Some very old blogs with hints for docker compose and Traefik. Can this site host a best practice?

I’ve been struggling with what seems like hundreds of various authors of installs but they are often very old or simply do not work.

In an ideal world, it would be awesome to have a compose file that loads up recent Keycloak (i.e. 23.0.1) with a persistent database alongside a Traefik proxy and has a forward-auth config that lets Traefik protect various services. Compose that works via Portainer for double extra points.

Bonus points if the Keycloak image has healthchecks enabled so that I can have the forward auth wait until keycloak is up and running. I think docker healthcheck was difficult for a while due to lack of curl being built into the image but maybe that changed.

With old instances of the keycloak image and dozens of variations of forward-auth I’ve not had great luck.

I would be happy with even just a docker compose that does Keycloak with a persistent database.

Maybe pin a suggestion that can be kept up to date with current versions.

[edit] below is my (as of now) unsuccessful journey in kind of a diary format. Attempts, failures, corrections, minor progress, loop.

  • Traefik :+1:
  • Authelia Protecting Services through Traefik Forward-Auth :+1:
  • Keycloak behind Traefik :+1:
  • Keycloak Protecting Services through Traefik Forward-Auth :-1:

Have you tried it yet? In general, this forum works better if you show what you’ve tried before asking for a solution.

This is an example I use for testing. It uses caddy instead of traefik, but it might help you get started. If it doesn’t help, please post what you tried in your follow up, so that we can help you debug.

version: '3'

volumes:
  postgres_data:
    driver: local
  caddy_data:
    driver: local

services:
  postgres:
    image: postgres:11   # PostgreSQL 11 is past end of life; pick a supported major for anything beyond a throwaway test
    volumes:
      - postgres_data:/var/lib/postgresql/data
    environment:
      POSTGRES_DB: keycloak
      POSTGRES_USER: keycloak
      POSTGRES_PASSWORD: password
    ports:
      - 5432:5432   # only Keycloak needs the database; drop this mapping unless you need host access
  keycloak:
    image: quay.io/keycloak/keycloak:latest
    environment:
      # Without KC_DB Keycloak uses its embedded H2 dev-file database instead of postgres
      # (the startup log then lists jdbc-h2, not jdbc-postgresql, under "Installed features").
      KC_DB: postgres
      # PROXY_ADDRESS_FORWARDING belongs to the old WildFly-based image; the Quarkus image ignores it.
      PROXY_ADDRESS_FORWARDING: 'true'
      KC_DB_URL_HOST: postgres
      KC_DB_URL_DATABASE: keycloak
      KC_DB_SCHEMA: public
      KC_DB_USERNAME: keycloak
      KC_DB_PASSWORD: password
      KC_HOSTNAME_STRICT: 'false'
      KC_HTTP_ENABLED: 'true'
      # KC_PROXY is deprecated as of Keycloak 24; KC_PROXY_HEADERS (xforwarded or forwarded) replaces it.
      KC_PROXY: 'edge'
      KC_LOG_LEVEL: INFO
    entrypoint: ["/opt/keycloak/bin/kc.sh", "start"]
    ports:
      - 8080:8080
      - 8443:8443
    depends_on:
      - postgres
  caddy:
    image: caddy:2.4.6-alpine
    restart: unless-stopped
    command: caddy reverse-proxy --from https://localhost:443 --to http://keycloak:8080
    ports:
      - 80:80
      - 443:443
    volumes:
      - caddy_data:/data
    depends_on:
      - keycloak

I get the idea of posting attempts first, but to be honest, I have tried dozens and never got a match. Not that you have any trust in a noob, but I have put some effort in before coming here.

For instance, just with Traefik forward-auth services I have seen about 10 different flavors. Seemingly [thomseddon]'s is the preferred flavor.

I’ll try your keycloak/postgres combo now to see if I can 1) swap in Traefik for caddy and then 2) get the forward-auth to work.

Thanks for a starting hint.

So the base that I am starting with is a Traefik proxy that authorizes access to services using Authelia and its associated Forward-Auth.

There are three test services being used: public, secure-1 and secure-2. The authelia forward auth tags are used on all three of the services but authelia is configured to have public bypasses and one-factor used for both secure-1 and secure-2.

That is working but I would like to swap over to Keycloak.

deleting since there is a newer version in a newer post
...

