Issue with proxy 502 Bad Gateway

[tfondrat]

Hello every one!
I want to install authentik with traefik and proxy on my server authentik with traefik and proxy.
I have always have the same issue : proxy_authentik is always "unhealthy"
I have 4 vm : traefik, server_authentik, worker_authentik, proxy_authentik.
They all start, but proxy_authentik is always "unhealthy"
All vm are in the same network.
PROXY LOG:
Starting Debug server" listen="0.0.0.0:9900" logger=authentik.go_debugger
level=error event="Failed to fetch outpost configuration, retrying in 3 seconds"
error="Get "http://server_authentik:9000/api/v3/outposts/instances/": dial tcp 172.20.0.9:9000: connect: connection refused"
logger=authentik.outpost.ak-api-controller

level=error event="Failed to fetch outpost configuration, retrying in 3 seconds"
error="502 Bad Gateway" logger=authentik.outpost.ak-api-controller

MY CONFIG

traefik middleware.yml :
authentik:
forwardAuth:
address: "http://proxy_authentik:9000/outpost.goauthentik.io/auth/traefik"
trustForwardHeader: true
authResponseHeaders:

• X-authentik-username
• X-authentik-groups
• X-authentik-email
• X-authentik-name
• X-authentik-uid
• X-authentik-jwt
• X-authentik-meta-jwks
• X-authentik-meta-outpost
• X-authentik-meta-provider
• X-authentik-meta-app
• X-authentik-meta-version

docker-compose.yml :

services:

postgresql_authentik: ...
redis_authentik: ...
worker_authentik: ...
command: worker
environment:
AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
AUTHENTIK_REDIS__HOST: ${AUTHENTIK_REDIS__HOST}
AUTHENTIK_POSTGRESQL__HOST: ${AUTHENTIK_POSTGRESQL__HOST}
AUTHENTIK_POSTGRESQL__USER: ${AUTHENTIK_PG_USER}
AUTHENTIK_POSTGRESQL__DATABASE: ${AUTHENTIK_PG_DB}
AUTHENTIK_POSTGRESQL__PASSWORD: ${AUTHENTIK_PG_PASS}
AUTHENTIK_ERROR_REPORTING__ENABLED: "true"
AUTHENTIK_REDIS__DB: "1"
user: root
volumes:

• /var/run/docker.sock:/var/run/docker.sock
• ./authentik/media:/media
• ./certs:/certs
  depends_on:
• postgresql_authentik
• redis_authentik
  networks:
• mydomain_net
  server_authentik:
  ...
  environment:
  AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
  AUTHENTIK_REDIS__HOST: ${AUTHENTIK_REDIS__HOST}
  AUTHENTIK_POSTGRESQL__HOST: ${AUTHENTIK_POSTGRESQL__HOST}
  AUTHENTIK_POSTGRESQL__USER: ${AUTHENTIK_PG_USER}
  AUTHENTIK_POSTGRESQL__DATABASE: ${AUTHENTIK_PG_DB}
  AUTHENTIK_POSTGRESQL__PASSWORD: ${AUTHENTIK_PG_PASS}
  AUTHENTIK_ERROR_REPORTING__ENABLED: "true"
  LOGGING__FILE__ENABLED: "true"
  LOGGING__FILE__FILENAME: "/var/log/authentik/server.log"
  LOGGING__FILE__LEVEL: "DEBUG"
  LOGGING__FILE__MAX_BYTES: 10485760
  LOGGING__FILE__BACKUP_COUNT: 3
  AUTHENTIK_BIND: "0.0.0.0:9000"
  volumes:
• ./authentik/media:/media
• ./authentik/custom-templates:/templates
• ./authentik/logs:/var/log/authentik

normalement géré par traefik

ports:

• "9000"
  depends_on:

• worker_authentik

• postgresql_authentik

• redis_authentik
  labels:

• "traefik.enable=true"

• "traefik.http.routers.server-authentik.rule=( Host(auth.${DOMAIN})||HostRegexp({subdomain:[a-z0-9]+}.${DOMAIN}) ) && PathPrefix(/outpost.goauthentik.io/)"

• "traefik.http.routers.server-authentik.entrypoints=websecure"

• "traefik.http.routers.server-authentik.tls=true"

• "traefik.http.routers.server-authentik.service=server-authentik-svc"

• "traefik.http.services.server-authentik-svc.loadbalancer.server.port=9000"

• "traefik.http.routers.server-authentik.middlewares=authentik@file" # cors@file, authentik-forwardauth@file"

  • "traefik.http.routers.authentik-ui.rule=Host(auth.${DOMAIN})"
  • "traefik.http.routers.authentik-ui.entrypoints=websecure"
  • "traefik.http.routers.authentik-ui.tls=true"
  • "traefik.http.routers.authentik-ui.service=server-authentik-svc"
    networks:
  • mydomain_net

proxy_authentik:
...
depends_on:

• server_authentik
  user: root
  ports:
• "9000"
  environment:
  AUTHENTIK_HOST: "http://server_authentik:9000/"
  AUTHENTIK_INSECURE: "false"
  AUTHENTIK_HOST_BROWSER: "https://auth.stratoshare.net"
  AUTHENTIK_LISTEN: "0.0.0.0:9000"
  AUTHENTIK_TOKEN: "..."
  AUTHENTIK_DEBUG: "true"
  extra_hosts:
• "auth.stratoshare.net:172.20.0.9"
  labels:
• "traefik.enable=true"
• "traefik.port=9000"
• "traefik.http.routers.authentik-proxy.rule=Host(app.${DOMAIN}) && PathPrefix(/outpost.goauthentik.io/)"
• "traefik.http.middlewares.authentik.forwardauth.address=http://proxy_authentik:9000/outpost.goauthentik.io/auth/traefik"
• "traefik.http.middlewares.authentik.forwardauth.trustForwardHeader=true"
• "traefik.http.middlewares.authentik.forwardauth.authResponseHeaders=X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version"
• "traefik.http.services.authentik-proxy.loadbalancer.server.port=9000"
  healthcheck:
  test: ["CMD-SHELL", "wget -qO- http://localhost:9000/health/live || exit 1"]
  interval: 30s
  timeout: 10s
  retries: 3
  networks:
• mydomain_net

traefik:
image: traefik:v2.10
container_name: traefik
command:

• "--api.dashboard=true"
• "--providers.docker=true"
• "--entrypoints.websecure.address=:443"
• "--entrypoints.web.address=:80"
• "--accesslog=true"
• "--log.level=DEBUG"
• "--entrypoints.websecure.http.tls=true"
• "--providers.file.directory=/etc/traefik/dynamic"
• "--providers.docker.exposedbydefault=false"
  ports:
• "${TRAEFIK_HTTP_PORT}:80"
• "${TRAEFIK_HTTPS_PORT}:443"
  labels:
• "traefik.enable=true"
• "traefik.http.routers.traefik-dashboard.rule=Host(dashboard.${DOMAIN})"
• "traefik.http.routers.traefik-dashboard.entrypoints=websecure"
• "traefik.http.routers.traefik-dashboard.tls=true"
• "traefik.http.routers.traefik-dashboard.service=api@internal"
• "traefik.http.routers.traefik-dashboard.middlewares=authentik@file, cors@file"
  networks:
• mydomain_net
  ...