Authelia (Archived)

Assumptions

We assume your environment has the following already set up and working:

• NGINX Proxy Manager

• Domain with the following subdomains (where 'example' is your domain and 'service' is the endpoint you want to be protected (i.e. monitorr.example.com)

  • Adjust/Create your own CNAMES where required.

    • example.com

    • auth.example.com

    • service.example.com

This will not cover how to configure Traefik or Let’s Encrypt, however, there are plenty of resources on how to do this, including the official docs of Authelia.

References

To make modifying easier we have tried to replace commonly required changes with a placeholder. This allows a quick Find/Replace in something like Notepad++ (which is highly recommended). All are explained in their respective steps later in this guide:

• YOURPASSWORD - Password which you have set, with respect to the section you are reading. i.e. MySQL password could be different from your Redis password.

• YOURSECRET - A secret generated in 128-bit. You can use this site to generate them:
• YOURDOMAIN - Your own domain name

• SERVERIP - Local IP address of your unRAID server the containers run on. i.e. 192.168.1.50

• CONTAINERPORT - Port the container being proxied is running on in unRAID. i.e. Monitorr could be using 480

• CONTAINERNAME - Name of the container to be proxied. i.e. 'monitorr'

• CONTAINERIP - IP address of the container.

Redis

Authelia requires the Redis container to work (as referenced in the configuration.yml)

1. In unRAID, visit the apps tab

2. Search for and install 'redis'. We are using the bitnami/redis container as it has parameters mapped for a password, which we will need to add into configuration.yml later.

3. In the template installation screen:

    Network Type: The network you host your containers on so that they can communicate.
    PORT: 6379
    ALLOW_EMPTY_PASSWORD: no
    PASSWORD: YOURPASSWORD

MYSQL/MariaDB

Authelia requires an MYSQL/MariaDB database container to work (as referenced in the configuration.yml)

If you do not already have MariaDB installed, then follow the next 3 steps. If you already have MariaDB installed then skip to the next section where you will create the database for Authelia.

1. In unRAID, visit the apps tab

2. Search for and install 'mariadb'. We are using the linuxserver/mariadb container.

3. In the template installation screen:

        Network Type: The network you host your containers on so that they can communicate.
        PORT: 3306
        MYSQLROOTPASSWORD: YOURPASSWORD

Once installed, follow these steps to create our user and database for Authelia.

1. Under the Docker tab in unRAID, left-click the MariaDB container, select Console

2. Create our user:

   • Enter the following then hit enter:

     Copy

     mysql -uroot -p

   • Enter the password you set in the container settings then type:

     Copy

     CREATE USER 'authelia' IDENTIFIED by 'YOURPASSWORD';

     This password will be referenced in configuration.yml

3. Create our database:

   • Enter the following then hit enter:

     Copy

     CREATE DATABASE IF NOT EXISTS authelia;

4. Allow privileges to the database:

   • Enter the following then hit enter:

     Copy

     GRANT ALL PRIVILEGES ON authelia.* TO 'authelia' IDENTIFIED BY 'YOURPASSWORD';

     This is the password you created for the user above.

   • Enter the following then hit enter:

     Copy

     quit

5. You can now close the terminal window

Authelia

1. • The container will stop after the first run as the config file is missing and will be created automatically.

   • You should not need to change any settings unless the host port (default: 9091) will clash with any other containers.

3. Configure the file as required. We have placed our confirmed working config in this repo. Remember the placeholders which will need to be changed (listed at the top of this document).

   • Remember to keep them different for the different areas which use them.

4. You will notice that LDAP has been commented out for this setup to use file backend instead. LDAP is beyond the scope of this document.

   • In our repo, you will find the file named 'users_database.yml'.

   • Copy this file into your appdata/authelia folder. You MUST edit this file.

     • Copy

         Plain input text: your desired password
         Salt: 16
         Parallelism: 8 (or twice your CPU cores)
         Memory Cost: 1024
         Iterations: 1
         Hash length: 32
         Algorithm: Argon2id

       Select Generate Hash

NGINX Proxy Manager (NPM)

The templates provided in this repo assume you have created a CNAME subdomain in your DNS for 'auth.example.com' and have a subdomain already working for your endpoint such as 'radarr.example.com'.

Modify the data inside 'Authelia Portal.conf' and 'Protected Endpoint.conf'. If no ports were changed in any of the above configs, you should only need to change:

• 'Authelia Portal.conf':

  • 'SERVERIP' = Local IP address of your unRAID server the containers run on. i.e. 192.168.1.50

• 'Protected Endpoint.conf':

  • 'SERVERIP' = Local IP address of your unRAID server the containers run on. i.e. 192.168.1.50

  • 'CONTAINERNAME' = Name of the container to be proxied. i.e. 'monitorr'

  • 'CONTAINERIP' = IP address of the container.

  • 'YOURDOMAIN' = Your own domain name.

1. Copy the data and head to your NPM dashboard > Hosts > Proxy Hosts

2. Select Add Proxy Host

   • Details:

     • Domain name: auth.example.com (or whatever CNAME you set in your DNS)

     • Scheme: http

     • Forward Hostname / IP: Local IP address of your unRAID server

     • Port: 9091

     • Turn ON: Cache Assets, Block Common Exploits

   • SSL:

     • Request new SSL certificate

     • Turn ON: Force SSL, HTTP/2 Support, HSTS Enabled (if using, i.e. in Cloudflare)

     • Email address: used to create Let’s Encrypt cert.

     • Select I Agree and Save.

3. Test that you can reach the WebUI of Authelia selecting the new proxy or typing in its address. i.e. 'auth.example.com'

   • NB: For some reason in the current version of NPM as of writing this (v2.2.4) the SSL settings turn off after initial creation. Go back into the SSL

     settings of 'auth.example.com' and turn them back on then save again.

