Authelia
Open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for your applications.
Video [IBRACORP Video Tutorial - Coming Soon]
Useful Links
Related Videos
- Traefik Reverse Proxy Setup
- SWAG Reverse Proxy Setup
Thank you for choosing to collaborate with IBRACORP
Please read our disclaimer https://docs.ibracorp.io/disclaimer
Credits

Role | Contributor
---|---
Writer / Producer | Sycotix
Video Recording and Voice | Sycotix
Contributor | North
Testing / Proofreading | Hawks, DiscDuck
Feature List

Advanced Authentication and Authorization Features

- Two-Factor Authentication Methods:
  - Security Key (U2F)
  - Time-based One-Time Password (TOTP)
  - Mobile Push Notifications
- Password Reset with email confirmation
- Access Restriction after multiple failed login attempts
- Fine-grained Access Control for different applications and routes
- Kubernetes Support for container orchestration
- OpenID Connect Support (Beta)
- Multiple Backend Support (File, LDAP, Active Directory)
- Session Management with configurable timeouts
- Reverse Proxy Integration (Traefik, nginx, HAProxy)
Prerequisites
Required Components
- Docker and Docker Compose installed
- Reverse proxy (Traefik or SWAG recommended)
- External network named "proxy" created
- Redis for session storage
- Database (MariaDB/MySQL or PostgreSQL)
- SMTP server for email notifications (optional but recommended)
- Domain name with SSL certificate
Installation

Docker Compose

Complete Authelia Stack with Redis and MariaDB

Create a docker-compose.yml file. The `${...}` references are filled in by `docker compose` from a `.env` file in the same directory (created in the installation steps below), so no password has to be written into this file:

```yaml
version: '3'
services:
  authelia:
    container_name: authelia
    image: authelia/authelia:latest
    expose:
      - 9091
    volumes:
      - /opt/appdata/authelia:/config
    environment:
      - TZ=America/New_York
    labels:
      - traefik.enable=true
      - traefik.http.routers.authelia.rule=Host(`auth.yourdomain.com`)
      - traefik.http.routers.authelia.entrypoints=https
      - traefik.http.routers.authelia.tls=true
      - traefik.http.routers.authelia.tls.certresolver=cloudflare
      # forwardauth middleware; other routers reference it as authelia@docker
      - traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.yourdomain.com
      - traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true
      - traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email
    networks:
      - proxy
    restart: unless-stopped
    depends_on:
      - redis
      - mariadb

  redis:
    container_name: authelia-redis
    image: bitnami/redis:latest
    expose:
      - 6379
    volumes:
      - /opt/appdata/authelia/redis:/bitnami/redis/data
    environment:
      - REDIS_PASSWORD=${REDIS_PASSWORD}   # from .env
      - REDIS_DISABLE_COMMANDS=FLUSHDB,FLUSHALL
    networks:
      - proxy
    restart: unless-stopped

  mariadb:
    container_name: authelia-mariadb
    image: linuxserver/mariadb:latest
    expose:
      - 3306
    volumes:
      - /opt/appdata/authelia/mariadb:/config
    environment:
      - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}   # from .env
      - MYSQL_DATABASE=authelia
      - MYSQL_USER=authelia
      - MYSQL_PASSWORD=${MYSQL_USER_PASSWORD}        # from .env
      - TZ=America/New_York
    networks:
      - proxy
    restart: unless-stopped

networks:
  proxy:
    external: true
```
Installation Steps

1. Create the directory structure:

```bash
mkdir -p /opt/appdata/authelia
```

2. Create a `.env` file in the same directory as docker-compose.yml with generated passwords. `docker compose` reads this file automatically and substitutes the `${...}` references, so the passwords never have to be pasted into the compose file; keep it readable by the owner only:

```bash
cat > .env <<EOF
REDIS_PASSWORD=$(openssl rand -base64 32)
MYSQL_ROOT_PASSWORD=$(openssl rand -base64 32)
MYSQL_USER_PASSWORD=$(openssl rand -base64 32)
EOF
chmod 600 .env
```

3. Update the docker-compose.yml with your domain (and the `TZ` values, if needed).

4. Start the Docker containers:

```bash
docker compose up -d
```

5. Check the container status and follow the Authelia log:

```bash
docker compose ps
docker compose logs -f authelia
```

Authelia refuses to start without a valid configuration.yml, so expect the authelia container to keep restarting until the files from the Configuration section below exist.
Configuration

Authelia Configuration File

Create /opt/appdata/authelia/configuration.yml:

```yaml
# Authelia Configuration
theme: dark
# Long random value; signs the password-reset tokens sent by email.
jwt_secret: YOUR_JWT_SECRET_HERE
default_redirection_url: https://yourdomain.com

server:
  host: 0.0.0.0
  port: 9091

log:
  level: info

totp:
  issuer: yourdomain.com

authentication_backend:
  file:
    path: /config/users_database.yml
    password:
      algorithm: argon2id
      iterations: 1
      salt_length: 16
      parallelism: 8
      # MiB; these parameters only affect hashes generated from now on,
      # existing hashes in users_database.yml carry their own parameters.
      memory: 64

access_control:
  # Anything not matched by a rule below is denied.
  default_policy: deny
  rules:
    - domain: auth.yourdomain.com
      policy: bypass
    - domain: "*.yourdomain.com"
      policy: one_factor

session:
  name: authelia_session
  # Long random value; protects the session cookie.
  secret: YOUR_SESSION_SECRET_HERE
  expiration: 3600
  inactivity: 300
  domain: yourdomain.com
  redis:
    host: redis
    port: 6379
    password: YOUR_REDIS_PASSWORD    # same value as REDIS_PASSWORD in .env

regulation:
  # 3 failed attempts within 120 s bans the account for 300 s.
  max_retries: 3
  find_time: 120
  ban_time: 300

storage:
  # Required by Authelia; encrypts the TOTP and other secrets kept in the database.
  encryption_key: YOUR_STORAGE_ENCRYPTION_KEY_HERE
  mysql:
    host: mariadb
    port: 3306
    database: authelia
    username: authelia
    password: YOUR_MYSQL_USER_PASSWORD    # same value as MYSQL_USER_PASSWORD in .env

notifier:
  smtp:
    username: your-email@gmail.com
    password: your-app-password    # a Gmail app password, not the account password
    host: smtp.gmail.com
    port: 587
    sender: your-email@gmail.com
    subject: "[Authelia] {title}"
```
User Database

Create /opt/appdata/authelia/users_database.yml. The group names used here (`admins`, `dev`) are the ones the access control rules refer to:

```yaml
users:
  admin:
    displayname: "Administrator"
    # placeholder; replace with the full output of the hash command below
    password: "$argon2id$v=19$m=65536,t=3,p=4$GENERATED_HASH_HERE"
    email: admin@yourdomain.com
    groups:
      - admins
      - dev
  user:
    displayname: "User"
    password: "$argon2id$v=19$m=65536,t=3,p=4$GENERATED_HASH_HERE"
    email: user@yourdomain.com
    groups:
      - dev
```
Generate Password Hashes

1. Run the hash tool inside the Authelia container:

```bash
docker exec -it authelia authelia hash-password
```

2. Enter your desired password when prompted.

3. Copy the generated hash (the whole string starting with `$argon2id$`) into the `password` field of users_database.yml.
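The hash string Authelia writes into users_database.yml carries its own cost parameters, so existing users keep verifying even after the `password` settings in configuration.yml change; those settings only shape hashes generated from then on. The following audit script, added here as an example and not part of the IBRACORP guide or the Authelia project, parses such strings, compares them with the guide's configuration values and flags weak or unfinished entries. The sample users are constructed and their salt/hash segments are arbitrary base64, not real hashes.

```python
"""Audit argon2id password hashes as stored in an Authelia users_database.yml."""
from __future__ import annotations

import re
from dataclasses import dataclass

# PHC format: $argon2id$v=19$m=<KiB>,t=<iterations>,p=<lanes>$<salt>$<hash>
# salt and hash are base64 without '=' padding.
PHC_RE = re.compile(
    r"^\$(?P<variant>argon2(?:id|i|d))\$v=(?P<version>\d+)\$"
    r"m=(?P<m>\d+),t=(?P<t>\d+),p=(?P<p>\d+)\$"
    r"(?P<salt>[A-Za-z0-9+/]+)\$(?P<digest>[A-Za-z0-9+/]+)$"
)

# Mirrors authentication_backend.file.password in this guide's configuration.yml.
# Authelia takes `memory` in MiB; the hash string records it in KiB.
CONFIG_PASSWORD = {"algorithm": "argon2id", "iterations": 1, "parallelism": 8, "memory": 64}


@dataclass(frozen=True)
class Argon2Params:
    variant: str
    version: int
    memory_kib: int
    iterations: int
    parallelism: int

    @property
    def memory_mib(self) -> int:
        return self.memory_kib // 1024


def parse_phc(phc: str) -> Argon2Params:
    """Parse a complete PHC string; a left-over placeholder does not parse."""
    m = PHC_RE.match(phc)
    if m is None:
        raise ValueError("not a complete argon2 PHC string (placeholder left in?)")
    return Argon2Params(m["variant"], int(m["version"]),
                        int(m["m"]), int(m["t"]), int(m["p"]))


def matches_config(p: Argon2Params, cfg: dict = CONFIG_PASSWORD) -> bool:
    """True when the hash was produced with the parameters now in configuration.yml."""
    return (p.variant == cfg["algorithm"] and p.memory_mib == cfg["memory"]
            and p.iterations == cfg["iterations"] and p.parallelism == cfg["parallelism"])


def weaknesses(p: Argon2Params, min_memory_mib: int = 64, min_iterations: int = 1) -> list[str]:
    """Policy floor chosen for this example: argon2id, version 19, >= 64 MiB, >= 1 pass."""
    out = []
    if p.variant != "argon2id":
        out.append(f"variant {p.variant}; argon2id expected")
    if p.version != 19:
        out.append(f"argon2 version {p.version}; 19 expected")
    if p.memory_mib < min_memory_mib:
        out.append(f"memory {p.memory_mib} MiB below floor of {min_memory_mib} MiB")
    if p.iterations < min_iterations:
        out.append(f"{p.iterations} iterations below floor of {min_iterations}")
    return out


# Constructed sample: a hash like the guide's (m=65536,t=3,p=4), a weak legacy
# hash, and an entry where the placeholder was never replaced.
SAMPLE_USERS = {
    "admin": {"password": ("$argon2id$v=19$m=65536,t=3,p=4$c2FsdHNhbHRzYWx0c2FsdA"
                           "$aGFzaGhhc2hoYXNoaGFzaGhhc2hoYXNoaGFzaGhhc2g"),
              "groups": ["admins", "dev"]},
    "legacy": {"password": ("$argon2id$v=19$m=8192,t=1,p=1$c2FsdHNhbHRzYWx0c2FsdA"
                            "$aGFzaGhhc2hoYXNoaGFzaGhhc2hoYXNoaGFzaGhhc2g"),
               "groups": ["dev"]},
    "placeholder": {"password": "$argon2id$v=19$m=65536,t=3,p=4$GENERATED_HASH_HERE",
                    "groups": []},
}


def audit(users: dict) -> dict[str, list[str]]:
    """Map each user to its findings; an empty list means nothing to report."""
    report = {}
    for name, entry in users.items():
        try:
            params = parse_phc(entry["password"])
        except ValueError as exc:
            report[name] = [str(exc)]
            continue
        findings = weaknesses(params)
        if not matches_config(params):
            findings.append("parameters differ from configuration.yml; "
                            "hash still verifies, rehash to adopt the new settings")
        report[name] = findings
    return report


if __name__ == "__main__":
    for user, findings in audit(SAMPLE_USERS).items():
        print(user, "->", findings or ["ok"])
```

Run it against your own users_database.yml by loading the `users` mapping into `audit()`; the `placeholder` finding is the one to look for after editing the file by hand, since Authelia will reject such an entry at login time rather than at startup.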
Configuration Steps

1. Update Configuration Files: replace every placeholder with your actual domain, passwords (the same Redis and MariaDB passwords the containers were started with) and email settings.

2. Generate Secrets: use a separate long random string for `jwt_secret`, `session.secret` and `storage.encryption_key` (required by Authelia, at least 20 characters):

```bash
openssl rand -base64 64
```

3. Restart Authelia after configuration changes:

```bash
docker compose restart authelia
```

4. Test Access: navigate to https://auth.yourdomain.com and verify the login page loads.

5. Configure Protected Services: add the Authelia middleware to your other services in Traefik, as described in the next section.
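Both secret-generation steps in this guide (the container passwords written to `.env` during installation and the JWT, session and storage-encryption secrets generated here) can be done in one place. The script below is an added example, not part of the IBRACORP guide or the Authelia project: every value comes from the operating system's CSPRNG, lands in a file only its owner can read, and is never written into docker-compose.yml. The directory layout, file names and variable names are this example's own choices.

```python
"""Generate and check the secrets for the Authelia stack described in this guide."""
from __future__ import annotations

import os
import secrets
import stat
from pathlib import Path

# Written to <base>/.env; `docker compose` reads that file and substitutes
# ${REDIS_PASSWORD} etc. in docker-compose.yml. Values are byte lengths.
ENV_SECRETS = {"REDIS_PASSWORD": 32, "MYSQL_ROOT_PASSWORD": 32, "MYSQL_USER_PASSWORD": 32}

# One file each under <base>/secrets, for Authelia's *_FILE environment
# variables (AUTHELIA_JWT_SECRET_FILE, AUTHELIA_SESSION_SECRET_FILE,
# AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE). Values are byte lengths.
AUTHELIA_SECRETS = {"jwt_secret": 64, "session_secret": 64, "storage_encryption_key": 32}

# Passwords Authelia must also present to Redis and MariaDB, copied from .env
# into files for AUTHELIA_SESSION_REDIS_PASSWORD_FILE and
# AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE.
SHARED_SECRETS = {"redis_password": "REDIS_PASSWORD", "mysql_password": "MYSQL_USER_PASSWORD"}

HEX_DIGITS = set("0123456789abcdef")


def gen_secret(nbytes: int) -> str:
    """Hex needs no quoting in .env or YAML; 32 bytes -> 64 chars -> 256 bits."""
    return secrets.token_hex(nbytes)


def _write_private(path: Path, data: str) -> None:
    """Create the file with mode 0600 and refuse to clobber an existing secret."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)


def write_secrets(base: Path) -> dict[str, str]:
    """Generate every secret, write .env and secrets/*, return all values by name."""
    env_values = {name: gen_secret(n) for name, n in ENV_SECRETS.items()}
    file_values = {name: gen_secret(n) for name, n in AUTHELIA_SECRETS.items()}
    file_values.update({fname: env_values[env] for fname, env in SHARED_SECRETS.items()})

    secret_dir = base / "secrets"
    secret_dir.mkdir(parents=True, exist_ok=True)
    secret_dir.chmod(0o700)
    _write_private(base / ".env", "".join(f"{k}={v}\n" for k, v in env_values.items()))
    for fname, value in file_values.items():
        _write_private(secret_dir / fname, value)  # no trailing newline
    return {**env_values, **file_values}


def check_secrets(base: Path) -> list[str]:
    """Return findings about strength and permissions; an empty list is a pass."""
    findings = []
    for line in (base / ".env").read_text().splitlines():
        name, _, value = line.partition("=")
        if len(value) < 64 or set(value) - HEX_DIGITS:
            findings.append(f".env: {name} is shorter than 32 bytes or not hex")
    for path in (base / "secrets").iterdir():
        value = path.read_text()
        if len(value) < 64 or set(value) - HEX_DIGITS:
            findings.append(f"{path.name}: shorter than 32 bytes or not hex")
    for path in [base / ".env", *(base / "secrets").iterdir()]:
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode != 0o600:
            findings.append(f"{path.name}: mode {mode:o}, expected 600")
    return findings


if __name__ == "__main__":
    target = Path("/opt/appdata/authelia")  # assumed path, matches the guide's layout
    write_secrets(target)
    print(check_secrets(target) or "secrets written and verified")
```

To use the files, mount the `secrets` directory read-only into the Authelia container and point the corresponding `AUTHELIA_*_FILE` environment variables at them; remove the matching keys (`jwt_secret`, `session.secret`, `session.redis.password`, `storage.encryption_key`, `storage.mysql.password`) from configuration.yml, since Authelia treats a value defined both in the file and through a secret as a configuration error.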
Protecting Services with Authelia

Traefik Labels Example

Add this label to each service you want to protect, where `app` is the name of that service's own Traefik router:

```yaml
labels:
  - traefik.http.routers.app.middlewares=authelia@docker
```

`authelia@docker` is the forwardauth middleware declared by the labels on the Authelia container. A router without this label is not protected at all, whatever the access control rules say, because Authelia only evaluates requests that Traefik forwards to it.
Advanced Access Control

Customize the rules in configuration.yml. Authelia evaluates rules top to bottom and applies the first one whose domain and subject both match; a request that matches no rule gets `default_policy` (deny in the configuration above), so a signed-in user outside group `admins` requesting admin.yourdomain.com is denied rather than prompted for a second factor. Keep `default_policy: deny` and the bypass rule for auth.yourdomain.com from the base configuration, and put a broad rule such as `"*.yourdomain.com"` after the specific ones, otherwise it shadows them:

```yaml
access_control:
  rules:
    - domain: admin.yourdomain.com
      policy: two_factor
      subject: "group:admins"
    - domain: app.yourdomain.com
      policy: one_factor
      subject: "group:dev"
    - domain: public.yourdomain.com
      policy: bypass
```
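The following model of that evaluation order is an added example and not Authelia's own code or part of the IBRACORP guide: it implements first-match rule selection over domain, policy and subject for the rule set above, plus a lint pass for the two mistakes that bite in practice, a `bypass` rule restricted by subject (which Authelia rejects) and a broad rule placed before the specific one it shadows. The evaluator ignores the other criteria Authelia supports (resources, networks, methods), and how Authelia turns a `deny` for an anonymous request into a redirect or a 403 is outside its scope.

```python
"""First-match evaluation of Authelia-style access_control rules."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional, Union

POLICIES = ("bypass", "one_factor", "two_factor", "deny")
# None, a single "group:x" / "user:x" clause, or a list: outer entries are OR,
# an inner list is AND.
Subject = Union[None, str, list]


@dataclass(frozen=True)
class Rule:
    domain: str
    policy: str
    subject: Subject = None


def domain_matches(pattern: str, host: str) -> bool:
    """'*.yourdomain.com' matches any host ending in '.yourdomain.com', not the apex."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def _clause_matches(clause: str, user: str, groups: list) -> bool:
    kind, _, value = clause.partition(":")
    if kind == "user":
        return value == user
    if kind == "group":
        return value in groups
    raise ValueError(f"unknown subject clause {clause!r}")


def subject_matches(subject: Subject, user: Optional[str], groups: list) -> bool:
    """No subject: everyone matches. An anonymous request never satisfies a subject."""
    if subject is None:
        return True
    if user is None:
        return False
    alternatives = [subject] if isinstance(subject, str) else subject
    for alt in alternatives:
        clauses = [alt] if isinstance(alt, str) else alt
        if all(_clause_matches(c, user, groups) for c in clauses):
            return True
    return False


def effective_policy(rules: list, default_policy: str, host: str,
                     user: Optional[str] = None, groups=()) -> str:
    """The first rule whose domain and subject match decides; else default_policy."""
    for rule in rules:
        if domain_matches(rule.domain, host) and subject_matches(rule.subject, user, list(groups)):
            return rule.policy
    return default_policy


def lint_rules(rules: list) -> list[str]:
    """Findings Authelia rejects outright or that indicate an ordering mistake."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.policy not in POLICIES:
            findings.append(f"rule {i} ({rule.domain}): unknown policy {rule.policy!r}")
        if rule.policy == "bypass" and rule.subject is not None:
            findings.append(f"rule {i} ({rule.domain}): bypass cannot be restricted by subject")
        # An earlier subject-less rule covering this exact domain makes this rule unreachable.
        if not rule.domain.startswith("*."):
            for j, earlier in enumerate(rules[:i]):
                if earlier.subject is None and domain_matches(earlier.domain, rule.domain):
                    findings.append(f"rule {i} ({rule.domain}, {rule.policy}) is shadowed "
                                    f"by rule {j} ({earlier.domain}, {earlier.policy})")
                    break
    return findings


# This section's rules plus the portal bypass from the base configuration;
# default_policy there is deny.
GUIDE_RULES = [
    Rule("auth.yourdomain.com", "bypass"),
    Rule("admin.yourdomain.com", "two_factor", "group:admins"),
    Rule("app.yourdomain.com", "one_factor", "group:dev"),
    Rule("public.yourdomain.com", "bypass"),
]

# The same rules with the base configuration's catch-all placed first.
SHADOWED_RULES = [Rule("*.yourdomain.com", "one_factor")] + GUIDE_RULES[1:]

if __name__ == "__main__":
    print(effective_policy(GUIDE_RULES, "deny", "admin.yourdomain.com", "user", ["dev"]))
    print(effective_policy(SHADOWED_RULES, "deny", "admin.yourdomain.com", "admin", ["admins"]))
    for finding in lint_rules(SHADOWED_RULES):
        print(finding)
```

With the catch-all first, an admin reaches admin.yourdomain.com with a single factor, which is exactly the shadowing the lint pass reports; with the rules in the order shown in the YAML above, the same request requires two factors and a `dev`-only user is denied.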
Special Thanks

- Authelia Development Team for creating this excellent authentication solution
- Clément Michaud and the Authelia community for their comprehensive documentation
- To our fantastic Discord community and our Admins DiscDuck and Hawks for their input and testing

Please support the developers and creators involved in this work to help show them some love. ❤️
Final Words
We hope you enjoyed this guide. It was conceptualized, written, and implemented by our Admin Sycotix.
Support Us
Our work sometimes takes months to research and develop.
If you want to help support us please consider:
- Liking and Subscribing to our Youtube channel
- Joining our Discord server
- Becoming a paid member on our IBRACORP website
- Donating via Paypal
Thank you for being part of our community!