====== Authelia ======
[[https://www.authelia.com/|Authelia]] is an open-source authentication and authorization server and portal fulfilling the identity and access management (IAM) role of information security in providing multi-factor authentication and single sign-on (SSO) for your applications via a web portal. It acts as a companion for common reverse proxies.
This is **not** simple stuff and it require some understanding of what you are doing: just copy-pasting configurations and finger-crossing will **not** work and only //lead to frustration.//
I strongly suggest you read the very good [[https://www.authelia.com/integration/prologue/get-started|Get Started]] page and the linked references before you proceed.
===== Installation =====
First of all, your NGINX must be compiled with **auth_request** module, but if you followed my NGINX guide ([[selfhost:nginx|here]]), you are all set.
While Authelia support docker images, there is really **no** reason to use a container since it's a single executable that you can simply download and start. So let's install on bare-metal!
As usual, let's create a dedicated user:
useradd -m authelia
in this case, you should let the home folder be under the **/home/authelia** since this is an authentication service, you want to have it always working even if the **/media** folder doesn't mount for any reason.
Now it's time to download the latest release from [[https://github.com/authelia/authelia/releases|https://github.com/authelia/authelia/releases]] and install it under user **bin** folder:
su - authelia
wget https://github.com/authelia/authelia/releases/download/vX.Y.Z/authelia-vX.Y.Z-linux-amd64.tar.gz
mkdir bin config db logs
cd bin
tar xvf ../authelia-vX.Y.Z-linux-amd64.tar.gz
===== Configuration =====
You need to copy the provided example configuration and edit to your needs:
cp bin/config-example.yml configuration.yml
As an example, here is my configuration.yml, split into separate sections because it's very long:
---
theme: 'auto'
server:
address: 'tcp://127.0.0.1:9071/' # port 9071, default would collide with another service
endpoints:
<<< see below >>>
log:
<<< see below >>>
telemetry:
metrics:
enabled: false
totp:
disable: false
webauthn:
disable: false
identity_validation:
reset_password:
jwt_secret: '<<< put a good secret here >>>>'
authentication_backend:
<<< see below >>>
password_policy:
standard:
enabled: false
min_length: 8
max_length: 0
require_uppercase: true
require_lowercase: true
require_number: true
require_special: true
zxcvbn:
enabled: false
min_score: 3
privacy_policy:
enabled: false
require_user_acceptance: false
policy_url: ''
access_control:
<<< see below >>>
session:
secret: '<<< another, different, secret here >>>>'
cookies:
-
domain: 'mydomain.com'
authelia_url: 'https://login.mydomain.com'
default_redirection_url: 'https://mydomain.com'
name: 'authelia_session'
same_site: 'lax'
inactivity: '5m'
expiration: '14h'
remember_me: '1M'
storage:
<<< see below >>>
notifier:
<<< see below >>>
identity_providers:
oidc:
<<< see below >>>
...
This file has a few assumptions, for example you need to create **login.mydomain.com** in your NGINX configuration, create the subdomain in your domain DNS, and generate the corrispective HTTPS certificate. Authelia will **not** work otherwise, by design.
=== Access Control ===
This section is used to define how to access domains, and with which policy. I use single factor at this time, so:
access_control:
default_policy: 'deny'
rules:
- domain: '*.mydomain.com'
policy: 'one_factor'
=== Authentication Backend ===
I choose to store passwords and users in a yaml text file, for my few users this is perfect and simple enough:
password_reset:
disable: false
file:
path: '/home/authelia/config/users_database.yml'
watch: true
See below on how to add/create users.
=== Storage ===
Due to my very limited use case (less than 10 users) i am using SQLite3 as storage backend:
storage:
encryption_key: '<<< put a good string here >>>>'
local:
path: '/home/authelia/db/db.sqlite3'
=== Notifier ===
Authelia support both on-flie notifier, which is pretty simple to setup, or email based notifier. While email requires you to setup a dedicated email address for Authelia, it will allow users to reset their password without your actions, which might be desirable.