This is getting gateway timeouts which I think means that Traefik is close to being configured right but it is not connecting well to the keycloak instance.

Logs for Keycloak show nothing alarming to me. A warning about using the deprecated method for running behind a proxy.

Changes detected in configuration. Updating the server image.
Updating the configuration and installing your custom providers, if any. Please wait.
2024-03-09 20:10:14,252 WARN  [org.key.qua.run.cli.Picocli] (main) The following used options or option values are DEPRECATED and will be removed in a future release:
	- proxy: Use proxy-headers.
2024-03-09 20:10:20,094 INFO  [io.qua.dep.QuarkusAugmentor] (main) Quarkus augmentation completed in 5229ms
Server configuration updated and persisted. Run the following command to review the configuration:
	kc.sh show-config
Next time you run the server, just run:
	kc.sh start --optimized
2024-03-09 20:10:20,789 WARN  [org.keycloak.quarkus.runtime.cli.Picocli] (main) The following used options or option values are DEPRECATED and will be removed in a future release:
	- proxy: Use proxy-headers.
2024-03-09 20:10:21,230 INFO  [org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider] (main) Hostname settings: Base URL: <unset>, Hostname: <request>, Strict HTTPS: false, Path: <request>, Strict BackChannel: false, Admin URL: <unset>, Admin: <request>, Port: -1, Proxied: true
2024-03-09 20:10:21,431 INFO  [org.infinispan.CONTAINER] (keycloak-cache-init) ISPN000556: Starting user marshaller 'org.infinispan.jboss.marshalling.core.JBossUserMarshaller'
2024-03-09 20:10:21,545 INFO  [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000088: Unable to use any JGroups configuration mechanisms provided in properties {}. Using default JGroups configuration!
2024-03-09 20:10:21,634 INFO  [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000078: Starting JGroups channel `ISPN`
2024-03-09 20:10:21,638 INFO  [org.jgroups.JChannel] (keycloak-cache-init) local_addr: 9ec9c17c-9106-41f2-aed2-efe333ce9505, name: 1b20841fe688-50466
2024-03-09 20:10:21,644 WARN  [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the send buffer of socket MulticastSocket was set to 1MB, but the OS only allocated 212.99KB
2024-03-09 20:10:21,644 WARN  [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the receive buffer of socket MulticastSocket was set to 20MB, but the OS only allocated 212.99KB
2024-03-09 20:10:21,644 WARN  [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the send buffer of socket MulticastSocket was set to 1MB, but the OS only allocated 212.99KB
2024-03-09 20:10:21,644 WARN  [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the receive buffer of socket MulticastSocket was set to 25MB, but the OS only allocated 212.99KB
2024-03-09 20:10:21,651 INFO  [org.jgroups.protocols.FD_SOCK2] (keycloak-cache-init) server listening on *.33735
2024-03-09 20:10:22,726 WARN  [io.quarkus.agroal.runtime.DataSources] (JPA Startup Thread) Datasource <default> enables XA but transaction recovery is not enabled. Please enable transaction recovery by setting quarkus.transaction-manager.enable-recovery=true, otherwise data may be lost if the application is terminated abruptly
2024-03-09 20:10:23,397 WARN  [io.quarkus.vertx.http.runtime.VertxHttpRecorder] (main) The X-Forwarded-* and Forwarded headers will be considered when determining the proxy address. This configuration can cause a security issue as clients can forge requests and send a forwarded header that is not overwritten by the proxy. Please consider use one of these headers just to forward the proxy address in requests.
2024-03-09 20:10:23,656 INFO  [org.jgroups.protocols.pbcast.GMS] (keycloak-cache-init) 1b20841fe688-50466: no members discovered after 2002 ms: creating cluster as coordinator
2024-03-09 20:10:23,663 INFO  [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000094: Received new cluster view for channel ISPN: [1b20841fe688-50466|0] (1) [1b20841fe688-50466]
2024-03-09 20:10:23,677 INFO  [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000079: Channel `ISPN` local address is `1b20841fe688-50466`, physical addresses are `[192.168.176.3:49271]`
2024-03-09 20:10:23,687 WARN  [org.infinispan.CONFIG] (keycloak-cache-init) ISPN000569: Unable to persist Infinispan internal caches as no global state enabled
2024-03-09 20:10:24,351 INFO  [org.keycloak.quarkus.runtime.storage.legacy.liquibase.QuarkusJpaUpdaterProvider] (main) Initializing database schema. Using changelog META-INF/jpa-changelog-master.xml
UPDATE SUMMARY
Run:                        121
Previously run:               0
Filtered out:                 0
-------------------------------
Total change sets:          121
2024-03-09 20:10:26,014 INFO  [org.keycloak.connections.infinispan.DefaultInfinispanConnectionProviderFactory] (main) Node name: 1b20841fe688-50466, Site name: null
2024-03-09 20:10:26,089 INFO  [org.keycloak.broker.provider.AbstractIdentityProviderMapper] (main) Registering class org.keycloak.broker.provider.mappersync.ConfigSyncEventListener
2024-03-09 20:10:26,131 INFO  [org.keycloak.services] (main) KC-SERVICES0050: Initializing master realm
2024-03-09 20:10:27,129 INFO  [io.quarkus] (main) Keycloak 24.0.1 on JVM (powered by Quarkus 3.8.1) started in 6.786s. Listening on: http://0.0.0.0:8080
2024-03-09 20:10:27,129 INFO  [io.quarkus] (main) Profile prod activated. 
2024-03-09 20:10:27,129 INFO  [io.quarkus] (main) Installed features: [agroal, cdi, hibernate-orm, jdbc-h2, keycloak, logging-gelf, narayana-jta, reactive-routes, resteasy-reactive, resteasy-reactive-jackson, smallrye-context-propagation, vertx]

