Authelia (Archived)


Last updated 3 years ago


WARNING

THIS DOCUMENTATION IS NOW ARCHIVED AND HAS BEEN REPLACED BY AN UPDATED VERSION HERE. WE HAVE KEPT THIS DOCUMENT FOR HISTORICAL REFERENCING ONLY.

Assumptions

We assume your environment has the following already set up and working:

  • NGINX Proxy Manager

  • Domain with the following subdomains (where 'example' is your domain and 'service' is the endpoint you want to be protected, i.e. monitorr.example.com)

    • Adjust/Create your own CNAMES where required.

      • example.com

      • auth.example.com

      • service.example.com

This will not cover how to configure Traefik or Let’s Encrypt, however, there are plenty of resources on how to do this, including the official docs of Authelia.

References

To make modifying easier we have tried to replace commonly required changes with a placeholder. This allows a quick Find/Replace in something like Notepad++ (which is highly recommended). All are explained in their respective steps later in this guide:

  • YOURPASSWORD - Password which you have set, with respect to the section you are reading. i.e. MySQL password could be different from your Redis password.

  • YOURSECRET - A secret generated in 128-bit. You can use this site to generate them: https://www.allkeysgenerator.com/Random/Security-Encryption-Key-Generator.aspx

  • YOURDOMAIN - Your own domain name

  • SERVERIP - Local IP address of your unRAID server the containers run on. i.e. 192.168.1.50

  • CONTAINERPORT - Port the container being proxied is running on in unRAID. i.e. Monitorr could be using 480

  • CONTAINERNAME - Name of the container to be proxied. i.e. 'monitorr'

  • CONTAINERIP - IP address of the container.

Redis

Authelia requires the Redis container to work (as referenced in the configuration.yml)

  1. In unRAID, visit the apps tab

  2. Search for and install 'redis'. We are using the bitnami/redis container as it has parameters mapped for a password, which we will need to add into configuration.yml later.

  3. In the template installation screen:

    Network Type: The network you host your containers on so that they can communicate.
    PORT: 6379
    ALLOW_EMPTY_PASSWORD: no
    PASSWORD: YOURPASSWORD

TIP

Currently the "remember me" function in Authelia does not work properly with Redis set as default. You will need to add an extra path mapping in Redis to fix that.

In the template, click "Add another Path, Port, Variable, Label or Device" and add the following path:

Container Path: /bitnami/

Host Path: /mnt/user/appdata/redis/bitnami/

(Credit to user "KomaCL" on the Unraid forums.)

MYSQL/MariaDB

Authelia requires a MySQL/MariaDB database container to work (as referenced in the configuration.yml)

If you do not already have MariaDB installed, then follow the next 3 steps. If you already have MariaDB installed then skip to the next section where you will create the database for Authelia.

  1. In unRAID, visit the apps tab

  2. Search for and install 'mariadb'. We are using the linuxserver/mariadb container.

  3. In the template installation screen:

        Network Type: The network you host your containers on so that they can communicate.
        PORT: 3306
        MYSQLROOTPASSWORD: YOURPASSWORD

Once installed, follow these steps to create our user and database for Authelia.

  1. Under the Docker tab in unRAID, left-click the MariaDB container, select Console

  2. Create our user:

    • Enter the following then hit enter:

      mysql -uroot -p
    • Enter the password you set in the container settings then type:

      CREATE USER 'authelia' IDENTIFIED by 'YOURPASSWORD';

      This password will be referenced in configuration.yml

  3. Create our database:

    • Enter the following then hit enter:

      CREATE DATABASE IF NOT EXISTS authelia;
  4. Allow privileges to the database:

    • Enter the following then hit enter:

      GRANT ALL PRIVILEGES ON authelia.* TO 'authelia' IDENTIFIED BY 'YOURPASSWORD';

      This is the password you created for the user above.

    • Enter the following then hit enter:

      quit
  5. You can now close the terminal window

Authelia

Install Authelia via the Community Apps plugin in unRAID. The original template was created by lilfade (big thanks): https://github.com/lilfade

    • The container will stop after the first run as the config file is missing and will be created automatically.

    • You should not need to change any settings unless the host port (default: 9091) will clash with any other containers.

In your appdata/authelia folder you will find configuration.yml.

You MUST edit this file to suit your domain, Gmail (or other SMTP), and environment. The sample provided in this repo has been tested and works, however, it is strongly advised to read the official docs on the configuration to ensure it meets your requirements (https://www.authelia.com/docs/configuration/).

  1. Configure the file as required. We have placed our confirmed working config in this repo. Remember the placeholders which will need to be changed (listed at the top of this document).

    • Remember to keep them different for the different areas which use them.

    • For secret keys, you can create a 128-bit key to put in from here: https://www.allkeysgenerator.com/Random/Security-Encryption-Key-Generator.aspx

  2. You will notice that LDAP has been commented out for this setup to use the file backend instead. LDAP is beyond the scope of this document.

    • In our repo, you will find the file named 'users_database.yml'.

    • Copy this file into your appdata/authelia folder. You MUST edit this file.

    • Adjust the file to the user you would like to sign in as. For help see here: https://www.authelia.com/docs/configuration/authentication/file.html

    • For the password, create a hash here and then replace the password line with your generated hash: https://argon2.online/

      Settings for creating the password on https://argon2.online/ as referenced in the configuration.yml:

          Plain input text: your desired password
          Salt: 16
          Parallelism: 8 (or twice your CPU cores)
          Memory Cost: 1024
          Iterations: 1
          Hash length: 32
          Algorithm: Argon2id

        Select Generate Hash

At this point, you should start the Authelia container and read the logs. Test that you can reach the WebUI of Authelia (http://SERVERIP:9091) and can log in or set up 2FA.
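A hash pasted into users_database.yml with the wrong parameters, a truncated salt, or a plaintext password left behind is a common reason Authelia refuses a login after this step. The following is an added example (not part of the original guide or of the Authelia project) that checks every password entry in a users_database.yml against the settings listed above: Argon2id, 16-byte salt, parallelism 8, memory cost 1024, 1 iteration, 32-byte hash. It assumes the file layout of Authelia's file backend (users: / username: / password:), parses lines without a YAML library, and uses constructed placeholder hashes built from fixed bytes; it validates the encoded parameters only and does not verify that a hash matches any password.

```python
import base64
import binascii
import re

# Argon2 settings this guide enters on argon2.online: 16-byte salt, parallelism 8,
# memory cost 1024 KiB, 1 iteration, 32-byte hash, variant Argon2id.
EXPECTED_PARAMS = {"m": 1024, "t": 1, "p": 8}
EXPECTED_SALT_LEN = 16
EXPECTED_HASH_LEN = 32

# PHC string layout produced by Argon2 tools: $argon2id$v=19$m=<KiB>,t=<iters>,p=<lanes>$<salt>$<hash>
# where salt and hash are standard base64 without '=' padding.
PHC_RE = re.compile(
    r"^\$(?P<variant>argon2(?:id|i|d))\$v=(?P<version>\d+)"
    r"\$m=(?P<m>\d+),t=(?P<t>\d+),p=(?P<p>\d+)"
    r"\$(?P<salt>[A-Za-z0-9+/]+)\$(?P<digest>[A-Za-z0-9+/]+)$"
)


def _b64_unpadded_decode(text: str) -> bytes:
    """Decode base64 that was written without '=' padding."""
    return base64.b64decode(text + "=" * (-len(text) % 4), validate=True)


def check_phc(phc: str) -> list:
    """Return the problems found in one password hash string; an empty list means it matches the guide's settings."""
    m = PHC_RE.match(phc.strip())
    if not m:
        return ["not a PHC-formatted Argon2 string"]
    problems = []
    if m["variant"] != "argon2id":
        problems.append(f"variant {m['variant']}, expected argon2id")
    for key, want in EXPECTED_PARAMS.items():
        if int(m[key]) != want:
            problems.append(f"{key}={m[key]}, expected {key}={want}")
    try:
        salt, digest = _b64_unpadded_decode(m["salt"]), _b64_unpadded_decode(m["digest"])
    except (binascii.Error, ValueError):
        return problems + ["salt or hash is not valid base64"]
    if len(salt) != EXPECTED_SALT_LEN:
        problems.append(f"salt is {len(salt)} bytes, expected {EXPECTED_SALT_LEN}")
    if len(digest) != EXPECTED_HASH_LEN:
        problems.append(f"hash is {len(digest)} bytes, expected {EXPECTED_HASH_LEN}")
    return problems


def extract_passwords(users_yaml: str) -> dict:
    """Map username -> password value from a users_database.yml (assumed 'users:' / '  name:' / 'password:' layout).

    Line-based on purpose so no YAML library is needed; user entries are the two-space-indented keys."""
    result, current = {}, None
    for line in users_yaml.splitlines():
        user_key = re.match(r"^  (\S+):\s*$", line)
        pw = re.match(r"""^\s+password:\s*['"]?([^'"\s]+)['"]?\s*$""", line)
        if user_key:
            current = user_key.group(1)
        elif pw and current:
            result[current] = pw.group(1)
    return result


def audit_users_file(users_yaml: str) -> dict:
    """Run check_phc over every user in the file; returns {username: [problems]}."""
    return {user: check_phc(value) for user, value in extract_passwords(users_yaml).items()}


def _phc(m: int, t: int, p: int, salt: bytes, digest: bytes) -> str:
    """Build a PHC string from fixed bytes (for constructed samples only; this is not a real hash)."""
    enc = lambda b: base64.b64encode(b).decode().rstrip("=")
    return f"$argon2id$v=19$m={m},t={t},p={p}${enc(salt)}${enc(digest)}"


# Constructed sample file. The hashes are placeholders built from fixed bytes so the check runs
# offline; they are NOT hashes of any real password and must not be copied into a real deployment.
SAMPLE_USERS_YAML = f"""users:
  alice:
    displayname: "Alice"
    password: "{_phc(1024, 1, 8, bytes(range(16)), bytes(range(32)))}"
    email: alice@example.com
    groups:
      - admins
  bob:
    displayname: "Bob"
    password: "{_phc(65536, 3, 2, bytes(range(8)), bytes(range(32)))}"
    email: bob@example.com
    groups: []
"""

if __name__ == "__main__":
    for user, problems in audit_users_file(SAMPLE_USERS_YAML).items():
        print(user, "OK" if not problems else problems)
```

Run it against your own file with `audit_users_file(open("users_database.yml").read())` before starting the container; a user whose entry comes back with "not a PHC-formatted Argon2 string" still has the sample or a plaintext value in the password field.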

NGINX Proxy Manager (NPM)

The templates provided in this repo assume you have created a CNAME subdomain in your DNS for 'auth.example.com' and have a subdomain already working for your endpoint such as 'radarr.example.com'.

Modify the data inside 'Authelia Portal.conf' and 'Protected Endpoint.conf'. If no ports were changed in any of the above configs, you should only need to change:

  • 'Authelia Portal.conf':

    • 'SERVERIP' = Local IP address of your unRAID server the containers run on. i.e. 192.168.1.50

  • 'Protected Endpoint.conf':

    • 'SERVERIP' = Local IP address of your unRAID server the containers run on. i.e. 192.168.1.50

    • 'CONTAINERNAME' = Name of the container to be proxied. i.e. 'monitorr'

    • 'CONTAINERIP' = IP address of the container.

    • 'YOURDOMAIN' = Your own domain name.

  1. Copy the data and head to your NPM dashboard > Hosts > Proxy Hosts

  2. Select Add Proxy Host

    • Details:

      • Domain name: auth.example.com (or whatever CNAME you set in your DNS)

      • Scheme: http

      • Forward Hostname / IP: Local IP address of your unRAID server

      • Port: 9091

      • Turn ON: Cache Assets, Block Common Exploits

    • SSL:

      • Request new SSL certificate

      • Turn ON: Force SSL, HTTP/2 Support, HSTS Enabled (if using, i.e. in Cloudflare)

      • Email address: used to create Let’s Encrypt cert.

      • Select I Agree and Save.

  3. Test that you can reach the WebUI of Authelia selecting the new proxy or typing in its address. i.e. 'auth.example.com'

    • NB: For some reason in the current version of NPM as of writing this (v2.2.4) the SSL settings turn off after initial creation. Go back into the SSL settings of 'auth.example.com' and turn them back on then save again.

  4. If all the above is working as intended; Edit proxy host 'auth.example.com'

    • Advanced

      • Under Custom Nginx Configuration, paste the config you customized from 'Authelia Portal.conf'

  5. Save and confirm you can still access the WebUI via the URL.

To protect an endpoint (i.e. sonarr)

  1. Edit proxy host 'sonarr.example.com'

    • Advanced

      • Under Custom Nginx Configuration, paste the config you customized from 'Protected Endpoint.conf'

  2. (Optional) If using services that use an API to communicate with each other, such as Radarr, Sonarr or Lidarr, you may also need to add a location for the API in order to disable the authorization, else they may fail to connect. The settings below are relevant to Sonarr and its sister products. Be sure to check the docs of the service you are configuring.

    • Edit proxy host 'sonarr.example.com'

      • Custom Locations

        Location: /api
        Scheme: http
        Forward Hostname/IP: SERVERIP/api
        Forward Port: 8686
        Select the gear icon and add: auth_request off;

    • Confirm you can connect to the API by using, for example, Ombi. TV > Sonarr > Test connection.

  3. (Optional) Now that Authelia is acting as your single sign-on security, you can disable any in-app security/logins. Disabling the in-app login will still be secure as Authelia will be protecting it, but it will prevent you from having to log in twice for every app and remember all of the usernames and passwords etc.

FAQ

Workflow

In theory, the workflow is:

  1. A user (listed in the users' file, but not signed in) tries to connect to https://service.domain.com

  2. The user is redirected to https://auth.domain.com to sign in

  3. The user is given either single-factor or second-factor options, depending on what is set for the subdomain in the configuration.yml

  4. The user signs in successfully and is redirected back to the origin URL, https://service.domain.com

Hope this is of assistance to you. Please provide feedback where required.

No/infinite native login screen on an endpoint

You may find when passing through Authelia successfully that the endpoint (i.e. Sonarr) has no login screen (if you had a login screen enabled). This is not related to Authelia, but rather NGINX. From personal experience performing the below may fix this.

  1. Edit proxy host 'sonarr.example.com'

    • Advanced

      • Under Custom Nginx Configuration, paste the below above any location blocks:

        proxy_intercept_errors off;

  2. Test again. If there is no change, try with it set to on, or remove it again.

Let'sEncrypt

If you are using LinuxServer.io LE container you need to add this under the server block for its out-of-the-box Authelia support to work:

server:
  path: authelia

If you are using the LSIO LE container, there's no need to utilize Authelia as its own subdomain reverse proxy.

LDAP

If you want to use LDAP as your backend (which is recommended), here's the config we use in the Authelia YAML. Be sure to comment out the File Backend section when using this.

PLEASE NOTE

This config is based on implementation with FreeIPA as our LDAP server. If using any other services such as OpenLDAP or Active Directory, you will need to adjust the user/group attributes and filters to suit. You must also modify the domain settings below to match your environment.

FREEIPA CONFIG HAS BEEN INTEGRATED IN THE 'CONFIGURATION.YML' FOUND AT THE TOP OF THIS PAGE.
IF YOU ARE USING ACTIVE DIRECTORY - PLEASE SEE THE FILE CALLED AD-CONFIGURATION FOR YOUR TEMPLATE AND REPLACE RELEVANT SETTINGS IN 'CONFIGURATION.YML'

Duo 2FA

These instructions were provided by ThreeFN on our Unraid forum thread (link at top).

On Duo, you actually need TWO logins. The first is your admin account that sets up your hostname/integration_key/secret_key via Partner Auth API. Now with this you need to go into the config for the Application->PartnerAuthAPI and add a user that is THE SAME NAME as the user you have in file/ldap and then EMAIL THEM which will give you the ability to enroll the phone app to that user. Then you can enroll that in Authelia when you get to that point.

Access the Authelia Interface

At any time, you can go directly to the Authelia page by typing in your URL set for it. i.e. auth.example.com.

Startup Order

If using the external database and Redis options (recommended), it's important to note that the startup order of your containers must be configured correctly. In unRAID:

  1. On the Docker page, select Advanced

  2. Click and drag the rows of containers so that all database containers are higher on the list than Authelia

  3. Next, beside the Autostart toggle, you can set a delay (in seconds) for the container to wait before starting the next container underneath it.

    • This is useful because it allows certain containers which take a while to start up and may have dependencies to have more time to finish.

Insufficient Permissions to Edit Config File

If you are confronted with permissions issues when trying to edit the YML file, check your permissions by opening the console in unRAID and entering the following (after the #):

ls -lah /mnt/user/appdata/Authelia/

You may see the following:

drwxrwxrwx 1 nobody users  34 Mar  5 17:20 ./
drwxrwxrwx 1 nobody users 410 Mar  5 17:19 ../
-rw------- 1 nobody users 20K Mar  5 17:20 configuration.yml

Notice the last line: the file is readable and writable only by its owner, which is why your editor cannot save it. To fix this enter the following in the console:

chmod a+rw /mnt/user/appdata/Authelia/configuration.yml

Keep in mind that this makes configuration.yml, which holds your database, Redis and session secrets, readable and writable by every user on the host; once you have finished editing, consider restoring a tighter mode that still works for the container's user.

Then check the permissions again:

ls -lah /mnt/user/appdata/Authelia/

You should now see this:

drwxrwxrwx 1 nobody users  34 Mar  5 17:20 ./
drwxrwxrwx 1 nobody users 410 Mar  5 17:19 ../
-rw-rw-rw- 1 nobody users 20K Mar  5 17:20 configuration.yml

Rules

Here's an example of rules. This will allow you to bypass certain addresses, such as those for the API of Sonarr, Radarr etc. While also having a catch-all at the end.

Remember that Authelia reads rules from top to bottom and the first matching rule wins, so put the specific bypass rules first and the most restrictive catch-all last.

  rules:
    ## bypass api / triggers
    - domain: "*.domain.com"
      policy: bypass
      resources:
        - "^/api/.*$"
        - "^/identity/.*$"
        - "^/triggers/.*$"
        - "^/meshagents.*$"
        - "^/meshsettings.*$"
        - "^/agent.*$"
        - "^/control.*$"
        - "^/meshrelay.*$"

    ## Rules applied to everyone
    - domain: "*.domain.com"
      subject:
        - "group:admins"
      policy: one_factor
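The rule ordering just described and the sign-in workflow in the FAQ above are two views of the same decision: for each request Authelia finds the first rule matching the domain, the path and the subject, then either lets the request through, sends the browser to the portal, or denies it. The following added example (not code from the original guide or from the Authelia project) models that decision for a rule list mirroring the page's example, with a two_factor catch-all appended as the text advises, and includes a small check that flags rules shadowed by an earlier catch-all. Assumptions: an anonymous request is treated as matching a subject-scoped rule so that it is sent to log in (the rule is re-evaluated once the identity is known), the portal host auth.domain.com and the `rd` return parameter are placeholders for your own auth subdomain, and the exact edge-case behaviour of a given Authelia release should be checked against its documentation.

```python
import fnmatch
import re
from dataclasses import dataclass, field
from urllib.parse import quote

# Numeric ranking of Authelia policies, used to compare a session's level with a rule's demand.
LEVELS = {"bypass": 0, "one_factor": 1, "two_factor": 2}

# Placeholder portal host (the auth.example.com proxy host from the guide).
PORTAL = "https://auth.domain.com"


@dataclass
class Rule:
    domain: str                                    # glob, e.g. "*.domain.com"
    policy: str                                    # bypass | one_factor | two_factor | deny
    resources: list = field(default_factory=list)  # regexes matched against the request path
    subjects: list = field(default_factory=list)   # "group:<name>" or "user:<name>"


@dataclass
class Session:
    username: str = ""                             # "" means anonymous (no Authelia session yet)
    groups: tuple = ()
    level: int = 0                                 # 0 anonymous, 1 one_factor, 2 two_factor


# Constructed rule list mirroring the page's example, with a catch-all appended last (hypothetical).
RULES = [
    Rule("*.domain.com", "bypass", resources=[r"^/api/.*$", r"^/identity/.*$", r"^/triggers/.*$"]),
    Rule("*.domain.com", "one_factor", subjects=["group:admins"]),
    Rule("*.domain.com", "two_factor"),
]


def _subject_matches(rule: Rule, s: Session) -> bool:
    if not rule.subjects:
        return True
    if not s.username:
        # Anonymous: treat as matching so the request is sent to log in first (assumption, see lead-in).
        return True
    for subj in rule.subjects:
        kind, _, name = subj.partition(":")
        if kind == "group" and name in s.groups:
            return True
        if kind == "user" and name == s.username:
            return True
    return False


def _matches(rule: Rule, host: str, path: str, s: Session) -> bool:
    if not fnmatch.fnmatchcase(host, rule.domain):
        return False
    if rule.resources and not any(re.search(rx, path) for rx in rule.resources):
        return False
    return _subject_matches(rule, s)


def required_policy(rules, host: str, path: str, s: Session, default_policy: str = "deny") -> str:
    """First matching rule wins, top to bottom; no match falls back to default_policy."""
    for rule in rules:
        if _matches(rule, host, path, s):
            return rule.policy
    return default_policy


def decide(rules, host: str, path: str, s: Session):
    """Return ("allow", None), ("redirect", portal_url) or ("deny", None) for one request."""
    policy = required_policy(rules, host, path, s)
    if policy == "deny":
        return ("deny", None)
    if policy == "bypass" or s.level >= LEVELS[policy]:
        return ("allow", None)
    # Not authenticated strongly enough: send the browser to the portal with the origin URL to return to.
    original = f"https://{host}{path}"
    return ("redirect", f"{PORTAL}/?rd={quote(original, safe='')}")


def unreachable_rules(rules) -> list:
    """Indices of rules shadowed by an earlier catch-all (same domain pattern, no resources, no subjects)."""
    shadowed, catchalls = [], set()
    for i, rule in enumerate(rules):
        if rule.domain in catchalls:
            shadowed.append(i)
        elif not rule.resources and not rule.subjects:
            catchalls.add(rule.domain)
    return shadowed


if __name__ == "__main__":
    print(decide(RULES, "sonarr.domain.com", "/api/v3/series", Session()))      # bypass -> allow
    print(decide(RULES, "sonarr.domain.com", "/", Session()))                   # anonymous -> redirect
    print(decide(RULES, "sonarr.domain.com", "/", Session("alice", ("admins",), 1)))
    print(unreachable_rules([RULES[2], RULES[0], RULES[1]]))                    # catch-all first -> [1, 2]
```

Moving the catch-all to the top of the list is the mistake the page warns about: `unreachable_rules` reports the bypass and admin rules as dead, and every API call from Radarr, Sonarr or Ombi would be redirected to the portal instead of passing through.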

Final Words

We hope you enjoyed this guide. It was conceptualized, written, and implemented by our Admin Sycotix.

Our work sometimes takes months to research and develop. If you want to help support us please consider:

  • Liking and Subscribing to our YouTube channel

  • Joining our Discord server

  • Becoming a paid member on our IBRACORP website

  • Donating via PayPal

Thank you for being part of our community!

Please read our disclaimer: https://docs.ibracorp.io/#disclaimer