File based, simple, notifier:
notifier:
disable_startup_check: true
filesystem: # Using email notifier is probably better: TBD
filename: '/home/authelia/config/notification.txt'
SMTP / email notifier:
notifier:
disable_startup_check: true
smtp:
address: 'smtp://mail.mydomain.com:587'
username: 'authelia@mydomain.com'
password: '<<< put email password here >>>'
sender: 'Authelia '
Note the **disable_startup_check**: you should set it to true to prevent authelia to crash at boot if network is not yet reachable.
=== Endpoints ===
Please note the **endpoints** configuration below: i have created two different endpoints:
* standard: which will be used by all supported services
* basic: which will be needed by some protocols like WebDAV and such
endpoints:
authz:
normal: # This is used for the non-basic auth
implementation: 'AuthRequest'
authn_strategies:
- name: 'CookieSession'
basic: # this enables basic auth for services that don't uspport anything else
implementation: 'AuthRequest'
authn_strategies:
- name: 'HeaderAuthorization'
schemes:
- 'Basic'
This is **different** from the stock authelia configuration files and **requires** one important change to the NGINX snippets below, which i will point out. Do not forget to edit the snippets where indicated.
=== Log ===
Moving logging to a separate file, remember to //logrotate// it, because it will grow a lot over time:
log:
level: 'debug'
format: 'text'
file_path: '/var/log/authelia/authelia.log'
For the log file, you need to create and set permissions to **/var/log/authelia**:
mkdir /var/log/authelia
chown authelia:authelia /var/log/authelia
chmod 750 /var/log/authelia
=== OIDC Provider ===
Setting up Authelia as OIDC Provider is useful to support services that support this protocol, like Jellyfin. See [[https://www.authelia.com/configuration/identity-providers/openid-connect/provider/|here]] for more details.
Add the following section to your configuration.yml:
identity_providers:
oidc:
hmac_secret: '<>'
jwks:
- key_id: 'main'
use: 'sig'
key: |
-----BEGIN PRIVATE KEY-----
... <<< see below >>> ...
-----END PRIVATE KEY-----
enable_client_debug_messages: false
minimum_parameter_entropy: 8
enforce_pkce: 'public_clients_only'
enable_pkce_plain_challenge: false
enable_jwt_access_token_stateless_introspection: false
discovery_signed_response_alg: 'none'
discovery_signed_response_key_id: ''
require_pushed_authorization_requests: false
authorization_policies:
policy_name:
default_policy: 'one_factor'
rules:
- policy: 'deny'
subject: 'group:services'
lifespans:
access_token: '1h'
authorize_code: '1m'
id_token: '1h'
refresh_token: '90m'
cors:
endpoints:
- 'authorization'
- 'token'
- 'revocation'
- 'introspection'
allowed_origins:
- 'https://mydomain.com'
allowed_origins_from_client_redirect_uris: false
To generate **hmac_secret** use the following command:
/home/authelia/bin/authelia-linux-amd64 crypto rand --length 64 --charset alphanumeric
To generate the **PRIVATE KEY** use the following command:
openssl genrsa -out private.pem 4096 && cat private.pem
You can delete the generated files afterward.
=== OIDC Client ===
Each OIDC client must have it's own section in the Authelia configuration file. See [[https://www.authelia.com/integration/openid-connect/jellyfin/| here]] for an example.
identity_providers:
oidc:
<< omissis, see OIDC Providers above >>
clients:
- client_id: ' <<< see below >>>'
client_name: 'Jellyfin'
client_secret: '<<< see below >>>'
public: false
authorization_policy: 'two_factor'
require_pkce: true
pkce_challenge_method: 'S256'
redirect_uris:
- 'https://client.example.com/sso/OID/redirect/authelia'
scopes:
- 'openid'
- 'profile'
- 'groups'
userinfo_signed_response_alg: 'none'
token_endpoint_auth_method: 'client_secret_post'
To generate the **client_id**:
./home/authelia/bin/authelia-linux-amd64 crypto rand --length 72 --charset rfc3986
To generate **client_secret**:
/home/authelia/bin/authelia-linux-amd64 crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
=== Customization ===
If you want to customize the look & feel of the login dialog, you can replace the logo and the favicon.