4. If all the above is working as intended; Edit proxy host 'auth.example.com'

   • Advanced

     • Under Custom Nginx Configuration, paste the config you customized from 'Authelia Portal.conf'

5. Save and confirm you can still access the WebUI via the URL.

To protect an endpoint (i.e. sonarr)

1. Edit proxy host 'sonarr.example.com'

   • Advanced

     • Under Custom Nginx Configuration, paste the config you customized from 'Protected Endpoint.conf'

2. (Optional) If using services that use API to communicate with each other such as Radarr, Sonarr or Lidarr, you may also need to add a location for the API in order to disable the authorization else it may fail to connect. The settings below are relevant to Sonarr and its sister products. Be sure to check the docs of the service you are configuring.

   • Edit proxy host 'sonarr.example.com'

     • Custom Locations

       Location: /api Scheme: http Forward Hostname/IP: SERVERIP/api Forward Port: 8686 Select gear icon: auth_request off;

   • Confirm you can connect to the API by using, for example, Ombi. TV > Sonarr > Test connection.

3. (Optional) Now that Authelia is acting as your single sign on security you can now disable any in-app security/logins. Disabling the in-app login will still be secure as Authelia will be protecting it but will prevent you from having to login twice for every app and remember all of the usernames and passwords etc.

FAQ

Workflow

In theory, the workflow is:

3. User is given either single factor or second-factor options, depending on what is set on the subdomain in the configuration.yml

Hope this is of assistance to you. Please provide feedback where required.

No/infinite native login screen on an endpoint

You may find when passing through Authelia successfully that the endpoint (i.e. Sonarr) has no login screen (if you had a login screen enabled). This is not related to Authelia, but rather NGINX. From personal experience performing the below may fix this. 1. Edit proxy host 'sonarr.example.com'

• Advanced

  • Under Custom Nginx Configuration, paste the below in above any location blocks

    proxy_intercept_errors off;

Test again. If no change, try with it on or removed it again.

Let'sEncrypt

If you are using LinuxServer.io LE container you need to add this under the server block for its out-of-the-box Authelia support to work:

server:
  path: authelia

If you are using the LSIO LE container, there's no need to utilize Authelia as its own subdomain reverse proxy.

LDAP

If you want to use LDAP as your backend (which is recommended), here's the config we use in the Authelia YAML. Be sure to comment on the File Backend section when using this.

FREEIPA CONFIG HAS BEEN INTEGRATED IN THE 'CONFIGURATION.YML' FOUND AT THE TOP OF THIS PAGE.
IF YOU ARE USING ACTIVE DIRECTORY - PLEASE SEE THE FILE CALLED AD-CONFIGURATION FOR YOUR TEMPLATE AND REPLACE RELEVANT SETTINGS IN 'CONFIGURATION.YML'

Duo 2FA

These instructions were provided by ThreeFN on our Unraid forum thread (link at top).

On Duo, you actually need TWO logins. The first is your admin account that sets-up your hostname/integration_key/secret_key via Partner Auth API. Now with with you need to go into the config for the Application->PartnerAuthAPI and add a user that is THE SAME NAME as the user you have in file/ldap and then EMAIL THEM which will give you the ability to enroll the phone app to that user. Then you can enroll that in authelia when you get to that point.

Access the Authelia Interface

At any time, you can go directly to the Authelia page by typing in your URL set for it. i.e. auth.example.com.

Startup Order

If using the external database and Redis options (recommended), it's important to note that the startup order of your containers must be configured correctly. In unRAID: 1. On the Dockers page, select Advanced 2. Click and drag the rows of containers so that all database containers are higher on the list than Authelia 3. Next, besides the Autostart toggle, you can set a delay (in seconds) for the container to wait before starting the next container underneath it.

• This is useful because it allows certain containers which take a while to start up and may have dependencies to have more time to finish.

Insufficient Permissions to Edit Config File

If you are confronted with permissions issues when trying to edit the YML file, check your permissions by opening the console in unRAID and entering the following (after the #):

ls -lah /mnt/user/appdata/Authelia/

You may see the following:

drwxrwxrwx 1 nobody users  34 Mar  5 17:20 ./
drwxrwxrwx 1 nobody users 410 Mar  5 17:19 ../
-rw------- 1 nobody users 20K Mar  5 17:20 configuration.yml

Notice the last line, where it is not allowing editing. To fix this enter the following in the console:

chmod a+rw /mnt/user/appdata/Authelia/configuration.yml

Then check the permissions again:

ls -lah /mnt/user/appdata/Authelia/

You should now see this:

drwxrwxrwx 1 nobody users  34 Mar  5 17:20 ./
drwxrwxrwx 1 nobody users 410 Mar  5 17:19 ../
-rw-rw-rw- 1 nobody users 20K Mar  5 17:20 configuration.yml

Rules

Here's an example of rules. This will allow you to bypass certain addresses, such as those for the API of Sonarr, Radarr etc. While also having a catch-all at the end.

  rules:
    ## bypass api / triggers
    - domain: "*.domain.com"
      policy: bypass
      resources:
        - "^/api/.*$"
        - "^/identity/.*$"
        - "^/triggers/.*$"
        - "^/meshagents.*$"
        - "^/meshsettings.*$"
        - "^/agent.*$"
        - "^/control.*$"
        - "^/meshrelay.*$"

    ## Rules applied to everyone
    - domain: "*.domain.com"
      subject:
        - "group:admins"
      policy: one_factor

Final Words

We hope you enjoyed this guide. It was conceptualized, written, and implemented by our Admin Sycotix.

Our work sometimes takes months to research and develop. If you want to help support us please consider:

Thank you for being part of our community!