Unraid Install

Docker Compose Install

Configuration File

In your appdata/authelia folder you will find

You MUST edit this file to suit your environment. We strongly suggest you watch our video along with this guide to help you understand how it all works.

The sample provided in this guide has been tested and verified to work, however, it is strongly advised to read the official docs on the configuration to ensure it meets your requirements ()

• For secret keys, you can create a 128-bit encryption key to put in from here: Remember to keep them different for the different areas which use them.

Creating Users

You have two options when deciding how you want users to exist for Authelia.

Option 1 - Using a simple YML file with the user's encrypted credentials that Authelia can read.

Option 2 - Allow Authelia to read from an LDAP database such as FreeIPA or Active Directory.

Option 1 - Using a Users Database File

In the sidebar, you will find the file named ''.

1. Copy the file content into appdata/authelia/users_database.yml.

   You MUST edit this file.

2. Adjust the file to the user you would like to sign in as. For help see here:

   1. Changes include the username and display name, for example.

3. To generate the hashed password, open the terminal in Unraid

   1. Type in the following (replacing 'yourpassword' with the password you want for the user):

1. Copy the hashed password that is generated and paste it into the users_database.yml file as replacing the one in the template we provide.

Option 2 - Using an LDAP database

If you prefer to use an LDAP database to read users from, you can do so by using the LDAP configuration in the sidebar.

2. Edit the contents to suit your environment, where necessary

3. Replace the LDAP section in the Authelia configuration.yml with the new one
4. Remember to comment out the 'file' section, since you are not using the users_database.yml file.

OpenLDAP / phpLDAPadmin

Starting Up

At this point, you should start the Authelia container and read the logs.

Traefik

For protecting your apps using Traefik as the reverse proxy, please see our guide on Traefik here

NGINX Proxy Manager

Configuring the Authelia Proxy

1. Copy the data in NGINX Config - Authelia and head to your NPM dashboard > Hosts > Proxy Hosts

2. Select Add Proxy Host

   • Details:

     • Domain name: auth.example.com (or whatever CNAME you set in your DNS for Authelia)

     • Scheme: http

     • Forward Hostname / IP: Name of your Authelia container (must be on the same custom docker network as NPM, otherwise use server IP)

     • Port: 9091

     • Turn ON: Cache Assets, Block Common Exploits

   • SSL:

     • Request new SSL certificate

     • Turn ON: Force SSL, HTTP/2 Support, HSTS Enabled (if using, i.e. in Cloudflare)

     • Email address: used to create Let’s Encrypt cert.

     • Select I Agree and Save.

     • Alternatively, see our guide on using Cloudflare Origin Certs

3. Test that you can reach the WebUI of Authelia selecting the new proxy or typing in its address. i.e. 'auth.example.com'

4. If all the above is working as intended; Edit proxy host 'auth.example.com'

   • Advanced

     • Under Custom Nginx Configuration, paste the config you customized from NGINX Config - Authelia

5. Save and confirm you can still access the WebUI via the URL.

To protect an endpoint (i.e. sonarr)

1. Edit proxy host 'sonarr.example.com'

   • Advanced

     • Under Custom Nginx Configuration, paste the config from NGINX Config - Endpoint and customize as necessary.

2. (Optional) Now that Authelia is acting as your single sign-on security you can now disable any in-app security/logins. Disabling the in-app login will still be secure as Authelia will be protecting it but will prevent you from having to log in twice for every app and remember all of the usernames and passwords etc.

Combined

version: '3'
services:
  auth:
    container_name: auth    
    image: authelia/authelia:latest
    expose:
      - 9091
    volumes:
      - /opt/appdata/authelia:/config
    labels:
      traefik.enable: true
      traefik.http.routers.authelia.entryPoints: https
    networks:
      - proxy
    restart: unless-stopped
    depends_on:
      - redis
      - mariadb

  redis:
    container_name: redis
    image: bitnami/redis:latest
    expose:
      - 6379
    volumes:
      - /opt/appdata/redis:/bitnami/
    environment:
      REDIS_PASSWORD: "YOUR_REDIS_PASSWORD"
    networks:
      - proxy
    restart: unless-stopped

