Hello everyone,
I’m running into persistent 502 Bad Gateway errors when trying to protect my subdomains with Authelia behind the LinuxServer SWAG (Secure Web Application Gateway) container. I’ve followed every step in the official documentation, but can’t get past this error. I’m hoping someone here can help me spot what I’m missing.
Domain & DNS Setup
- Main domains:
  - my-first-domain.com → A record → my-server-ip
  - domain-two.de → A record → my-server-ip
- Subdomains:
  - www.my-first-domain.com → A → my-server-ip (works)
  - dashboard.my-first-domain.com → A → my-server-ip (502)
  - auth.my-first-domain.com → A → my-server-ip (502)
All DNS lookups resolve correctly:
$ dig +short dashboard.my-first-domain.com
my-server-ip
$ dig +short auth.my-first-domain.com
my-server-ip
Environment
- Host OS: Ubuntu 22.04 LTS
- Docker Compose Version: 1.29.2
- SWAG Image: lscr.io/linuxserver/swag:latest
- Authelia Image: authelia/authelia:latest
- Docker Network: swag_network (bridge, shared by both containers)
- Ports forwarded:
  - Host → Container: 80:80, 443:443, Authelia 9091:9091
What Works
- SWAG landing and www.my-first-domain.com HTTPS are up and serving the default page.
- Certificate issuance via HTTP‑validation for all domains succeeds.
- Docker networking:
docker exec -it swag ping authelia # OK
PING authelia (172.19.0.2): 56 data bytes
64 bytes from 172.19.0.2: seq=0 ttl=64 time=0.290 ms
64 bytes from 172.19.0.2: seq=1 ttl=64 time=0.088 ms
64 bytes from 172.19.0.2: seq=2 ttl=64 time=0.089 ms

docker exec -it swag curl --head http://authelia:9091
HTTP/1.1 200 OK
Date: Sun, 20 Apr 2025 09:25:32 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 1087
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: accelerometer=(), autoplay=(), camera=(), display-capture=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), sync-xhr=(), xr-spatial-tracking=(), interest-cohort=()
X-Frame-Options: DENY
X-Dns-Prefetch-Control: off
Content-Security-Policy: default-src 'self'; frame-src 'none'; object-src 'none'; style-src 'self' 'nonce-RTXBQa4Jf1ntxpsinUuZn8cC3ShylTCZ'; frame-ancestors 'none'; base-uri 'self'
The Problem
- https://auth.my-first-domain.com → 502 Bad Gateway
- https://dashboard.my-first-domain.com → 502 Bad Gateway
Both subdomains return a 502 from SWAG’s NGINX layer, even though Authelia itself is healthy and reachable on port 9091.
Configuration Summary
1. docker-compose.yml
services:
  swag:
    image: lscr.io/linuxserver/swag:latest
    container_name: swag
    cap_add:
      - NET_ADMIN
    ports:
      - "80:80"
      - "443:443"
      # - "81:81"
    environment:
      - PUID=1101
      - PGID=1101
      - TZ=Europe/Berlin
      - URL=my-first-domain.com
      - SUBDOMAINS=www,dashboard,auth
      - EXTRA_DOMAINS=domain-two.de
      - VALIDATION=http
      - EMAIL=firstname.lastname@domain.com
      - STAGING=false
      - DOCKER_MODS=linuxserver/mods:swag-dashboard
    volumes:
      - ./swag/config:/config
    networks:
      - swag_network

  mariadb:
    image: lscr.io/linuxserver/mariadb:latest
    container_name: mariadb
    environment:
      - PUID=1101
      - PGID=1101
      - TZ=Europe/Berlin
      - MYSQL_ROOT_PASSWORD=password
      - MYSQL_DATABASE=wordpress_mb
      - MYSQL_USER=wpmb_user
      - MYSQL_PASSWORD=password
    volumes:
      - ./mariadb:/config
    networks:
      - swag_network

  authelia:
    image: authelia/authelia:latest
    container_name: authelia
    volumes:
      - ./authelia/config:/config
    ports:
      - "9091:9091"
    restart: unless-stopped
    networks:
      - swag_network

networks:
  swag_network:
    driver: bridge
2. Authelia NGINX Snippets (/config/nginx/)
# authelia-server.conf
location = /authelia/api/verify { … proxy_pass http://authelia:9091/api/verify; }
location = /authelia/api/authz/auth-request { … proxy_pass http://authelia:9091/api/authz/auth-request; }
3. Dashboard Proxy Conf (dashboard.subdomain.conf)
# HTTP redirect
server {
    listen 80; listen [::]:80;
    server_name dashboard.my-first-domain.com;
    return 301 https://$host$request_uri;
}

# HTTPS with Authelia
server {
    listen 443 ssl; listen [::]:443 ssl;
    server_name dashboard.my-first-domain.com;
    include /config/nginx/ssl.conf;
    include /config/nginx/authelia-server.conf;

    location / {
        include /config/nginx/authelia-location.conf;
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app dashboard;
        set $upstream_port 80;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
        try_files $uri $uri/ /index.php$is_args$args =404;
    }

    location ~ ^(.+\.php)(.*)$ { … include /config/nginx/authelia-location.conf; … }
}
4. Authelia Proxy Conf (authelia.subdomain.conf)
server {
    listen 443 ssl; listen [::]:443 ssl;
    server_name auth.my-first-domain.com;
    include /config/nginx/ssl.conf;

    location / {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app authelia; set $upstream_port 9091; set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}
Troubleshooting Steps Taken
- Verified DNS & Port Forwarding – all resolve to the correct IP and ports are open.
- Inside SWAG container:
  ping authelia # OK
  curl -v http://authelia:9091/api/authz/auth-request # → HTTP/1.1 400 Bad Request (at least it’s talking to Authelia)
- Checked Logs
  - SWAG logs only show 502 on incoming requests to / and /api/... .
  - Authelia logs show:
    Access to https://dashboard.my-first-domain.com/ is not authorized → 401 → redirect to https://auth...?rd=…
- Ensured internal; is present on both /authelia/api/... locations.
- Recreated default configs with docker run … cp -r /defaults /config.
My Questions
- What am I missing in the SWAG proxy configuration that causes NGINX to return 502 Bad Gateway for these two subdomains?
- Are there any additional headers or proxy directives that Authelia requires but SWAG isn’t injecting?
- Has anyone successfully protected multiple subdomains (one for the portal, one for an app) behind SWAG + Authelia and can share a minimal working example?
Thank you in advance for any pointers!
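
Added example, not part of the original post and not code from the SWAG or Authelia projects: NGINX answers 502 when it cannot resolve or reach the host given to `proxy_pass`, so one check for a setup like the one above is that every `$upstream_app` names a service or container defined in the compose file. The inputs are constructed, condensed from the files quoted above; the function names are hypothetical, and network aliases or IP-address upstreams are assumed not to be in use.

```python
import re

# Constructed sample inputs, condensed from the files quoted in the post above.
COMPOSE = """\
services:
  swag:
    container_name: swag
  mariadb:
    container_name: mariadb
  authelia:
    container_name: authelia
networks:
  swag_network:
    driver: bridge
"""
CONFS = {
    "dashboard.subdomain.conf": "set $upstream_app dashboard; set $upstream_port 80;",
    "authelia.subdomain.conf": "set $upstream_app authelia; set $upstream_port 9091;",
}

def compose_names(text):
    """Collect service keys and container_name values under top-level 'services:'."""
    names, in_services = set(), False
    for line in text.splitlines():
        if re.match(r"^\S", line):            # a new top-level key starts here
            in_services = line.startswith("services:")
            continue
        if not in_services:
            continue
        m = re.match(r"^  ([\w.-]+):\s*$", line)   # two-space indent: service key
        if m:
            names.add(m.group(1))
        m = re.match(r"^\s+container_name:\s*(\S+)", line)
        if m:
            names.add(m.group(1))
    return names

def unresolvable_upstreams(confs, names):
    """Return (file, upstream_app) pairs that match no compose service or container."""
    missing = []
    for fname, body in sorted(confs.items()):
        for app in re.findall(r"set\s+\$upstream_app\s+([^;\s]+)\s*;", body):
            if app not in names:
                missing.append((fname, app))
    return missing

if __name__ == "__main__":
    for fname, app in unresolvable_upstreams(CONFS, compose_names(COMPOSE)):
        print(f"{fname}: upstream '{app}' is not defined in the compose file")
```

On the constructed inputs this reports `dashboard` in `dashboard.subdomain.conf`; it reports nothing for `authelia.subdomain.conf`, so a 502 on that host needs a different check.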