Traefik isn’t showing anything particularly nasty

I have to switch log level to warn to but back on the traefik logs.

Made a few edits to things like adding the network block to the compose service for postgres and keycloak.

---
removed with newer version below

Now I get to the keycloak page but am getting a not-found with the keycloak theme

[edit - silly bear, the admin dashboard may have changed since I last used it and now you need {url}/admin to get to the dashboard.

I know a to-do for me is to better use network segmentation. Everything is on one net now.

So, next up is getting the forward auth to work for the services.

You asked for me to post my progress and ask for help from there…

well, here goes another one…

Anyone know why my

      KEYCLOAK_USER: admin
      KEYCLOAK_PASSWORD: this_is_a_test

are not being accepted?

The names of those variables changed in recent Keycloak versions to:

      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: admin

Thanks @xgp Garth.

Back to trying to get my forward auth working.

Any community sentiment on which of the dozen forward auth implementations (mesosphere, thomseddon, funky-penguin (funky deprecated his), core-middleware, etc) is best or for which use cases?

I just want to separately protect a number of docker containers and sites outside docker.

The authelia demo I am starting with seems to be using the core forward-auth.

I’m trying out the thomseddon forward auth method and using his demo (although I am not using swarm but standalone docker)

This attempt is not working when I switched secure-1.{domain} from authelia to keycloak

---
version: '3.3'

networks:
  net:
    driver: bridge
      
services:
  #################### Keycloak Services ####################
  postgres:
    image: postgres:11   # past end of life; pick a supported major for anything beyond a test
    volumes:
      - /var/lib/docker/volumes/keycloak-traefik-stack/postgresql/data:/var/lib/postgresql/data
    environment:
      POSTGRES_DB: keycloak
      POSTGRES_USER: keycloak
      POSTGRES_PASSWORD: password
    ports:
      - 5432:5432   # only Keycloak needs the database; drop this mapping unless you need host access
    networks:
      - net
  keycloak:
    image: quay.io/keycloak/keycloak:latest
    environment:
      # Without KC_DB Keycloak uses its embedded H2 dev-file database instead of postgres
      # (the posted log lists jdbc-h2, not jdbc-postgresql, under "Installed features").
      KC_DB: postgres
      PROXY_ADDRESS_FORWARDING: 'true'   # legacy WildFly-image variable; the Quarkus image ignores it
      KC_DB_URL_HOST: postgres
      KC_DB_URL_DATABASE: keycloak
      KC_DB_SCHEMA: public
      KC_DB_USERNAME: keycloak
      KC_DB_PASSWORD: password
      KC_HOSTNAME_STRICT: 'false'
      KC_HTTP_ENABLED: 'true'
      # deprecated since Keycloak 24 ("proxy: Use proxy-headers" in the log); KC_PROXY_HEADERS: xforwarded replaces it
      KC_PROXY: 'edge'
      KC_LOG_LEVEL: INFO
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}
      #KEYCLOAK_USER: admin
      #KEYCLOAK_PASSWORD: this_is_a_test
    entrypoint: ["/opt/keycloak/bin/kc.sh", "start"]
#    ports:
#      - 8080:8080
#      - 8443:8443
    depends_on:
      - postgres
    networks:
      - net
    labels:
      - 'traefik.enable=true'
      - "traefik.docker.network=net"
      - 'traefik.http.routers.keycloak.rule=Host(`keycloak.${DOMAIN}`)'
      - 'traefik.http.routers.keycloak.entrypoints=https'
      - 'traefik.http.routers.keycloak.tls=true'
      - 'traefik.http.routers.keycloak.tls.certresolver=letsencrypt'
      - "traefik.http.services.keycloak.loadbalancer.server.port=8080"

