2 Factor Auth and Single Sign On with Authelia

  • Published Jun 11, 2024
  • Authelia is an open source Single Sign On and 2FA companion for reverse proxies. It helps you secure your endpoints with single factor and 2 factor auth. It works with nginx, Traefik, and HAProxy. Today, we'll configure Authelia with Portainer and Traefik and have 2 Factor up and running with brute force protection!
    Video Notes: technotim.live/posts/authelia...
    00:00 - What is Authelia?
    01:52 - Authelia configurations
    02:43 - Their Docker Compose Example
    04:14 - Our Docker Compose File
    07:48 - Authelia Configuration File
    09:14 - Users Database
    11:08 - Password Hashing Algorithm
    11:55 - More Configuration
    14:46 - Notification Service
    16:56 - Spin up your services on your service
    18:12 - Authelia Sign In Screen
    18:59 - Adding Auth to Containers
    20:14 - Adding Auth to External Services
    21:51 - Authelia 2 Factor Screen
    22:34 - Getting Notification from File
    23:11 - 2FA for the first time
    23:32 - What do you think of Authelia?
    24:37 - Stream Highlight - How's the Hair???
    Traefik Tutorial:
    • Put Wildcard Certifica...
  • Science and technology

COMMENTS • 226

  • @TechnoTim 3 years ago +45

    Are you using 2 Factor Auth yet???

    • @deancox5383 3 years ago +5

      very soon to be now with your help !

    • @nbensa 3 years ago +11

      The kind of users I have to deal with at work get lost trying to convert Excel to CSV. If I implement 2FA, most of them will simply commit suicide but not before I lose my job :-)

    • @davidvpelt 3 years ago

      Thank you Tim! I wanted to do this for a long time but I couldn’t get it to work!

    • @flahiker 3 years ago

      Always wanted to, but needed a platform to interact with. Giving this a good look in my lab!

    • @ajhalili2006 3 years ago

      Well yes! I also ditched Lastpass with Bitwarden (using an instance of Vaultwarden) as my TOTP and password manager.

  • @lazandrei_19 3 years ago +26

    I've wanted to learn about authelia forever. thanks Tim!

  • @gcmaudio 2 years ago +6

    Love your channel, Tim! Have learned so much from it, and it's opened my eyes to lots of cool open-source stuff I didn't know existed. I discovered your channel looking for Kubernetes tutorials! Keep up the great work 👍

  • @westganton 3 years ago +2

    Awesome channel. I just started learning Kubernetes and I'm glued to your videos at 1 AM on a Saturday morning. Thanks for all of the great primers

  • @NickSchlobohm 3 years ago +3

    This video could not have come at a better time! Thank you so much Tim. Love the content as always!

  • @lexitusfish 2 years ago +6

    Thanks for the inspiration Tim. I'm using Nginx, but your configs got me 80% of the way there, and the Authelia docs are pretty solid as well. The 2-factor setup is really smooth! 👍

    • @TechnoTim 2 years ago +2

      Thank you! NP! Nice work!

    • @ppastur 2 years ago +4

      Hi Ed, I was wondering if you could share how you got this working with NGINX. I have NGINX proxy manager already set up and working and would love to use Authelia instead of the basic authentication provided by NGINX.
      Tim- thanks for the informative and detailed video.

  • @NightingaleMage 2 years ago +15

    Thanks for everything you do, Tim, you've gotten me so far in my container & home labbing journey so far to increase my skills. After doing digging into tons of potential options for MFA in front of my containers, Authelia has seemed to massively be changed compared to this review & example setup. Do you think you could look at doing a follow-up with the updated options / potential changes to the configuration options & install process?

  • @fecalfetus7902 1 year ago

    Thanks Tim. Traefik clouds the mind to think about at first.. but watching this video a few times and going through their guides it made a lot more sense.

  • @rickgarcia1128 2 years ago

    I've watched hundreds of self-hosted tutorials and this was by far the cleanest and easiest to understand! Good shit!

    • @TechnoTim 2 years ago

      Thank you! I have plenty of self-hosted videos!

  • @daysiewaysie 1 year ago

    a great tutorial, many thanks Tim. it really helped me to get Authelia up and running and protecting NPM endpoints... the look of wonderment & satisfaction on your face at 23:16 was something i experienced as well. I feel a blast of accompanying techno music would not have been out of place at this juncture.