  mariadb:
    container_name: mariadb
    image: linuxserver/mariadb:latest
    expose:
      - 3306
    volumes:
      - /opt/appdata/mariadb:/config
    environment:
      MYSQL_ROOT_PASSWORD: "YOUR_MYSQL_ROOT_PASSWORD"
      MYSQL_ROOT_USER: root
      MYSQL_DATABASE: authelia
      MYSQL_USER: authelia
      MYSQL_PASSWORD: "YOUR_MYSQL_USER_PASSWORD"  
    networks:
      - proxy
    restart: unless-stopped

networks:
  proxy:
    driver: bridge
    external: true

Standalone

Authelia

version: '3'
services:
  auth:
    container_name: auth    
    image: authelia/authelia:latest
    ports:
      - 9091:9091
    volumes:
      - /opt/appdata/authelia:/config
    labels:
      traefik.enable: true
      traefik.http.routers.authelia.entryPoints: https
    networks:
      - proxy
    restart: unless-stopped

networks:
  proxy:
    driver: bridge
    external: true

Redis

version: '3'
services:
  redis:
    container_name: redis
    image: bitnami/redis:latest
    expose:
      - 6379
    volumes:
      - /opt/appdata/redis:/bitnami/
    environment:
      REDIS_PASSWORD: "YOUR_REDIS_PASSWORD"
    networks:
      - proxy
    restart: unless-stopped

networks:
  proxy:
    driver: bridge
    external: true

MariaDB

version: '3'
services:
  mariadb:
    container_name: mariadb
    image: linuxserver/mariadb:latest
    expose:
      - 3306
    volumes:
      - /opt/appdata/mariadb:/config
    environment:
      MYSQL_ROOT_PASSWORD: "YOUR_MYSQL_ROOT_PASSWORD"
      MYSQL_ROOT_USER: root
      MYSQL_DATABASE: authelia
      MYSQL_USER: authelia
      MYSQL_PASSWORD: "YOUR_MYSQL_USER_PASSWORD"  
    networks:
      - proxy
    restart: unless-stopped

networks:
  proxy:
    driver: bridge
    external: true

Feature List

• Several second-factor methods:
• Password reset with identity verification using email confirmation.

• Access restriction after too many invalid authentication attempts.

• Fine-grained access control using rules which match criteria like subdomain, user, user group membership, request URI, the request method, and network.

• The choice between one-factor and two-factor policies per-rule.

• Support of basic authentication for endpoints protected by the one-factor policy.

• Highly available using a remote database and Redis as a highly available KV store.

• Kubernetes Support:

Placeholders

To assist you in building your configuration, we have used frequent placeholders for you to easily find and replace with your own specific information. This allows a quick Find/Replace in your preferred text editor.

• YOURPASSWORD - Password which you have set, with respect to the section you are reading. i.e. MySQL passwords should be different from your Redis password.

• YOURSECRET - A secret 128-bit encryption key. You can use this site to generate them:
• YOURDOMAIN - Your own domain name

• SERVERIP - Local IP address of your host server. i.e. 192.168.1.50

• CONTAINERPORT - Port the container is running on.

• CONTAINERNAME - Name of the container to be proxied. i.e. 'monitorr'

• CONTAINERIP - IP address of the container.

Final Words

We hope you enjoyed this guide. It was conceptualized, written, and implemented by our Admin Sycotix.

Support Us

Our work sometimes takes months to research and develop. If you want to help support us please consider:

Thank you for being part of our community!

Unraid Docker Template

Authelia / Sycotix's Repository / Security

Dependencies

• Reverse-Proxy such as or

• File editors such as Notepad++ or

• Domain with the following subdomains

  • NOTE: You may change these but keep in mind you must adapt it throughout the guide. (app.example.com is simply any app you want to protect with Authelia, i.e. sonarr.example.com).

    • example.com

    • auth.example.com

    • app.example.com

Code-Server

We strongly suggest using Code-Server to help you edit your configuration files and validate everything is correctly formatted.

YAML is extremely sensitive, and Code-Server, along with the YAML plugin, can be extremely helpful to save a lot of time troubleshooting. (Trust us, we've been helping members with Authelia for over a year!)

