Description
I'm running Portainer BE (2.27.6 LTS) stacks with a stack for the reverse proxy and a stack for each of my apps (I've lots). I was running Authelia but want to try setting up SSO for my various apps and have been having shits 'n' giggles with OpenLDAP!
Traefik 3.4.0 stack:

```yaml
traefik:
  <<: *common-keys-core
  container_name: traefik
  image: traefik:latest
  command:
    - --global.checkNewVersion=true
    - --global.sendAnonymousUsage=false
    ## Logging
    - --log=true
    - --log.level=INFO
    - --accessLog=true
    - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
    - --accessLog.filters.statusCodes=204-299,400-499,500-599
    ## API
    - --api=true
    - --api.dashboard=true
    - --api.insecure=true
    ## Basic Entry Points
    - --entryPoints.http.address=:80
    - --entryPoints.https.address=:443
    - --entryPoints.traefik.address=:8080
    - --entrypoints.https.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22,127.0.0.1/32,10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
    ## Basic Providers
    - --providers.docker=true
    - --providers.docker.exposedByDefault=false
    - --providers.docker.network=t2_proxy
    - --providers.file.directory=/rules
    - --providers.file.watch=true
    ## Adv Entry Points
    - --entrypoints.https.http.tls.options=tls-opts@file
    - --entrypoints.https.http.tls.certresolver=dns-cloudflare
    - --entrypoints.https.http.tls.domains[0].main=am-baker.com
    - --entrypoints.https.http.tls.domains[0].sans=*.am-baker.com
    ## Cert Resolution
    #- --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
    - --certificatesResolvers.dns-cloudflare.acme.email=chief@window-lickers.com
    - --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json
    - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
    - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
    - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.delayBeforeCheck=90
    - --serversTransport.insecureSkipVerify=true
    ## Metrics
    - --metrics.prometheus=true
    - --metrics.prometheus.buckets=0.1,0.3,1.2,5.0
  networks:
    t2_proxy:
    socket_proxy:
  ports:
    - target: 80
      published: 80
      protocol: tcp
      mode: host
    - target: 443
      published: 443
      protocol: tcp
      mode: host
    - target: 8080
      published: 9079
      protocol: tcp
      mode: host
  volumes:
    - /docker/shared:/shared
    - /docker/logs/cloudserver/traefik:/logs
    - /docker/appdata/traefik2/rules/cloudserver:/rules
    - /docker/appdata/traefik2/acme/acme.json:/acme.json
  environment:
    - TZ=Asia/Qatar
    - CF_API_EMAIL_FILE=/run/secrets/cf_email
    - CF_API_KEY_FILE=/run/secrets/cf_api_key
    - HTPASSWD_FILE=/run/secrets/htpasswd
    - DOMAINNAME_CLOUD_SERVER
  secrets:
    - cf_email
    - cf_api_key
    - htpasswd
  labels:
    - "traefik.enable=true"
    # HTTP-to-HTTPS Redirect
    - "traefik.http.routers.http-catchall.entrypoints=http"
    - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
    - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
    - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
    # HTTP Routers
    - "traefik.http.routers.traefik-rtr.entrypoints=https"
    - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.buggerit.com`)"
    - "traefik.http.routers.traefik-rtr.tls=true" # Some people had 404s without this
    - "traefik.http.routers.traefik-rtr.tls.certresolver=dns-cloudflare" # Comment out this line after first run of traefik to force the use of wildcard certs
    - "traefik.http.routers.traefik-rtr.tls.domains[0].main=buggerit.com"
    - "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.buggerit.com"
    ## Services - API
    - "traefik.http.routers.traefik-rtr.service=api@internal"
    ## Middlewares
    # Docker labels are a map, so repeating the same key keeps only the last value;
    # the three middlewares have to go in one comma-separated label to all apply.
    - "traefik.http.routers.traefik-rtr.middlewares=chain-basic-auth@file,middlewares-rate-limit@file,middlewares-compress@file" # chain-basic-auth: for Authentik
```
This is working OK under Authelia. I've also added a middleware into Traefik:

```yaml
# Dynamic config picked up by the file provider (/rules); referenced as middleware-authentik@file
middleware-authentik:
  forwardAuth:
    address: "http://window-lickers.com:9000/outpost.goauthentik.io/auth/traefik"
    trustForwardHeader: true
    authResponseHeaders:
```
For Authentik, I've got the following set, with a whole list of items in stack.env:
```yaml
authentik:
  <<: [*common-keys-apps, *common-keys-dep]
  image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.4.0}
  container_name: authentik
  command: server
  environment:
    AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
    AUTHENTIK_REDIS__HOST: ${REDIS_HOST}
    AUTHENTIK_POSTGRESQL__HOST: ${PG_HOST}
    AUTHENTIK_POSTGRESQL__USER: ${PG_USER}
    AUTHENTIK_POSTGRESQL__NAME: ${PG_DB}
    AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
  volumes:
    - /opt/docker/appdata/authentik/app/media:/media
    - /opt/docker/appdata/authentik/app/templates:/templates
  env_file:
    - stack.env
  networks:
    t2_proxy:
      ipv4_address: 192.168.92.23
    socket_proxy:
      ipv4_address: 192.168.90.23
  ports:
    - 9000:9000
    - 9443:9443
  labels:
    - "traefik.enable=true"
    ## HTTP Routers
    - "traefik.http.routers.authentik-rtr.entrypoints=https"
    - "traefik.http.routers.authentik-rtr.rule=Host(`authentik.${DOMAINNAME}`)"
    ## Individual Application forwardAuth regex (catch any subdomain using individual application forwardAuth)
    - "traefik.http.routers.authentik-output-rtr.rule=HostRegexp(`{subdomain:[a-z0-9-]+}.${DOMAINNAME}`) && PathPrefix(`/outpost.goauthentik.io/`)"
    ## HTTP Services
    - "traefik.http.routers.authentik-rtr.service=authentik-svc"
    # 9443 is Authentik's TLS port; Traefik sends plain HTTP to it unless
    # traefik.http.services.authentik-svc.loadBalancer.server.scheme=https is also set
    - "traefik.http.services.authentik-svc.loadBalancer.server.port=9443"

#Worker
authworker:
  <<: [*common-keys-apps, *common-keys-dep]
  image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.4.0}
  command: worker
  container_name: auth-worker
  environment:
    AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
    AUTHENTIK_REDIS__HOST: ${REDIS_HOST}
    AUTHENTIK_POSTGRESQL__HOST: ${PG_HOST}
    AUTHENTIK_POSTGRESQL__USER: ${PG_USER}
    AUTHENTIK_POSTGRESQL__NAME: ${PG_DB}
    AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
  user: root
  volumes:
    - /var/run/docker.sock:/var/run/docker.sock
    - /docker/appdata/authentik/app/media:/media
    - /docker/appdata/authentik/app/certs:/certs
    - /docker/appdata/authentik/app/templates:/templates
  env_file:
    - stack.env
  networks:
    t2_proxy:
    socket_proxy:
```
Having gone through all the steps of your setup (I think), I get to the point where I try to access the Authentik interface to log in and administer it.
It works on http://window-lickers.com:9000 but I can't access it via https://window-lickers.com:9443.
How have you got your HTTPS working?
I went through your catch-all steps using the wizard and got it so I could access one of the running containers, but the login page was HTTP, not HTTPS!
Hope you can give me some clues as to what I need to tweak / hit with a baseball bat to get this damn thing working!
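A small lint pass for the label pitfalls visible in the stacks above (repeated `middlewares` keys, v2-style `HostRegexp` groups under Traefik v3, and a TLS backend port routed without `scheme=https`). This is an added example, not code from the issue author or from Traefik/Authentik; the sample labels are constructed and `TLS_PORTS` is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the labels in the stacks above, not the poster's exact file.
SAMPLE_LABELS = [
    "traefik.enable=true",
    "traefik.http.routers.traefik-rtr.rule=Host(`traefik.example.test`)",
    "traefik.http.routers.traefik-rtr.middlewares=chain-basic-auth@file",
    "traefik.http.routers.traefik-rtr.middlewares=middlewares-rate-limit@file",
    "traefik.http.routers.traefik-rtr.middlewares=middlewares-compress@file",
    "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)",
    "traefik.http.services.authentik-svc.loadBalancer.server.port=9443",
]

# Traefik v2 named-group syntax such as {host:.+}; Traefik v3 no longer understands it
# unless the router is pinned to ruleSyntax=v2.
V2_NAMED_GROUP = re.compile(r"\{[A-Za-z0-9_]+:[^}]*\}")
# Assumption: ports that normally terminate TLS on the backend side.
TLS_PORTS = {"443", "8443", "9443"}


def lint_labels(labels):
    """Return (findings, merged): findings are human-readable strings, merged is the
    label map with repeated keys collapsed into one comma-separated value."""
    values_by_key = defaultdict(list)
    for label in labels:
        key, _, value = label.partition("=")
        values_by_key[key].append(value)

    findings, merged = [], {}
    for key, values in values_by_key.items():
        # Docker labels are a map: a repeated key keeps only its last value, so two of
        # the three middlewares in the sample were silently dropped.
        if len(values) > 1:
            findings.append(f"{key}: set {len(values)} times, only the last wins")
        merged[key] = ",".join(values)
        if key.endswith(".rule") and V2_NAMED_GROUP.search(values[-1]):
            findings.append(f"{key}: v2 named-group syntax, use a plain Go regexp in v3")
        if key.endswith(".loadBalancer.server.port") and values[-1] in TLS_PORTS:
            scheme_key = key[: -len("port")] + "scheme"
            if values_by_key.get(scheme_key, [""])[-1] != "https":
                findings.append(f"{key}: TLS-looking port but no {scheme_key}=https, "
                                "so Traefik will send plain HTTP to it")
    return findings, merged


if __name__ == "__main__":
    for finding in lint_labels(SAMPLE_LABELS)[0]:
        print(finding)
```

Feed it the `labels:` list of each service (after variable substitution) before deploying; the `merged` map gives the single-label form to paste back.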