Authelia: Open source SSO and MFA in Docker
Quick Summary
- I want to introduce you to a solution called Authelia that allows you to self-host your authentication solution, and it is relatively easy to set up.
- Let’s look at Authelia open-source SSO and MFA in Docker using a Docker Compose configuration.
- .
If you are looking at securing your home lab or other environment, two-factor authentication is the way to go. However, is there a way to self-host your two-factor authentication and SSO technologies? Yes, there is! I want to introduce you to a solution called Authelia that allows you to self-host your authentication solution, and it is relatively easy to set up. Also, it is officially supported to work with reverse proxies like Traefik. Let’s look at Authelia open-source SSO and MFA in Docker using a Docker Compose configuration.
Table of contents
- Introduction to Authelia
- Authelia’s Key Features
- Authelia: Installation and Configuration
- Registering your device
- Testing 2FA after registering a device
- Proxy Support in Authelia
- Security Measures in Authelia
- Community Support and Development
- Licensing and Costs
- Leveraging Authelia for Access Management
- Embracing the Authelia Community
- Frequently Asked Questions about Authelia
- Wrapping up
- Other links you may like
Introduction to Authelia
Authelia is an open-source authentication and authorization solution that can integrate with your existing reverse proxies so you can easily enable self-hosted two-factor authentication for your self-hosted web apps.
It offers features such as two-factor authentication and single sign-on and stands out with its capability to offer minimal external dependencies. It is an efficient choice for access management that can be quickly stood up.
Authelia project URL: Authelia – The Single Sign-On Multi-Factor portal for web apps
Authelia’s Key Features
One key aspect of Authelia is its support for several second-factor methods. With the ability to provide two-factor authentication, it adds an extra layer of security. Beyond the basic authentication process, Authelia authentication provides additional factor authentication measures for heightened identity verification.
Another critical feature is its support for file-based user storage and SQLite-based configuration storage. You can also integrate with an LDAP backend, enabling easy user group membership management that most likely already exists in most organizations.
Authelia’s strength in access management also includes its fine-grained access control. This feature allows for precise access restriction and supports bypass authentication under specific conditions.
Authelia: Installation and Configuration
The Authelia authentication layer works in harmony with Docker Compose. To get started, you can clone the git repository and set up the Docker Compose.yml file. This file acts as a guide for your local compose bundle.
Configuring Authelia requires careful attention to the config file. Commands like docker-compose up can be run following command line interactions. With Docker Compose, Authelia benefits from reverse proxy support. How proxy support Authelia works is particularly interesting as it allows the service to work effectively with reverse proxies, enabling more efficient traffic management.
Let’s look at setting up Authelia using Docker Compose. I based my initial configuration on the documentation found here:
Docker-compose.yml
In the example, configuration for Authelia exists along with Heimdall and Nextcloud. Below is my docker-compose file modified for my environment.
Be sure to replace the following:
hostnames
trusted IPs and ranges
---
version: "3.8"
networks:
net:
driver: bridge
services:
traefik:
container_name: traefik
image: traefik:v2.9
restart: always
command:
- '--api=true'
- '--api.dashboard=true'
- '--api.insecure=false'
- '--pilot.dashboard=false'
- '--global.sendAnonymousUsage=false'
- '--global.checkNewVersion=false'
- '--log=true'
- '--log.level=DEBUG'
- '--log.filepath=/config/traefik.log'
- '--providers.docker=true'
- '--providers.docker.exposedByDefault=false'
- '--entryPoints.http=true'
- '--entryPoints.http.address=:8080/tcp'
- '--entryPoints.http.http.redirections.entryPoint.to=https'
- '--entryPoints.http.http.redirections.entryPoint.scheme=https'
## Please see the Forwarded Header Trust section of the Authelia Traefik Integration documentation.
- '--entryPoints.http.forwardedHeaders.trustedIPs=10.1.149.0/24,192.168.1.0/24,fc00::/7'
- '--entryPoints.http.proxyProtocol.trustedIPs=10.1.149.0/24,192.168.1.0/24,fc00::/7'
- '--entryPoints.http.forwardedHeaders.insecure=false'
- '--entryPoints.http.proxyProtocol.insecure=false'
- '--entryPoints.https=true'
- '--entryPoints.https.address=:8443/tcp'
