Configuration File

In your appdata/authelia folder you will find configuration.yml

You MUST edit this file to suit your environment. We strongly suggest you watch our video along with this guide to help you understand how it all works.

The sample provided in this guide has been tested and verified to work, however, it is strongly advised to read the official docs on the configuration to ensure it meets your requirements (https://www.authelia.com/docs/configuration/)

• For secret keys, you can create a 128-bit encryption key to put in from here: https://www.allkeysgenerator.com/Random/Security-Encryption-Key-Generator.aspx Remember to keep them different for the different areas which use them.

Creating Users

You have two options when deciding how you want users to exist for Authelia.

Option 1 - Using a simple YML file with the user's encrypted credentials that Authelia can read.

Option 2 - Allow Authelia to read from an LDAP database such as FreeIPA or Active Directory.

Option 1 - Using a Users Database File

In the sidebar, you will find the file named 'users_database.yml'.

1. Copy the file content into appdata/authelia/users_database.yml.

   You MUST edit this file.

2. Adjust the file to the user you would like to sign in as. For help see here: https://www.authelia.com/docs/configuration/authentication/file.html

   1. Changes include the username and display name, for example.

3. To generate the hashed password, open the terminal in Unraid

   1. Type in the following (replacing 'yourpassword' with the password you want for the user):

docker run --rm authelia/authelia:latest authelia crypto hash generate argon2 --password 'yourpassword'

1. Copy the hashed password that is generated and paste it into the users_database.yml file as replacing the one in the template we provide.

2. Remember to comment out the 'ldap' section in your configuration.yml since you are not using it.

Option 2 - Using an LDAP database

If you prefer to use an LDAP database to read users from, you can do so by using the LDAP configuration in the sidebar.

1. Choose the type of LDAP you are using (i.e OpenLDAP, Active Directory or FreeIPA). We have a video guide on creating a FreeIPA server here and also a video on how to set up OpenLDAP here. --ADD-LINK-TO-VIDEO-HERE--

2. Edit the contents to suit your environment, where necessary

3. Replace the LDAP section in the Authelia configuration.yml with the new one

   1. LDAP - FreeIPA

   2. LDAP - OpenLDAP

   3. LDAP - Active Directory

   4. LDAP - LLDAP/Light LDAP

4. Remember to comment out the 'file' section, since you are not using the users_database.yml file.

OpenLDAP / phpLDAPadmin

Want to see an OpenLDAP and phpLDAPadmin section here? Let us know in Discord or in the video description!

Starting Up

At this point, you should start the Authelia container and read the logs.

Test that you can reach the WebUI of Authelia (http://SERVERIP:9091) and can log in or set up 2FA.

Combined

version: '3'
services:
  auth:
    container_name: auth    
    image: authelia/authelia:latest
    expose:
      - 9091
    volumes:
      - /opt/appdata/authelia:/config
    labels:
      traefik.enable: true
      traefik.http.routers.authelia.entryPoints: https
    networks:
      - proxy
    restart: unless-stopped
    depends_on:
      - redis
      - mariadb

  redis:
    container_name: redis
    image: bitnami/redis:latest
    expose:
      - 6379
    volumes:
      - /opt/appdata/redis:/bitnami/
    environment:
      REDIS_PASSWORD: "YOUR_REDIS_PASSWORD"
    networks:
      - proxy
    restart: unless-stopped

  mariadb:
    container_name: mariadb
    image: linuxserver/mariadb:latest
    expose:
      - 3306
    volumes:
      - /opt/appdata/mariadb:/config
    environment:
      MYSQL_ROOT_PASSWORD: "YOUR_MYSQL_ROOT_PASSWORD"
      MYSQL_ROOT_USER: root
      MYSQL_DATABASE: authelia
      MYSQL_USER: authelia
      MYSQL_PASSWORD: "YOUR_MYSQL_USER_PASSWORD"  
    networks:
      - proxy
    restart: unless-stopped

networks:
  proxy:
    driver: bridge
    external: true

Standalone

Authelia

version: '3'
services:
  auth:
    container_name: auth    
    image: authelia/authelia:latest
    ports:
      - 9091:9091
    volumes:
      - /opt/appdata/authelia:/config
    labels:
      traefik.enable: true
      traefik.http.routers.authelia.entryPoints: https
    networks:
      - proxy
    restart: unless-stopped

networks:
  proxy:
    driver: bridge
    external: true

Redis

version: '3'
services:
  redis:
    container_name: redis
    image: bitnami/redis:latest
    expose:
      - 6379
    volumes:
      - /opt/appdata/redis:/bitnami/
    environment:
      REDIS_PASSWORD: "YOUR_REDIS_PASSWORD"
    networks:
      - proxy
    restart: unless-stopped

networks:
  proxy:
    driver: bridge
    external: true

MariaDB

version: '3'
services:
  mariadb:
    container_name: mariadb
    image: linuxserver/mariadb:latest
    expose:
      - 3306
    volumes:
      - /opt/appdata/mariadb:/config
    environment:
      MYSQL_ROOT_PASSWORD: "YOUR_MYSQL_ROOT_PASSWORD"
      MYSQL_ROOT_USER: root
      MYSQL_DATABASE: authelia
      MYSQL_USER: authelia
      MYSQL_PASSWORD: "YOUR_MYSQL_USER_PASSWORD"  
    networks:
      - proxy
    restart: unless-stopped

networks:
  proxy:
    driver: bridge
    external: true

Traefik

For protecting your apps using Traefik as the reverse proxy, please see our guide on Traefik here

