Authelia
Authelia is an open-source authentication and authorization server and portal fulfilling the identity and access management (IAM) role of information security in providing multi-factor authentication and single sign-on (SSO) for your applications via a web portal. It acts as a companion for common reverse proxies.
This is not simple stuff and it require some understanding of what you are doing: just copy-pasting configurations and finger-crossing will not work and only lead to frustration.
I strongly suggest you read the very good Get Started page and the linked references before you proceed.
Installation
First of all, your NGINX must be compiled with auth_request module, but if you followed my NGINX guide (here), you are all set.
While Authelia support docker images, there is really no reason to use a container since it's a single executable that you can simply download and start. So let's install on bare-metal!
As usual, let's create a dedicated user:
useradd -m authelia
in this case, you should let the home folder be under the /home/authelia since this is an authentication service, you want to have it always working even if the /media folder doesn't mount for any reason.
Now it's time to download the latest release from https://github.com/authelia/authelia/releases and install it under user bin folder:
su - authelia wget https://github.com/authelia/authelia/releases/download/vX.Y.Z/authelia-vX.Y.Z-linux-amd64.tar.gz mkdir bin config db logs cd bin tar xvf ../authelia-vX.Y.Z-linux-amd64.tar.gz
Configuration
You need to copy the provided example configuration and edit to your needs:
cp bin/config-example.yml configuration.yml
As an example, here is my configuration.yml, split into separate sections because it's very long:
- configuration.yml
--- theme: 'auto' server: address: 'tcp://127.0.0.1:9071/' # port 9071, default would collide with another service endpoints: <<< see below >>> log: <<< see below >>> telemetry: metrics: enabled: false totp: disable: false webauthn: disable: false identity_validation: reset_password: jwt_secret: '<<< put a good secret here >>>>' authentication_backend: <<< see below >>> password_policy: standard: enabled: false min_length: 8 max_length: 0 require_uppercase: true require_lowercase: true require_number: true require_special: true zxcvbn: enabled: false min_score: 3 privacy_policy: enabled: false require_user_acceptance: false policy_url: '' access_control: <<< see below >>> session: secret: '<<< another, different, secret here >>>>' cookies: - domain: 'mydomain.com' authelia_url: 'https://login.mydomain.com' default_redirection_url: 'https://mydomain.com' name: 'authelia_session' same_site: 'lax' inactivity: '5m' expiration: '14h' remember_me: '1M' storage: <<< see below >>> notifier: <<< see below >>> identity_providers: oidc: <<< see below >>> ...
This file has a few assumptions, for example you need to create login.mydomain.com in your NGINX configuration, create the subdomain in your domain DNS, and generate the corrispective HTTPS certificate. Authelia will not work otherwise, by design.
Access Control
This section is used to define how to access domains, and with which policy. I use single factor at this time, so:
access_control:
default_policy: 'deny'
rules:
- domain: '*.mydomain.com'
policy: 'one_factor'
Authentication Backend
I choose to store passwords and users in a yaml text file, for my few users this is perfect and simple enough:
password_reset:
disable: false
file:
path: '/home/authelia/config/users_database.yml'
watch: true
See below on how to add/create users.
Storage
Due to my very limited use case (less than 10 users) i am using SQLite3 as storage backend:
storage:
encryption_key: '<<< put a good string here >>>>'
local:
path: '/home/authelia/db/db.sqlite3'
Notifier
Authelia support both on-flie notifier, which is pretty simple to setup, or email based notifier. While email requires you to setup a dedicated email address for Authelia, it will allow users to reset their password without your actions, which might be desirable.
File based, simple, notifier:
notifier:
disable_startup_check: true
filesystem: # Using email notifier is probably better: TBD
filename: '/home/authelia/config/notification.txt'
SMTP / email notifier:
notifier:
disable_startup_check: true
smtp:
address: 'smtp://mail.mydomain.com:587'
username: 'authelia@mydomain.com'
password: '<<< put email password here >>>'
sender: 'Authelia <authelia@mydomain.com>'
Note the disable_startup_check: you should set it to true to prevent authelia to crash at boot if network is not yet reachable.
Endpoints
Please note the endpoints configuration below: i have created two different endpoints:
- standard: which will be used by all supported services
- basic: which will be needed by some protocols like WebDAV and such
endpoints:
authz:
normal: # This is used for the non-basic auth
implementation: 'AuthRequest'
authn_strategies:
- name: 'CookieSession'
basic: # this enables basic auth for services that don't uspport anything else
implementation: 'AuthRequest'
authn_strategies:
- name: 'HeaderAuthorization'
schemes:
- 'Basic'
This is different from the stock authelia configuration files and requires one important change to the NGINX snippets below, which i will point out. Do not forget to edit the snippets where indicated.
Log
Moving logging to a separate file, remember to logrotate it, because it will grow a lot over time:
log: level: 'debug' format: 'text' file_path: '/var/log/authelia/authelia.log'
For the log file, you need to create and set permissions to /var/log/authelia:
mkdir /var/log/authelia chown authelia:authelia /var/log/authelia chmod 750 /var/log/authelia
OIDC Provider
Setting up Authelia as OIDC Provider is useful to support services that support this protocol, like Jellyfin. See here for more details.
Add the following section to your configuration.yml:
identity_providers:
oidc:
hmac_secret: '<<see below>>'
jwks:
- key_id: 'main'
use: 'sig'
key: |
-----BEGIN PRIVATE KEY-----
... <<< see below >>> ...