  traefik-forward-auth:
    image: thomseddon/traefik-forward-auth:2
    networks:
      - net   # must share a network with traefik, otherwise the forwardauth address is unreachable
    environment:
      - DEFAULT_PROVIDER=oidc
      - PROVIDERS_OIDC_ISSUER_URL=https://keycloak.flynnconsultingllc.com/realms/master
      - PROVIDERS_OIDC_CLIENT_ID=traefik-forward-auth-client
      # this client secret has been posted publicly; regenerate it in the Keycloak client and load it from the environment
      - PROVIDERS_OIDC_CLIENT_SECRET=zv9dbvlIX6hNN2Nm1ORM91Qyw9CBMYb4
      - SECRET=something-random-something-random
      # INSECURE_COOKIE is only for plain-http entrypoints; every router here uses https, so keep the cookie Secure
      - INSECURE_COOKIE=false
      - LOG_LEVEL=debug
    labels:
      # exposedByDefault=false: without traefik.enable=true Traefik ignores this container and the middleware is never defined
      - "traefik.enable=true"
      - "traefik.docker.network=net"
      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.address=http://traefik-forward-auth:4181"
      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User"
      - "traefik.http.services.traefik-forward-auth.loadbalancer.server.port=4181"

  #################### Authelia Services ####################
  authelia:
    image: authelia/authelia
    container_name: authelia
    volumes:
      - /var/lib/docker/volumes/keycloak-traefik-stack/authelia:/config
    networks:
      - net
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.authelia.rule=Host(`authelia.${DOMAIN}`)'
      - 'traefik.http.routers.authelia.entrypoints=https'
      - 'traefik.http.routers.authelia.tls=true'
      - 'traefik.http.routers.authelia.tls.certresolver=letsencrypt'
      - 'traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://authelia.${DOMAIN}'  # yamllint disable-line rule:line-length
      - 'traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true'
      - 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email'  # yamllint disable-line rule:line-length
    expose:
      - 9091
    restart: unless-stopped
    healthcheck:
      ## In production the healthcheck section should be commented.
      disable: true
    environment:
      - TZ=${TZ}
      
  redis:
    image: redis:alpine
    container_name: redis
    volumes:
      - /var/lib/docker/volumes/keycloak-traefik-stack/redis:/data
    networks:
      - net
    expose:
      - 6379
    restart: unless-stopped
    environment:
      - TZ=${TZ}
      