NGINX Proxy Manager

Configuring the Authelia Proxy

1. Copy the data in NGINX Config - Authelia and head to your NPM dashboard > Hosts > Proxy Hosts

2. Select Add Proxy Host

   • Details:

     • Domain name: auth.example.com (or whatever CNAME you set in your DNS for Authelia)

     • Scheme: http

     • Forward Hostname / IP: Name of your Authelia container (must be on the same custom docker network as NPM, otherwise use server IP)

     • Port: 9091

     • Turn ON: Cache Assets, Block Common Exploits

   • SSL:

     • Request new SSL certificate

     • Turn ON: Force SSL, HTTP/2 Support, HSTS Enabled (if using, i.e. in Cloudflare)

     • Email address: used to create Let’s Encrypt cert.

     • Select I Agree and Save.

     • Alternatively, see our guide on using Cloudflare Origin Certs

3. Test that you can reach the WebUI of Authelia selecting the new proxy or typing in its address. i.e. 'auth.example.com'

4. If all the above is working as intended; Edit proxy host 'auth.example.com'

   • Advanced

     • Under Custom Nginx Configuration, paste the config you customized from NGINX Config - Authelia

5. Save and confirm you can still access the WebUI via the URL.

To protect an endpoint (i.e. sonarr)

1. Edit proxy host 'sonarr.example.com'

   • Advanced

     • Under Custom Nginx Configuration, paste the config from NGINX Config - Endpoint and customize as necessary.

2. (Optional) Now that Authelia is acting as your single sign-on security you can now disable any in-app security/logins. Disabling the in-app login will still be secure as Authelia will be protecting it but will prevent you from having to log in twice for every app and remember all of the usernames and passwords etc.

Understanding Rules

The rules section in the Authelia configuration file have some important notes to consider:

• Rules are read by Authelia from top to bottom

  • Therefore, you should practice putting the most restrictive rules last.

  • A catch-all wildcard rule at the very end will safeguard you by applying a default policy on anything you have enabled Authelia on, without needing a specific rule.

• There may be times when you want to allow certain apps to be covered by single-factor authentication, and others to be covered by two-factor authentication.

• You can specify the user, groups, or both that can access a particular resource.

• You can restrict access to a particular subfolder of a URL rather than the entire URL. For example, if you want to protect the Admin page of an application but not the main page itself.

• You may have a combination of all the above if you so choose.

For a more in-depth look at access control, please see the official Authelia docs here.

########## EXAMPLE RULES #############

access_control:
  default_policy: deny
  rules:
    ## bypass rule
    - domain: 
        - "auth.domain.com"
      policy: bypass
    ## bypass api / triggers
    - domain: "*.domain.com"
      resources:
        - "^/api([/?].*)?$"
        - "^/identity.*$"
        - "^/triggers.*$"
        - "^/meshagents.*$"
        - "^/meshsettings.*$"
        - "^/agent.*$"
        - "^/control.*$"
        - "^/meshrelay.*$"
        - "^/wl.*$"
      policy: bypass
    ## block admin
    - domain: "bitwarden.domain.com"
      resources:
        - "^*/admin.*$"
      policy: one_factor
    ## bypass rule
    - domain:
        - "bitwarden.domain.com"
      policy: bypass
    ## two factor login - admin
    - domain: 
        - "proxy.domain.com"
        - "ipa.domain.com"
        - "opn.domain.com"
      subject: 
        - "group:admins"
      policy: two_factor
    ## one factor login - moderators
    - domain:
        - "sonarr.domain.com"
        - "radarr.domain.com"
        - "nzbhydra.domain.com"
        - "sabnzbd.domain.com"
        - "torrent.domain.com"
        - "domain.com"
      subject: 
        - "group:moderators"
        - "group:admins"
      policy: one_factor
    ## one factor login - requesters
    - domain:
        - "petio.domain.com"
        - "overseerr.domain.com"
      subject: 
        - "group:requesters"
        - "group:admins"
      policy: one_factor
    ## one factor login - catch all 
    - domain: "*.domain.com"
      subject: 
        - "group:admins"
      policy: one_factor

Bypass for APIs

In the above, you may notice that certain rules are allowing API endpoints. This is important when you want to protect an application that uses API communications to send and receive data and do not want it to be hindered by Authelia.

