Authelia
Last updated
Last updated
<
IBRACORP - https://ibracorp.io YouTube: https://youtube.com/c/IBRACORP Discord - https://discord.gg/VWAG7rZ GitHub - https://github.com/ibracorp unRAID Forum - http://bit.ly/2MwDPTV Twitter - https://twitter.com/IBRACORP_IO
===============================
Disclaimer: we are in no way offically affiliated with the product below. We simply try to connect their work to a wider audience. We are not responsible or liable for any damages as result of following these instructions and are provided only for reference and assistance.
The instructions below are for installing the following on unRAID using Docker:
Authelia
Website: https://www.authelia.com/
Docker Hub: https://hub.docker.com/r/authelia/authelia
We assume your environment has the following already setup and working:
NGINX Proxy Manager
Domain with the following subdomains (where 'example' is your domain and 'service' is the endpoint you want protected (i.e. monitorr.example.com)
Adjust/Create your own CNAMES where required.
example.com
auth.example.com
service.example.com
This will not cover how to configure LDAP (see bottom), Traefik or Let’s Encrypt, however there are plenty of resources on how to do this, including the official docs of Authelia.
To make modifying easier we have tried to replace commonly required changes with a placeholder. This allows a quick Find/Replace in something like Notepad++ (which is highly recommended). All are explained in their respective steps later in this guide:
YOURPASSWORD - Password which you have set, with respect the section you are reading. i.e. MySQL password could be different to your Redis password.
YOURSECRET - A secret generated in 128-bit. You can use this site to generate them:
YOURDOMAIN - Your own domain name
SERVERIP - Local IP address of your unRAID server the containers run on. i.e. 192.168.1.50
CONTAINERPORT - Port the container being proxied is running on in unRAID. i.e. Monitorr could be using 480
CONTAINERNAME - Name of the container to be proxied. i.e. 'monitorr'
CONTAINERIP - IP address of the container.
Authelia requires the Redis container to work (as referenced in the configuration.yml) 1. In unRAID, visit the apps tab 2. Search for and install 'redis'. We are using the bitnami/redis container as it has parameters mapped for a password, which we will need to add into configuration.yml later. 3. In the template installation screen:
Authelia requires a MYSQL/MariaDB database container to work (as referenced in the configuration.yml) IF YOU DO NOT ALREADY HAVE SQL INSTALLED: 1. In unRAID, visit the apps tab 2. Search for and install 'mariadb'. We are using the linuxserver/mariadb container. 3. In the template installation screen:
Under Docker tab in unRAID, left click the mariadb container, select Console
Create our user:
Enter the following then hit enter:
Enter the password you set in the container settings then type:
This password will be referenced in configuration.yml
Create our database:
Enter the following then hit enter:
Allow privileges to the database:
Enter the following then hit enter:
This is the password you created for the user above.
Enter the following then hit enter:
You can now close the terminal window
Install Authelia via the Community Apps plugin in unRAID. Original template was created by (big thanks) lilfade (https://github.com/lilfade)
The container will stop after first run as the config file is missing and will be created automatically.
You should not need to change any settings unless the host port (default: 9091) will clash with any other containers.
In your appdata/authelia folder you will find:
You MUST edit this file to suit your domain, gmail (or other smtp) and environment. The sample provided in this repo has been tested and works, however, it is strongly advised to read the official docs on the configuration to ensure it meets your requirements (https://www.authelia.com/docs/configuration/)
Configure the file as required. We have placed our confirmed working config in this repo. Remember the placeholders which will need to be changed (listed at the top of this document).
For secret keys, you can create a 128-bit encryption to put in from here: https://www.allkeysgenerator.com/Random/Security-Encryption-Key-Generator.aspx
Remember to keep them different for the different areas which use them.
You will notice that LDAP has been commented out for this setup to use file backend instead. LDAP is beyond the scope of this document.
In our repo you will find the file named 'users_database.yml'.
Copy this file into your appdata/authelia folder. You MUST edit this file.
Adjust the file to the user you would like to sign in as. For help see here: https://www.authelia.com/docs/configuration/authentication/file.html
For password, create one here and then replace the encrypted line with your encrypted line: https://argon2.online/
Settings for creating the password on https://argon2.online/ as referenced in the configuration.yml:
Select Generate Hash
At this point you should start the Authelia container and read the logs. Test that you can reach the webui of Authelia (http://SERVERIP:9091) and can log in or setup 2FA.
The templates provided in this repo assume you have created a CNAME subdomain in your DNS for 'auth.example.com' and have a subdomain already working for your endpoint such as 'radarr.example.com'. 1. Modify the data inside 'Authelia Portal.conf' and 'Protected Endpoint.conf'. If no ports were changed in any of the above config, you should only need to change:
'Authelia Portal.conf':
'SERVERIP' = Local IP address of your unRAID server the containers run on. i.e. 192.168.1.50
'Protected Endpoint.conf':
'SERVERIP' = Local IP address of your unRAID server the containers run on. i.e. 192.168.1.50
'CONTAINERNAME' = Name of the container to be proxied. i.e. 'monitorr'
'CONTAINERIP' = IP address of the container.
