I have reverse proxy (traefik) authenticated (Authelia) and protecting https://seafile.domain.me and logging in via web shows Authelia first and then correctly logs me in to Seafile.
I’ve configured CLIENT_SSO_VIA_LOCAL_BROWSER = True but logging in via desktop fails - no browser appears, just a warning that it can’t find the server.
Checking log shows a call to https://seafile.domain.me/api2/server-info, which fails because it is covered by traefik/authelia and is 401. This is chicken and egg. Excluding /api2/server-info from Authelia still fails but log shows it went further, but failed getting /api2/client-sso-link/.
Excluding the whole of /api2 works: desktop client opens browser, shows Authelia login and then correctly logs in.
Is safe to leave /api2 un-authenticated? If not, what should be visible to allow desktop to work?
Relevant traefik labels on seafile docker service:
traefik.enable: true
traefik.http.services.seafile.loadbalancer.server.port: 80
traefik.http.routers.seafile.middlewares: 'authelia@docker'
traefik.http.routers.seafile.priority: 1
traefik.http.routers.seafile-api.rule: (Host(`seafile.domain.me`) && PathPrefix(`/api2`))
traefik.http.routers.seafile-api.priority: 3
Thanks