Authelia
Authelia is an open-source authentication and authorization server and portal fulfilling the identity and access management (IAM) role of information security in providing multi-factor authentication and single sign-on (SSO) for your applications via a web portal. It acts as a companion for common reverse proxies.
This is not simple stuff and it requires some understanding of what you are doing: just copy-pasting configurations and crossing your fingers will not work and will only lead to frustration.
I strongly suggest you read the very good Get Started page and the linked references before you proceed.
Installation
First of all, your NGINX must be compiled with the auth_request module (ngx_http_auth_request_module), but if you followed my NGINX guide (here), you are all set.
While Authelia provides Docker images, there is really no reason to use a container since it's a single executable that you can simply download and start. So let's install it on bare metal!
As usual, let's create a dedicated user:
useradd -m authelia
In this case you should leave the home folder under /home/authelia: since this is an authentication service, you want it to always work, even if the /media folder doesn't mount for any reason.
Now it's time to download the latest release from https://github.com/authelia/authelia/releases and install it under the user's bin folder:
su - authelia
wget https://github.com/authelia/authelia/releases/download/vX.Y.Z/authelia-vX.Y.Z-linux-amd64.tar.gz
mkdir bin config db logs
cd bin
tar xvf ../authelia-vX.Y.Z-linux-amd64.tar.gz
Configuration
Now you need to copy the provided example configuration to /home/authelia/configuration.yml and edit it to your needs:
cp bin/config-example.yml configuration.yml
As an example, here is my configuration.yml, stripped to the bone:
- configuration.yml
---
theme: 'auto'

server:
  address: 'tcp://127.0.0.1:9071/'  # port 9071, default would collide with another service
  endpoints:
    authz:
      auth-request:
        implementation: 'AuthRequest'

log:
  level: 'debug'
  format: 'text'
  file_path: '/home/authelia/logs/authelia.log'

telemetry:
  metrics:
    enabled: false

totp:
  disable: false

webauthn:
  disable: false

identity_validation:
  reset_password:
    jwt_secret: '<<< put a good secret here >>>>'

authentication_backend:
  password_reset:
    disable: false
  file:
    # For simplicity, I use a file based storage for users
    path: '/home/authelia/config/users_database.yml'
    watch: true

password_policy:
  standard:
    enabled: false
    min_length: 8
    max_length: 0
    require_uppercase: true
    require_lowercase: true
    require_number: true
    require_special: true
  zxcvbn:
    enabled: false
    min_score: 3

privacy_policy:
  enabled: false
  require_user_acceptance: false
  policy_url: ''

access_control:
  default_policy: 'deny'
  rules:
    - domain: '*.mydomain.com'
      policy: 'one_factor'

session:
  secret: '<<< another, different, secret here >>>>'
  cookies:
    - domain: 'mydomain.com'
      authelia_url: 'https://login.mydomain.com'
      default_redirection_url: 'https://mydomain.com'
      name: 'authelia_session'
      same_site: 'lax'
      inactivity: '5m'
      expiration: '14h'
      remember_me: '1M'

storage:
  encryption_key: '<<< put a good string here >>>>'
  local:
    path: '/home/authelia/db/db.sqlite3'

notifier:
  disable_startup_check: false
  filesystem:
    # Using email notifier is probably better: TBD
    filename: '/home/authelia/config/notification.txt'
...
This file makes a few assumptions: for example, you need to create login.mydomain.com in your NGINX configuration, create the subdomain in your domain's DNS, and generate the corresponding HTTPS certificate. Authelia will not work otherwise, by design.
From this point onward, always refer to the Authelia documentation to understand what I am doing.
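To see what the access_control block above actually grants, here is an added Python model of Authelia's first-match rule evaluation (example code written for this page, not Authelia's own implementation; the simplified domain and resources matching is an assumption based on Authelia's documented behaviour). It shows the caveat that `*.mydomain.com` covers subdomains only, so the apex `mydomain.com` used as default_redirection_url falls through to the deny default unless you add a rule for it.

```python
import re

# Constructed rule set mirroring the access_control block of the configuration.yml above.
# Domain values are placeholders for this example, not a real deployment.
DEFAULT_POLICY = "deny"
RULES = [
    {"domain": ["*.mydomain.com"], "policy": "one_factor"},
]


def domain_matches(pattern: str, host: str) -> bool:
    """Authelia-style domain match (assumed): '*.x' is a suffix match on '.x', so it
    covers every subdomain of x but NOT the apex x itself; anything else is exact."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def resource_matches(rule: dict, path: str) -> bool:
    """Optional 'resources' list of regexes; a rule without it matches every path."""
    patterns = rule.get("resources")
    if not patterns:
        return True
    return any(re.search(p, path) for p in patterns)


def resolve_policy(host: str, path: str = "/", rules=RULES, default=DEFAULT_POLICY) -> str:
    """Evaluate rules top to bottom; the first rule whose domain and resources match
    wins, otherwise default_policy applies (here: deny)."""
    for rule in rules:
        domains = rule["domain"]
        if isinstance(domains, str):
            domains = [domains]
        if any(domain_matches(d, host) for d in domains) and resource_matches(rule, path):
            return rule["policy"]
    return default


if __name__ == "__main__":
    for h in ("app.mydomain.com", "mydomain.com", "mydomain.com.evil.example"):
        print(h, "->", resolve_policy(h))
```

Rule order matters: put the narrow two_factor rules (e.g. an admin path) before the broad one_factor rule, otherwise the broad rule wins first.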
This is the associated NGINX config file /etc/nginx/mydomain/login/login.conf:
- login.conf
server {
    server_name login.mydomain.com;
    listen 443 ssl;
    listen 8443 ssl;
    http2 on;

    access_log /var/log/nginx/login.mydomain.com_access_log main;
    error_log /var/log/nginx/login.mydomain.com_error_log info;

    location / {
        include com.mydomain/authelia_proxy.conf;
        proxy_pass http://127.0.0.1:9071;
    }

    location = /api/verify {
        proxy_pass http://127.0.0.1:9071;
    }

    location /api/authz/ {
        proxy_pass http://127.0.0.1:9071;
    }
}
In addition to this one, you also need the following specific NGINX config files:
Enable Authelia in NGINX
Well, you can enable Authelia support in any subdomain you want by simply adding the following three lines to your NGINX configuration:
# The following goes in the server section:
include "org.gardiol/authelia_location.conf";
# The following two can go either in a specific location section, or directly in the server section to protect ALL locations:
include "org.gardiol/authelia_proxy.conf";
include "org.gardiol/authelia_authrequest.conf";
Adding and editing users
Since I chose file based storage, adding and editing users is a simple matter of editing the text file /home/authelia/config/users_database.yml. If it is missing, create it from the following example:
- users_database.yml
# yamllint disable rule:line-length
---
###############################################################
#                       Users Database                        #
###############################################################

# This file can be used if you do not have an LDAP set up.

users:
  myuser:
    disabled: false
    displayname: "Name Surname"
    password: "<< see below >>"
    email: myuser@mydomain.com
    groups:
      - admins
      - dev
...
# yamllint enable rule:line-length
To create passwords, you can use the Authelia binary itself:
/home/authelia/bin/authelia-linux-amd64 crypto hash generate --help
then copy & paste the resulting password hash into the above YAML file. Since the file backend is configured with watch: true, Authelia should pick up the change automatically, without a reload.
I will be working on an automatic synchronization between /etc/passwd users and Authelia users to keep all the authentications in sync in the future.
Autostart
Create the following file as /etc/init.d/authelia:
- authelia
#!/sbin/openrc-run
# Copyright 1999-2021 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2

description="Authelia - authenticator"
pidfile="/run/authelia.pid"
command_background=true
command="/home/authelia/bin/authelia-linux-amd64"
command_args="--config /home/authelia/configuration.yml"
command_user="authelia:authelia"

depend() {
    need net
}
Make it executable (chmod +x /etc/init.d/authelia) and enable it on boot with rc-update add authelia default.
Update
Download a new binary, replace the old one, and restart the service!