302 Redirect using NGINX Proxy Manager on another host

[wagwan-piffting-blud]

Hello,

I am trying to set up Speedtest Tracker with NGINX Proxy Manager, where NPM is on host 1 and ST is on host 2 on a non-standard port (due to a port conflict with 80/443 on host 2). I have the following docker-compose file on host 2:

services:
    speedtest:
        container_name: speedtest
        image: lscr.io/linuxserver/speedtest-tracker:latest
        ports:
            - 8765:80
        volumes:
            - ./speedtest_config:/config
        environment:
            - TZ=America/Chicago
            - PGID=1000
            - PUID=1000
            - APP_TIMEZONE=America/Chicago
            - DISPLAY_TIMEZONE=America/Chicago
            - DB_CONNECTION=sqlite
            - APP_KEY=base64:REDACTED
            - SPEEDTEST_SCHEDULE=0 * * * *
        restart: unless-stopped

When attempting to access the URL I set up through NPM, I get an instant 302 Redirect to host 1's IP and port number.

I have tried:

• setting APP_URL and ASSET_URL to the NPM hostname, this results in a broken CSS experience but does not fix the underlying redirection issue
• setting FORCE_HTTPS which results in a broken certificate chain, causing the page to not load at all

NPM is configured with Authentik to protect my hosts from unauthorized access, but I do not believe this is a factor, as all of my other hosts have the exact same config with no issues. I believe this is an underlying issue with ST somewhere. Here is the NPM config I have set for posterity (taken from the Authentik documentation):

# Increase buffer size for large headers
# This is needed only if you get 'upstream sent too big header while reading response
# header from upstream' error when trying to access an application protected by goauthentik
proxy_buffers 8 16k;
proxy_buffer_size 32k;

# Make sure not to redirect traffic to a port 4443
port_in_redirect off;

location / {
    # Put your proxy_pass to your application here
    proxy_pass          $forward_scheme://$server:$port;
    # Set any other headers your application might need
    # proxy_set_header Host $host;
    # proxy_set_header ...

    ##############################
    # authentik-specific config
    ##############################
    auth_request     /outpost.goauthentik.io/auth/nginx;
    error_page       401 = @goauthentik_proxy_signin;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header       Set-Cookie $auth_cookie;

    # translate headers from the outposts back to the actual upstream
    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
    auth_request_set $authentik_entitlements $upstream_http_x_authentik_entitlements;
    auth_request_set $authentik_email $upstream_http_x_authentik_email;
    auth_request_set $authentik_name $upstream_http_x_authentik_name;
    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;

    proxy_set_header X-authentik-username $authentik_username;
    proxy_set_header X-authentik-groups $authentik_groups;
    proxy_set_header X-authentik-entitlements $authentik_entitlements;
    proxy_set_header X-authentik-email $authentik_email;
    proxy_set_header X-authentik-name $authentik_name;
    proxy_set_header X-authentik-uid $authentik_uid;

    # This section should be uncommented when the "Send HTTP Basic authentication" option
    # is enabled in the proxy provider
    # auth_request_set $authentik_auth $upstream_http_authorization;
    # proxy_set_header Authorization $authentik_auth;
}

# all requests to /outpost.goauthentik.io must be accessible without authentication
location /outpost.goauthentik.io {
    # When using the embedded outpost, use:
    proxy_pass              http://HOST1:PORT/outpost.goauthentik.io;
    # For manual outpost deployments:
    # proxy_pass              http://outpost.company:9000;

    # Note: ensure the Host header matches your external authentik URL:
    proxy_set_header        Host $host;

    proxy_set_header        X-Original-URL $scheme://$http_host$request_uri;
    add_header              Set-Cookie $auth_cookie;
    auth_request_set        $auth_cookie $upstream_http_set_cookie;
    proxy_pass_request_body off;
    proxy_set_header        Content-Length "";
}

# Special location for when the /auth endpoint returns a 401,
# redirect to the /start URL which initiates SSO
location @goauthentik_proxy_signin {
    internal;
    add_header Set-Cookie $auth_cookie;
    return 302 /outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
    # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
    # return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}

Host 1 is running Windows 11 24H2 with Docker Desktop for Windows. Host 2 is an Ubuntu 24.04.1 LTS mini PC running docker from apt. Any help with this issue would be appreciated, I can provide as much additional information upon request as possible.

Thank you!

Wags

[alexjustesen]

I'm going to transfer this issue to a discussion, I'm tapped out time wise at the moment so hopefully someone in the community can help.