password' is deprecated in 4.36.0 and has been replaced by 'authentication_backend.password_reset.disable': you are not required to make any changes as this has been automatically mapped for you, but to stop this warning being logged you will need to adjust your configuration, and this configuration key and auto-mapping is likely to be removed in 5.0.0"
time="2024-05-16T21:35:48-04:00" level=warning msg="Configuration: configuration key 'jwt_secret' is deprecated in 4.38.0 and has been replaced by 'identity_validation.reset_password.jwt_secret': you are not required to make any changes as this has been automatically mapped for you, but to stop this warning being logged you will need to adjust your configuration, and this configuration key and auto-mapping is likely to be removed in 5.0.0"
time="2024-05-16T21:35:48-04:00" level=warning msg="Configuration: configuration key 'port' is deprecated in 4.30.0 and has been replaced by 'server.port': you are not required to make any changes as this has been automatically mapped for you, but to stop this warning being logged you will need to adjust your configuration, and this configuration key and auto-mapping is likely to be removed in 5.0.0"
time="2024-05-16T21:35:48-04:00" level=warning msg="Configuration: configuration key 'log_level' is deprecated in 4.30.0 and has been replaced by 'log.level': you are not required to make any changes as this has been automatically mapped for you, but to stop this warning being logged you will need to adjust your configuration, and this configuration key and auto-mapping is likely to be removed in 5.0.0"
time="2024-05-16T21:35:48-04:00" level=warning msg="Configuration: configuration key 'host' is deprecated in 4.30.0 and has been replaced by 'server.host': you are not required to make any changes as this has been automatically mapped for you, but to stop this warning being logged you will need to adjust your configuration, and this configuration key and auto-mapping is likely to be removed in 5.0.0"
time="2024-05-16T21:35:48-04:00" level=warning msg="Configuration: configuration keys 'notifier.smtp.host' and 'notifier.smtp.port' are deprecated in 4.38.0 and has been replaced by 'notifier.smtp.address' in the format of '[tcp://]<hostname>[:<port>]': you are not required to make any changes as this has been automatically mapped for you to the value 'submission://smtp-relay.brevo.com:587', but to stop this warning being logged you will need to adjust your configuration, and this configuration key and auto-mapping is likely to be removed in 5.0.0"
time="2024-05-16T21:35:48-04:00" level=warning msg="Configuration: configuration keys 'server.host', 'server.port', and 'server.path' are deprecated in 4.38.0 and has been replaced by 'server.address' in the format of '[tcp[(4|6)]://]<hostname>[:<port>][/<path>]' or 'tcp[(4|6)://][hostname]:<port>[/<path>]': you are not required to make any changes as this has been automatically mapped for you to the value 'tcp://0.0.0.0:9091/', but to stop this warning being logged you will need to adjust your configuration, and this configuration key and auto-mapping is likely to be removed in 5.0.0"
time="2024-05-16T21:35:48-04:00" level=warning msg="Configuration: session: option 'domain' is deprecated in v4.38.0 and has been replaced by a multi-domain configuration: this has automatically been mapped for you but you will need to adjust your configuration to remove this message and receive the latest messages"
time="2024-05-16T21:35:48-04:00" level=info msg="Authelia untagged-v4.38.8 (master, 3869564) is starting"
time="2024-05-16T21:35:48-04:00" level=info msg="Log severity set to debug"
time="2024-05-16T21:35:48-04:00" level=info msg="Storage schema is being checked for updates"
time="2024-05-16T21:35:48-04:00" level=info msg="Storage schema is already up to date"
```

docker inspect network

```json
[
  {
    "Name": "traefik_default",
    "Id": "b938196a43dd2feddd284bd66b16110850c64b904bcb9a63a0590ae3cb4c2308",
    "Created": "2024-05-16T20:00:43.513980195-04:00",
    "Scope": "local",
    "Driver": "bridge",
    "EnableIPv6": false,
    "IPAM": {
      "Driver": "default",
      "Options": null,
      "Config": [
        {
          "Subnet": "192.168.32.0/20",
          "Gateway": "192.168.32.1"
        }
      ]
    },
    "Internal": false,
    "Attachable": true,
    "Ingress": false,
    "ConfigFrom": {
      "Network": ""
    },
    "ConfigOnly": false,
    "Containers": {
      "141e2773b2bfd18a8aec84f56c15acfd5c61e9d8b4958168db0a362ac5f8a20b": {
        "Name": "nodered",
        "EndpointID": "ea6d38be9925a0dbb8747e4e7aedd652dfe214e30537b4754c845eea738140e4",
        "MacAddress": "02:42:c0:a8:20:05",
        "IPv4Address": "192.168.32.5/20",
        "IPv6Address": ""
      },
      "1688979afe6c0ba6c51537992203d2700f3c5a84b15c10dc49101df38e029a64": {
        "Name": "authelia",
        "EndpointID": "10fc62e5f9e40ae35580e8c6da0b2a315c96698505f965a1062c127f4688c84b",
        "MacAddress": "02:42:c0:a8:20:06",
        "IPv4Address": "192.168.32.6/20",
        "IPv6Address": ""
      },
      "5dae3ed8d394e01848f797c091d6503ac5ff552dca70f171b09cfd11b58f03d3": {
        "Name": "grafana",
        "EndpointID": "92d32e35e267ac22e3e270fc16e4c0528558e8f910f980bf9fa4561a29a175f8",
        "MacAddress": "02:42:c0:a8:20:02",
        "IPv4Address": "192.168.32.2/20",
        "IPv6Address": ""
      },
      "a224b7c73e53e8135dbf26aee20fd73ad9b3793e49397a99fabc01479ec34b79": {
        "Name": "traefik",
        "EndpointID": "d3aa482dc7aa18cc3eddb79d72f2658915acede6cb9a1a365fb463a18ce2f979",
        "MacAddress": "02:42:c0:a8:20:03",
        "IPv4Address": "192.168.32.3/20",
        "IPv6Address": ""
      },
      "fc700a8fe8b8d2f0a309a6bdb82deeb38f64d53f6c097437dc7aa8a682744e4a": {
        "Name": "whoami",
        "EndpointID": "1e3eea8cd62176a565790d237496fce6cd7e4c22b7aa973a1b30836dd27f7958",
        "MacAddress": "02:42:c0:a8:20:04",
        "IPv4Address": "192.168.32.4/20",
        "IPv6Address": ""
      }
    },
    "Options": {},
    "Labels": {
      "com.docker.compose.network": "default",
      "com.docker.compose.project": "traefik",
      "com.docker.compose.version": "1.29.2"
    }
  }
]
```

Response from server

```
wget -S https://auth.example.org
--2024-05-16 21:36:36-- https://auth.example.org/
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
Resolving auth.example.org (auth.example.org)... 146.190.188.151
Connecting to auth.example.org (auth.example.org)|146.190.188.151|:443... connected.
HTTP request sent, awaiting response...
HTTP/1.1 502 Bad Gateway
Date: Fri, 17 May 2024 01:36:36 GMT
Content-Length: 11
Content-Type: text/plain; charset=utf-8
2024-05-16 21:36:36 ERROR 502: Bad Gateway.
```
Replies: 2 comments 10 replies
-
Please note this response was created using generative AI leveraging previously available information from the repository. This information may be helpful however it is our strong recommendation that you carefully consider the information before blindly applying it.

It seems like you are encountering a 502 Bad Gateway error when trying to set up Authelia with Traefik. This error typically indicates that Traefik is unable to communicate properly with the Authelia service. Here are a few steps and checks you can perform to troubleshoot and resolve the issue:

If after these checks the issue still persists, consider increasing the verbosity of the logs in Traefik as well to get more detailed error information, and verify the network connectivity between the containers using tools like

This comment was generated by Glime.
-
The proxy is responding with the 502 by the look of it, not Authelia itself. The proxy will have the information about what's occurring.
It's having issues connecting to the SMTP server. As to why it's not timing out I'm not sure since we set a timeout.
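
Added example, not part of the original discussion and not Authelia or Traefik code: a small check that follows the two replies above by reading the last line of the Authelia log and testing whether anything accepts TCP connections on the upstream port. The host name `authelia` and port 9091 are taken from the posted configuration; running it from a container attached to `traefik_default` is an assumption.

```python
import re
import socket

# Constructed sample: the last two Authelia log lines quoted in the post above.
SAMPLE_LOG = '''time="2024-05-16T21:35:48-04:00" level=info msg="Storage schema is being checked for updates"
time="2024-05-16T21:35:48-04:00" level=info msg="Storage schema is already up to date"'''

# key=value pairs where the value is either a quoted string or a bare token.
LOGFMT = re.compile(r'(\w[\w.]*)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_logfmt(line):
    """Split one logfmt line into a dict, unquoting quoted values."""
    fields = {}
    for key, value in LOGFMT.findall(line):
        if value.startswith('"'):
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields


def last_message(log_text):
    """Return the msg field of the last non-empty log line, or None."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    return parse_logfmt(lines[-1]).get("msg") if lines else None


def probe(host, port, timeout=3.0):
    """Classify a TCP connection attempt to the upstream the proxy would use."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"          # something is listening; check routing next
    except ConnectionRefusedError:
        return "refused"           # host reachable, nothing bound to the port
    except socket.timeout:
        return "timeout"           # packets dropped: wrong network or firewall
    except socket.gaierror:
        return "unresolvable"      # name not known on this Docker network
    except OSError:
        return "unreachable"


if __name__ == "__main__":
    # Assumed target: container name and port from the posted configuration.
    print("last log message:", last_message(SAMPLE_LOG))
    print("authelia:9091 ->", probe("authelia", 9091))
```

A `refused` result means nothing is bound to the port on that container, a condition a reverse proxy reports as 502 Bad Gateway.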