Traefik Forward Auth - Funky Penguin's Geek Cookbook

Now that we have Traefik deployed, automatically exposing SSL access to our Docker Swarm services using LetsEncrypt wildcard certificates, let's pause to consider that we may not want some services exposed directly to the internet...

This is a companion discussion topic for the original entry at

From my Point of view the foward-auth offers a wider variety of whitelist options EG whitelist by email, by IP even with certain time of the day. And it looks nicer than oauth. As far as I know both will work fine though :slight_smile:

Some changes to the env variable names in the example for the traefik-forward-auth version used here (2.1.0). These two will break the container unless changed:
This one will raise a warning in the logs that its depreciated, but wont break it (yet, at 2.1.0):

link to “Forward Authentication” has changed, now it’s

Hello everyone!

I’m trying to setup kc with traefik proxy for applications that aren’t able to authenticate users themselves.

But I have issues. I’ve described them here (redirects loop between proxy and keycloak), please take a look:

Many thanks in advance.

Best regards,