  • @deancox5383 3 years ago +1

    EXCELLENT !! I've been following the smart home tutorial and although being very detailed frankly has been very hard for me with the additions of Authelia and the mass of information to digest, going out to the internet for help has been a voyage of discovery with the realisation that I'm not alone in the pursuit. Perfect timing and again many thanks for taking the time. :D

  • @LarsKniep 2 years ago +13

    Nice! would be cool if you could make a video on how to implement authelia in a k3s / k8s cluster.

  • @sagarsriva 2 years ago

    great video, thanks. just learned Traefik-love it, now going to setup authelia, needed just this video

  • @bohdanshcherbak6303 3 years ago +5

    ok, you convinced me.... i'll migrate all of my vms to docker and authelia.

  • @paolonervi2208 1 year ago

    Thank you very much for all the time you dedicate to making your super useful and super clear videos...

  • @walideshtiwi6303 11 months ago

    perfect tutorial and clear step by step thank you, TIM excellent job

  • @Gosydelix 2 years ago +7

    Good work Tim! Really helpful to be honest since I’ve had problems setting this up but unfortunately I don’t use traefik for reverse proxy. I'd love to see a version with npm instead of traefik!

  • @neolithic1990 2 years ago

    After your amazing video about SSL with traefik i followed this one, man, i learn so much with you, i can't say enough thank you... Tyvm!

  • @chrisdelucatube 8 months ago

    Another amazing video! My todo today is to use Authelia to protect my K3S based containers. Thanks again!!

  • @430942 2 years ago

    I'm convinced you are doing some QA before you release the final version from a video. It's not possible you to be so anticipated to every possible individual need. Congrats man, you are doing really good

    • @TechnoTim 2 years ago +1

      I set up and QA everything before I create any tutorial. It's rare that I just wing it and do it live :)

  • @SelfSufficient08 2 years ago

    Thank you for all your content! I am hoping eventually someone does a similar video for Nginx Proxy Manager and Authelia instead of Traefik.

  • @magnoliaraoul 3 years ago

    Great video as always, thanks a lot Tim !

  • @elwoseopenstepcrew1134 1 year ago

    amazing content, just what i need . regards from spain bro! :D

  • @sussudio4384 11 months ago

    Thanks TechnoTim, I simplified the configuration of my middleware thanks to you. I followed smarthomebeginner's but you should also see how others have set it up.
    Personally I've simplified my configuration.yml file to the bare minimum by indicating only the required options and leaving the non-required options by default.

  • @user-kd7fw4hn4h 3 years ago

    Just what I was looking for! Nice

  • @squalazzo 3 years ago +8

    Tim missing from youtube for 3 weeks? --> Tim is working on big stuff, well explained as always! :D

    • @TechnoTim 3 years ago +2

      Thank you! Yup, always working on the next thing! This one took a little longer than expected!

    • @squalazzo 3 years ago

      @TechnoTim compare it with Pomerium :)

  • @arkhadius1172 2 years ago

    Thanks! very good explanation.

  • @Emerald13 3 years ago

    Incredible, will definitely try this

  • @dimaj1 2 years ago +1

    Thanks for another great video!
    So, are you saying that by implementing Authelia, I can disable "native" auth of the protected endpoint? Or would you still recommend doing auth of the app you're trying to get to. In other words. if I were to put portainer behind authelia, would you still enable auth in portainer?
    Thanks!

  • @Techonsapevole 3 years ago +1

    Impressive! What I was looking for.

  • @nissaar5249 2 years ago

    Very interesting Video
    No beating around the bush
    Excellent !!!
    I was able to setup Authelia with Traefik using this video

  • @simongillet2659 2 years ago

    Awesome, thanks for sharing your files.

  • @michelangelop3923 3 years ago

    That's what I have postponed for the last week! Now I will set it up!

  • @jeremytaylor8825 3 years ago

    Amazing! Thanks so much! You made this too easy.

  • @rdvanaltun7668 2 years ago

    I was thinking setup 2FA auth is hard on Authelia but comes out it is too simple, thanks for the video

  • @JPEaglesandKatz 1 year ago

    Awesome video!! Thanks!

