
Authelia

Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for your applications via a web portal. It acts as a companion for reverse proxies by allowing, denying or redirecting requests.

Make directory

mkdir -p {{DOCKER_PATH_VAR}}/authelia && cd {{DOCKER_PATH_VAR}}/authelia

docker-compose.yml

nano docker-compose.yml
docker-compose.yml
services:
  authelia:
    image: authelia/authelia
    container_name: authelia
    volumes:
      - ./authelia:/config
    networks:
      - dns-proxy-network
    restart: unless-stopped
    environment:
      - TZ=America/New_York
    # Optional: publish the port only for the direct check in "Open web ui".
    # Once NPM sits in front of Authelia, remove this so it is reachable via the proxy only.
    ports:
      - "9091:9091"
  redis:
    image: redis:alpine
    container_name: authelia-redis
    networks:
      - dns-proxy-network
    restart: unless-stopped

# The shared network must be declared or compose refuses to start the stack.
# It is assumed to exist already (created by the Nginx Proxy Manager stack), hence external.
networks:
  dns-proxy-network:
    external: true

configuration.yml

mkdir authelia && nano ./authelia/configuration.yml
./authelia/configuration.yml
server:
  address: "tcp://0.0.0.0:9091/"
log:
  level: info
jwt_secret: "PASTE_JWT_SECRET_HERE" # openssl rand -hex 32
default_redirection_url: https://adguard.lan.huffmanks.com
authentication_backend:
  file:
    path: /config/users_database.yml
session:
  name: authelia_session
  domain: lan.huffmanks.com # This allows SSO across all subdomains
  same_site: lax
  secret: "PASTE_SESSION_SECRET_HERE" # openssl rand -hex 32
  expiration: 1h
  inactivity: 5m
  remember_me_duration: 1M
  redis:
    host: redis
    port: 6379
storage:
  encryption_key: "PASTE_STORAGE_KEY_HERE" # openssl rand -hex 32
  local:
    path: /config/db.sqlite3
notifier:
  filesystem:
    filename: /config/notification.txt
access_control:
  default_policy: one_factor # two_factor
  rules:
    - domain: "auth.lan.huffmanks.com"
      policy: bypass
# Uncomment if using 2FA
# totp:
#   disable: false
#   issuer: "Authelia" # This name shows up in your Authenticator App
#   period: 30
#   skew: 1

users_database.yml

The file name must match the path set under authentication_backend.file.path in configuration.yml (underscore, not hyphen). The ./authelia directory already exists from the previous step, so a second mkdir would fail and abort the command.

nano ./authelia/users_database.yml
./authelia/users_database.yml
users:
  huffmanks:
    displayname: "Admin"
    password: "PASTE_YOUR_HASH_HERE" # docker run --rm authelia/authelia:latest authelia crypto hash generate argon2 --password 'your_secure_password'
    email: "admin@huffmanks.com"
    groups:
      - admins
      - dev
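
An added preflight check (not from this page or from Authelia) that catches the mistakes the placeholders above invite before the container is started: a PASTE_*_HERE secret left in place, a secret that is not the 64 hex characters `openssl rand -hex 32` produces, a user database whose file name does not match the `path:` in configuration.yml, and a password that is not an argon2 hash. It assumes the directory layout used above; the PASTE_ placeholder and `$argon2` prefix conventions are assumptions taken from this page's comments.

```shell
# Preflight check for the layout above: DIR/authelia/configuration.yml plus the
# user database it references (the container's /config is ./authelia on the host).
# Prints each problem found and returns non-zero if any. Assumed conventions, not
# Authelia's own: placeholders look like PASTE_..._HERE and hashes produced by
# `authelia crypto hash generate argon2` start with $argon2.
authelia_preflight() {
  dir=$1
  cfg="$dir/authelia/configuration.yml"
  rc=0
  if [ ! -f "$cfg" ]; then
    echo "missing $cfg"
    return 1
  fi

  # 1. A leftover placeholder means a secret was never generated.
  if grep -n 'PASTE_[A-Z_]*_HERE' "$cfg"; then
    echo "placeholder secrets remain in $cfg"
    rc=1
  fi

  # 2. openssl rand -hex 32 yields 64 hex chars; anything else is hand-typed or truncated.
  for key in jwt_secret secret encryption_key; do
    val=$(sed -n "s/^[[:space:]]*$key:[[:space:]]*\"\{0,1\}\([^\" #]*\).*/\1/p" "$cfg" | head -n 1)
    if [ -n "$val" ] && ! printf '%s' "$val" | grep -Eq '^[0-9a-f]{64}$'; then
      echo "$key is not a 64-character hex secret"
      rc=1
    fi
  done

  # 3. The users database must exist where authentication_backend.file.path points
  #    (catches users_database.yml vs users-database.yml mismatches).
  users=$(sed -n 's/^[[:space:]]*path:[[:space:]]*\(\/config\/[^ ]*users[^ ]*\).*/\1/p' "$cfg" | head -n 1)
  host_users="$dir/authelia/${users#/config/}"
  if [ -z "$users" ] || [ ! -f "$host_users" ]; then
    echo "users database '$users' not found at $host_users"
    rc=1
  # 4. Every password must be an argon2 hash, never a placeholder or plaintext.
  elif grep -n 'password:' "$host_users" | grep -v '\$argon2'; then
    echo "non-argon2 password entries in $host_users"
    rc=1
  fi
  return $rc
}
```

Source the file and run `authelia_preflight {{DOCKER_PATH_VAR}}/authelia`; a zero exit status means all four checks passed.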

Start container

docker compose up -d

Open web ui

http://localhost:9091 or http://{{SERVER_IP_VAR}}:9091

Nginx Proxy Manager

  • Create a Proxy Host in NPM for auth.lan.your-domain.tld pointing to the authelia container on port 9091.
  • For every service you want to protect:
    • Open the Proxy Host in NPM.
    • Go to the Advanced tab.
    • Paste this snippet.
location /internal/authelia/authz {
    internal;
    set $upstream_authelia http://authelia:9091/api/authz/auth-request;
    proxy_pass $upstream_authelia;
    proxy_set_header X-Original-Method $request_method;
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    # Authelia needs the real client IP for its logs and network-based rules.
    proxy_set_header X-Forwarded-For $remote_addr;
    # The auth subrequest carries no body; drop Content-Length so Authelia does
    # not wait for one (otherwise POST requests to the protected app hang).
    proxy_set_header Content-Length "";
    proxy_pass_request_body off;
}
auth_request /internal/authelia/authz;
auth_request_set $target_url $scheme://$http_host$request_uri;
error_page 401 = @go_auth;
location @go_auth {
    return 302 https://auth.lan.huffmanks.com/?rd=$target_url;
}