
Adding authentication to services using authelia, traefik

Adding single sign-on and two-factor authentication (TOTP) to services using the Authelia forward-auth middleware for Traefik

Traefik

  • You can check this section on how to install traefik.

Authelia

  • Add a DNS record for auth.example.com pointing to the server running traefik.

  • This is how your authelia directory will look:

    authelia/
    ├── config
    │   ├── configuration.yml
    │   ├── db.sqlite3
    │   ├── notification.txt
    │   └── users_database.yml
    └── docker-compose.yml

    1 directory, 5 files
    
  • Use the docker-compose.yml below (make a directory named authelia and copy the file into it).

version: "3"

services:
  authelia:
    image: authelia/authelia
    container_name: authelia
    volumes:
      - ./config:/config
    networks:
      - traefik_default
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.authelia.rule=Host(`auth.example.com`)"
      - "traefik.http.routers.authelia.entrypoints=websecure"
      - "traefik.http.routers.authelia.tls=true"
      - "traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.example.com"
      - "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true"
      - "traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
    # expose:
    #   - 9091
    restart: unless-stopped
    environment:
      - TZ=Asia/Kolkata
    healthcheck:
      disable: true
networks:
  traefik_default:
    external: true
  • Create a config folder inside the authelia folder.

  • Add the below yaml to the configuration.yml file in the config folder.

---
###############################################################
#                   Authelia configuration                    #
###############################################################

server:
  host: 0.0.0.0
  port: 9091
log:
  level: debug
theme: dark
# This secret can also be set using the env variables AUTHELIA_JWT_SECRET_FILE
jwt_secret: a_long_character_string_like_this_with_any_number_and_characters
default_redirection_url: https://auth.example.com
totp:
  issuer: authelia.com

# duo_api:
#  hostname: api-123456789.example.com
#  integration_key: ABCDEF
#  # This secret can also be set using the env variables AUTHELIA_DUO_API_SECRET_KEY_FILE
#  secret_key: 1234567890abcdefghifjkl

authentication_backend:
  file:
    path: /config/users_database.yml
    password:
      algorithm: argon2id
      iterations: 1
      salt_length: 16
      parallelism: 8
      memory: 64

access_control:
  default_policy: deny
  rules:
    # Rules applied to everyone
    - domain: a.example.com
      policy: bypass
    - domain:
        - example.com
      subject:
        - "user:<Username>"
        - "user:<Username>"
        #- "group:<Group_Name>"
        #- "group:<Group_Name>"
        # Each entry in this list is an alternative (OR); to require several
        # at once (AND), put them together in one nested list, e.g.
        # - ["user:<Username>", "group:<Group_Name>"]
      policy: one_factor
    - domain:
        - b.example.com
        - c.example.com
      subject:
        - "user:<Username>"
      policy: two_factor
    # - domain: pve1.local.example.com
    #   policy: two_factor

session:
  name: authelia_session
  # This secret can also be set using the env variables AUTHELIA_SESSION_SECRET_FILE
  secret: unsecure_session_secret
  expiration: 3600 # 1 hour
  inactivity: 300 # 5 minutes
  domain: example.com # Should match whatever your root protected domain is

  # redis:
  #   host: redis
  #   port: 6379
  #   # This secret can also be set using the env variables AUTHELIA_SESSION_REDIS_PASSWORD_FILE
  #   # password: authelia

regulation:
  max_retries: 3
  find_time: 120
  ban_time: 300

storage:
  encryption_key: a_long_character_string_like_this_with_any_number_and_characters # Now required
  local:
    path: /config/db.sqlite3

notifier:
  #smtp:
  #  username: name
  #  # This secret can also be set using the env variables AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
  #  password: password
  #  host: smtp.gmail.com
  #  port: 25
  #  sender: authelia@example.com
  filesystem:
    filename: /config/notification.txt
  • If you have configured an email notifier, the forgot-password and TOTP registration links are sent to your email. If you have not configured an email notifier, the links are written to /config/notification.txt. The same applies to the other notifications, such as 2 Factor Auth (TOTP) setup.

  • Add the below yaml to the users_database.yml file in the config folder.

---
###############################################################
#                         Users Database                      #
###############################################################

# This file can be used if you do not have an LDAP set up.

# List of users
users:
  username_1:
    displayname: "name_1"
    # Password is Authelia, generate your own hash using argon2id algorithm
    password: "$argon2id$v=19$m=65536,t=1,p=8$cUI4a0E3L1laYnRDUXl3Lw$ZsdsrdadaoVIaVj8NltA8x4qVOzT+/r5GF62/bT8OuAs"
    email: <email>
    # Groups are referenced by "group:<Group_Name>" subjects in access_control
    groups:
      - admins_group
      - dev_group

  username_2:
    displayname: "name_2"
    # Password is Authelia, generate your own hash using argon2id algorithm
    password: "$argon2id$v=19$m=65536,t=1,p=8$cUI4a0E3L1laYnRDUXl3Lw$ZsdsrdadaoVIaVj8NltA8x4qVOzT+/r5GF62/bT8OuAs"
    email: <email>
    groups:
      - dashboard
  • Generate the hashed password for users using the following command.
docker run authelia/authelia:latest authelia hash-password 'yourpassword'
  • Replace the password with the generated hash.
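To sanity-check the access_control section above before deploying it, the following added example (not code from the post or from Authelia) models the documented rule evaluation: rules are checked top to bottom and the first match wins, a domain matches exactly or by `*.` wildcard, the outer subject list is OR and a nested list is AND, and an unmatched request falls through to default_policy. It goes slightly beyond the post by handling wildcard domains and nested AND subjects; the ACL, the user names alice and bob, and the omission of resources, methods and networks are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Identity:
    username: str
    groups: set = field(default_factory=set)

def domain_matches(pattern: str, host: str) -> bool:
    # "*.example.com" matches subdomains only, never the apex "example.com"
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host

def subject_matches(item: str, who: Identity) -> bool:
    kind, _, value = item.partition(":")
    if kind == "user":
        return who.username == value
    if kind == "group":
        return value in who.groups
    raise ValueError(f"unknown subject type: {item}")

def rule_matches(rule: dict, host: str, who: Identity) -> bool:
    domains = [rule["domain"]] if isinstance(rule["domain"], str) else rule["domain"]
    if not any(domain_matches(d, host) for d in domains):
        return False
    subjects = rule.get("subject", [])
    if not subjects:  # no subject restriction: any identity matches
        return True
    # outer list is OR; a nested list ["user:a", "group:g"] is AND
    return any(
        all(subject_matches(s, who) for s in (alt if isinstance(alt, list) else [alt]))
        for alt in subjects
    )

def required_policy(acl: dict, host: str, who: Identity) -> str:
    for rule in acl["rules"]:  # rules are ordered: the first match wins
        if rule_matches(rule, host, who):
            return rule["policy"]
    return acl["default_policy"]  # nothing matched: fall through to the default

# Constructed ACL mirroring the post's access_control section, placeholders filled in
ACL = {
    "default_policy": "deny",
    "rules": [
        {"domain": "a.example.com", "policy": "bypass"},
        {"domain": ["example.com"], "subject": ["user:alice", "user:bob"], "policy": "one_factor"},
        {"domain": ["b.example.com", "c.example.com"], "subject": ["user:alice"], "policy": "two_factor"},
    ],
}
```

Note that `domain: example.com` matches only the apex, so a request for d.example.com by alice falls through to `deny`; use `*.example.com` if subdomains are meant to be covered.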

Enable authelia for services

Docker

  • Add the below label to the docker-compose.yml of the docker service you want to put behind authentication, replacing `traefik` in the label with the name of that service's router.
labels:
  # "traefik" here is the router name; use the router of the service being protected
  - "traefik.http.routers.traefik.middlewares=authelia@docker"

Services outside docker

  • Below is an example of how to enable authelia for services outside docker. Add the lines below, under the http: key, to your traefik's dynamic configuration file.
middlewares:
  # order matters
  authelia:
    forwardAuth:
      address: "http://authelia:9091/api/verify?rd=https://auth.example.com"
  • Now add this middleware to your service’s routers section. Check this section for more details.

  • Example:

http:
  routers:
    # Define a connection between requests and services
    to-whoami:
      entryPoints:
        - "websecure"
      rule: "Host(`example.com`) && PathPrefix(`/whoami/`)"
      # If the rule matches, applies the middleware
      middlewares:
        - authelia
        - services-user
      tls: {}
      service: whoami
This post is licensed under CC BY 4.0 by the author.