  • @localho 3 years ago

    Thanks a lot, was able to create a Kubernetes deployment with this in a few hours ;)

  • @madhudson1 1 year ago

    great vid, would love to see a k8s + traefik implementation too

  • @MestreDentistaGUC 3 years ago

    Hey I like this! Gonna give it a go in my lab. 🤔

  • @DamjanKumin 3 years ago +2

    I like the video and I like content.. I miss the old day TT videos and this one is like that (sorry for feeling nostalgic). So does this now mean you abandoned Rancher completely? Just docker and Portainer? Because this would mean that the rest of us will need to “augment” some of the config - not that this is a problem but just a thought.. I followed much of your tech tips and choices and am in process of lab upgrade and ofc thinking ahead and including your choices :) thx again for great soft choice and excellent video! Keep it up!

    • @TechnoTim 3 years ago +2

      Thank you so much! Didn't abandon it at all! I still run Rancher and Kubernetes at home as well as Docker and Portainer (I always have). just trying to show love to both sides of the aisle!

    • @DamjanKumin 3 years ago

      @TechnoTim thx a million for reply! I look forward to future vids! Sometimes I have your videos playing in background :D so that I do not forget anything 🤷‍♂️🙃

  • @magnuslundquist2899 2 years ago

    This works great, added 2FA to the traefik dashboard.

  • @boxinghistory82 3 years ago

    I like you bro !! keep up !

  • @DanielRolfe 3 years ago

    Thanks Tim, very interesting 🤔

  • @systemofapwne 3 years ago +2

    God dammit, I would like to have known about this about 6 months ago. Right now, I do use organizr for main login against an LDAP backend, which then creates a JWT-cookie for accessing other services. That actually took me some time, especially since Organizr's default JWT checking is slow, so I coded a "middleware" for checking the cookie my own. Authelia would just have had this out of the box :/

  • @RonDLite 2 years ago +1

    Tim keeps finding ways to save us money

  • @bengerber4542 1 year ago +1

    I think it would be worth doing up updated version on this using OIDC SSO. It seems like it has come a long way

  • @mct0407 2 years ago +1

    Hi Tim, great video thanks. Just wondering how you dealt with using Heimdall and the hosted pages behind it? Will the added authelia layer stop the enhanced features that Heimdall uses?

    • @TechnoTim 2 years ago

      If you put a proxy between, it will. otherwise you will need to call the unproxied call, if you can

  • @insomniac_coder 3 years ago

    Woooow 🤩🤩🤩I just setup reverse proxy for my homelab and this 🤩🤩🤩

  • @JeanLucGARNIER 3 years ago

    Nice video! I'll give it a try with my lab apps! If anyone already tweaked the script for Nginx Proxy Manager instead of Traefik, I'd like to get your advice! Thanks in advance and keep up the good work!

  • @emileclevers2178 3 years ago

    Thanks for the very clear tutorial ! As always :)
    Could we deepdive in how to setup the OpenID Connect part when it will be officially released by Authelia ?

    • @TechnoTim 2 years ago +1

      You can do it now with Proxmox 7 and OpenID connect for Authelia!

  • @iAbdulla_AJ 3 years ago

    That's an interesting tool, but I remember before you mentioned you used Keycloak for SSO in your lab! I hope you can make a video on that tool as well and if possible you compare them from your opinion and experience.

    • @TechnoTim 3 years ago

      Thanks! I did mention Keycloak for Rancher Auth but I am using GitHub for that. This is my identity provider internally (rather than using an external provider).

  • @ppastur 2 years ago

    Great video Tim! Thanks. Any pointers as to how to get this working with NGINX proxy manager ?

    • @TechnoTim 2 years ago

      Thank you! Not sure, I use traefik!

  • @hawks5196 3 years ago +13

    Could you go into the openID stuff and also are you able to log into applications that have their own user/pass by only inputting it into Authelia (and it somehow forwarding that on?)

    • @Hydridity 2 years ago

      That's what I'm interested in, when for example protecting proxmox like that, if you don't have already active session for proxmox, it would ask you first for Authelia authentication, and after that proxmox would ask for user once again via its own authentication by default

    • @simonostendorf6280 2 years ago

      Same question.

    • @TheNorthRemember 2 years ago

      same question

    • @TechnoTim 2 years ago +4

      You can do it now with Proxmox 7 and OpenID connect for Authelia!

  • @Buxton252 1 year ago

    Thank you much. Was able to get Traefik up and running from your previous video, and now Authelia for authenticating my services. Awesome. One missing piece though. Could you do a video on a Cloudflare zero trust tunnel connecting into Traefik-- using Authelia as the traefik dashboard authenticator. I know I could just point Cloudflare DNS at my home gateway, but I like the idea of their Zero Trust tunnel allowing one to not open ports on one's router. Thanks again.