You can follow our guide .

Redis

1. In Unraid, visit the apps tab

2. It has parameters mapped for a password, which we will need to add into configuration.yml later.
3. In the template installation screen:

   2. Set a strong password (it will be used by Authelia later)

   3. Add the appdata path as per the below

MariaDB

If you do not already have MariaDB installed, then follow the next 3 steps. If you already have MariaDB installed then skip to the next section where you will create the database for Authelia.

1. In Unraid, visit the apps tab

2. Search for and install 'mariadb'. We are using the linuxserver/mariadb container.
3. In the template installation screen:

   2. Set a strong password

Once installed, follow these steps to create our user and database for Authelia.

Adminer

Command-Line

If you want to use the command-line to create the database then please do the following:

1. Under the Docker tab in Unraid, left-click the MariaDB container, select Console

2. Create our user:

   • Enter the following then hit enter:
   • Enter the password you set in the container settings then type:

     This password will be referenced in the Authelia configuration.yml

3. Create our database:

   • Enter the following then hit enter:
4. Allow privileges to the database:

   • Enter the following then hit enter:

     This is the password you created for the user above.

   • Enter the following then hit enter:
5. You can now close the terminal window

Authelia

1. Head to the Community Applications store in Unraid

2. Search for and click to install Authelia from Sycotix's Repository

4. Enter the host port you want to map for the WebUI. By default it is 9091. Only change it if this port is already in use.

5. Click Apply and wait for the container to pull down and start.

Unraid Install

Docker Compose Install

Installation

Final Words

We hope you enjoyed this guide. It was conceptualized, written, and implemented by our Admin Hawksy.

Support Us

Our work sometimes takes months to research and develop. If you want to help support us, please consider:

Thank you for being part of our community!

Understanding Rules

The rules section in the Authelia configuration file have some important notes to consider:

• Rules are read by Authelia from top to bottom

  • Therefore, you should practice putting the most restrictive rules last.

  • A catch-all wildcard rule at the very end will safeguard you by applying a default policy on anything you have enabled Authelia on, without needing a specific rule.

• There may be times when you want to allow certain apps to be covered by single-factor authentication, and others to be covered by two-factor authentication.

• You can specify the user, groups, or both that can access a particular resource.

• You can restrict access to a particular subfolder of a URL rather than the entire URL. For example, if you want to protect the Admin page of an application but not the main page itself.

• You may have a combination of all the above if you so choose.

For a more in-depth look at access control, please see the .

Bypass for APIs

In the above, you may notice that certain rules are allowing API endpoints. This is important when you want to protect an application that uses API communications to send and receive data and do not want it to be hindered by Authelia.

A classic example is Sonarr or Radarr. These applications need the API to talk to other applications and since they are unable to 'sign in' to Authelia themselves, we need to tell Authelia that:

1. We want to protect sonarr.domain.com with Authelia

2. However, we want to bypass Authelia for traffic coming in and out of the API endpoint of Sonarr

Here's how that would look (extracted from the example above):

Again, remember the hierarchy. We want the bypass to be above any restrictive rules so that Authelia knows that bypassing this endpoint comes first.

In this Authelia setup I will be configuring Authelia to have local authentication and it enforces Smart Card authentication via WedAuthn for secure remote access

This guide is created with the help of Florian Mullers guide that can be found here and has been modified with improvements

Create Secrets and Keys

Run the below command in the UnRAID console and save the output somewhere safe, we will need these later. Put the random string/ key in a file in plain text on the first line.