In your configuration path add the line:
server:
asset_path: '/home/authelia/config/assets'
and drop in that folder two files:
* favicon.ico (must be an ico)
* logo.png (must be a png)
=== Logout ===
You can logout by going to the URL **https://login.mydomain.com/logout**.
==== NGINX support files ====
From this point onward, always refer to [[https://www.authelia.com/integration/proxies/nginx/|Authelia documentation]] to understand what i am doing.
This is the associated NGINX config file **/etc/nginx/mydomain/login/login.conf**:
server {
server_name login.mydomain.com;
listen 443 ssl;
listen 8443 ssl;
http2 on;
access_log /var/log/nginx/login.mydomain.com_access_log main;
error_log /var/log/nginx/login.mydomain.com_error_log info;
location / {
include com.mydomain/authelia_proxy.conf;
proxy_pass http://127.0.0.1:9071;
}
location = /api/verify {
proxy_pass http://127.0.0.1:9071;
}
location /api/authz/ {
proxy_pass http://127.0.0.1:9071;
}
}
In addition to this one, you need also che following specific NGINX config files:
* The **/etc/nginx/com.mydomain/authelia_proxy.conf**: see [[https://www.authelia.com/integration/proxies/nginx/#proxyconf|here]]
* The **/etc/nginx/com.mydomain/authelia_location.conf**: see [[https://www.authelia.com/integration/proxies/nginx/#authelia-locationconf|here]]
* The **/etc/nginx/com.mydomain/authelia_location-basic.conf**: see [[https://www.authelia.com/integration/proxies/nginx/#authelia-location-basicconf|here]]
* The **/etc/nginx/com.mydomain/authelia_authrequest.conf**: see [[https://www.authelia.com/integration/proxies/nginx/#authelia-authrequestconf|here]]
* The **/etc/nginx/com.mydomain/authelia_authrequest-basic.conf**: see [[https://www.authelia.com/integration/proxies/nginx/#authelia-authrequest-basicconf|here]]
Now, you need to edit the **authelia_location.conf** and replace the first line to match the __standard endpoint__ defined above:
set $upstream_authelia http://127.0.0.1:9071/api/authz/normal;
And, similarly, you need to edit the **authelia_location-basic.conf** and replace the first line to match the __basic endpoint__ defined above:
set $upstream_authelia http://127.0.0.1:9071/api/authz/basic;
I have added the specific endpoints (normal / basic) to the URL..
===== Enable Authelia in NGINX =====
Well, you can enable Authelia support in any subdomain you want by simply adding the following three lines to your NGINX configurations:
# The following goes in the server section:
include "org.gardiol/authelia_location.conf";
# The following two can go either in specific location section, or directly in the server section to protect ALL locations:
include "org.gardiol/authelia_proxy.conf";
include "org.gardiol/authelia_authrequest.conf";
===== Adding and editing users =====
Since i choose file based storage, adding and editing users is a simple matter of editing the following text file **/home/authelia/config/users_database.yml**. If missing, create it from the following example:
>
# yamllint disable rule:line-length
---
###############################################################
# Users Database #
###############################################################
# This file can be used if you do not have an LDAP set up.
users:
myuser:
disabled: false
displayname: "Name Surname"
password: " << see below >>"
email: myuser@mydomain.com
groups:
- admins
- dev
...
# yamllint enable rule:line-length
To create passwords, you can use the Authelia binary itself:
/home/authelia/bin/authelia-linux-amd64 crypto hash generate --help
then copy & paste the password hash inside the above yaml file. Authelia should pickup autmatically the change without the need to reload.
I will be working on an automatic synchronization between **/etc/passwd** users and Authelia users to keep all the authentications in sync in the future.
===== Autostart =====
Create the following file as **/etc/init.d/authelia**:
#!/sbin/openrc-run
# Copyright 1999-2021 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
description="Authelia - authenticator"
pidfile="/run/authelia.pid"
command_background=true
command="/home/authelia/bin/authelia-linux-amd64"
command_args="--config /home/authelia/configuration.yml"
command_user="authelia:authelia"
depend() {
need net
}
Make it executable, and enable on boot:
chmod +x /etc/init.d/authelia
rc-update add authelia default
/etc/init.d/authelia start
===== Update =====
Download a new binary, replace old, restart service!