A classic example is Sonarr or Radarr. These applications need the API to talk to other applications and since they are unable to 'sign in' to Authelia themselves, we need to tell Authelia that:

1. We want to protect sonarr.domain.com with Authelia

2. However, we want to bypass Authelia for traffic coming in and out of the API endpoint of Sonarr

Here's how that would look (extracted from the example above):

    ## bypass api / triggers
    - domain: "*.domain.com"
      resources:
        - "^/api([/?].*)?$"
      policy: bypass

Again, remember the hierarchy. We want the bypass to be above any restrictive rules so that Authelia knows that bypassing this endpoint comes first.

Unraid Docker Template

Authelia / Sycotix's Repository / Security

Dependencies

• MariaDB

• Reverse-Proxy such as Traefik or NPM

• File editors such as Notepad++ or Code-Server

• Domain with the following subdomains

  • NOTE: You may change these but keep in mind you must adapt it throughout the guide. (app.example.com is simply any app you want to protect with Authelia, i.e. sonarr.example.com).

    • example.com

    • auth.example.com

    • app.example.com

Code-Server

We strongly suggest using Code-Server to help you edit your configuration files and validate everything is correctly formatted.

YAML is extremely sensitive, and Code-Server, along with the YAML plugin, can be extremely helpful to save a lot of time troubleshooting. (Trust us, we've been helping members with Authelia for over a year!)

You can follow our guide here.

Redis

1. In Unraid, visit the apps tab

2. Search for and install 'redis'. We are using the container from A75G's Repository which uses the Bitnami Redis image.

   It has parameters mapped for a password, which we will need to add into configuration.yml later.
3. In the template installation screen:

   1. Set the custom docker network

   2. Set a strong password (it will be used by Authelia later)

   3. Add the appdata path as per the below

MariaDB

If you do not already have MariaDB installed, then follow the next 3 steps. If you already have MariaDB installed then skip to the next section where you will create the database for Authelia.

1. In Unraid, visit the apps tab

2. Search for and install 'mariadb'. We are using the linuxserver/mariadb container.
3. In the template installation screen:

   1. Set the custom docker network

   2. Set a strong password

Once installed, follow these steps to create our user and database for Authelia.

Adminer

If you want a GUI option to create, manage and administer databases, we recommend using Adminer. You can find our guide on that here.

Follow our Adminer + MariaDB guide to use a GUI to help you manage databases in an easy way.

Command-Line

If you want to use the command-line to create the database then please do the following:

1. Under the Docker tab in Unraid, left-click the MariaDB container, select Console

2. Create our user:

   • Enter the following then hit enter:

     Copy

     mysql -uroot -p

   • Enter the password you set in the container settings then type:

     Copy

     CREATE USER 'authelia' IDENTIFIED by 'YOURPASSWORD';

     This password will be referenced in the Authelia configuration.yml

3. Create our database:

   • Enter the following then hit enter:

     Copy

     CREATE DATABASE IF NOT EXISTS authelia;

4. Allow privileges to the database:

   • Enter the following then hit enter:

     Copy

     GRANT ALL PRIVILEGES ON authelia.* TO 'authelia' IDENTIFIED BY 'YOURPASSWORD';

     This is the password you created for the user above.

   • Enter the following then hit enter:

     Copy

     quit

5. You can now close the terminal window

Authelia

1. Head to the Community Applications store in Unraid

2. Search for and click to install Authelia from Sycotix's Repository

3. If you are using a custom Docker network, select it in the 'Network Type' field.

4. Enter the host port you want to map for the WebUI. By default it is 9091. Only change it if this port is already in use.

5. Click Apply and wait for the container to pull down and start.

Unraid Install

Docker Compose Install

Feature List

• Several second-factor methods:
• Password reset with identity verification using email confirmation.

• Access restriction after too many invalid authentication attempts.

• Fine-grained access control using rules which match criteria like subdomain, user, user group membership, request URI, the request method, and network.

• The choice between one-factor and two-factor policies per-rule.

• Support of basic authentication for endpoints protected by the one-factor policy.

• Highly available using a remote database and Redis as a highly available KV store.

• Kubernetes Support:

Placeholders

To assist you in building your configuration, we have used frequent placeholders for you to easily find and replace with your own specific information. This allows a quick Find/Replace in your preferred text editor.

• YOURPASSWORD - Password which you have set, with respect to the section you are reading. i.e. MySQL passwords should be different from your Redis password.

• YOURSECRET - A secret 128-bit encryption key. You can use this site to generate them:
• YOURDOMAIN - Your own domain name

• SERVERIP - Local IP address of your host server. i.e. 192.168.1.50

• CONTAINERPORT - Port the container is running on.

• CONTAINERNAME - Name of the container to be proxied. i.e. 'monitorr'

• CONTAINERIP - IP address of the container.

Final Words

We hope you enjoyed this guide. It was conceptualized, written, and implemented by our Admin Sycotix.

Support Us

Our work sometimes takes months to research and develop. If you want to help support us please consider:

Thank you for being part of our community!