## Please see the Forwarded Header Trust section of the Authelia Traefik Integration documentation.
- '--entryPoints.https.forwardedHeaders.trustedIPs=10.1.149.0/24,192.168.1.0/24,fc00::/7'
- '--entryPoints.https.proxyProtocol.trustedIPs=10.1.149.0/24,192.168.1.0/24,fc00::/7'
- '--entryPoints.https.forwardedHeaders.insecure=false'
- '--entryPoints.https.proxyProtocol.insecure=false'
networks:
net: {}
ports:
- "80:8080"
- "443:8443"
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ${PWD}/data/traefik:/config
labels:
- 'traefik.enable=true'
- 'traefik.http.routers.api.rule=Host(`traefik.cloud.local`)'
- 'traefik.http.routers.api.entryPoints=https'
- 'traefik.http.routers.api.tls=true'
- 'traefik.http.routers.api.service=api@internal'
- 'traefik.http.routers.api.middlewares=authelia@docker'
authelia:
container_name: authelia
image: authelia/authelia
restart: unless-stopped
networks:
net: {}
expose:
- 9091
volumes:
- ${PWD}/data/authelia/config:/config
environment:
TZ: "America/Chicago"
labels:
- 'traefik.enable=true'
- 'traefik.http.routers.authelia.rule=Host(`auth.cloud.local`)'
- 'traefik.http.routers.authelia.entryPoints=https'
- 'traefik.http.routers.authelia.tls=true'
- 'traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/verify?rd=https://auth.cloud.local'
- 'traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true'
- 'traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email'
nextcloud:
container_name: nextcloud
image: linuxserver/nextcloud
restart: unless-stopped
networks:
net: {}
expose:
- 443
volumes:
- ${PWD}/data/nextcloud/config:/config
- ${PWD}/data/nextcloud/data:/data
environment:
PUID: "1000"
PGID: "1000"
TZ: "Australia/Melbourne"
labels:
- 'traefik.enable=true'
- 'traefik.http.routers.nextcloud.rule=Host(`nextcloud.cloud.local`)'
- 'traefik.http.routers.nextcloud.entryPoints=https'
- 'traefik.http.routers.nextcloud.tls=true'
- 'traefik.http.routers.nextcloud.middlewares=authelia@docker'
heimdall:
container_name: heimdall
image: linuxserver/heimdall
restart: unless-stopped
networks:
net: {}
expose:
- 443
volumes:
- ${PWD}/data/heimdall/config:/config
environment:
PUID: "1000"
PGID: "1000"
TZ: "Australia/Melbourne"
labels:
- 'traefik.enable=true'
- 'traefik.http.routers.heimdall.rule=Host(`heimdall.cloud.local`)'
- 'traefik.http.routers.heimdall.entryPoints=https'
- 'traefik.http.routers.heimdall.tls=true'
- 'traefik.http.routers.heimdall.middlewares=authelia@docker'
You can run the docker-compose up -d command to bring up the workloads in the Docker compose file. However, you will most likely see the Authelia container error out in a boot loop. This is because the configuration file is created with the default/example code.
Check the status of your docker-compose containers using:
docker-compose ps
Authelia config file
Below is my configuration file that I have modified and created under the following path:
<your path>/data/authelia/configThe example code includes the following. Note the following changes I have made:
Create a jwt_secret value
Change the default_redirection_url
Under the section AUTHELIA_SESSION_SECRET_FILE, make sure to change the domain to match the protected root domain
Under the access_control: section, note that we have listed the resources we want to protect underneath and if we want to use one_factor or two_factor.
- Configure the notification.txt file location if you are not setting up proper email forwarding and only want to capture the registration messaging in a file instead, which is great for testing and home lab POCs.
---
###############################################################
# Authelia configuration #
###############################################################
server:
host: 0.0.0.0
port: 9091
log:
level: debug
theme: dark
# This secret can also be set using the env variables AUTHELIA_JWT_SECRET_FILE
jwt_secret: yourjwtsecret
default_redirection_url: https://auth.cloud.local
totp:
issuer: authelia.com
# duo_api:
# hostname: api-123456789.example.com
# integration_key: ABCDEF
# # This secret can also be set using the env variables AUTHELIA_DUO_API_SECRET_KEY_FILE
# secret_key: 1234567890abcdefghifjkl
authentication_backend:
file:
path: /config/users.yml
password:
algorithm: argon2id
iterations: 1
salt_length: 16
parallelism: 8
memory: 64
access_control:
default_policy: deny
rules:
# Rules applied to everyone
- domain: nextcloud.cloud.local
policy: one_factor
- domain: heimdall.cloud.local
policy: two_factor
session:
name: authelia_session
# This secret can also be set using the env variables AUTHELIA_SESSION_SECRET_FILE
secret: unsecure_session_secret
expiration: 3600 # 1 hour
inactivity: 300 # 5 minutes
domain: cloud.local # Should match whatever your root protected domain is
regulation:
max_retries: 3
find_time: 120
ban_time: 300
storage:
encryption_key: a_very_important_secret # Now required
local:
path: /config/db.sqlite3
notifier:
# smtp:
# username: test
# # This secret can also be set using the env variables AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
# password: password
# host: mail.example.com
# port: 25
# sender: [email protected]
filesystem:
filename: /config/notification.txt
...User database config file
The next piece of the puzzle is creating the user database configuration file. This file houses the user configuration database that Authelia will use if you are not tying your authentication configuration into LDAP. Below the password is “Authelia”.
---
# Users
users:
testuser:
displayname: "Test User"
password: "$argon2id$v=19$m=65536,t=3,p=4$hGazLuz31MzVX8Zp3HELaw$J+vU/hXNrTglUCE4bM9tBXTF2G4G+hE6NACLpp0emDg"
email: [email protected]
groups:
- admins
- dev
...You may ask how you get the argon2id hashed password. Great question!
Creating the argon2id hashed password
To create the argon2id hashed password, you can use a special-purpose container from Authelia that allows creating a hashed version of your chosen password to use in your configuration file.
