Authentication proxy
Changelog
- 2024-08-06: Init
Authelia
Bootstrapped example
Deploy one of their bundles using "docker-compose", preferably the local bundle because most of the services are self-contained.
- If deploying on a Debian 12.2 VM, you will likely need to install Docker and Docker Compose from the official channels instead.
- The username and password are initialized directly in the setup. Use the default domain, i.e. "example.com".
- /etc/hosts
127.0.0.1 authelia.example.com
127.0.0.1 public.example.com
127.0.0.1 traefik.example.com
127.0.0.1 secure.example.com
Date: 2024-08-07 12:47:49.357510118 +1000 AEST m=+5484.362701983
Recipient: {Justin justin@example.com}
Subject: Confirm your identity
Hi Justin,
This email has been sent to you in order to validate your identity. Purpose: Confirm your identity.
If you did not initiate the process your credentials might have been compromised and you should:
1. Visit the revocation link
2. Reset your password or other login credentials
3. Contact an Administrator
To confirm your identity please use the following single-use code: JKXHF2TM
This email was generated by a user with the IP 172.18.0.1.
The following link can be utilized to revoke the code (this is a logged event): https://authelia.example.com/revoke/one-time-code?id=eYkSjbBXRfWg7rm56AOQhg
Configuration:
server:
  address: 'tcp://:9091'

log:
  level: 'debug'

totp:
  issuer: 'authelia.com'

identity_validation:
  reset_password:
    jwt_secret: 'a_very_important_secret'

authentication_backend:
  file:
    path: '/config/users_database.yml'

access_control:
  default_policy: 'deny'
  rules:
    - domain: 'public.example.com'
      policy: 'bypass'
    - domain: 'traefik.example.com'
      policy: 'one_factor'
    - domain: 'secure.example.com'
      policy: 'two_factor'

session:
  secret: 'insecure_session_secret'
  cookies:
    - name: 'authelia_session'
      domain: 'example.com'  # Should match whatever your root protected domain is
      authelia_url: 'https://authelia.example.com'
      expiration: '1 hour'  # 1 hour
      inactivity: '5 minutes'  # 5 minutes
      default_redirection_url: 'https://public.example.com'

regulation:
  max_retries: 3
  find_time: '2 minutes'
  ban_time: '5 minutes'

storage:
  encryption_key: 'you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this'
  local:
    path: '/config/db.sqlite3'

notifier:
  filesystem:
    filename: '/config/notification.txt'
...
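The configuration above still carries the bundle's placeholder values for jwt_secret, session secret and storage encryption_key. The following check is an added example, not part of the original page or of Authelia: it flags those placeholders and any secret shorter than the length the placeholder text itself asks for, then swaps in random values. The function names, the 21-character threshold and the single-quoted value format are assumptions of this example; the length test does not measure randomness.

```python
import re
import secrets

# Placeholder secrets copied from the configuration on this page.
PLACEHOLDERS = {
    "a_very_important_secret",
    "insecure_session_secret",
    "you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this",
}
MIN_LENGTH = 21  # assumption, from the placeholder text: "more than twenty chars"
# Matches the secret-bearing keys; assumes single-quoted values as on this page.
LINE = re.compile(r"^(\s*)(jwt_secret|secret|encryption_key):\s*'([^']*)'")


def audit(config_text):
    """Return (line_no, key, reason) for each weak secret in the config text."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        m = LINE.match(line)
        if m and m.group(3) in PLACEHOLDERS:
            findings.append((no, m.group(2), "placeholder from the example bundle"))
        elif m and len(m.group(3)) < MIN_LENGTH:
            findings.append((no, m.group(2), "shorter than %d characters" % MIN_LENGTH))
    return findings


def harden(config_text):
    """Replace each weak secret with a random value; other lines are unchanged."""
    weak = {no for no, _, _ in audit(config_text)}
    out = []
    for no, line in enumerate(config_text.splitlines(), 1):
        if no in weak:
            fresh = secrets.token_urlsafe(48)  # 64 URL-safe characters
            line = LINE.sub(lambda m: "%s%s: '%s'" % (m.group(1), m.group(2), fresh), line)
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample: two of the secret-bearing entries from the configuration above.
SAMPLE = """\
identity_validation:
  reset_password:
    jwt_secret: 'a_very_important_secret'
session:
  secret: 'insecure_session_secret'
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
    print(harden(SAMPLE))
```

Changing the storage encryption_key after the SQLite database has been created is not a plain text edit, so run the replacement before the first start.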
users:
  jj:
    disabled: false
    displayname: "jjj"
    password: "$argon2id$v=19$m=65536,t=3,p=4$DWPNnxDaOrFfKoynyJZCig$xoxPNfuzDv0EofMVvi1OMf2zm4/3sBnMG3N/wcW+Sq4"
    email: jj@example.com
    groups:
      - admins
      - dev
authelia crypto hash generate argon2 --password "$PASSWORD" | sed 's/Digest: //g'
if [[ $(id -u) != 0 ]]; then
git checkout $(git describe --tags `git rev-list --tags --max-count=1`)
If the policy is set to deny, then the request returns a 403 Forbidden instead.
services:
  authelia:
    image: authelia/authelia
    container_name: authelia
    volumes:
      - ./authelia:/config
    networks:
      - net
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.authelia.rule=Host(`authelia.example.com`)'
      - 'traefik.http.routers.authelia.entrypoints=https'
      - 'traefik.http.routers.authelia.tls=true'
      - 'traefik.http.routers.authelia.tls.options=default'
      - 'traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/authz/forward-auth'  # yamllint disable-line rule:line-length
      - 'traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true'
      - 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email'  # yamllint disable-line rule:line-length
    expose:
      - 9091
  secure:
    image: traefik/whoami
    container_name: secure
    networks:
      - net
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.secure.rule=Host(`secure.example.com`)'
      - 'traefik.http.routers.secure.entrypoints=https'
      - 'traefik.http.routers.secure.tls=true'
      - 'traefik.http.routers.secure.tls.options=default'
      - 'traefik.http.routers.secure.middlewares=authelia@docker'
Docker installation on Debian VM:
curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh ./get-docker.sh
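DOCKER_CONFIG=${DOCKER_CONFIG:-$HOME/.docker}
mkdir -p "$DOCKER_CONFIG/cli-plugins"
curl -SL https://github.com/docker/compose/releases/download/v2.29.1/docker-compose-linux-x86_64 -o "$DOCKER_CONFIG/cli-plugins/docker-compose"
# The downloaded plugin must be executable before docker can run it
chmod +x "$DOCKER_CONFIG/cli-plugins/docker-compose"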
echo 'docker compose --compatibility "$@"' | sudo tee -a /usr/local/bin/docker-compose && sudo chmod +x /usr/local/bin/docker-compose
git clone https://github.com/authelia/authelia.git
cd authelia
git checkout $(git describe --tags `git rev-list --tags --max-count=1`)
cd examples/compose/local
./setup.sh
kb/internet/services/auth/start.txt · Last modified: 15 months ago ( 7 August 2024) by justin