Create JWT Secret and save it in /mnt/user/appdata/Authelia/secrets/jwtsecret

tr -cd '[:alnum:]' < /dev/urandom | fold -w "64" | head -n 1 | tr -d '\n' ; echo

Create Session Secret and save it in /mnt/user/appdata/Authelia/secrets/session

tr -cd '[:alnum:]' < /dev/urandom | fold -w "64" | head -n 1 | tr -d '\n' ; echo

Storage Encryption Key and save it in /mnt/user/appdata/Authelia/secrets/storage

tr -cd '[:alnum:]' < /dev/urandom | fold -w "64" | head -n 1 | tr -d '\n' ; echo

MariaDB Password and save it in /mnt/user/appdata/Authelia/secrets/mariadb

 If you already have a mariadb password, you need to write it in this file

SMTP Password and save it in /mnt/user/appdata/Authelia/secrets/smtp

 If you already have a smtp password, you need to write it in this file

OIDC HMAC Secret and save it in /mnt/user/appdata/Authelia/secrets/oidcsecret

tr -cd '[:alnum:]' < /dev/urandom | fold -w "64" | head -n 1 | tr -d '\n' ; echo

OIDC Private Key

openssl genrsa -out /mnt/user/appdata/Authelia/secrets/oidc.key 4096

openssl rsa -in /mnt/user/appdata/Authelia/secrets/oidc.key -outform PEM -pubout -out /mnt/user/appdata/Authelia/secrets/oidc.pem

Set the correct privlidges

chmod 600 -R /mnt/user/appdata/Authelia/secrets/
chmod 600 /mnt/user/appdata/Authelia/secrets

Environment Variables

We need to map each of the secret files we created above and map them to an environment variable. You can find a list of all Authelia Environment Variables here

Create the below variables on the Authelia Docker container for all the secrets required. This removes the need for them to be in your configuration.yml file for more security

# basics
AUTHELIA_JWT_SECRET_FILE=/config/secrets/jwtsecret
AUTHELIA_SESSION_SECRET_FILE=/config/secrets/session

# storage / mysql:
AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=/config/secrets/storage
AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE=/config/secrets/sql

# smtp notifications:
AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/config/secrets/smtp

# openid identity provider:
AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE=/config/secrets/oidcsecret
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE=/config/secrets/oidc.pem

# if you use LDAP for users
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE=/config/secrets/ldap

# if you user REDIS for session management
AUTHELIA_SESSION_REDIS_PASSWORD_FILE=/config/secrets/redis

# if you want to enable SSL on authelia
AUTHELIA_SERVER_TLS_KEY_FILE=/config/secrets/tlskey

Once all Environment Variables are correct, your UnRAID configuration should look like the below

Configuration.yml

This guide assumes you have Authelia, Redis and SQL already running and the site is accessible from auth.<domain-name>

We will now be doing the advanced configuration to get OpenID Connect and WebAuthn working securely. We will be utilising Docker Enviroment Variables to input our Certificates, Secrets and Tokens for this

1. Refer to the OIDC - configuration.yml page for a copy of our Authelia configuration file. Please input your Authelia domain name, SMTP server and OIDC Shared Secret NOTE: OIDC Shared Secret is not working as a Environemnt Variable in Authelia v4.37.5 and needs to be put directly into the configuration.yml file in plain text

2. Create a OIDC Shared Secret, this will be shared with Cloudflare for OIDC to function.

tr -cd '[:alnum:]' < /dev/urandom | fold -w "64" | head -n 1 | tr -d '\n' ; echo

1. Replace the <OIDC Secret> in the configuration.yml file with the string generated above

2. Authelia should now succesfully boot, if there is an error check the logs and troubleshoot

Template

version: '3'
services:
  openldap:
    container_name: openldap
    image: osixia/openldap:latest
    expose: 
      - 389
      - 636
    volumes:
      - /opt/appdata/openldap/certificates:/container/service/slapd/assets/certs
      - /opt/appdata/openldap/slapd/database:/var/lib/ldap
      - /opt/appdata/openldap/slapd/config:/etc/ldap/slapd.d
    environment: 
      LDAP_ORGANISATION: "YOUR_LDAP_ORGANISATION"
      LDAP_DOMAIN: "YOUR_LDAP_DOMAIN"
      LDAP_ADMIN_USERNAME: "YOUR_LDAP_ADMIN_USERNAME"
      LDAP_ADMIN_PASSWORD: "YOUR_LDAP_ADMIN_PASSWORD"
      LDAP_CONFIG_PASSWORD: "YOUR_LDAP_CONFIG_PASSWORD"
      LDAP_BASE_DN: "YOUR_LDAP_BASE_DN"
      LDAP_TLS_CRT_FILENAME: "YOUR_LDAP_TLS_CRT_FILENAME"
      LDAP_TLS_KEY_FILENAME: "YOUR_LDAP_TLS_KEY_FILENAME"
      LDAP_TLS_CA_CRT_FILENAME: "YOUR_LDAP_TLS_CA_CRT_FILENAME"
    networks:
      - proxy
    restart: unless-stopped
  