  • @MsRope93 3 years ago

    Thanks pretty cool

  • @final182 3 years ago

    This sounds amazing, I am going to deploy this on my homelab as well. Just wondering, what would happen if you use it with, for example, the nextcloud desktop app? I don't think It should be able to connect anymore

    • @nikhil96widhani 2 years ago

      it will break all associated apps because the apps are not used to dual layer of authentication. I think you are looking for a solution such as LDAP. I will love to see a video on LDAP by Tim

  • @gkchimzz28 1 year ago

    Thanks for this.
    Is there a way to use this for Nextcloud and Home Assistant, such that the Mobile Apps still work?

  • @thomask2580 2 years ago

    Thanks

  • @wstrater 3 years ago

    Hello, nice video. I have a question about single sign-on. I understand that Authelia is protecting your access to the Proxmox website but how did it log you into Proxmox? Doesn’t Proxmox have its own credentials and log in page?

    • @TechnoTim 2 years ago

      You can do it now with Proxmox 7 and OpenID connect for Authelia!

  • @budimanjojo4456 3 years ago +2

    Great video. I've been using authelia for a year and yes it's super awesome because it's so easy. But there's one thing I hope you can cover in the future, it's to set authelia to authenticate services that have its own signin page. I always wanted to try it but it's complicated, the service needs to support header authentication or something like that (that's why the compose file has the headers in the traefik middleware section). Also, I think you missed out one important part in the configuration, it's the time your session should end. It's important not to set your session to last forever in your cookies, the default is 30 days if I remember correctly. 😁

    • @TechnoTim 3 years ago

      Thank you!

    • @TechnoTim 2 years ago +1

      You can do it now with Proxmox 7 and OpenID connect for Authelia!

    • @budimanjojo4456 2 years ago +3

      @TechnoTim waiting for your tutorial for that 😁

  • @jvrietveld 3 years ago

    Have you considered using the dynamic configuration of traefik instead of the static one? I find the use of labels per docker-compose file confusing and obscure. See Li Yangs video 'Understand File Provider in Traefik 2'
    Thanks for the great episode with useful examples

  • @NigelSharp 2 years ago

    Thanks!

  • @BlazDGuitar 1 year ago +1

    There is a problem with this approach or I'm missing something (probably the latter)
    In order for this to work there is need to disable auth for all services (what if a certain service is missing that option?)
    because if you don't disable then you receive 2 login screens and that's annoying.
    and if you disable the service's login screen, you can just access the service directly with the local ip and port if someone was able to gain access directly to your home network, which under certain circumstances could be easy (a malicious guest, a hacker trying to crack the wifi, weak wifi password... etc)

  • @lpkampen 2 years ago

    I'm going to try this again, i tried a few weeks ago but somewhere I failed. You know about an Authelia alternative for Kemp?

  • @Mythix2 2 years ago +11

    this is not SSO. it does not sign you in to your proxmox or heimdal, it just allows you to access it. it's additional to the auth built in the services, SSO would integrate/replace those.

  • @zombievaliste 1 year ago

    Hi Techno! Don't know if you'll see my comments but is that possible that Authelia/Crowdsec is "breaking" the auto-renew process of the cloudflare/let's encrypt certificate?

  • @damo_c 10 months ago

    Hey Tim
    Using the file backend, have you run into Authelia crashing with an index out of range error?
    Mine was only up an hour before it crashed out

  • @erbmur 1 year ago

    I might be a little late, but I've just been following along and had a question. I can see that the link you receive for your 2FA is an https link. Why would my authelia be sending me an http link that just leads to a blank page or 404 not found?

  • @ebrahimchalhoub9313 1 year ago

    I wonder how this would work with apps that need to connect to the service, like the jellyfin app on mobile or TV

  • @davidwestra8181 1 year ago

    Are there pros and cons of this compared to the zero trust applications from cloudflare that provide a similar service? Is there a reason to do both?

  • @peterkleingunnewiek5068 2 years ago

    Thank you again Tim, for another nice YouTube manual. I did follow both sessions wildcard ssl and this one. And everything works 2fa and certificates docker- and external websites except Proxmox. Is something changed in the meantime? I get after waiting for 10 seconds a message “gateway Timeout” on an empty page with the correct web address and with the correct certificate. If I make an A-Record pointing to the ip+port direct it works. But not with Traefik and Authelia. Could you or someone else help me this last mile :)?

