
authelia#

description:#

Authelia is an authentication and authorization application that allows comprehensive and flexible configuration of access control rules. Generally, I enforce single-factor authentication for traffic originating within the home network and 2FA for traffic coming from the internet.

Authelia has built-in security measures such as regulation of failed login attempts: after a configured number of wrong passwords within a time window the account is temporarily banned, which reduces the feasibility of password brute-force attacks.


Rules can be set up for any combination of criteria such as:
- Domain (mysite.example.com, *.example.com)
- User (bob, john)
- Group (admin, dev)
- Network (192.168.0.0/24)
- Resource (/api/overview, /user/bob)

For each rule you can control the level of authentication required (the policy):
- Deny access (`deny`)
- Bypass authentication (`bypass`)
- 1FA (`one_factor`, i.e. password only)
- 2FA (`two_factor`, i.e. password plus a second factor: a time-based code from a mobile app, a push notification, or a physical security key such as a YubiKey).
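The brute-force regulation and the rules described above live in Authelia's configuration.yml. The fragment below is an added example written for this page, not a copy of the original page's or the Authelia project's configuration; it assumes the home LAN is 192.168.0.0/24 and the site is example.com, and encodes the policy stated in the description (password only from the home network, 2FA from the internet) plus a deny and a bypass rule to show all four policies.

```yaml
# configuration.yml (fragment) - added example, not the original page's config.
# Assumed values: home LAN 192.168.0.0/24, domain example.com, an "admin" group.

# Brute-force protection (Authelia calls this "regulation"):
# 3 failed attempts within 2 minutes ban the account for 5 minutes.
regulation:
  max_retries: 3
  find_time: 2m
  ban_time: 5m

access_control:
  # Policy applied when no rule matches. deny is the safe fallback;
  # a forgotten host then fails closed instead of being reachable.
  default_policy: deny

  # Named networks that rules can refer to.
  networks:
    - name: internal
      networks:
        - 192.168.0.0/24

  # Rules are evaluated top to bottom and the first match wins,
  # so specific rules must come before the broad ones.
  rules:
    # Public landing page needs no login at all.
    - domain: example.com
      policy: bypass

    # The admin API: only the admin group, and always with 2FA,
    # even from the home LAN.
    - domain: "*.example.com"
      resources:
        - "^/api/admin(/.*)?$"
      subject:
        - "group:admin"
      policy: two_factor

    # Anyone else requesting the admin API is refused outright.
    - domain: "*.example.com"
      resources:
        - "^/api/admin(/.*)?$"
      policy: deny

    # Inside the home LAN a password is enough ...
    - domain: "*.example.com"
      networks:
        - internal
      policy: one_factor

    # ... the same hosts reached from anywhere else need 2FA.
    - domain: "*.example.com"
      policy: two_factor
```

Because the first matching rule wins, swapping the last two rules would silently downgrade internet traffic to one_factor, so check rule order whenever you add an entry.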

source and credits: docker image - authelia/authelia from Authelia

usage#

Authelia works in conjunction with Traefik: Traefik forwards each request for a protected application to Authelia, which decides whether the request may pass. After a successful login Authelia sets a session cookie that remains valid for a configured time; once it expires (or the session has been idle for too long) the login page is presented again, and after a successful login the application continues. The Authelia login portal can be reached locally at http://localhost:9091 (only if the container publishes port 9091), at the hostname configured on its Traefik router (login.example.com in the stack below), or it is simply presented inline when a protected application is requested.
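The cookie lifetime mentioned above is set in the session section of configuration.yml. The fragment below is an added example for this page, not the original page's or the Authelia project's own configuration; it assumes the cookie domain example.com (so the one cookie covers every *.example.com host behind Traefik) and the flat session keys of the Authelia 4.3x configuration format.

```yaml
# configuration.yml (fragment) - added example, not the original page's config.
# Assumes domain example.com and the Authelia 4.3x session keys.
session:
  name: authelia_session
  domain: example.com            # cookie is sent to every *.example.com host
  # Placeholder only: supply the real secret through the
  # AUTHELIA_SESSION_SECRET_FILE environment variable instead of the file.
  secret: replace_me_with_a_long_random_secret
  same_site: lax                 # cookie is not sent on cross-site POSTs
  expiration: 1h                 # absolute lifetime; login page returns after this
  inactivity: 5m                 # an idle session ends after this, even before 1h
  remember_me_duration: 1M       # lifetime when "Remember me" is ticked; 0 disables it
```

A session ends when either limit is hit, so a short inactivity value is what actually protects an unattended browser; expiration alone only bounds the worst case.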

dependencies#

preparation: create a folder for persistent storage outside of the Docker container.

  1. authelia (mounted at /config in the stack below; it holds configuration.yml, the users database and Authelia's persistent state)
  2. customise configuration.yml to recognise your domain

installation#

Create a stack in Portainer with the following compose definition.

```yaml
version: '2'

services:
  authelia:
    container_name: authelia
    image: authelia/authelia
    restart: unless-stopped
    networks:
      - web
    volumes:
      # persistent folder prepared above; Authelia reads /config/configuration.yml
      - /var/lib/docker/volumes/myconfigs/_data/authelia:/config
    labels:
      - traefik.enable=true
      # router for the login portal itself
      - traefik.http.routers.authelia.rule=Host(`login.example.com`)
      - traefik.http.routers.authelia.entrypoints=websecure
      - traefik.http.routers.authelia.middlewares=authmm
      - traefik.http.routers.authelia.tls=true
      - traefik.http.routers.authelia.tls.certresolver=le
      - traefik.http.services.authelia.loadbalancer.server.port=9091

      # forwardAuth middleware that protected applications attach to their own
      # routers; the portal router above must not use it or logins would loop
      - traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://login.example.com
      - traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups
      - traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true
      # CORS headers for the portal router
      - traefik.http.middlewares.authmm.headers.accesscontrolalloworiginlist=https://example.com,https://login.example.com,https://traefik.example.com

networks:
  web:
    external:
      name: web
```
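The stack above only defines the forwardAuth middleware; nothing is protected until an application's router references it. The service below is an added example for this page (not part of the original stack), using the traefik/whoami test image on the assumed hostname whoami.example.com and the same external `web` network and `le` certificate resolver as the Authelia stack.

```yaml
# Added example: a protected application, not part of the original stack.
# Assumes the authelia stack above is running on the external "web" network.
version: '2'

services:
  whoami:
    container_name: whoami
    image: traefik/whoami        # echoes the request, including Remote-User/Remote-Groups
    restart: unless-stopped
    networks:
      - web
    labels:
      - traefik.enable=true
      - traefik.http.routers.whoami.rule=Host(`whoami.example.com`)
      - traefik.http.routers.whoami.entrypoints=websecure
      - traefik.http.routers.whoami.tls=true
      - traefik.http.routers.whoami.tls.certresolver=le
      # Attach the forwardAuth middleware defined on the authelia container.
      # "@docker" names the provider it came from; without this label the
      # application is reachable with no login at all.
      - traefik.http.routers.whoami.middlewares=authelia@docker

networks:
  web:
    external:
      name: web
```

After a login, the whoami page shows the Remote-User and Remote-Groups headers that the authResponseHeaders label passes through; an application that trusts those headers must only ever be reachable via Traefik, since a client talking to the container directly could set them itself.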

tips#

When maintaining the configuration file, be vigilant about indentation: the file is YAML, and a line indented by the wrong number of spaces changes its meaning or makes the file invalid. After updating the configuration you need to restart the container and should always check that it has actually started: a misaligned configuration generates errors which are highlighted in the container log (`docker logs authelia`), and the container then exits. The image also ships an `authelia validate-config` command that checks the file without a restart. There is a web UI in the making for managing the configuration which I expect will help.