Boosting Navidrome Security: SSO Auth with Traefik and Authentik

Introduction

Music streaming services like Navidrome provide a fantastic way to access your personal music collection from anywhere. However, exposing such services to the internet comes with security concerns.

This guide demonstrates how to secure your Navidrome instance using Authentik’s Single Sign-On (SSO) capabilities behind a Traefik reverse proxy.

By implementing this setup, you’ll add an additional security layer to your music server while maintaining convenient access for legitimate users.

Assumptions and DNS Records

This guide assumes you have already installed and configured:

  • Authentik as your identity provider
  • Traefik as your reverse proxy
  • Navidrome as your music streaming server

For the purposes of this tutorial, we’ll use the following domains:

  • music.example.com: Your public-facing Navidrome instance
  • example.com: Your external domain
  • internal.example.com: Your internal subdomain

Understanding The Authentication Flow

The authentication flow works as follows:

  1. A user attempts to access music.example.com
  2. Traefik intercepts the request and, through the authentik-forward-auth middleware, asks Authentik whether it belongs to an authenticated session
  3. If the user isn’t authenticated, they’re redirected to the Authentik login page
  4. After successful authentication, Authentik sends the user back to music.example.com; the middleware now attaches the X-authentik-* headers to the request before it reaches Navidrome
  5. Navidrome reads these headers to identify the user and grants access accordingly

Importantly, our configuration deliberately excludes authentication for two specific paths:

  • /share/: Allows anonymous access to shared music links
  • /rest/: Permits API access for mobile applications like Symfonium or DSub

This selective authentication keeps the web UI behind SSO while leaving shared links and the Subsonic API reachable by clients that cannot complete a browser login.

Authentik Configuration

Application and Provider

To set up Navidrome in Authentik:

  1. From the Authentik admin dashboard, select “Applications” and click “Create with Provider”
  2. On the “Application” screen:
    • Enter “Navidrome” as the name
    • Set an appropriate slug (e.g., “navidrome”)
    • Add an optional description and icon
  3. On the “Choose A Provider” screen:
    • Select “Proxy Provider”
  4. On the “Configure Provider” screen:
    • Enter a name for the provider (e.g., “navidrome-proxy”)
    • Select the authentication flow that you typically use
    • Choose “Forward auth (single application)”
    • Enter https://music.example.com as the external host
  5. Skip the “Configure Bindings” screen and complete the wizard

Outpost

Next, connect your application to the Authentik outpost:

  1. Navigate to “Outposts” in the Authentik admin interface
  2. Edit the “authentik Embedded Outpost”
  3. Under the “Applications” section, add your newly created Navidrome application
  4. Save the changes

Traefik Configuration

The Traefik configuration manages traffic routing and authentication. Here’s the setup:

# Traefik configuration for Navidrome with Authentik SSO
http:
  routers:
    to-authentik-outpost:
      entryPoints: webSecure
      rule: "Host(`music.example.com`) && PathPrefix(`/outpost.goauthentik.io/`)"
      service: authentik
      priority: 200
      middlewares:
        - authentik-forward-auth
    to-protected:
      entryPoints: webSecure
      rule: "Host(`music.example.com`) && !(PathPrefix(`/share/`) || PathPrefix(`/rest/`))"
      service: navidrome
      priority: 100
      middlewares:
        - authentik-forward-auth
    to-subsonic:
      entryPoints: webSecure
      rule: "Host(`music.example.com`) && PathPrefix(`/rest/`)"
      service: navidrome
      priority: 150
    to-navidrome:
      entryPoints: webSecure
      rule: "Host(`music.example.com`) && PathPrefix(`/share/`)"
      service: navidrome
      priority: 100
  services:
    navidrome:
      loadBalancer:
        servers:
          - url: http://navidrome.internal.example.com:4533
    authentik:
      loadBalancer:
        servers:
          - url: https://authentik.internal.example.com:9443

  middlewares:
    authentik-forward-auth:
      forwardAuth:
        address: http://authentik.internal.example.com:9000/outpost.goauthentik.io/auth/traefik
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-entitlements
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version

Configuration Breakdown

The Traefik configuration consists of several key components:

Routers:

  • to-authentik-outpost: Handles Authentik-specific paths with the highest priority (200)
  • to-protected: Routes general Navidrome traffic through authentication
  • to-subsonic: Allows unauthenticated access to the Subsonic API (/rest/)
  • to-navidrome: Permits direct access to shared links (/share/)

Services:

  • navidrome: Points to your Navidrome instance
  • authentik: Points to your Authentik instance

Middleware:

  • authentik-forward-auth: The critical component that forwards authentication requests to Authentik and passes user information via headers to Navidrome

The configuration uses routing priorities to ensure that authentication exceptions work correctly, with higher numbers taking precedence.

Navidrome Configuration

For Navidrome to properly integrate with this authentication setup, you’ll need to configure two important settings:

  1. ReverseProxyWhitelist: Set this to the address of your Traefik server in CIDR notation (a single host is written as a /32) so that Navidrome trusts the authentication header only when it arrives from that source
  2. ReverseProxyUserHeader: Set this to X-authentik-username so Navidrome knows which header contains the username

You can configure these settings in your Navidrome environment variables or configuration file:

ND_REVERSEPROXYWHITELIST=<your_traefik_ip>/32
ND_REVERSEPROXYUSERHEADER=X-authentik-username

For more configuration options, refer to the Navidrome documentation.
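The flow from “Understanding The Authentication Flow”, the priority-based routing from “Configuration Breakdown” and the whitelist check just described, played through in one place. This is an added Python model written for this page, not code from Traefik, Navidrome or Authentik: the router table is transcribed from the Traefik configuration above, while the 10.0.0.5/32 Traefik address, the login redirect URL and the sample request paths are constructed assumptions.

```python
"""Model of the request path described on this page: Traefik's router
selection by priority, the forwardAuth middleware, and Navidrome's
reverse-proxy trust check. Written for illustration, not Traefik, Navidrome
or Authentik code; 10.0.0.5, LOGIN_REDIRECT and the sample paths are
constructed values."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Router:
    name: str
    priority: int
    matches: Callable[[str], bool]   # the path part of the rule
    service: str
    middlewares: List[str]


# Routers transcribed from the Traefik configuration above. Every rule also
# requires Host(`music.example.com`), which select_router checks once.
ROUTERS = [
    Router("to-authentik-outpost", 200,
           lambda p: p.startswith("/outpost.goauthentik.io/"),
           "authentik", ["authentik-forward-auth"]),
    Router("to-protected", 100,
           lambda p: not (p.startswith("/share/") or p.startswith("/rest/")),
           "navidrome", ["authentik-forward-auth"]),
    Router("to-subsonic", 150, lambda p: p.startswith("/rest/"),
           "navidrome", []),
    Router("to-navidrome", 100, lambda p: p.startswith("/share/"),
           "navidrome", []),
]

# Subset of the authResponseHeaders list from the middleware definition.
AUTH_RESPONSE_HEADERS = ("X-authentik-username", "X-authentik-groups",
                         "X-authentik-email")

# Constructed stand-in for the Authentik login redirect target.
LOGIN_REDIRECT = "https://music.example.com/outpost.goauthentik.io/start"


def select_router(host: str, path: str) -> Optional[Router]:
    """Traefik hands the request to the matching router with the highest
    priority; with no match it answers 404."""
    if host != "music.example.com":
        return None
    candidates = [r for r in ROUTERS if r.matches(path)]
    return max(candidates, key=lambda r: r.priority, default=None)


def forward_auth(headers: Dict[str, str], session_user: Optional[str]
                 ) -> Tuple[Optional[int], Dict[str, str]]:
    """Model of the forwardAuth middleware. session_user stands in for the
    outcome of the outpost's session check (None means no valid session).
    On success every authResponseHeaders entry is replaced by the value from
    Authentik's reply, so copies of those headers sent by the client never
    reach the backend."""
    if session_user is None:
        return 302, {"Location": LOGIN_REDIRECT}
    upstream = {k: v for k, v in headers.items() if k not in AUTH_RESPONSE_HEADERS}
    upstream["X-authentik-username"] = session_user
    return None, upstream


def proxy(host: str, path: str, headers: Dict[str, str],
          session_user: Optional[str] = None
          ) -> Tuple[Optional[int], Dict[str, str], Optional[str]]:
    """Returns (status, headers, service). status is None when the request is
    forwarded to `service` carrying `headers`; otherwise Traefik answered."""
    router = select_router(host, path)
    if router is None:
        return 404, {}, None
    upstream = dict(headers)
    if "authentik-forward-auth" in router.middlewares:
        status, upstream = forward_auth(upstream, session_user)
        if status is not None:
            return status, upstream, None
    # Routers without the middleware (/rest/, /share/) forward the client's
    # headers unchanged; nothing in this configuration rewrites X-authentik-*
    # on those paths.
    return None, upstream, router.service


def navidrome_user_from_proxy(peer_ip: str, headers: Dict[str, str],
                              whitelist: str = "10.0.0.5/32",
                              user_header: str = "X-authentik-username"
                              ) -> Optional[str]:
    """Model of ReverseProxyWhitelist / ReverseProxyUserHeader: the username
    header is honoured only when the peer that delivered it lies inside one
    of the comma-separated whitelisted CIDRs."""
    peer = ipaddress.ip_address(peer_ip)
    networks = [ipaddress.ip_network(c.strip()) for c in whitelist.split(",")]
    if not any(peer in net for net in networks):
        return None
    return headers.get(user_header)


if __name__ == "__main__":
    for path, user in [("/app/", None), ("/app/", "alice"),
                       ("/rest/ping.view", None), ("/share/abc123", None)]:
        status, hdrs, svc = proxy("music.example.com", path, {}, user)
        print(f"{path:18} -> status={status} service={svc} "
              f"user-header={hdrs.get('X-authentik-username')}")
```

Two things the walkthrough makes visible: the forwardAuth middleware replaces any client-supplied copy of the listed headers with Authentik’s values on the protected router, and the /rest/ and /share/ routers, which carry no middleware, pass request headers to Navidrome as received. If you want those two paths never to deliver X-authentik-* values at all, Traefik’s headers middleware removes a request header when customRequestHeaders maps it to an empty string.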

Conclusion

With this setup complete, your Navidrome instance is now secured with Authentik SSO. When users visit music.example.com, they’ll be presented with the Authentik login page. After successful authentication, they’ll gain access to Navidrome.

One of the most convenient aspects of this integration is automatic user provisioning. If a user authenticates through Authentik but doesn’t yet exist in Navidrome, a new account will be created automatically using the username from Authentik (and a random password).

This approach provides robust security while maintaining convenient access for legitimate users, with selective authentication bypassing for specific functionality like shared links and mobile app access.

Resources Used

https://github.com/brokenscripts/authentik_traefik

https://www.navidrome.org/docs/usage/reverse-proxy

https://docs.goauthentik.io/docs/add-secure-apps/providers/proxy/server_traefik
