
Authentication proxy

Changelog

  • 2024-08-06: Init

Authelia

Bootstrapped example

Deploy one of their bundles with docker-compose, preferably the local bundle, because most of its services are self-contained.

  • When deploying on a Debian 12.2 VM, Docker and Docker Compose will likely need to be installed from the official channels instead (see the installation notes below).
  • The username and password are initialized directly by the setup script. Use the default domain, i.e. "example.com".
/etc/hosts
127.0.0.1  authelia.example.com
127.0.0.1  public.example.com
127.0.0.1  traefik.example.com
127.0.0.1  secure.example.com

public.example.com

Date: 2024-08-07 12:47:49.357510118 +1000 AEST m=+5484.362701983
Recipient: {Justin justin@example.com}
Subject: Confirm your identity
Hi Justin,

This email has been sent to you in order to validate your identity. Purpose: Confirm your identity.

If you did not initiate the process your credentials might have been compromised and you should:
1. Visit the revocation link
2. Reset your password or other login credentials
3. Contact an Administrator

To confirm your identity please use the following single-use code: JKXHF2TM

This email was generated by a user with the IP 172.18.0.1.

The following link can be utilized to revoke the code (this is a logged event): https://authelia.example.com/revoke/one-time-code?id=eYkSjbBXRfWg7rm56AOQhg

Configuration:

server:
  address: 'tcp://:9091'

log:
  level: 'debug'

totp:
  issuer: 'authelia.com'

identity_validation:
  reset_password:
    jwt_secret: 'a_very_important_secret'

authentication_backend:
  file:
    path: '/config/users_database.yml'

access_control:
  default_policy: 'deny'
  rules:
    - domain: 'public.example.com'
      policy: 'bypass'
    - domain: 'traefik.example.com'
      policy: 'one_factor'
    - domain: 'secure.example.com'
      policy: 'two_factor'

session:
  secret: 'insecure_session_secret'

  cookies:
    - name: 'authelia_session'
      domain: 'example.com'  # Should match whatever your root protected domain is
      authelia_url: 'https://authelia.example.com'
      expiration: '1 hour'  # 1 hour
      inactivity: '5 minutes'  # 5 minutes
      default_redirection_url: 'https://public.example.com'

regulation:
  max_retries: 3
  find_time: '2 minutes'
  ban_time: '5 minutes'

storage:
  encryption_key: 'you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this'
  local:
    path: '/config/db.sqlite3'

notifier:
  filesystem:
    filename: '/config/notification.txt'
...
users:
  jj:
    disabled: false
    displayname: "jjj"
    password: "$argon2id$v=19$m=65536,t=3,p=4$DWPNnxDaOrFfKoynyJZCig$xoxPNfuzDv0EofMVvi1OMf2zm4/3sBnMG3N/wcW+Sq4"
    email: jj@example.com
    groups:
      - admins
      - dev
authelia crypto hash generate argon2 --password "$PASSWORD" | sed 's/Digest: //g'   # hash for users_database.yml, "Digest: " prefix stripped
if [[ $(id -u) != 0 ]]; then echo "must be run as root" >&2; exit 1; fi   # root check, completed here as a full if-block
git checkout $(git describe --tags `git rev-list --tags --max-count=1`)   # check out the latest tagged release

If the matching access-control rule's policy is set to deny, the request is answered with 403 Forbidden instead.
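The following is an added example, not Authelia's own code: a small model of how the access_control section above is evaluated by the forward-auth endpoint, using the page's three rules and default_policy deny. It shows first-match ordering, the authentication level each policy needs, and that deny yields 403 regardless of login state; it also generalises the domain match to the `*.example.com` wildcard form that Authelia accepts, which the page's rules do not use.

```python
"""Model of Authelia-style access_control evaluation (added example, not Authelia's code)."""

# Authentication level of the session, as Authelia tracks it
ANONYMOUS, ONE_FACTOR, TWO_FACTOR = 0, 1, 2

# Rules from the page's configuration; first match wins, default_policy is deny
RULES = [
    {"domain": "public.example.com", "policy": "bypass"},
    {"domain": "traefik.example.com", "policy": "one_factor"},
    {"domain": "secure.example.com", "policy": "two_factor"},
]
DEFAULT_POLICY = "deny"

# Minimum session level each non-deny policy requires
REQUIRED_LEVEL = {"bypass": ANONYMOUS, "one_factor": ONE_FACTOR, "two_factor": TWO_FACTOR}


def domain_matches(pattern: str, host: str) -> bool:
    """Exact host match, or a `*.` wildcard matching any subdomain (generalisation)."""
    host = host.lower().split(":")[0]  # ignore an explicit port
    if pattern.startswith("*."):
        return host.endswith(pattern[1:].lower())
    return host == pattern.lower()


def effective_policy(host: str, rules=RULES, default=DEFAULT_POLICY) -> str:
    """Policy of the first rule whose domain matches, else the default policy."""
    for rule in rules:
        if domain_matches(rule["domain"], host):
            return rule["policy"]
    return default


def forward_auth(host: str, level: int, rules=RULES, default=DEFAULT_POLICY) -> int:
    """Status the forward-auth check answers with: 200 authorized,
    401 authentication required, 403 forbidden."""
    policy = effective_policy(host, rules, default)
    if policy == "deny":
        return 403  # forbidden even for a fully authenticated session
    if level >= REQUIRED_LEVEL[policy]:
        return 200
    return 401  # for a browser Authelia redirects to the portal instead


if __name__ == "__main__":
    for host in ("public.example.com", "traefik.example.com", "secure.example.com", "other.example.com"):
        print(host, [forward_auth(host, lvl) for lvl in (ANONYMOUS, ONE_FACTOR, TWO_FACTOR)])
```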

services:
  authelia:
    image: authelia/authelia
    container_name: authelia
    volumes:
      - ./authelia:/config
    networks:
      - net
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.authelia.rule=Host(`authelia.example.com`)'
      - 'traefik.http.routers.authelia.entrypoints=https'
      - 'traefik.http.routers.authelia.tls=true'
      - 'traefik.http.routers.authelia.tls.options=default'
      - 'traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/authz/forward-auth'  # yamllint disable-line rule:line-length
      - 'traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true'
      - 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email'  # yamllint disable-line rule:line-length
    expose:
      - 9091
  secure:
    image: traefik/whoami
    container_name: secure
    networks:
      - net
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.secure.rule=Host(`secure.example.com`)'
      - 'traefik.http.routers.secure.entrypoints=https'
      - 'traefik.http.routers.secure.tls=true'
      - 'traefik.http.routers.secure.tls.options=default'
      - 'traefik.http.routers.secure.middlewares=authelia@docker'

Docker installation on Debian VM:

# Install Docker Engine with the official convenience script
curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh ./get-docker.sh
# Install the Compose v2 CLI plugin for the current user
DOCKER_CONFIG=${DOCKER_CONFIG:-$HOME/.docker}
mkdir -p "$DOCKER_CONFIG/cli-plugins"
curl -SL https://github.com/docker/compose/releases/download/v2.29.1/docker-compose-linux-x86_64 -o "$DOCKER_CONFIG/cli-plugins/docker-compose"
chmod +x "$DOCKER_CONFIG/cli-plugins/docker-compose"   # without this "docker compose" is not found
# Provide a legacy "docker-compose" command that wraps the plugin
printf '#!/bin/sh\nexec docker compose --compatibility "$@"\n' | sudo tee /usr/local/bin/docker-compose >/dev/null && sudo chmod +x /usr/local/bin/docker-compose

git clone https://github.com/authelia/authelia.git
cd authelia
git checkout $(git describe --tags `git rev-list --tags --max-count=1`)
cd examples/compose/local
./setup.sh
kb/internet/services/auth/start.txt · Last modified: 7 August 2024 by justin