Let's Install - Authelia (In Depth)- Authorization and Authentication Server

8 months ago   •   9 min read

By Sycotix
Table of contents

Last time we did a brief overview of the install for Authelia. Today, we'll be going a little deeper and going through each step together. We hope this helps make your installation a little easier.

Authelia is an open-source authentication and authorization server providing 2-factor authentication and single sign-on (SSO) for your applications via a web portal. It acts as a companion of reverse proxies like nginx, Traefik or HAProxy to let them know whether queries should pass through. Unauthenticated users are redirected to Authelia Sign-in portal instead.

<


IBRACORP - https://ibracorp.io

YouTube: https://youtube.com/c/IBRACORP

Discord - https://discord.gg/VWAG7rZ

GitHub - https://github.com/ibracorp

unRAID Forum - http://bit.ly/2MwDPTV

Twitter - https://twitter.com/IBRACORP_IO

===============================

Disclaimer: we are in no way offically affiliated with the product below. We simply try to connect their work to a wider audience. We are not responsible or liable for any damages as result of following these instructions and are provided only for reference and assistance.


Table of Contents

  1. Authelia on unRAID
  2. References
  3. Redis
  4. MySQL & MariaDB
  5. Authelia
  6. NGINX Proxy Manager
  7. Protecting Endpoints
  8. FAQ
    1. Worflow
    2. Infinite Login Screen
    3. Let's Encrypt
    4. LDAP
    5. DUO 2FA
    6. Authelia Interface
    7. Startup Order
    8. File Permissions

Authelia on unRAID

The instructions below are for installing the following on unRAID using Docker:

We assume your environment has the following already setup and working:

  • NGINX Proxy Manager
  • Domain with the following subdomains (where 'example' is your domain and 'service' is the endpoint you want protected (i.e. monitorr.example.com)
    • Adjust/Create your own CNAMES where required.
      • example.com
      • auth.example.com
      • service.example.com

This will not cover how to configure LDAP (see bottom), Traefik or Let’s Encrypt, however there are plenty of resources on how to do this, including the official docs of Authelia.


REFERENCES

To make modifying easier we have tried to replace commonly required changes with a placeholder. This allows a quick Find/Replace in something like Notepad++ (which is highly recommended).
All are explained in their respective steps later in this guide:

  • YOURPASSWORD - Password which you have set, with respect the section you are reading. i.e. MySQL password could be different to your Redis password.
  • YOURSECRET - A secret generated in 128-bit. You can use this site to generate them:
  • YOURDOMAIN - Your own domain name
  • SERVERIP - Local IP address of your unRAID server the containers run on. i.e. 192.168.1.50
  • CONTAINERPORT - Port the container being proxied is running on in unRAID. i.e. Monitorr could be using 480
  • CONTAINERNAME - Name of the container to be proxied. i.e. 'monitorr'
  • CONTAINERIP - IP address of the container.

Redis

Authelia requires the Redis container to work (as referenced in the configuration.yml)

  1. In unRAID, visit the apps tab

  2. Search for and install 'redis'. We are using the bitnami/redis container as it has parameters mapped for a password, which we will need to add into configuration.yml later.

  3. In the template installation screen:

     Network Type: The network you host your containers on so that they can communicate.
     PORT: 6379
     ALLOW_EMPTY_PASSWORD: no
     PASSWORD: YOURPASSWORD
    

MYSQL/MariaDB

Authelia requires a MYSQL/MariaDB database container to work (as referenced in the configuration.yml)
IF YOU DO NOT ALREADY HAVE SQL INSTALLED:

  1. In unRAID, visit the apps tab

  2. Search for and install 'mariadb'. We are using the linuxserver/mariadb container.

  3. In the template installation screen:

     	Network Type: The network you host your containers on so that they can communicate.
     	PORT: 3306
     	MYSQLROOTPASSWORD: YOURPASSWORD
    
  4. Under Docker tab in unRAID, left click the mariadb container, select Console

  5. Create our user:

    • Enter the following then hit enter:

      mysql -uroot -p
      
    • Enter the password you set in the container settings then type:

      CREATE USER 'authelia' IDENTIFIED by 'YOURPASSWORD';
      

    This password will be referenced in configuration.yml

  6. Create our database:

    • Enter the following then hit enter:

      CREATE DATABASE IF NOT EXISTS authelia;
      
  7. Allow privileges to the database:

    • Enter the following then hit enter:

      GRANT ALL PRIVILEGES ON authelia.* TO 'authelia' IDENTIFIED BY 'YOURPASSWORD';
      

      This is the password you created for the user above.

    • Enter the following then hit enter:

      quit
      
  8. You can now close the terminal window

Authelia

  1. Install Authelia via the Community Apps plugin in unRAID. Original template was created by (big thanks) lilfade (https://github.com/lilfade)

    • The container will stop after first run as the config file is missing and will be created automatically.
    • You should not need to change any settings unless the host port (default: 9091) will clash with any other containers.
  2. In your appdata/authelia folder you will find:

     configuration.yml
    

You MUST edit this file to suit your domain, gmail (or other smtp) and environment. The sample provided in this repo has been tested and works, however, it is strongly advised to read the official docs on the configuration to ensure it meets your requirements (https://www.authelia.com/docs/configuration/)

  1. Configure the file as required. We have placed our confirmed working config in this repo. Remember the placeholders which will need to be changed (listed at the top of this document).

  2. You will notice that LDAP has been commented out for this setup to use file backend instead. LDAP is beyond the scope of this document.

    • In our repo you will find the file named 'users_database.yml'.
    • Copy this file into your appdata/authelia folder.
      You MUST edit this file.

    At this point you should start the Authelia container and read the logs. Test that you can reach the webui of Authelia (http://SERVERIP:9091) and can log in or setup 2FA.

NGINX Proxy Manager (NPM)

The templates provided in this repo assume you have created a CNAME subdomain in your DNS for 'auth.example.com' and have a subdomain already working for your endpoint such as 'radarr.example.com'.

  1. Modify the data inside 'Authelia Portal.conf' and 'Protected Endpoint.conf'. If no ports were changed in any of the above config, you should only need to change:

    • 'Authelia Portal.conf':

      • 'SERVERIP' = Local IP address of your unRAID server the containers run on. i.e. 192.168.1.50
    • 'Protected Endpoint.conf':

      • 'SERVERIP' = Local IP address of your unRAID server the containers run on. i.e. 192.168.1.50
      • 'CONTAINERNAME' = Name of the container to be proxied. i.e. 'monitorr'
      • 'CONTAINERIP' = IP address of the container.
      • 'YOURDOMAIN' = Your own domain name.
  2. Copy the data and head to your NPM dashboard > Hosts > Proxy Hosts

  • WARNING - if you use Cloudflare as the DNS for your domain, you must change the setting of the subdomain in Cloudflare to bypass proxy ONLY for this step. Seems to be fixed now.
  1. Select Add Proxy Host
    • Details:
      • Domain name: auth.example.com (or whatever CNAME you set in your DNS)
      • Scheme: http
      • Forward Hostname / IP: Local IP address of your unRAID server
      • Port: 9091
      • Turn ON: Cache Assets, Block Common Exploits
    • SSL:
      • Request new SSL certificate
      • Turn ON: Force SSL, HTTP/2 Support, HSTS Enabled (if using, i.e. in Cloudflare)
      • Email address: used to create Let’s Encrypt cert.
      • Select I Agree and Save.

REMINDER: after this is successful, return to Cloudflare and turn the proxy against auth.example.com back ON, or your server IP will be public.

  1. Test that you can reach the webui of Authelia selecting the new proxy or typing in its address. i.e. 'auth.example.com'

    • NB: For some reason in the current version of NPM as of writing this (v2.2.4) the SSL settings turn off after initial creation. Go back into the SSL
      settings of 'auth.example.com' and turn them back on then save again.
  2. If all the above is working as intended; Edit proxy host 'auth.example.com'

    • Advanced
      • Under Custom Nginx Configuration, paste the config you customised from 'Authelia Portal.conf'
  3. Save and confirm you can still access the webui via the URL.

To protect an endpoint (i.e. sonarr)

  1. Edit proxy host 'sonarr.example.com'
    • Advanced
      • Under Custom Nginx Configuration, paste the config you customised from 'Protected Endpoint.conf'
  2. (Optional) If using services which use API to communicate with eachother such as Radarr, Sonarr or Lidarr, you may also need to add a location for the API in order to disable the authorization else it may fail to connect. Settings below are relevant to Sonarr and it's sister products. Be sure to check the docs of the service you are configuring.
    • Edit proxy host 'sonarr.example.com'
      - Custom Locations

            Location: /api
            Scheme: http
            Forward Hostname/IP: SERVERIP/api
            Forward Port: 8686
            Select gear icon: auth_request off;
      
    • Confirm you can connect to the API by using, for example, Ombi. TV > Sonarr > Test connection.