    • @TechnoTim 2 years ago

      I have examples on my docs site for both authelia and traefik. There is extra config you need to do. You might have to double auth to proxmox too though. Check it out and let me know.

  • @a6k7r2 3 years ago

    Can you please do a video on installing and configuring kong apigateway on rancher!!

  • @rafaelcampoverde 3 years ago +1

    Hi! Thank you for your video... I have one question.. after authelia authentication... you got logged as “root” on Proxmox... Proxmox authentication was previously cached? or authelia sends a “token” to proxmox for your authentication?

    • @TechnoTim 2 years ago

      You can do it now with Proxmox 7 and OpenID connect for Authelia!

  • @lichtii1972 2 years ago

    could you also show how to install this with the nginx proxy manager?

  • @khemararab8588 3 years ago +2

    You should try using push notifications with DUO ! You'll be more impressed.

  • @Prostatafocal 10 months ago

    I’m trying to use 2FA with a yubikey 5 series but can’t register the yubikey. Any thoughts?

  • @FireBean8504 1 year ago

    Is there any chance you could create a video about Authentik? I'm currently comparing JumpCloud and Authentik as identity sources. I'm unsure whether I should type this up on my only server, as it could lead to a chicken and egg situation if the server reboots and I'm unable to access it to fix any issues. I've had a similar experience with a VM cluster that relied on NFS Storage through FQDN when all the DNS Servers went offline... It was a terrible situation!

  • @AlexandreAlonso 3 years ago

    how to add personalized login theme? My projects requires to use customize login page for different sites

  • @stevefrost831 3 years ago +1

    I was getting frustrated managing a bunch of different docker-compose files so I did some hunting... I just found out yesterday that you can have one docker-compose.yml file and only call one container like this:
    docker-compose up -d authelia
    or
    docker-compose up -d --force-recreate traefik

  • @mra282 2 years ago

    Can you do a tutorial on enabling OpenID Connect in Authelia?

  • @ozzykampha2776 2 years ago +1

    Can you do a video about authentik?

  • @atrocitykings684 1 year ago

    I keep getting this message whenever i start the container up. I have copied all the files exactly as they are from your launchpad and still encounter an issue when the container starts up. It does not start up properly and assign a port in published ports section in portainer.
    Error message: level=info msg="Initializing server for non-TLS connections on '[::]:9091' path '/'"

  • @davidg4512 2 years ago

    Super powerful. Do you have a tutorial for authelia on kubernetes? I heard it's not really supported yet.

    • @TechnoTim 2 years ago +1

      I don't yet. They do have a helm chart but haven't implemented it yet!

  • @bhautikin 3 years ago

    What do you think about OAuth Proxy?

  • @Hydraulix 3 years ago +1

    🙌🎉🙌🎉🙌🎉
    YES!

  • @isthatasupra2042 2 months ago

    For me it doesn't work. I've set up the whole thing and as of itself, it redirects to authelia. But as soon as I try to log in, it never accepts my username and password and the console is only spitting out "error="user_not_found""
    I have used the updated version of the config from your git and edited the volumes to match where I save the stuff and it also is able to read the users file when I test with docker exec cat

  • @camerontgore 3 years ago

    Two Auth all the things!!!

  • @vcele 2 years ago

    where do I point my auth subdomain at, or how do I get the IP-address of the proxy network

  • @michaell7511 2 years ago

    Hi Tim, Great tutorial. My only issue with Traefik and this setting is the limitation (or headache) that it cannot be used across multiple instances of docker hosts, i.e., if one is running 3 different docker machines on 3 different vm with 3 different IP addresses.
    Can you show how to achieve the same perhaps with Nginx proxy manager with containers hosted on 2 or 3 different docker hosts?

    • @TechnoTim 2 years ago +2

      It sounds like at this point you should use swarm or kubernetes, or just have traefik on one machine, and treat the other services like a remote service and create a route for them. I have route examples in the docs

    • @michaell7511 2 years ago

      @TechnoTim Do you plan on delivering a tutorial on that? I'm sure that lots of us following you will be interested in that. I meant tutorial on how to have traefik on one machine, and treating the other services (dockers in other host machines) like a remote service and create a route for them? Thanks for everything Tim.