-----END PRIVATE KEY-----
enable_client_debug_messages: false
minimum_parameter_entropy: 8
enforce_pkce: 'public_clients_only'
enable_pkce_plain_challenge: false
enable_jwt_access_token_stateless_introspection: false
discovery_signed_response_alg: 'none'
discovery_signed_response_key_id: ''
require_pushed_authorization_requests: false
authorization_policies:
policy_name:
default_policy: 'one_factor'
rules:
- policy: 'deny'
subject: 'group:services'
lifespans:
access_token: '1h'
authorize_code: '1m'
id_token: '1h'
refresh_token: '90m'
cors:
endpoints:
- 'authorization'
- 'token'
- 'revocation'
- 'introspection'
allowed_origins:
- 'https://mydomain.com'
allowed_origins_from_client_redirect_uris: false
To generate hmac_secret use the following command:
/home/authelia/bin/authelia-linux-amd64 crypto rand --length 64 --charset alphanumeric
To generate the PRIVATE KEY use the following command:
openssl genrsa -out private.pem 4096 && cat private.pem
You can delete the generated files afterward.
OIDC Client
Each OIDC client must have it's own section in the Authelia configuration file. See here for an example.
identity_providers:
oidc:
<< omissis, see OIDC Providers above >>
clients:
- client_id: ' <<< see below >>>'
client_name: 'Jellyfin'
client_secret: '<<< see below >>>'
public: false
authorization_policy: 'two_factor'
require_pkce: true
pkce_challenge_method: 'S256'
redirect_uris:
- 'https://client.example.com/sso/OID/redirect/authelia'
scopes:
- 'openid'
- 'profile'
- 'groups'
userinfo_signed_response_alg: 'none'
token_endpoint_auth_method: 'client_secret_post'
To generate the client_id:
./home/authelia/bin/authelia-linux-amd64 crypto rand --length 72 --charset rfc3986
To generate client_secret:
/home/authelia/bin/authelia-linux-amd64 crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
Customization
If you want to customize the look & feel of the login dialog, you can replace the logo and the favicon.
In your configuration path add the line:
server: asset_path: '/home/authelia/config/assets'
and drop in that folder two files:
- favicon.ico (must be an ico)
- logo.png (must be a png)
Logout
You can logout by going to the URL https://login.mydomain.com/logout.
NGINX support files
From this point onward, always refer to Authelia documentation to understand what i am doing.
This is the associated NGINX config file /etc/nginx/mydomain/login/login.conf:
- login.conf
server { server_name login.mydomain.com; listen 443 ssl; listen 8443 ssl; http2 on; access_log /var/log/nginx/login.mydomain.com_access_log main; error_log /var/log/nginx/login.mydomain.com_error_log info; location / { include com.mydomain/authelia_proxy.conf; proxy_pass http://127.0.0.1:9071; } location = /api/verify { proxy_pass http://127.0.0.1:9071; } location /api/authz/ { proxy_pass http://127.0.0.1:9071; } }
In addition to this one, you need also che following specific NGINX config files:
- The /etc/nginx/com.mydomain/authelia_proxy.conf: see here
- The /etc/nginx/com.mydomain/authelia_location.conf: see here
- The /etc/nginx/com.mydomain/authelia_location-basic.conf: see here
- The /etc/nginx/com.mydomain/authelia_authrequest.conf: see here
- The /etc/nginx/com.mydomain/authelia_authrequest-basic.conf: see here
Now, you need to edit the authelia_location.conf and replace the first line to match the standard endpoint defined above:
set $upstream_authelia http://127.0.0.1:9071/api/authz/normal;
And, similarly, you need to edit the authelia_location-basic.conf and replace the first line to match the basic endpoint defined above:
set $upstream_authelia http://127.0.0.1:9071/api/authz/basic;
I have added the specific endpoints (normal / basic) to the URL..
Enable Authelia in NGINX
Well, you can enable Authelia support in any subdomain you want by simply adding the following three lines to your NGINX configurations:
# The following goes in the server section:
include "org.gardiol/authelia_location.conf";
# The following two can go either in specific location section, or directly in the server section to protect ALL locations:
include "org.gardiol/authelia_proxy.conf";
include "org.gardiol/authelia_authrequest.conf";
Adding and editing users
Since i choose file based storage, adding and editing users is a simple matter of editing the following text file /home/authelia/config/users_database.yml. If missing, create it from the following example:
- users_database.yml
> # yamllint disable rule:line-length --- ############################################################### # Users Database # ############################################################### # This file can be used if you do not have an LDAP set up. users: myuser: disabled: false displayname: "Name Surname" password: " << see below >>" email: myuser@mydomain.com groups: - admins - dev ... # yamllint enable rule:line-length
To create passwords, you can use the Authelia binary itself:
/home/authelia/bin/authelia-linux-amd64 crypto hash generate --help
then copy & paste the password hash inside the above yaml file. Authelia should pickup autmatically the change without the need to reload.
I will be working on an automatic synchronization between /etc/passwd users and Authelia users to keep all the authentications in sync in the future.
Autostart
Create the following file as /etc/init.d/authelia:
- authelia
#!/sbin/openrc-run # Copyright 1999-2021 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 description="Authelia - authenticator" pidfile="/run/authelia.pid" command_background=true command="/home/authelia/bin/authelia-linux-amd64" command_args="--config /home/authelia/configuration.yml" command_user="authelia:authelia" depend() { need net }
Make it executable, and enable on boot:
chmod +x /etc/init.d/authelia rc-update add authelia default /etc/init.d/authelia start
Update
Download a new binary, replace old, restart service!