FAQ

Workflow

In theory the workflow is:

  1. User (listed in the users file, but is not signed in) tries to connect to https://service.domain.com

  2. User is redirected to https://auth.domain.com to sign in

  3. User is given either single factor or second factor options, depending what is set on the subdomain in the configuration.yml

  4. User signs in successfully and is redirected back to origin URL https://service.domain.com

Hope this is of assistance to you. Please provide feedback where required.

No/infinite native login screen on endpoint

You may find when passing through Authelia successfully that the endpoint (i.e. Sonarr) has no login screen (if you had a login screen enabled).
This is not related to Authelia, but rather NGINX. From personal experience performing the below may fix this.

  1. Edit proxy host 'sonarr.example.com'
    • Advanced
      • Under Custom Nginx Configuration, paste the below in above any location blocks

        proxy_intercept_errors off;

Test again. If no change, try with it on or removed again.

Let'sEncrypt

If you are using LinuxServer.io LE container you need to add this under the server block for its out-of-the-box Authelia support to work:

server:
path: authelia

If you are using the LSIO LE container, there's no need to utilize Authelia as its own subdomain reverse proxy.

LDAP

If you want to use LDAP as your backend (which is recommended), here's the config we use in the Authelia YAML. Be sure to comment out the File Backend section when using this.

NOTE: This config is based on implementation with FreeIPA as our LDAP server. If using any other server such as OpenLDAP or Active Directory, you will need to adjust the user/group attributes and filters to suit.
You must also modify the domain settings below to match your environment.

FREEIPA CONFIG HAS BEEN INTEGRATED IN THE 'CONFIGURATION.YML' FOUND AT THE TOP OF THIS PAGE.
IF YOU ARE USING ACTIVE DIRECTORY - PLEASE SEE THE FILE CALLED AD-CONFIGURATION FOR YOUR TEMPLATE AND REPLACE RELEVANT SETTINGS IN 'CONFIGURATION.YML'

Duo 2FA

These instructions were provided by ThreeFN on our Unraid forum thread (link at top).

On Duo, you actually need TWO logins. The first is your admin account that sets-up your hostname/integration_key/secret_key via Partner Auth API. Now with with you need to go into the config for the Application->PartnerAuthAPI and add a user that is THE SAME NAME as the user you have in file/ldap and then EMAIL THEM which will give you the ability to enroll the phone app to that user. Then you can enroll that in authelia when you get to that point.

Access the Authelia Interface

At any time, you can go directly to the Authelia page by typing in your URL set for it. i.e. auth.example.com.

Startup Order

If using the external database and Redis options (recommended), it's important to note that the startup order of your containers must be configured correctly.
In unRAID:

  1. On the Dockers page, select Advanced
  2. Click and drag the rows of containers so that all database containers are higher on the list than Authelia
  3. Next, beside the Autostart toggle, you can set a delay (in seconds) for the container to wait before starting the next container underneath it.
    • This is useful because it allows certain containers which take a while to start up and may have dependencies to have more time to finish.

Insufficient Permissions to Edit Config File

If you are confronted with permissions issues when trying to edit the YML file, check your permissions by opening the console in unRAID and entering the following (after the #):

[email protected]:~# ls -lah /mnt/user/appdata/Authelia/

You may see the following:

drwxrwxrwx 1 nobody users  34 Mar  5 17:20 ./
drwxrwxrwx 1 nobody users 410 Mar  5 17:19 ../
-rw------- 1 nobody users 20K Mar  5 17:20 configuration.yml

Notice the last line, where it is not allowing editing.
To fix this enter the following in the console:

[email protected]:~# chmod a+rw /mnt/user/appdata/Authelia/configuration.yml 

Then check the permissions again:

[email protected]:~# ls -lah /mnt/user/appdata/Authelia/

You should now see this:

drwxrwxrwx 1 nobody users  34 Mar  5 17:20 ./
drwxrwxrwx 1 nobody users 410 Mar  5 17:19 ../
-rw-rw-rw- 1 nobody users 20K Mar  5 17:20 configuration.yml

Spread the word

Keep reading