'YOURDOMAIN' = Your own domain name.
Copy the data and head to your NPM dashboard > Hosts > Proxy Hosts
WARNING - if you use Cloudflare as the DNS for your domain, you must change the setting of the subdomain in Cloudflare to bypass proxy ONLY for this step. Seems to be fixed now.
Select Add Proxy Host
Details:
Domain name: auth.example.com (or whatever CNAME you set in your DNS)
Scheme: http
Forward Hostname / IP: Local IP address of your unRAID server
Port: 9091
Turn ON: Cache Assets, Block Common Exploits
SSL:
Request new SSL certificate
Turn ON: Force SSL, HTTP/2 Support, HSTS Enabled (if using, i.e. in Cloudflare)
Email address: used to create Let’s Encrypt cert.
Select I Agree and Save.
REMINDER: after this is successful, return to Cloudflare and turn the proxy against auth.example.com back ON, or your server IP will be public.
Test that you can reach the webui of Authelia selecting the new proxy or typing in its address. i.e. 'auth.example.com'
NB: For some reason in the current version of NPM as of writing this (v2.2.4) the SSL settings turn off after initial creation. Go back into the SSL
settings of 'auth.example.com' and turn them back on then save again.
If all the above is working as intended; Edit proxy host 'auth.example.com'
Advanced
Under Custom Nginx Configuration, paste the config you customised from 'Authelia Portal.conf'
Save and confirm you can still access the webui via the URL.
Edit proxy host 'sonarr.example.com'
Advanced
Under Custom Nginx Configuration, paste the config you customised from 'Protected Endpoint.conf'
(Optional) If using services which use API to communicate with eachother such as Radarr, Sonarr or Lidarr, you may also need to add a location for the API in order to disable the authorization else it may fail to connect. Settings below are relevant to Sonarr and it's sister products. Be sure to check the docs of the service you are configuring.
Edit proxy host 'sonarr.example.com'
Custom Locations
Location: /api Scheme: http Forward Hostname/IP: SERVERIP/api Forward Port: 8686 Select gear icon: auth_request off;
Confirm you can connect to the API by using, for example, Ombi. TV > Sonarr > Test connection.
In theory the workflow is:
User (listed in the users file, but is not signed in) tries to connect to https://service.domain.com
User is redirected to https://auth.domain.com to sign in
User is given either single factor or second factor options, depending what is set on the subdomain in the configuration.yml
User signs in successfully and is redirected back to origin URL https://service.domain.com
Hope this is of assistance to you. Please provide feedback where required.
You may find when passing through Authelia successfully that the endpoint (i.e. Sonarr) has no login screen (if you had a login screen enabled). This is not related to Authelia, but rather NGINX. From personal experience performing the below may fix this. 1. Edit proxy host 'sonarr.example.com'
Advanced
Under Custom Nginx Configuration, paste the below in above any location blocks
proxy_intercept_errors off;
Test again. If no change, try with it on or removed again.
If you are using LinuxServer.io LE container you need to add this under the server block for its out-of-the-box Authelia support to work:
If you are using the LSIO LE container, there's no need to utilize Authelia as its own subdomain reverse proxy.
If you want to use LDAP as your backend (which is recommended), here's the config we use in the Authelia YAML. Be sure to comment out the File Backend section when using this.
NOTE: This config is based on implementation with FreeIPA as our LDAP server. If using any other server such as OpenLDAP or Active Directory, you will need to adjust the user/group attributes and filters to suit. You must also modify the domain settings below to match your environment.
These instructions were provided by ThreeFN on our Unraid forum thread (link at top).
On Duo, you actually need TWO logins. The first is your admin account that sets-up your hostname/integration_key/secret_key via Partner Auth API. Now with with you need to go into the config for the Application->PartnerAuthAPI and add a user that is THE SAME NAME as the user you have in file/ldap and then EMAIL THEM which will give you the ability to enroll the phone app to that user. Then you can enroll that in authelia when you get to that point.
At any time, you can go directly to the Authelia page by typing in your URL set for it. i.e. auth.example.com.
If using the external database and Redis options (recommended), it's important to note that the startup order of your containers must be configured correctly. In unRAID: 1. On the Dockers page, select Advanced 2. Click and drag the rows of containers so that all database containers are higher on the list than Authelia 3. Next, beside the Autostart toggle, you can set a delay (in seconds) for the container to wait before starting the next container underneath it.
This is useful because it allows certain containers which take a while to start up and may have dependencies to have more time to finish.
If you are confronted with permissions issues when trying to edit the YML file, check your permissions by opening the console in unRAID and entering the following (after the #):
You may see the following:
Notice the last line, where it is not allowing editing. To fix this enter the following in the console:
Then check the permissions again:
You should now see this:
