Authelia
This guide on Authelia will demonstrate how the application is set up and how to protect your domains with SSO. The examples used in this document are basic configurations. Elements such as proxy authentication and 2FA are not covered.
INFO
Authelia is an open-source authentication and authorization server and portal fulfilling the identity and access management (IAM) role of information security in providing multi-factor authentication and single sign-on (SSO) for your applications via a web portal. It acts as a companion for common reverse proxies.
Docker Compose
version: "3"
services:
  auth:
    image: authelia/authelia
    container_name: authelia
    volumes:
      - /opt/appdata/authelia/files:/config
    ports:
      - 9091:9091
    networks:
      - proxy
    environment:
      - TZ=Europe/London
    labels:
      traefik.enable: "true" # label values must be strings, so the boolean is quoted
      traefik.http.routers.auth.entryPoints: https
networks:
  proxy:
    driver: bridge
    external: true

Configuration set-up
This file holds all of Authelia's configuration: the protected domains and their access-control rules, plus every other setting or integration used (session, storage, notifier). It must be called configuration.yml and live in the /config volume mounted above, which is where the container looks for it.
# yamllint disable rule:comments-indentation
---
###############################################################################
#                           Authelia Configuration                            #
###############################################################################

## The theme to display: light, dark, grey, auto.
theme: grey

jwt_secret: JWT_SECRET_HERE # long random string used to sign the identity-verification JWT tokens
default_redirection_url: https://unraid.domain.xyz # where users land after login when no target URL was supplied

server:
  host: authelia
  port: 9091
  path: ""
  read_buffer_size: 4096
  write_buffer_size: 4096
  enable_pprof: false
  enable_expvars: false
  disable_healthcheck: false
  tls:
    key: ""
    certificate: ""
  # Set the path on disk to Authelia assets.
  # Useful to allow overriding of specific static assets.
  asset_path: '/config/assets/'

## Level of verbosity for logs: info, debug, trace.
log:
  level: info
  # format: json
  # file_path: /var/log/crowdsec/authelia.log
  # keep_stdout: true

totp:
  issuer: login.domain.xyz # your Authelia top-level domain
  period: 30
  skew: 1

authentication_backend:
  disable_reset_password: false
  refresh_interval: 5m
  file:
    path: /config/users_database.yml # this is where your authorised users are stored
    password:
      algorithm: argon2id
      iterations: 1
      salt_length: 16
      parallelism: 8
      memory: 64

webauthn:
  disable: false
  display_name: Authelia
  attestation_conveyance_preference: indirect
  user_verification: preferred # preferred enables PIN enrolment
  timeout: 60s

access_control:
  default_policy: deny
  rules:
    ## Bypass rules
    - domain:
        - "login.domain.xyz" # this should be your authentication URL
        - "unraid.domain.xyz"
      policy: bypass
    ## Bypass API for LunaSea apps
    - domain_regex: '^(sonarr|radarr|sabnzbd)\.domain\.xyz'
      resources:
        - '^/api.*'
      policy: bypass
    ## When auth@file enabled, apply 2FA for group admins
    - domain:
        - '*.domain.com'
      policy: two_factor
      subject:
        - 'group:admins'

session:
  name: authelia_session
  same_site: lax
  secret: SECRET_HERE # long random string used to protect session data
  inactivity: '5m'
  expiration: '1h'
  remember_me: '1M'
  domain: domain.com # should match your root protected domain; the cookie is scoped to it

regulation:
  max_retries: 5
  find_time: 10m
  ban_time: 1h

storage:
  local:
    path: /config/db.sqlite3 # this is your database. A MySQL database would also work, but we use SQLite here.
  encryption_key: HASHED_KEY_HERE # long random string of at least 20 characters (not a hash)

notifier:
  disable_startup_check: true # true/false
  smtp:
    username: postmaster@domain.com # Mailgun username
    password: PASSWORD_HERE # Mailgun password
    host: smtp.eu.mailgun.org # email SMTP server
    port: 587 # email SMTP port
    sender: auth@domain.xyz
    identifier: localhost
    subject: "[Auth] {title}" # email subject
    startup_check_address: auth@domain.xyz
    disable_require_tls: false
    disable_html_emails: false
    tls:
      skip_verify: false
      minimum_version: TLS1.2
...

Placeholders such as domain.com, domain.xyz and the e-mail addresses need to be replaced with your own values. Every *_HERE value must also be filled in: the SMTP password comes from your mail provider, while jwt_secret, session.secret and storage.encryption_key should each be a long random string that you generate.
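Because default_policy is deny, every host you expect to reach must be covered by a rule, and rules are evaluated top to bottom with the first match winning. The following script is an added example (not Authelia's own code) that re-implements that documented matching behaviour so the rule set above can be checked against sample requests before it goes live. RULES mirrors the access_control section of this guide; the Request samples are constructed. It assumes the plain OR-list form of subject (Authelia also accepts nested lists meaning AND) and matches resources against the request path only. Running it shows one consequence of the rules as written: the API paths of sonarr.domain.xyz are bypassed, but its web UI falls through to the default deny, because the two_factor rule is scoped to *.domain.com rather than domain.xyz.

```python
"""Check what policy Authelia's access_control rules would apply to a request.

Added example, not Authelia's own code: a small re-implementation of the
documented rule-matching behaviour (rules evaluated top to bottom, first match
wins, otherwise default_policy applies). RULES mirrors this guide's
configuration.yml; the requests below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

DEFAULT_POLICY = "deny"
RULES = [
    # Bypass rules: the portal itself and the unraid host.
    {"domain": ["login.domain.xyz", "unraid.domain.xyz"], "policy": "bypass"},
    # Bypass the API paths of the media apps (LunaSea).
    {"domain_regex": r"^(sonarr|radarr|sabnzbd)\.domain\.xyz",
     "resources": [r"^/api.*"], "policy": "bypass"},
    # 2FA for members of the admins group on any *.domain.com host.
    {"domain": ["*.domain.com"], "policy": "two_factor", "subject": ["group:admins"]},
]


@dataclass
class Request:
    host: str
    path: str = "/"
    user: Optional[str] = None        # None means the session is anonymous
    groups: list = field(default_factory=list)


def domain_matches(pattern: str, host: str) -> bool:
    """Exact host match; a '*.example' pattern matches subdomains but not the apex."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern


def subject_matches(subjects: list, req: Request) -> bool:
    """'user:NAME' / 'group:NAME' entries (OR); subject rules never match anonymous sessions."""
    if req.user is None:
        return False
    for subject in subjects:
        kind, _, name = subject.partition(":")
        if kind == "user" and name == req.user:
            return True
        if kind == "group" and name in req.groups:
            return True
    return False


def rule_matches(rule: dict, req: Request) -> bool:
    """Every criterion present in the rule must match (domain list, regexes, subject)."""
    if "domain" in rule and not any(domain_matches(d, req.host) for d in rule["domain"]):
        return False
    if "domain_regex" in rule and not re.search(rule["domain_regex"], req.host):
        return False
    if "resources" in rule and not any(re.search(r, req.path) for r in rule["resources"]):
        return False
    if "subject" in rule and not subject_matches(rule["subject"], req):
        return False
    return True


def effective_policy(req: Request, rules: list = RULES, default: str = DEFAULT_POLICY) -> str:
    """Return the policy of the first matching rule, or the default policy."""
    for rule in rules:
        if rule_matches(rule, req):
            return rule["policy"]
    return default


if __name__ == "__main__":
    samples = [
        Request("login.domain.xyz"),
        Request("sonarr.domain.xyz", "/api/v3/queue"),
        Request("sonarr.domain.xyz", "/"),                        # web UI: no rule, so deny
        Request("organizr.domain.com", "/", "john", ["admins", "dev"]),
        Request("organizr.domain.com", "/", "jane", ["dev"]),
        Request("domain.com", "/", "john", ["admins"]),           # apex is not *.domain.com
    ]
    for req in samples:
        print(f"{req.host:22} {req.path:14} {req.user or '(anon)':8} -> {effective_policy(req)}")
```

Add a Request for each host you intend to protect and read the printed policy column; anything that comes back as deny for a host you expect to reach means a rule (or the session domain) needs adjusting before users hit it.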
User set-up
A second file called users_database.yml must be created. As we are not using an LDAP service and instead saving the user data in a flat file, the passwords in it must be stored as hashes. Create a password hash on argon2.online using the following configuration:
- Algorithm: argon2id
- Iterations: 1
- Key length: 32
- Salt length: 16
- Memory: 1024
- Parallelism: 8
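The resulting hash is a PHC string of the form $argon2id$v=19$m=<KiB>,t=<iterations>,p=<lanes>$<salt>$<hash>, so the cost parameters travel inside the string and Authelia verifies a login against the parameters recorded there; that is why the john entry shown further down (m=65536,t=3,p=2) works even though it was not produced with the settings listed above. The script below is an added example, not Authelia's own code: it parses each password field of a users map shaped like users_database.yml and reports entries that are malformed or weaker than thresholds you choose. The thresholds are assumptions taken from this guide's own settings (64 MiB memory, 16-byte salt, 32-byte key); the "weak" and "plain" users are constructed, and the john hash is the one from this guide, whose salt decodes to 12 bytes and is therefore flagged.

```python
"""Audit the argon2 password hashes in a users_database.yml-style users map.

Added example, not Authelia's own code. Authelia stores each password as a PHC
string ($argon2id$v=19$m=<KiB>,t=<iterations>,p=<lanes>$<salt>$<hash>); the
cost parameters live inside the string and can be checked without the password.
Thresholds are assumptions mirroring this guide's settings; see comments.
"""
import base64
from dataclasses import dataclass

MIN_MEMORY_KIB = 64 * 1024   # guide's `memory: 64` (MiB), in KiB as the PHC `m` field is
MIN_SALT_BYTES = 16          # guide's `salt_length: 16`
MIN_DIGEST_BYTES = 32        # guide's argon2.online key length of 32


@dataclass
class Argon2Hash:
    variant: str
    version: int
    memory_kib: int
    iterations: int
    parallelism: int
    salt: bytes
    digest: bytes


def _b64decode_unpadded(text: str) -> bytes:
    """PHC strings carry salt and hash as standard base64 without '=' padding."""
    return base64.b64decode(text + "=" * (-len(text) % 4))


def parse_argon2(phc: str) -> Argon2Hash:
    """Split a PHC argon2 string into its fields; raise ValueError if malformed."""
    parts = phc.split("$")          # ['', variant, 'v=19', 'm=..,t=..,p=..', salt, hash]
    if len(parts) != 6 or parts[0] != "":
        raise ValueError("not a PHC-formatted argon2 string")
    variant, version, params, salt, digest = parts[1:]
    if variant not in ("argon2id", "argon2i", "argon2d"):
        raise ValueError(f"unsupported variant {variant!r}")
    if not version.startswith("v="):
        raise ValueError("missing version field")
    kv = dict(item.split("=", 1) for item in params.split(","))
    missing = {"m", "t", "p"} - set(kv)
    if missing:
        raise ValueError(f"missing cost parameter(s): {sorted(missing)}")
    return Argon2Hash(variant, int(version[2:]), int(kv["m"]), int(kv["t"]),
                      int(kv["p"]), _b64decode_unpadded(salt), _b64decode_unpadded(digest))


def hash_findings(h: Argon2Hash) -> list:
    """Human-readable weaknesses; an empty list means the hash meets the thresholds."""
    findings = []
    if h.variant != "argon2id":
        findings.append(f"variant {h.variant}, argon2id recommended")
    if h.memory_kib < MIN_MEMORY_KIB:
        findings.append(f"memory {h.memory_kib} KiB below {MIN_MEMORY_KIB} KiB")
    if len(h.salt) < MIN_SALT_BYTES:
        findings.append(f"salt only {len(h.salt)} bytes ({MIN_SALT_BYTES} recommended)")
    if len(h.digest) < MIN_DIGEST_BYTES:
        findings.append(f"digest only {len(h.digest)} bytes ({MIN_DIGEST_BYTES} recommended)")
    return findings


def audit_users(users: dict) -> dict:
    """Map each username to its findings; unparsable password fields are reported, not skipped."""
    report = {}
    for name, entry in users.items():
        try:
            report[name] = hash_findings(parse_argon2(entry["password"]))
        except (KeyError, ValueError) as exc:
            report[name] = [f"unusable password field: {exc}"]
    return report


# The hash from this guide's users_database.yml example (user john).
GUIDE_HASH = ("$argon2id$v=19$m=65536,t=3,p=2$BpLnfgDsc2WD8F2q"
              "$o/vzA4myCqZZ36bUGsDY//8mKUYNZZaR0t4MFFSs+iM")
# Constructed: the argon2.online settings listed above (m=1024 KiB, t=1, p=8)
# with a dummy all-zero salt and digest, to show how a low-memory hash is flagged.
WEAK_HASH = "$argon2id$v=19$m=1024,t=1,p=8$" + "A" * 22 + "$" + "A" * 43

SAMPLE_USERS = {   # constructed; same shape as the `users:` map in users_database.yml
    "john": {"displayname": "John Doe", "password": GUIDE_HASH, "groups": ["admins", "dev"]},
    "weak": {"displayname": "Weak Params", "password": WEAK_HASH, "groups": ["dev"]},
    "plain": {"displayname": "No Hash", "password": "hunter2", "groups": []},
}

if __name__ == "__main__":
    for user, findings in audit_users(SAMPLE_USERS).items():
        print(f"{user:6} {'OK' if not findings else '; '.join(findings)}")
```

Feed it the parsed users map from your own file (for example via a YAML loader) and treat any non-empty finding as a reason to regenerate that user's hash with the parameters configured under authentication_backend.file.password.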
Alternatively, an easier solution is to run the following command in your terminal (newer Authelia releases have replaced this subcommand with authelia crypto hash generate argon2):
docker run authelia/authelia:latest authelia hash-password 'yourpassword'

Example below with the username john. You can also specify the groups to which the user belongs, which lets the access-control rules grant different users access to different pages.
users:
  john:
    displayname: "John Doe"
    password: "$argon2id$v=19$m=65536,t=3,p=2$BpLnfgDsc2WD8F2q$o/vzA4myCqZZ36bUGsDY//8mKUYNZZaR0t4MFFSs+iM"
    email: john.doe@authelia.com
    groups:
      - admins
      - dev

Container labels (Traefik)
When protecting a container, add the middleware you defined for Authelia in the Traefik configuration (auth@file here) to that container's router. Traefik then routes each request through Authelia for authentication before it reaches the page.
labels:
  traefik.http.routers.organizr.middlewares: auth@file