  ldapadmin:
    container_name: ldapadmin
    image: osixia/phpldapadmin:latest
    ports: 
      - "8399:80"
    labels:
      traefik.enable: true
      traefik.http.routers.ldapadmin.entryPoints: https
      traefik.http.routers.ldapadmin.middlewares: auth@file
    environment: 
      - PHPLDAPADMIN_LDAP_HOSTS=openldap
      - PHPLDAPADMIN_HTTPS=false
    volumes:
      - /opt/appdata/openldap/admin:/var/www/phpldapadmin # used to be able to make edits to the config file 
    depends_on:
      - openldap
    networks:
      - proxy
    restart: unless-stopped

networks:
  proxy:
    driver: bridge
    external: true

Example (with information filled in)

version: '3'
services:
  openldap:
    container_name: openldap
    image: osixia/openldap:latest
    expose: 
      - 389
      - 636
    volumes:
      - /opt/appdata/openldap/certificates:/container/service/slapd/assets/certs
      - /opt/appdata/openldap/slapd/database:/var/lib/ldap
      - /opt/appdata/openldap/slapd/config:/etc/ldap/slapd.d
    environment: 
      LDAP_ORGANISATION: "ibracorp"
      LDAP_DOMAIN: "ibracorp.io"
      LDAP_ADMIN_USERNAME: "admin"
      LDAP_ADMIN_PASSWORD: "SomeSuperSecurePassword"
      LDAP_CONFIG_PASSWORD: "AnotherSuperSecurePassword"
      LDAP_BASE_DN: "dc=ibracorp,dc=io"
      LDAP_TLS_CRT_FILENAME: "server.crt"
      LDAP_TLS_KEY_FILENAME: "server.key"
      LDAP_TLS_CA_CRT_FILENAME: "ibracorp.io.ca.crt"
    networks:
      - proxy
    restart: unless-stopped
  
  ldapadmin:
    container_name: ldapadmin
    image: osixia/phpldapadmin:latest
    ports: 
      - "8399:80"
    labels:
      traefik.enable: true
      traefik.http.routers.ldapadmin.entryPoints: https
      traefik.http.routers.ldapadmin.middlewares: auth@file
    environment: 
      PHPLDAPADMIN_LDAP_HOSTS: openldap
      PHPLDAPADMIN_HTTPS: false
    volumes:
      - /opt/appdata/openldap/admin:/var/www/phpldapadmin # used to be able to make edits to the config file 
    depends_on:
      - openldap
    networks:
      - proxy
    restart: unless-stopped

networks:
  proxy:
    driver: bridge
    external: true

To have you login format inserted automatically we can edit the ldapadmin config.php file located at /opt/appdata/openldap/admin/config/config.php and adding in the following lines below to the end of the config file to automatically fill in out login information as below:

/* The DN of the user for phpLDAPadmin to bind with. For anonymous binds or
   'cookie','session' or 'sasl' auth_types, LEAVE THE LOGIN_DN AND LOGIN_PASS
   BLANK. If you specify a login_attr in conjunction with a cookie or session
   auth_type, then you can also specify the bind_id/bind_pass here for searching
   the directory for users (ie, if your LDAP server does not allow anonymous
   binds. */
// $servers->setValue('login','bind_id','');
$servers->setValue('login','bind_id','cn=admin,dc=example,dc=com');

To run a Cloudflare Tunnel from UnRAID you will need to manually create the docker container.