You can find the documentation for creating the special password hash here: Passwords – Reference – Authelia. Replace ‘password’ below with your chosen password, and it will display the hash for the password which you can copy into your users config file.
docker run authelia/authelia:latest authelia crypto hash generate argon2 --password 'password'Registering your device
Once you have plugged in your hashed password in the user database config, you can restart your docker-compose deployment and you should be good to use the password contained in the user configuration database file.
Now, browse to your Authelia host.
Click the register device link.
Registering 2FA using email or notification.txt file
If you have proper email configured, you should receive an email with the link to set up your device.
Otherwise, you can open the notification.txt file to see the URL information.
When you visit the URL, you will see a familiar QR code to setup your 2FA account in your TOTP app.
Testing 2FA after registering a device
Now you can authenticate to either your authentication URL or any of the resources protected by the Authelia authentication solution and you should be prompted for 2FA. Enter your one-time passcode.
You should see your authentication succeed.
Now you can authenticate to one of the protected resources and have it prompt for a one_factor or two_factor authentication login.
Proxy Support in Authelia
The way proxy support Authelia works is closely tied to the concept of reverse proxies. Authelia interacts seamlessly with reverse proxies, leveraging ingress controllers to streamline data flow and improve response times. This proves invaluable in ensuring optimal performance of the web portal.
Security Measures in Authelia
Security with Authelia is robust, incorporating measures to detect potential vulnerabilities and manage invalid authentication attempts. Its built-in mechanisms for password reset further contribute to its security arsenal.
The active development and bug bounty program that Authelia maintains are indicators of how the product remains secure. With its dedicated core team members and sponsorship companies contributing, Authelia’s commitment to internal security and protection against unauthorized access is apparent.
Community Support and Development
The core team behind Authelia is supported by a wider community including Matrix and Discord community members. This provides a healthy environment for active development, with beta support provided by core team members and the community alike.
Licensing and Costs
One of the advantages of Authelia is its licensing. Being an open-source authentication and authorization server, it carries near zero cost. Authelia is free to use, with the added advantage of having minimal external dependencies, reducing the need for additional expenditure on associated software or hardware.
Leveraging Authelia for Access Management
Effective access management is a cornerstone of web security. With Authelia, you have a powerful tool to help you achieve this. The single sign-on capability of Authelia provides a convenient and secure way for users to access multiple applications or services after a single login. This feature reduces the need for users to remember multiple credentials, enhancing user experience while maintaining high security.
Additionally, the concept of fine-grained access control in Authelia enables precise control over user access. Configuring the access control settings lets you decide who gets access to what resources and when. This feature is crucial when managing multiple users with different roles and access levels. Using Authelia, you can achieve an optimal balance between access and security.
Embracing the Authelia Community
The vibrant community behind Authelia plays a pivotal role in its development and success. Core team members work hand in hand with Matrix and Discord community members to maintain active development. This collaborative effort results in a continuously improving product and provides a platform where users can find support, contribute, and learn.
Participation in the community can range from active coding contributions to participation in discussions about feature enhancements and best practices. Beta support, facilitated by the core team members and other community contributors, allows testing and refining new features before they are fully launched. This iterative development process ensures Authelia’s product remains secure and at the cutting edge of authentication and authorization technology.
The community isn’t just limited to the digital realm. Sponsorship companies contributing to Authelia also play a crucial part in its success, providing the necessary resources to keep the project alive and thriving. With all these elements, the Authelia community is critical to the product’s robustness and appeal. By engaging with the community, users can leverage collective knowledge and insights to make the most out of Authelia in their own infrastructure.
Frequently Asked Questions about Authelia
1. Can Authelia bypass authentication under certain conditions?
One of Authelia’s unique features is its ability to bypass authentication under specific match criteria. This is useful for certain situations where authentication isn’t required or desirable, adding another layer of flexibility to Authelia’s capabilities.
2. How does Authelia’s proxy support work?
Authelia’s proxy support works in tandem with reverse proxies. It allows the software to manage network traffic efficiently, thereby improving response times and the overall user experience. Reverse proxies play a critical role in how proxy support Authelia works, providing a smooth traffic flow for the web portal.
3. What happens if I input invalid authentication attempts?
Authelia incorporates robust security measures that take care of invalid authentication attempts. Continuous unsuccessful attempts may lead to temporary account suspension, furthering the internal security measures of the system.
4. Can I control access with Authelia?
Yes, Authelia provides fine-grained access control, allowing you to limit user access based on specified conditions. This helps ensure proper access management and enhances the system’s overall security.
5. Is there a way to test Authelia?
Absolutely. Testing Authelia’s setup and configurations is vital for optimal security and performance. You can do this using Docker Compose in your local environment as shown in this post. Remember to keep your docker-compose.yml file updated for your local compose bundle.
Wrapping up
Authelia is an excellent open-source authentication and authorization solution. Its fine-grained access control, two-factor authentication, and single sign-on capabilities offer awesome protection for your web portal. Its support for Docker Compose, versatile proxy support, and active community development make Authelia a fantastic solution in your home lab or production environment for securing modern containerized resources.