  #################### Traefik Services ####################
  traefik:
    image: traefik:v3.0
    container_name: traefik
    volumes:
      - /var/lib/docker/volumes/keycloak-traefik-stack/traefik:/etc/traefik
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - net
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.api.rule=Host(`traefik.${DOMAIN}`)'
      - 'traefik.http.routers.api.entrypoints=https'
      - 'traefik.http.routers.api.service=api@internal'
      - 'traefik.http.routers.api.tls=true'
      - 'traefik.http.routers.api.tls.certresolver=letsencrypt'
      - 'traefik.http.routers.api.middlewares=authelia@docker'
    ports:
      # The HTTP and HTTPS ports for incoming connection requests
      - '80:80'
      - '443:443'
      # Do not publish the API port: with api.insecure=true the dashboard on :8080 has no
      # authentication at all, which bypasses the authelia-protected api@internal router above
#     - "8080:8080"
    command:
      # Enables the dashboard only through the api@internal router, and tells Traefik to listen to docker
      - '--api.dashboard=true'
      - '--providers.docker=true'
      #
      - '--providers.docker.exposedByDefault=false'
      # We want to specify some non-docker services in a file
      - '--providers.file.directory=/etc/traefik/dynamic'
      - '--providers.file.watch=true'
      #
      - '--entrypoints.http=true'
      - '--entrypoints.http.address=:80'
      - '--entrypoints.http.http.redirections.entrypoint.to=https'
      - '--entrypoints.http.http.redirections.entrypoint.scheme=https'
      - '--entrypoints.https=true'
      - '--entrypoints.https.address=:443'
      # Lets Encrypt with the DNS challenge using Cloudflare
      - '--certificatesResolvers.letsencrypt.acme.email=${LE_EMAIL}'
      - '--certificatesResolvers.letsencrypt.acme.storage=/etc/traefik/acme.json'
      - '--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare'
      - '--certificatesresolvers.letsencrypt.acme.dnschallenge.delaybeforecheck=0'
      # Logging settings
      - '--log=true'
      - '--log.level=INFO'
    environment:
      - CF_API_EMAIL=${CLOUDFLARE_EMAIL}
      - CF_API_KEY=${CLOUDFLARE_API_KEY}

  #################### Misc Application Services ####################
  secure_1:
    image: traefik/whoami
    container_name: secure_1
    networks:
      - net
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.secure_1.rule=Host(`secure-1.${DOMAIN}`)'
      - 'traefik.http.routers.secure_1.entrypoints=https'
      - 'traefik.http.routers.secure_1.tls=true'
      - 'traefik.http.routers.secure_1.tls.certresolver=letsencrypt'
#     - 'traefik.http.routers.secure_1.middlewares=authelia@docker'
      - "traefik.http.routers.secure_1.middlewares=traefik-forward-auth"
    expose:
      - 80
    restart: unless-stopped
...

I’ve also tried the mesosphere forward-auth. This one lets me get to secure-1.{domain} but does NOT protect it. Even in an incognito browser to make sure security wasn’t cached.

Also on my to-do is getting the healthcheck to work so that we can make the forward-auth depend on keycloak.

---
version: '3.3'

networks:
  net:
    driver: bridge
      
services:
  #################### Keycloak Services ####################
  postgres:
    image: postgres:11   # past end of life; pick a supported major for anything beyond a test
    container_name: keycloak_db
    volumes:
      - /var/lib/docker/volumes/keycloak-traefik-stack/postgresql/data:/var/lib/postgresql/data
    environment:
      POSTGRES_DB: keycloak
      POSTGRES_USER: keycloak
      POSTGRES_PASSWORD: password
    ports:
      - 5432:5432   # only Keycloak needs the database; drop this mapping unless you need host access
    networks:
      - net
  keycloak:
    image: quay.io/keycloak/keycloak:latest
    container_name: keycloak
    environment:
      # Without KC_DB Keycloak uses its embedded H2 dev-file database instead of postgres
      # (the posted log lists jdbc-h2, not jdbc-postgresql, under "Installed features").
      KC_DB: postgres
      PROXY_ADDRESS_FORWARDING: 'true'   # legacy WildFly-image variable; the Quarkus image ignores it
      KC_DB_URL_HOST: postgres
      KC_DB_URL_DATABASE: keycloak
      KC_DB_SCHEMA: public
      KC_DB_USERNAME: keycloak
      KC_DB_PASSWORD: password
      KC_HOSTNAME_STRICT: 'false'
      KC_HTTP_ENABLED: 'true'
      # deprecated since Keycloak 24 ("proxy: Use proxy-headers" in the log); KC_PROXY_HEADERS: xforwarded replaces it
      KC_PROXY: 'edge'
      KC_LOG_LEVEL: INFO
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}
      #KEYCLOAK_USER: admin
      #KEYCLOAK_PASSWORD: this_is_a_test
    entrypoint: ["/opt/keycloak/bin/kc.sh", "start"]
#    ports:
#      - 8080:8080
#      - 8443:8443
    depends_on:
      - postgres
    networks:
      - net
    labels:
      - 'traefik.enable=true'
      - "traefik.docker.network=net"
      - 'traefik.http.routers.keycloak.rule=Host(`keycloak.${DOMAIN}`)'
      - 'traefik.http.routers.keycloak.entrypoints=https'
      - 'traefik.http.routers.keycloak.tls=true'
      - 'traefik.http.routers.keycloak.tls.certresolver=letsencrypt'
      - "traefik.http.services.keycloak.loadbalancer.server.port=8080"

