Fix Prowlarr authentication mode conflict using shared Authentik middleware #2

nathan · 2026-05-31T21:24:03-04:00

nathan commented

2026-05-31 21:24:03 -04:00

Problem

The Prowlarr service has an auth_mode_conflict: Authentik is configured for forward authentication but the current Traefik setup uses no authentication. Additionally, a dedicated prowlarr_outpost sidecar container is deployed, which duplicates functionality already available via the shared Traefik middleware.

Solution

Remove the prowlarr_outpost container to eliminate unnecessary duplication
Move Traefik router labels from the outpost container to the main prowlarr service
Apply the existing authentik-auth@file middleware to enforce forward authentication
Keep the security-headers middleware for defense-in-depth

Changes

Removed: prowlarr_outpost service (lines with outpost container definition)
Added: Traefik labels to prowlarr service including the authentik-auth@file middleware
Updated: Service port label to correctly target the prowlarr application port (9696)

This approach leverages the existing shared Authentik middleware infrastructure and simplifies the deployment by eliminating a redundant sidecar container.

After merging, deploy the change to the affected node (pull the repo and reload the service) to apply it.

## Problem The Prowlarr service has an `auth_mode_conflict`: Authentik is configured for forward authentication but the current Traefik setup uses no authentication. Additionally, a dedicated `prowlarr_outpost` sidecar container is deployed, which duplicates functionality already available via the shared Traefik middleware. ## Solution - Remove the `prowlarr_outpost` container to eliminate unnecessary duplication - Move Traefik router labels from the outpost container to the main `prowlarr` service - Apply the existing `authentik-auth@file` middleware to enforce forward authentication - Keep the security-headers middleware for defense-in-depth ## Changes - **Removed**: `prowlarr_outpost` service (lines with outpost container definition) - **Added**: Traefik labels to `prowlarr` service including the `authentik-auth@file` middleware - **Updated**: Service port label to correctly target the prowlarr application port (9696) This approach leverages the existing shared Authentik middleware infrastructure and simplifies the deployment by eliminating a redundant sidecar container. --- _After merging, deploy the change to the affected node (pull the repo and reload the service) to apply it._

nathan added 1 commit 2026-05-31 21:24:03 -04:00

fix(prowlarr): resolve auth_mode_conflict by using shared authentik middleware 19089602b8

Remove redundant prowlarr_outpost sidecar container and apply the shared
authentik-auth@file middleware to the prowlarr router. The Authentik forward
auth middleware already exists in the Traefik dynamic configuration and
provides the necessary authentication layer without requiring a dedicated
outpost container per service.

nathan added 1 commit 2026-05-31 21:24:04 -04:00

fix(prowlarr): resolve auth_mode_conflict by using shared authentik middleware 19089602b8

Remove redundant prowlarr_outpost sidecar container and apply the shared
authentik-auth@file middleware to the prowlarr router. The Authentik forward
auth middleware already exists in the Traefik dynamic configuration and
provides the necessary authentication layer without requiring a dedicated
outpost container per service.

nathan merged commit 1fedfcca01 into main

2026-05-31 21:26:34 -04:00

nathan deleted branch patch/auth_mode_conflict-prowlarr-2026-06-01

2026-05-31 21:26:34 -04:00

nathan referenced this issue from a commit

2026-05-31 21:26:34 -04:00

Merge pull request 'Fix Prowlarr authentication mode conflict using shared Authentik middleware' (#2) from patch/auth_mode_conflict-prowlarr-2026-06-01 into main

nathan referenced this issue from a commit

2026-05-31 21:55:19 -04:00

Revert "Merge pull request 'Fix Prowlarr authentication mode conflict using shared Authentik middleware' (#2) from patch/auth_mode_conflict-prowlarr-2026-06-01 into main"

Sign in to join this conversation.