Name: Cloudflared Tunnel

Repository: cloudflare/cloudflared:latest

Post Arguments: tunnel --no-autoupdate run --token <tunnel-token>

Icon URL: Any Icon URL you like

Your Tunnel Token can be found by creating a Tunnel within Cloudflare Zero Trust > Access > Tunnels. The token is provided in the docker run command

Once the container is running it will grab it's configuration automatically from Cloudflare and also make 4x seperate TCP/443 connections outbound using the QUIC protocol. The Cloudflare Tunnel should now have a status of "HEALTHY"

Cloudflare Access

Cloudflare access is a product within Cloudflare Zero Trust. Access allows us to share HTTP, SSH and RDP session securely via the Cloudflare Tunnel

Head to Cloudflare Zero Trust > Access > Tunnels > "your tunnel" > Configure > Public Hostname and click Add a public hostname

This configuration is letting our Cloudflare Tunnel know how to route to our Authelia instance in our network. Authelia in my network is listening on https://192.168.0.2:9091 and has a self-signed SSL certificate

Subdomain: auth.<domain-name>

Service: HTTP or HTTPS

URL: IP Address & Port Authelia is listening

NoTLSVerify: Enable this if you are using a self-signed SSL certificate as Cloudflare only trust their own root certificates

Once saved Cloudflare will automatically push this configuration to your Cloudflare Tunnel and it will immediately be accessible via the specifed domain name

auth.<domain-name> is accessible via the internet and has a valid SSL certificate

We have now configured remote access to our Authelia application hosted on UnRAID

Things to note:

• auth.<domain-name> must be accessible by any device needing to authenticate via OIDC

• This is the only site not protected via Zero Trust

• We can create Cloudflare Page Rules to restrict IP Addresses, Countries and others from accessing this site

Cloudflare Zero Trust allows users to register their own Single Sign On (SSO) provider by utilising the OpenID Connect Protocol

Configuration

Login to Cloudflare Zero Trust Portal and open Settings > Authentiation > Add New

Select OpenID Connect and input the below values

Name: Authelia

App ID: authelia

Client Secret: <OIDC Secret>

Auth URL: https://auth.<domain-name>/api/oidc/authorization

Token URL: https://auth.<domain-name>/api/oidc/token

Certificate URL: https://auth.<domain-name>/jwks.json

Once Authelia is running and Cloudflare is enabled. Click Test and attempt to login

Authelia Configuration File

In your appdata/Authelia folder, you will find configuration.yml

You MUST edit this file to suit your environment. We strongly suggest you watch our Authelia video before following along with this guide to help you understand how it all works. Make sure to use the OpenLDAP settings for your configuration.yml to work with this guide.

The sample provided in this guide has been tested and verified to work. However, it is strongly advised to read the official docs on the configuration to ensure it meets your requirements (https://www.authelia.com/docs/configuration/)

• For secret keys, you can create a 128-bit encryption key to put in from here: https://www.allkeysgenerator.com/Random/Security-Encryption-Key-Generator.aspx Remember to keep them different for the different areas which use them.

Logging in to OpenLDAP

Here we are going to use the following format for the login credentials, make sure to replace domain with your domain. Add your password we created in the docker compose file and then click “Authenticate”.

cn=admin,dc=domain,dc=com

Create Admin Group

Now we will create the admin group for users. You can repeat these steps to create whatever group you like. You can then later use these groups to refine rules within the Authelia configuration.yml file.

Create Organizational Unit “Groups”

First, we will create the organizational unit. This is where all the groups will be stored. Select your domain in the left panel and some options will appear in the right panel.

Choose “Create a child entry”.

We can now select “Generic: Organizational Unit”.

We will call this organizational unit “Groups”.

Click “Create Object” and then “Commit” to save the settings. You can now see the organizational unit of groups has created.

Create “admins” Group

Now that we have the category of Groups, we will create our first group of “admins”. This is where we will add our first user too. This time, instead of selecting the top domain, we will be selecting the “groups” tab.

As before, we will now see some more options in the right-hand pane. We will select to “Create a child entry” within the groups section.

This time we will be creating a “Generic: Posix Group”.

Once you have selected this, we will type in our group name. For this example, we will use the group “admins” as our first group.

Now click Create Object and Commit. You will see in the left-hand side under groups that the group “admins” has now created.

Create Users

Below, we will add our first user to the organization. We will also add this user to the admins group. You can repeat this process to create as many users as you like.

Create Organizational Unit “Users”

Select the top-level domain.

On the right-hand side, choose to create another child entry.