#  traefik-forward-auth:
#    image: thomseddon/traefik-forward-auth:2
#    environment:
#      - DEFAULT_PROVIDER=oidc
#      - PROVIDERS_OIDC_ISSUER_URL=https://keycloak.flynnconsultingllc.com/realms/master
#      - PROVIDERS_OIDC_CLIENT_ID=traefik-forward-auth-client
#      - PROVIDERS_OIDC_CLIENT_SECRET=zv9dbvlIX6hNN2Nm1ORM91Qyw9CBMYb4
#      - SECRET=something-random-something-random
#      # INSECURE_COOKIE is required if not using a https entrypoint
#      - INSECURE_COOKIE=true
#      - LOG_LEVEL=debug
#    labels:
#      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.address=http://traefik-forward-auth:4181"
#      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User"
#      - "traefik.http.services.traefik-forward-auth.loadbalancer.server.port=4181"

  forwardauth:
    image: mesosphere/traefik-forward-auth   # unpinned: pin a tag so a major-version bump cannot silently change the config format
    networks:
      - net
    environment:
      - SECRET=something-random-something-random
      - PROVIDER_URI=https://keycloak.flynnconsultingllc.com/realms/master
      - CLIENT_ID=traefik-forward-auth-client
      # this client secret has been posted publicly; regenerate it in the Keycloak client and load it from the environment
      - CLIENT_SECRET=zv9dbvlIX6hNN2Nm1ORM91Qyw9CBMYb4
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=net"
      - "traefik.http.services.forwardauth.loadbalancer.server.port=4181"
      - "traefik.http.routers.forwardauth.entrypoints=https"
      - "traefik.http.routers.forwardauth.rule=Path(`/_oauth`)"
      - "traefik.http.routers.forwardauth.middlewares=traefik-forward-auth"
      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.address=http://forwardauth:4181"
      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User"
      # trustForwardHeader passes client-supplied X-Forwarded-* headers through to the auth server;
      # that is only safe because the Traefik entrypoints do not trust forwarded headers from arbitrary clients
      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.trustForwardHeader=true"
      # TLS belongs on the router defined above ("forwardauth"); the original labels named a router
      # "traefik-forward-auth" that has no rule, which Traefik rejects, leaving /_oauth without TLS on :443
      - "traefik.http.routers.forwardauth.tls=true"
      - "traefik.http.routers.forwardauth.tls.certresolver=letsencrypt"
      
  #################### Authelia Services ####################
  authelia:
    image: authelia/authelia
    container_name: authelia
    volumes:
      - /var/lib/docker/volumes/keycloak-traefik-stack/authelia:/config
    networks:
      - net
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.authelia.rule=Host(`authelia.${DOMAIN}`)'
      - 'traefik.http.routers.authelia.entrypoints=https'
      - 'traefik.http.routers.authelia.tls=true'
      - 'traefik.http.routers.authelia.tls.certresolver=letsencrypt'
      - 'traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://authelia.${DOMAIN}'  # yamllint disable-line rule:line-length
      - 'traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true'
      - 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email'  # yamllint disable-line rule:line-length
    expose:
      - 9091
    restart: unless-stopped
    healthcheck:
      ## In production the healthcheck section should be commented.
      disable: true
    environment:
      - TZ=${TZ}
      
  redis:
    image: redis:alpine
    container_name: redis
    volumes:
      - /var/lib/docker/volumes/keycloak-traefik-stack/redis:/data
    networks:
      - net
    expose:
      - 6379
    restart: unless-stopped
    environment:
      - TZ=${TZ}
      
