Authentik on different domain behind Pangolin

[kapuett]

Hi, I am struggling with this problem:

• server1 is hosting different services, including Authentik (2025.10.3). All those services are reachable local only via TLS served by traefik with a wildcard domain cert *.example.com.
• vps is publicly available in a different location and running Pangolin to access server1 through newt. Pangolins traefik is configured to serve domain pangolin.gw.example.com and has a wildcard cert for *.gw.example.com.
• Pangolin has a public resource authentik with URL https://authentik.gw.example.com. Target is the newt site with https://authentik.example.com on port 443. Setting Host and SNI Headers in Pangolin

makes the authentik dashboard reachable, but with message:

The request failed and the interceptors did not return an alternative response

Browser devtools network tab reveals what seems to me like a wrong redirect:

I would expect authentik.gw.example.com also for the /api requests instead of authentik.example.com. I found env vars AUTHENTIK_HOST and AUTHENTIK_HOST_BROWSER but they are only mentioned for outposts which I don't have.

Did I forget to configure something? Is this even possible or is an outpost the right choice for this scenario?

[wm-ek]

@kapuett pangolin itself already is be an identity aware reverse proxy. why do you put authentik behind pangolin? is it just for tunneling reasons and to make it accessible publicly?

also check this one: https://docs.goauthentik.io/install-config/reverse-proxy/

[kapuett]

Authentik existed before Pangolin in my setup, so all services are configured to use that already, including all required accounts. Also not every application is exposed via Pangolin. As Pangolin supports adding external identity providers (https://docs.pangolin.net/manage/identity-providers/add-an-idp) I figured that's the best way for my setup. There's also a docu integrating Pangolin with Authentik: https://integrations.goauthentik.io/networking/pangolin/.

Thanks for https://docs.goauthentik.io/install-config/reverse-proxy/ - all those headers are included by Traefik, so it seems not to be the issue here.