Same as with the “groups”, we created, we are going to create another organizational unit.

This time we will call it “Users”. This will be where we will store all of our users that we add to the organization.

Click Create Object and Commit. You will now see this added to the tree under the main domain. Click this newly created Users tab.

Select to create a child entry under the Users organizational unit.

This time, we will add the “Generic: User Account”.

Here we will fill in all the details about the user. Make sure to use all lower case for the “User ID”, this allows the username field to be case-insensitive when logging in via Authelia. When selecting the crypt for the password, choose the sha256crypt for better security. Under GID Number, we will be selecting the group to add the user too, for our first user we will be adding them to the “admins” group we just created.

Now select Create Object and Commit.

You have now added your first user. To utilize the “Forgot password” feature of Authelia, we can also add more attribute fields to the user. For this feature, we will need the user's email added to the user record. Click “Add new attribute”.

On the dropdown, choose "Email".

Add the user's email and the click “Update Object”.

Click “update object” again to confirm. You have now added your new user to the admins group that you can use to log into Authelia.

Need to know

This configuration drops the need for Traekfik or Nginx Proxy Manager and is completely managed by Cloudflare Zero Trust and their Cloudflared Tunnel (HTTPs/ QUIC Protocol)

At the end of this you will be able to securely access your HTTP, SSH and RDP session remotely via Cloudflare anywhere in the world

Prerequisites

• UnRAID

• Domain name registered with Cloudflare

• Cloudflared Tunnel running (not legacy Argo Tunnel)

• NO Traefik or Nginx Proxy Manager needed

Support Us

Our work sometimes takes months to research and develop. If you want to help support us, please consider:

Thank you for being part of our community!

Cloudflare Zero Trust allows users to register their own Single Sign On (SSO) provider by utilising the OpenID Connect Protocol. We can now protect our self hosted applications with Authelia

Access Configuration

To reverse proxy an application behind Cloudflare Access. We need to create an "Application" within the Cloudflare Zero Trust dashboard

Naviagate to Access > Applications > Add an Application > Self-Hosted. Enter the domain name you wish the application to have. Cloudflare will automatically create the DNS Record

Follow the Policies and Authentication pages and set the settings you would like to configure for the specific application

Click Save

Tunnel Configuration

We now need to tell Cloudflare how to route to our self-hosted application. Navigate to Access > Tunnels > Tunnel-Name > Configure > Public Hostname > Add a Public Hostname

Once saved, Cloudflare will automatically push the configuration to our Tunnel and the site should be immediatelly accessible via Cloudflare Zero Trust and protected by Authelia via OpenID Connect

Cloudflare Page Rules

I have enabled a few extra features in the Cloudflare Dashboard to disable the Cloudflare CDN Cache. I was noticing with cache enabled it was affecting certain applications

Cloudflare SSL

I have enforced Full (Strict) SSL Encryption. This can be done under SSL/TLS > Overview

Under SSL/TLS > Edge Certificates, I have enabled the below

Always use HTTPS: Enabled

HTTP Strict Transport Security (HSTS): Enabled

Minimum TLS Version: TLS 1.3

Automatic HTTPS Rewrites: Enabled

Cloudflare WAF

Utilising Cloudflare WAF (Web Application Firewall) I have only allowed connections originating from Australia access. This drastically reduced connections to my site and improved security

This config is using the 'authelia' user - so you will need to create one in FreeIPA

Additionally read through this config and everywhere you see 'dc=domain' be sure to update that with your site - aka ibracorp as the apex domain for ibracorp.io -- i SUSPECT that you would need to adjust the 'dc=com' to dc=org or dc=io pending your top level domain

Configuration Template

Note: Host lines may need to be updated to match the exact name of your container if you do not have the same as whats in the example file. Alternatively you can also you the IP for the service instead. See below for examples of alternative setups.

Rule Examples

This configuration was created with the help of Florian Muller's excellent guide which can be viewed

First, follow the guide if you have not done so already.

In your , now replace the file/LDAP section with the below and fill in the details accordingly, remembering to replace domain with your domain details. If you are running the openldap container outside the docker network, you will have to replace openldap in the url section for the openldap container IP.