In this Authelia setup I will be configuring Authelia with local authentication, enforcing smart card authentication via WebAuthn for secure remote access.
This guide was created with the help of Florian Muller's guide, which can be found here, and has been modified with improvements.
Run the command below in the UnRAID console for each secret and save the output somewhere safe; we will need these later. Put each random string or key in a plain-text file, on the first line.
Create a JWT Secret and save it in /mnt/user/appdata/Authelia/secrets/jwtsecret
Create a Session Secret and save it in /mnt/user/appdata/Authelia/secrets/session
Create a Storage Encryption Key and save it in /mnt/user/appdata/Authelia/secrets/storage
Create a MariaDB Password and save it in /mnt/user/appdata/Authelia/secrets/mariadb
Create an SMTP Password and save it in /mnt/user/appdata/Authelia/secrets/smtp
Create an OIDC HMAC Secret and save it in /mnt/user/appdata/Authelia/secrets/oidcsecret
Create an OIDC Private Key
We need to map each of the secret files we created above to an environment variable. You can find a list of all Authelia environment variables here.
Create the variables below on the Authelia Docker container for all the required secrets. This removes the need to keep them in your configuration.yml file, which is more secure.
Once all environment variables are correct, your UnRAID configuration should look like the below.
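As an added example (not from the original guide and not Authelia's own tooling), the POSIX shell script below generates each of the secrets listed above into the guide's secrets directory with owner-only permissions and prints the matching Authelia *_FILE environment variables. The secret file names and the host path /mnt/user/appdata/Authelia/secrets are the guide's; the container-side path /config/secrets, the oidckey file name and the use of openssl for the OIDC private key are my assumptions, and the AUTHELIA_*_FILE variable names follow Authelia's documented secrets convention for v4.37 and should be checked against the environment variable list linked above.

```shell
#!/bin/sh
# Added example, not part of the original guide: create Authelia's file-based
# secrets with 0600 permissions and print the *_FILE environment variables.
# Host path is the guide's; /config/secrets is an assumed container mapping.
SECRET_DIR="${SECRET_DIR:-/mnt/user/appdata/Authelia/secrets}"

# Print a random string of N characters from [A-Za-z0-9] drawn from the kernel RNG.
gen_secret() {
  n="${1:-64}"
  out=""
  while [ "${#out}" -lt "$n" ]; do
    out="$out$(head -c 512 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9')"
  done
  printf '%s' "$out" | cut -c1-"$n"
}

# Write one secret to a file readable only by the owner. No trailing newline,
# so Authelia reads exactly the generated value and nothing else.
write_secret() {
  dir="$1"; name="$2"; value="$3"
  (umask 077; printf '%s' "$value" >"$dir/$name")
}

# Create every secret the guide lists, plus an RSA key for signing OIDC tokens.
# The file name 'oidckey' is my choice; the guide gives no path for the key.
create_secrets() {
  dir="$1"
  (umask 077; mkdir -p "$dir")
  for name in jwtsecret session storage mariadb smtp oidcsecret; do
    write_secret "$dir" "$name" "$(gen_secret 64)"
  done
  if command -v openssl >/dev/null 2>&1; then
    (umask 077; openssl genrsa -out "$dir/oidckey" 4096 2>/dev/null)
  fi
}

# Map each file to the Authelia *_FILE variable you set on the Docker container
# (names per Authelia's documented convention; verify against the linked list).
print_env_mapping() {
  container_dir="${1:-/config/secrets}"
  cat <<EOF
AUTHELIA_JWT_SECRET_FILE=$container_dir/jwtsecret
AUTHELIA_SESSION_SECRET_FILE=$container_dir/session
AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=$container_dir/storage
AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE=$container_dir/mariadb
AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=$container_dir/smtp
AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE=$container_dir/oidcsecret
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE=$container_dir/oidckey
EOF
}

# Usage: sh make-secrets.sh create
if [ "${1:-}" = "create" ]; then
  create_secrets "$SECRET_DIR"
  print_env_mapping /config/secrets
fi
```

Run it once on the UnRAID console with the create argument, then copy the printed variable lines into the container template. The 0600 mode keeps the files readable only by the owner, which matters because anyone who can read the JWT or session secret can mint valid Authelia tokens.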
This guide assumes you have Authelia, Redis and SQL already running and the site is accessible from auth.<domain-name>
We will now be doing the advanced configuration to get OpenID Connect and WebAuthn working securely. We will be utilising Docker environment variables to input our certificates, secrets and tokens for this.
Refer to the OIDC - configuration.yml page for a copy of our Authelia configuration file. Input your Authelia domain name, SMTP server and OIDC shared secret. NOTE: the OIDC shared secret does not work as an environment variable in Authelia v4.37.5 and needs to be put directly into the configuration.yml file in plain text.
Create an OIDC shared secret; this will be shared with Cloudflare for OIDC to function.
Replace the <OIDC Secret> in the configuration.yml file with the string generated above.
Authelia should now successfully boot; if there is an error, check the logs and troubleshoot.
Cloudflare Zero Trust allows users to register their own Single Sign On (SSO) provider by utilising the OpenID Connect Protocol
Log in to the Cloudflare Zero Trust portal and open Settings > Authentication > Add New
Select OpenID Connect and input the below values
Name: Authelia
App ID: authelia
Client Secret: <OIDC Secret>
Auth URL: https://auth.<domain-name>/api/oidc/authorization
Token URL: https://auth.<domain-name>/api/oidc/token
Certificate URL: https://auth.<domain-name>/jwks.json
Once Authelia is running and Cloudflare is configured, click Test and attempt to log in.
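Before relying on the Test button, it is worth confirming that the three URLs entered into Cloudflare are exactly what Authelia publishes. The POSIX shell script below is an added example, not part of the original guide or of Authelia's or Cloudflare's tooling: it reads an OpenID Connect discovery document (Authelia serves one at /.well-known/openid-configuration, a standard OIDC endpoint) and compares the authorization_endpoint, token_endpoint and jwks_uri values with the Auth URL, Token URL and Certificate URL listed above. The sample discovery document embedded in the script is constructed for illustration, with example.com standing in for <domain-name>.

```shell
#!/bin/sh
# Added example, not part of the original guide: check the OIDC endpoint URLs
# entered into Cloudflare Zero Trust against Authelia's published discovery
# document. Hostname and paths follow the guide; the sample JSON is constructed.

# Extract one string value from a JSON document (read on stdin) by key.
# Good enough for flat, well-formed discovery documents; not a full JSON parser.
json_value() {
  key="$1"
  tr -d '\n' | sed -n "s/.*\"$key\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Compare the published endpoints with the values the guide has you type into
# Cloudflare for the given <domain-name>. Reads the discovery JSON from stdin,
# prints one line per field and returns 0 only when all three match.
check_cf_oidc_settings() {
  domain="$1"
  doc="$(cat)"
  status=0
  for pair in \
    "authorization_endpoint=https://auth.$domain/api/oidc/authorization" \
    "token_endpoint=https://auth.$domain/api/oidc/token" \
    "jwks_uri=https://auth.$domain/jwks.json"; do
    key="${pair%%=*}"
    expected="${pair#*=}"
    actual="$(printf '%s' "$doc" | json_value "$key")"
    if [ "$actual" = "$expected" ]; then
      printf 'OK   %s = %s\n' "$key" "$actual"
    else
      printf 'FAIL %s: Cloudflare has %s, Authelia publishes %s\n' \
        "$key" "$expected" "${actual:-<missing>}"
      status=1
    fi
  done
  return "$status"
}

# Constructed sample resembling Authelia's discovery document for auth.example.com.
SAMPLE_DISCOVERY='{
  "issuer": "https://auth.example.com",
  "authorization_endpoint": "https://auth.example.com/api/oidc/authorization",
  "token_endpoint": "https://auth.example.com/api/oidc/token",
  "jwks_uri": "https://auth.example.com/jwks.json",
  "id_token_signing_alg_values_supported": ["RS256"]
}'

# Offline demo: sh check-oidc.sh demo
# Against a live instance (replace example.com with your domain):
#   curl -fsS https://auth.example.com/.well-known/openid-configuration | check_cf_oidc_settings example.com
if [ "${1:-}" = "demo" ]; then
  printf '%s\n' "$SAMPLE_DISCOVERY" | check_cf_oidc_settings example.com
fi
```

A mismatch on jwks_uri is the one to watch: Cloudflare fetches that URL to verify the signature on every ID token Authelia issues, so a wrong Certificate URL fails the login even when the authorization and token URLs are correct.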
We can now protect our self-hosted applications with Authelia.
To reverse proxy an application behind Cloudflare Access, we need to create an "Application" within the Cloudflare Zero Trust dashboard.
Navigate to Access > Applications > Add an Application > Self-Hosted. Enter the domain name you wish the application to have. Cloudflare will automatically create the DNS record.
Follow the Policies and Authentication pages and set the settings you would like to configure for the specific application
Click Save
We now need to tell Cloudflare how to route to our self-hosted application. Navigate to Access > Tunnels > Tunnel-Name > Configure > Public Hostname > Add a Public Hostname
Once saved, Cloudflare will automatically push the configuration to our Tunnel and the site should be immediately accessible via Cloudflare Zero Trust and protected by Authelia via OpenID Connect.
Cloudflare Tunnel and Cloudflare Zero Trust go hand in hand. The Tunnel is the secure tunnel into your network and the mechanism that allows you secure remote access.
To run a Cloudflare Tunnel from UnRAID you will need to manually create the docker container.
Name: Cloudflared Tunnel
Repository: cloudflare/cloudflared:latest
Post Arguments: tunnel --no-autoupdate run --token <tunnel-token>
Icon URL: Any Icon URL you like
Your Tunnel Token can be found by creating a Tunnel within Cloudflare Zero Trust > Access > Tunnels. The token is provided in the docker run command
Once the container is running it will grab its configuration automatically from Cloudflare and also make 4x separate TCP/443 connections outbound using the QUIC protocol. The Cloudflare Tunnel should now have a status of "HEALTHY".
Cloudflare Access is a product within Cloudflare Zero Trust. Access allows us to share HTTP, SSH and RDP sessions securely via the Cloudflare Tunnel.
Head to Cloudflare Zero Trust > Access > Tunnels > "your tunnel" > Configure > Public Hostname and click Add a public hostname
This configuration is letting our Cloudflare Tunnel know how to route to our Authelia instance in our network. Authelia in my network is listening on https://192.168.0.2:9091 and has a self-signed SSL certificate
Subdomain: auth.<domain-name>
Service: HTTP or HTTPS
URL: IP Address & Port Authelia is listening
NoTLSVerify: Enable this if you are using a self-signed SSL certificate, as Cloudflare only trusts its own root certificates. Note that this disables verification of the origin certificate between the Tunnel and Authelia.
Once saved, Cloudflare will automatically push this configuration to your Cloudflare Tunnel and it will immediately be accessible via the specified domain name.
auth.<domain-name> is accessible via the internet and has a valid SSL certificate
We have now configured remote access to our Authelia application hosted on UnRAID
auth.<domain-name> must be accessible by any device needing to authenticate via OIDC
This is the only site not protected via Zero Trust
We can create Cloudflare Page Rules to restrict access to this site by IP address, country and other criteria.
OpenID Connect is an authentication protocol that works with the OAuth2.0 framework. This protocol allows the use of Single Sign On (SSO) for sites that support OIDC Providers
This configuration drops the need for Traefik or Nginx Proxy Manager and is completely managed by Cloudflare Zero Trust and their Cloudflared Tunnel (HTTPS/QUIC protocol).
At the end of this you will be able to securely access your HTTP, SSH and RDP sessions remotely via Cloudflare from anywhere in the world.
UnRAID
Domain name registered with Cloudflare
Cloudflared Tunnel running (not legacy Argo Tunnel)
NO Traefik or Nginx Proxy Manager needed
Our work sometimes takes months to research and develop. If you want to help support us, please consider:
Liking and Subscribing to our YouTube channel
Joining our Discord server
Becoming a paid member on our IBRACORP website
Donating via PayPal
This page has a few extra steps to configure if wanted.
I have changed a few extra settings in the Cloudflare dashboard to disable the Cloudflare CDN cache, as I noticed that with caching enabled it was affecting certain applications.
I have enforced Full (Strict) SSL Encryption. This can be done under SSL/TLS > Overview
Under SSL/TLS > Edge Certificates, I have enabled the below
Always use HTTPS: Enabled
HTTP Strict Transport Security (HSTS): Enabled
Minimum TLS Version: TLS 1.3
Automatic HTTPS Rewrites: Enabled
Using the Cloudflare WAF (Web Application Firewall), I have allowed access only to connections originating from Australia. This drastically reduced connections to my site and improved security.