This install assumes that Docker has been installed previously, and extends the Docker stack created for the Traefik Reverse Proxy.
Authelia (GitHub) is an open-source authentication and authorization server providing Two-Factor Authentication (2FA) and Single Sign-On (SSO) for applications via a web portal. It acts as a companion for reverse proxies by allowing, denying, or redirecting requests.
Refer to this guide (TechnoTim), which includes a YouTube video, notes and the YAML files.
Create folder for Authelia data
```bash
cd ~/docker
mkdir authelia
mkdir authelia/config
```
Setup Authelia Configuration Files
- Before deploying the Docker container, it is essential to set up the static configuration file for Authelia. In the config folder created above, add a configuration.yml file:
```yaml
# The secret used to generate JWT tokens when validating user identity by email
jwt_secret: [STRONGBOX]
# If user tries to authenticate directly (without referrer) Authelia uses
# this URL to go to after authentication, in this case back to self
default_redirection_url: [STRONGBOX]
# Time-based One-Time Password (TOTP); issuer name used on authenticator app
totp:
  issuer: authelia.com
server:
  host: 0.0.0.0
  port: 9091
# Log level can be set to 'trace', 'debug', 'info', 'warn' or 'error'
log:
  level: warn
# The theme to display: light, dark, grey, auto
theme: dark
# Database used for verifying user passwords, emails, etc
# Small number of users so use file, else would use LDAP
authentication_backend:
  file:
    path: /config/users_database.yml
    password:
      algorithm: argon2id
      iterations: 1
      salt_length: 16
      parallelism: 8
      memory: 64
# Policy must be one of 'bypass', 'one_factor', 'two_factor' or 'deny'
access_control:
  default_policy: deny
  rules:
    # Rules applied to everyone
    - domain: [STRONGBOX]
      policy: two_factor
    - domain: [STRONGBOX]
      policy: two_factor
# The session cookies identify the user once logged in
session:
  name: authelia_session
  secret: [STRONGBOX]
  domain: bbproj.org # Should match whatever root domain is
  expiration: 3600 # 1 hour
  inactivity: 300 # 5 minutes
# This mechanism prevents attackers from brute forcing the first factor.
# It bans the user if too many attempts are made in a short period of time
regulation:
  max_retries: 3
  find_time: 120 # 2 minutes
  ban_time: 300 # 5 minutes
# Storage used by Authelia, must be one of 'local', 'mysql', 'postgres'
# For 'lite' version, using SQLite3
storage:
  encryption_key: [STRONGBOX] # Now required
  local:
    path: /config/db.sqlite3
# Notifications sent to users when they require a password reset; smtp or filesystem
notifier:
  smtp:
    username: [STRONGBOX]
    password: [STRONGBOX]
    host: [STRONGBOX]
    port: 465
    sender: "Authelia @ TITAN <STRONGBOX>"
    subject: "[Authelia] {title}"
  #filesystem:
  #  filename: /config/notification.txt
```
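The settings above that matter most for security (default-deny access control, two-factor rules under the session cookie domain, a bounded session lifetime, brute-force regulation, argon2id hashing and real secrets in place of the redacted values) are easy to get wrong when editing the file by hand. The script below is an added example, not part of these notes or of Authelia's own tooling: it lints a parsed configuration for those points. The thresholds, the `example.org` domain and the secrets are all assumptions constructed for the example; in practice the dict would come from `yaml.safe_load()` on `/config/configuration.yml`.

```python
from typing import Any

# Values that mean "this secret was never filled in". "[STRONGBOX]" is the
# redaction marker used in the notes, not a real secret.
PLACEHOLDER_VALUES = {None, "", "[STRONGBOX]", "changeme", "secret"}

# Thresholds are assumptions chosen for this example, not Authelia defaults.
MAX_SESSION_EXPIRATION = 24 * 3600  # seconds
MAX_SESSION_INACTIVITY = 3600       # seconds
MIN_ARGON2_MEMORY = 64              # MB, matching the notes' configuration
MIN_SALT_LENGTH = 16


def under_cookie_domain(rule_domain: str, cookie_domain: str) -> bool:
    """True if a protected domain (possibly '*.foo') will receive the session cookie."""
    host = rule_domain[2:] if rule_domain.startswith("*.") else rule_domain
    return host == cookie_domain or host.endswith("." + cookie_domain)


def lint_authelia_config(cfg: dict[str, Any]) -> list[str]:
    """Return human-readable findings for weak or incomplete settings (empty = clean)."""
    findings: list[str] = []
    session = cfg.get("session", {})
    storage = cfg.get("storage", {})
    ac = cfg.get("access_control", {})

    # 1. Secrets must be real values, not redaction or placeholder markers.
    for label, value in (("jwt_secret", cfg.get("jwt_secret")),
                         ("session.secret", session.get("secret")),
                         ("storage.encryption_key", storage.get("encryption_key"))):
        if value in PLACEHOLDER_VALUES:
            findings.append(f"{label} is missing or a placeholder")

    # 2. Access control: default deny, no bypass, and every rule under the cookie domain.
    if ac.get("default_policy") != "deny":
        findings.append(f"default_policy is {ac.get('default_policy')!r}, expected 'deny'")
    for rule in ac.get("rules", []):
        domain, policy = rule.get("domain") or "", rule.get("policy")
        if policy == "bypass":
            findings.append(f"rule for {domain!r} bypasses authentication")
        if session.get("domain") and not under_cookie_domain(domain, session["domain"]):
            findings.append(f"{domain!r} is outside session.domain {session['domain']!r}, cookie will not be sent")

    # 3. Session lifetime bounded, with an inactivity timeout.
    if session.get("expiration", MAX_SESSION_EXPIRATION + 1) > MAX_SESSION_EXPIRATION:
        findings.append("session.expiration missing or longer than 24h")
    if session.get("inactivity", MAX_SESSION_INACTIVITY + 1) > MAX_SESSION_INACTIVITY:
        findings.append("session.inactivity missing or longer than 1h")

    # 4. Brute-force regulation present and not disabled (max_retries: 0 disables it).
    reg = cfg.get("regulation") or {}
    if reg.get("max_retries", 0) <= 0 or reg.get("ban_time", 0) <= 0:
        findings.append("regulation disabled: max_retries and ban_time must be > 0")

    # 5. File backend hashing: argon2id with enough memory and salt.
    pw = cfg.get("authentication_backend", {}).get("file", {}).get("password", {})
    if pw.get("algorithm") != "argon2id":
        findings.append(f"password.algorithm is {pw.get('algorithm')!r}, expected 'argon2id'")
    if pw.get("memory", 0) < MIN_ARGON2_MEMORY or pw.get("salt_length", 0) < MIN_SALT_LENGTH:
        findings.append("argon2id memory or salt_length below the values used in the notes")
    return findings


# Constructed config mirroring the notes' configuration.yml, with example.org
# standing in for the real domain and made-up (non-secret) secret strings.
GOOD_CONFIG: dict[str, Any] = {
    "jwt_secret": "example-jwt-secret-replace-with-random-bytes",
    "authentication_backend": {"file": {"path": "/config/users_database.yml",
        "password": {"algorithm": "argon2id", "iterations": 1, "salt_length": 16,
                     "parallelism": 8, "memory": 64}}},
    "access_control": {"default_policy": "deny", "rules": [
        {"domain": "*.example.org", "policy": "two_factor"},
        {"domain": "example.org", "policy": "two_factor"}]},
    "session": {"name": "authelia_session", "secret": "example-session-secret",
                "domain": "example.org", "expiration": 3600, "inactivity": 300},
    "regulation": {"max_retries": 3, "find_time": 120, "ban_time": 300},
    "storage": {"encryption_key": "example-encryption-key", "local": {"path": "/config/db.sqlite3"}},
}

# The same config with the mistakes this lint is meant to catch.
WEAK_CONFIG: dict[str, Any] = {
    **GOOD_CONFIG,
    "jwt_secret": "[STRONGBOX]",
    "access_control": {"default_policy": "one_factor", "rules": [
        {"domain": "*.example.org", "policy": "bypass"},
        {"domain": "other.test", "policy": "two_factor"}]},
    "regulation": {"max_retries": 0, "find_time": 120, "ban_time": 300},
}

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, lint_authelia_config(cfg) or ["clean"])
```

Run it before `docker compose up`: a clean result is an empty list, and each finding names the key to fix. The cookie-domain check exists because a protected host outside `session.domain` never receives the `authelia_session` cookie, so every request to it would bounce back to the portal.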
- Set up the users_database.yml file, using the password hash generated in the next paragraph:
```yaml
users:
  bob:
    displayname: "[STRONGBOX]"
    password: "[STRONGBOX]"
    email: [STRONGBOX]
    groups:
      - admins
      - dev
```
- Authelia's Docker image can generate the argon2 password hash required. Enter the following in an SSH terminal and paste the resulting hash into the password field above:
```bash
docker run authelia/authelia:latest authelia hash-password '[STRONGBOX]'
```
Create Docker File
- Add the following service definition to dc-authelia.yml in the Docker root folder:
```yaml
version: "3"
# NETWORKS ####################################################
networks:
  traefik_proxy:
    external: true
# SERVICES ####################################################
services:
  authelia:
    container_name: authelia
    image: authelia/authelia
    #
    restart: unless-stopped
    healthcheck:
      disable: true
    #
    networks:
      - traefik_proxy
    #
    expose:
      - 9091
    #
    volumes:
      - $DOCKERDIR/authelia/config:/config
    #
    environment:
      - TZ=$TZ
    #
    labels:
      - "traefik.enable=true"
      # HTTPS
      - "traefik.http.routers.authelia.entrypoints=web_https"
      - "traefik.http.routers.authelia.rule=Host(`auth.$DOMAINNAME_CLOUD_SERVER`)"
      - "traefik.http.routers.authelia.tls=true"
      # MIDDLEWARES
      - "traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.$DOMAINNAME_CLOUD_SERVER"
      - "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true"
      - "traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
```
- From the Docker root folder, run this command to build the container. Ignore any warning about orphan containers; this just adds another container to the existing stack.
```bash
sudo docker compose -f dc-authelia.yml up -d
```
- To confirm Authelia is working, go to auth.bbproj.org as set up earlier and confirm the GUI opens OK. Next, start protecting endpoints with Authelia.
- Heimdall. Heimdall is already using Traefik as a reverse proxy. To add Authelia authentication, add a middlewares label to Heimdall's docker file:

```yaml
- "traefik.http.routers.heimdall-secure.middlewares=authelia@docker"
```

- This adds Authelia as a middleware that will ask for a password/2FA on the first login of a session, or go straight to Heimdall if a valid session cookie already exists. Cool!
- Syncthing. Add a similar label to its docker file as above.
- Go into Actions -> Advanced -> GUI and tick Insecure Admin Access to disable Syncthing's own password, as access is now covered by Authelia. Syncthing will show a warning about this setting on startup.
- Add similar labels for Traefik, Portainer, Tautulli, etc.
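Because every service has to opt in with its own `middlewares` label, the easy mistake is a router that was added later and never got one, which leaves that endpoint reachable with no login. The script below is an added example (not from these notes, Traefik or Authelia) that audits a set of Traefik labels per service and reports routers whose middleware chain lacks `authelia@docker`; the only router allowed to omit it is the one serving the portal itself. The service names, hostnames and the `PORTAL_ROUTERS` set are assumptions constructed for the example.

```python
from collections import defaultdict

# Assumptions for this example: the forward-auth middleware is named
# authelia@docker as in the notes, and the router serving the portal itself
# is the only one allowed to omit it.
AUTH_MIDDLEWARE = "authelia@docker"
PORTAL_ROUTERS = {"authelia"}


def parse_router_labels(labels: list[str]) -> dict[str, dict[str, str]]:
    """Group 'traefik.http.routers.<name>.<option>=<value>' labels by router name."""
    routers: dict[str, dict[str, str]] = defaultdict(dict)
    for label in labels:
        key, _, value = label.partition("=")  # split on the first '=' only
        parts = key.split(".")
        if len(parts) >= 5 and parts[:3] == ["traefik", "http", "routers"]:
            routers[parts[3]][".".join(parts[4:])] = value
    return dict(routers)


def unprotected_routers(services: dict[str, list[str]]) -> list[tuple[str, str]]:
    """Return (service, router) pairs whose middleware chain lacks the Authelia forwardauth."""
    missing: list[tuple[str, str]] = []
    for service, labels in services.items():
        if "traefik.enable=true" not in labels:
            continue  # Traefik ignores this container entirely
        for router, options in parse_router_labels(labels).items():
            if router in PORTAL_ROUTERS:
                continue
            chain = [m.strip() for m in options.get("middlewares", "").split(",") if m.strip()]
            if AUTH_MIDDLEWARE not in chain:
                missing.append((service, router))
    return missing


# Constructed label sets: the authelia service from the compose file above, a
# Heimdall router with the middleware attached as the notes describe, and a
# Syncthing router where the label was forgotten.
SAMPLE_SERVICES: dict[str, list[str]] = {
    "authelia": [
        "traefik.enable=true",
        "traefik.http.routers.authelia.entrypoints=web_https",
        "traefik.http.routers.authelia.rule=Host(`auth.example.org`)",
        "traefik.http.routers.authelia.tls=true",
        "traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.example.org",
        "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true",
    ],
    "heimdall": [
        "traefik.enable=true",
        "traefik.http.routers.heimdall-secure.rule=Host(`heimdall.example.org`)",
        "traefik.http.routers.heimdall-secure.middlewares=authelia@docker",
    ],
    "syncthing": [
        "traefik.enable=true",
        "traefik.http.routers.syncthing-secure.rule=Host(`sync.example.org`)",
    ],
}

if __name__ == "__main__":
    for service, router in unprotected_routers(SAMPLE_SERVICES):
        print(f"{service}: router {router!r} is reachable without Authelia")
```

Feed it the `labels` list of each service from the compose files (for example via `yaml.safe_load`) and an empty result means every exposed router goes through the forward-auth check. Middleware labels on the Authelia service itself are deliberately ignored, since they define the middleware rather than attach it.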
Resources