  #################### Traefik Services ####################
  traefik:
    image: traefik:v3.0
    container_name: traefik
    volumes:
      - /var/lib/docker/volumes/keycloak-traefik-stack/traefik:/etc/traefik
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - net
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.api.rule=Host(`traefik.${DOMAIN}`)'
      - 'traefik.http.routers.api.entrypoints=https'
      - 'traefik.http.routers.api.service=api@internal'
      - 'traefik.http.routers.api.tls=true'
      - 'traefik.http.routers.api.tls.certresolver=letsencrypt'
      - 'traefik.http.routers.api.middlewares=authelia@docker'
    ports:
      # The HTTP and HTTPS ports for incoming connection requests
      - '80:80'
      - '443:443'
      # Do not publish the API port: with api.insecure=true the dashboard on :8080 has no
      # authentication at all, which bypasses the authelia-protected api@internal router above
#     - "8080:8080"
    command:
      # Enables the dashboard only through the api@internal router, and tells Traefik to listen to docker
      - '--api.dashboard=true'
      - '--providers.docker=true'
      #
      - '--providers.docker.exposedByDefault=false'
      # We want to specify some non-docker services in a file
      - '--providers.file.directory=/etc/traefik/dynamic'
      - '--providers.file.watch=true'
      #
      - '--entrypoints.http=true'
      - '--entrypoints.http.address=:80'
      - '--entrypoints.http.http.redirections.entrypoint.to=https'
      - '--entrypoints.http.http.redirections.entrypoint.scheme=https'
      - '--entrypoints.https=true'
      - '--entrypoints.https.address=:443'
      # Lets Encrypt with the DNS challenge using Cloudflare
      - '--certificatesResolvers.letsencrypt.acme.email=${LE_EMAIL}'
      - '--certificatesResolvers.letsencrypt.acme.storage=/etc/traefik/acme.json'
      - '--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare'
      - '--certificatesresolvers.letsencrypt.acme.dnschallenge.delaybeforecheck=0'
      # Logging settings
      - '--log=true'
      - '--log.level=INFO'
    environment:
      - CF_API_EMAIL=${CLOUDFLARE_EMAIL}
      - CF_API_KEY=${CLOUDFLARE_API_KEY}

  #################### Misc Application Services ####################
  secure_1:
    image: traefik/whoami
    container_name: secure_1
    networks:
      - net
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.secure_1.rule=Host(`secure-1.${DOMAIN}`)'
      - 'traefik.http.routers.secure_1.entrypoints=https'
      - 'traefik.http.routers.secure_1.tls=true'
      - 'traefik.http.routers.secure_1.tls.certresolver=letsencrypt'
#     - 'traefik.http.routers.secure_1.middlewares=authelia@docker'
      # The middleware must be attached to this service's own router (secure_1). The original label
      # 'traefik.http.routers.traefik-forward-auth.middlewares=...' configured a different router,
      # which is why secure-1 was reachable without authentication.
      - "traefik.http.routers.secure_1.middlewares=traefik-forward-auth@docker"
    expose:
      - 80
    restart: unless-stopped

  secure_2:
    image: traefik/whoami
    container_name: secure_2
    networks:
      - net
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.secure_2.rule=Host(`secure-2.${DOMAIN}`)'
      - 'traefik.http.routers.secure_2.entrypoints=https'
      - 'traefik.http.routers.secure_2.tls=true'
      - 'traefik.http.routers.secure_2.tls.certresolver=letsencrypt'
      - 'traefik.http.routers.secure_2.middlewares=authelia@docker'
    expose:
      - 80
    restart: unless-stopped

  public:
    image: traefik/whoami
    container_name: public
    networks:
      - net
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.public.rule=Host(`public.${DOMAIN}`)'
      - 'traefik.http.routers.public.entrypoints=https'
      - 'traefik.http.routers.public.tls=true'
      - 'traefik.http.routers.public.tls.certresolver=letsencrypt'
      - 'traefik.http.routers.public.middlewares=authelia@docker'
    expose:
      - 80
    restart: unless-stopped
...

Ugh, so much old stuff out there. There seem to be a bunch of changes to the mesosphere version I am looking into now.

Upgrading from 2.x version to 3.0 (Breaking Changes):

This is why a pinned updated post would be so helpful here.

Yes please, it would be much needed. I have now been struggling with this for 2-3 months; every tutorial is for a home Linux server or has so much presumed stuff already… If I somehow crack it I will be sure to share my config. I even tried to have a go with Authelia or Authentik but found the same badly presented “tutorials”.

@Astrohelo, I got Authelia working by using the sample in their GitHub, but I had to manually switch the repository from master to the latest version to catch a change that broke it. authelia/examples/compose/lite at v4.38.8 · authelia/authelia · GitHub