Enabling Authelia Server Authentication

Before we can enable Traefik to forward auth requests to Authelia, we need to first reverse proxy the Authelia app through Traefik. In order to do that, we will add the minimum default two labels to proxy any app.

    labels:
      traefik.enable: true
      traefik.http.routers.app.entryPoints: https

WARNING

You must replace app with the name of your application that this label is being added to otherwise Traefik will see duplicates.

To show how this would look in your Authelia docker-compose.yml file, below is an example:

version: '3'
services:
  auth:
    container_name: auth    
    image: authelia/authelia:latest
    volumes:
      - /opt/appdata/authelia:/config
    labels:
      traefik.enable: true
      traefik.http.routers.authelia.entryPoints: https
    networks:
      - proxy
    restart: unless-stopped

networks:
  proxy:
    driver: bridge
    external: true

To enable Traefik to forward auth requests to Authelia for an application, we just have to simply set a label for Traefik to pick up. This label will tell Traefik to use a certain middleware for the application we are adding it to.

If you are using docker-compose then you simply need to add a single line to the compose files under labels:

    labels:
      traefik.http.routers.app.middlewares: auth@file

WARNING

You must replace app with the name of your application that this label is being added to otherwise Traefik will see duplicates.

To show you a full example, we will add the label to an existing docker-compose.yml file for Adminer.

docker-compose.yml

version: '3'

services:
  adminer:
    container_name: adminer
    image: adminer
    networks:
      - proxy
    labels:
      traefik.enable: true
      traefik.http.routers.adminer.entryPoints: https
      traefik.http.routers.adminer.middlewares: auth@file
    restart: unless-stopped

networks:
  proxy:
    driver: bridge
    external: true

Now while in the same directory as the docker-compose.yml file, run the command docker-compose up -d and it should recreate the container for you with the latest labels. Now when you deploy your application you will be able to visit it by going to your domain with the app name as the subdomain (APP-NAME.DOMAIN.COM).

PLEASE NOTE

You can add multiple of these labels at once before finally deploying your application.

IMPORTANT

In order to avoid Authelia redirecting into a loop, you must add this rule to your Access Control section in the Authelia configuration.yml:

## bypass rule
        - domain: 
        - "auth.domain.com"
      policy: bypass

Where auth.domainis your authelia subdomain and your root domain.

Conclusion

Traefik will now forward all traffic through Authelia to make sure that the user trying to get to your app is correctly authenticated before passing traffic on to the app.

PreviousChoosing Your App Subdomain Manually Next[BETA] Traefik Tunnel

Last updated 3 years ago

Was this helpful?

version: '3' services: auth: container_name: auth image: authelia/authelia:latest volumes: - /opt/appdata/authelia:/config labels: traefik.enable: true traefik.http.routers.authelia.entryPoints: https networks: - proxy restart: unless-stopped networks: proxy: driver: bridge external: true

version: '3' services: adminer: container_name: adminer image: adminer networks: - proxy labels: traefik.enable: true traefik.http.routers.adminer.entryPoints: https traefik.http.routers.adminer.middlewares: auth@file restart: unless-stopped networks: proxy: driver: bridge external: true