  • @sumitmamoria 3 years ago

    Great video. So...if a service already has a login of its own, will it get automatically authenticated after the authelia login is validated? Or will ask for two different logins?

    • @TechnoTim 3 years ago

      You will have different sign ins unless you disable or pass the auth header

    • @Ne0_Vect0r 2 years ago +2

      @TechnoTim can you easily pass the auth header when using traefik?

  • @captcrunch4205 1 year ago

    I followed all of your directions but I am getting a 404 error on authelia. I have no idea how to fix this.

  • @Equality-and-Liberty 2 years ago

    Thanks to you again I am now running Pi-hole, Traefik (automatic SSL cert of my apps), and last but not least Authelia. I wanna thank you very much for that. All are running smoothly. Two comments I want to make though; Authelia is not for multiple domains. I have multiple domains but only one I can use with Authelia. Second is that I use 2FA for Proxmox but when I pass through the 2FA, I just end up in the login screen of Proxmox asking for my username and PW. I thought with the 2FA of Authelia it was SSO with Proxmox?

    • @TechnoTim 2 years ago

      Thank you! I think there’s some additional config needed for proxmox.

  • @knoker666 2 years ago

    My main doubt with this setup is how do api calls handle the authentication. For example home assistant connecting to transmission ip, or radarr connecting to emby.

    • @J.erem.y 2 years ago

      Mainly what I do is have them on an additional network named something like API, it doesn't really matter as long as the containers can access each other via direct hostname. When you go to put in the address in the API settings, you use the direct hostname as the target and your API key. I have prowlarr, radarr, sonarr, readarr, lidarr and qbittorent all handled this way. If your apps are not going through the main entrypoint, you shouldn't be caught by the authentication.

  • @fltngmmth 2 years ago

    you can rename external networks. i usually declare my external traefik network and declare the name underneath since docker likes to rename duplicate network names like “traefik_traefik”

  • @ctyl5686 1 year ago

    Heimdall is not redirecting to the Authelia Login screen and instead, displays a 401 error. However, if I login into Authelia, I can then access my Heimdall front page. I appreciate this is an older video, but any suggestions would be welcome please.

    • @ctyl5686 1 year ago

      Solved my own mistake, I had not updated the Traefik data/config.yml file with the correct Authelia settings. Working fine after I did this.

  • @BenThatOneGuy 3 years ago

    were you able to pass Authelia login info to proxmox?
    I didn't see a Proxmox Login screen in your video, and you are logged in as root@pam, but Authelia docs say it doesn't support PAM yet. Was this just cut out, or did you have a login token still active?
    For things that support Active Directory / LDAP login, does Authelia pass this info along in order to complete the login to the service?

    • @TechnoTim 2 years ago

      You can do it now with Proxmox 7 and OpenID connect for Authelia!

    • @BenThatOneGuy 2 years ago

      @TechnoTim Excellent news! 👏 just got done setting up my RKE2 cluster so maybe it's time to get on that authentication game

  • @doemaeries 2 years ago

    14:40 will sqlite be fine for like 100-200 users or should I choose something else?

    • @TechnoTim 2 years ago +1

      I would choose something else, especially if this is something critical so you can easily back up the db.

  • @gmaclean1 3 years ago

    My ISP modem (which I require) doesn't have NAT Reflection. Any hope of using external domains linked internally?

    • @Mr.Leeroy 3 years ago

      yes, transparent DNS server that forwards external queries upstream and resolves local rebinds.

  • @evertythingtechrelated9715 2 years ago

    I can't seem to get it working with duo mobile. 40301 error code

  • @Equality-and-Liberty 2 years ago

    Yet another great video of you. This is what I was looking for but...... At the moment, I am using the reverse proxy of my Synology NAS. For that reason, I can't install another reverse proxy since ports 80 and 443 are forwarded to my Synology NAS for Let's Encrypt certification. I would love to use this solution if I know how to solve that problem with the ports 80 and 443 that are claimed by my Synology NAS.

    • @TechnoTim 2 years ago

      I think you could put another between. Incoming 80/443 go to new reverse proxy, and then it forwards to your synology. It does complicate things.

    • @Equality-and-Liberty 2 years ago

      @TechnoTim Thanks for the answer. I think I'm gonna remove the reverse proxy of the Synology completely and do my certification stuff on the new reverse proxy. In that case, I don't have to worry about ports 80 and 443 for Synology. That would make things less complicated.