authelia
The following page documents how I did setup a service in docker-compose to use authelia for authentication via traefik 2.0
environment
I use the following entries for this setup in my /etc/environment
file
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games"
PUID=1000
PGID=1000
TZ="Europe/Zurich"
DOMAINNAME="example.com"
DNS=1.1.1.1
GOPATH=/usr/bin/go
EMAIL=mail@example.com
Install golang
I found a setup guide that shows how to install golang on ubuntu 18.04 based on a ppa. I did the following steps
sudo add-apt-repository ppa:longsleep/golang-backports
sudo apt-get update
sudo apt-get install golang-go
Basic traefik 2.0 setup
My basic traefik 2.0 setup was based on the traefik 2.0 intoduction blog post. While configuring I just stumble upon one issue.
Full docker-compose
version: '3.7'
services:
traefik:
container_name: traefik
domainname: ${DOMAINNAME}
image: traefik
restart: unless-stopped
command:
- --api.insecure=true
- --providers.docker=true
- --providers.docker.exposedbydefault=false
- --entrypoints.web.address=:80
- --log.level=DEBUG
- --entrypoints.websecure.address=:443
- --certificatesresolvers.le.acme.email=${EMAIL}
- --certificatesresolvers.le.acme.storage=/acme.json
- --certificatesresolvers.le.acme.tlschallenge=true
ports:
- "80:80"
- "443:443"
- "8080:8080"
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./users:/users
networks:
- default
- discovery
dns:
- ${DNS}
my-app:
image: containous/whoami:v1.3.0
command:
- --port=8082
networks:
- discovery
labels:
- "traefik.enable=true"
- "traefik.http.routers.my-app.rule=Host(`my-app.${DOMAINNAME}`)"
- "traefik.http.services.my-app.loadbalancer.server.port=8082"
- "traefik.http.routers.my-app.middlewares=authme"
- "traefik.http.middlewares.authme.forwardauth.address=http://authelia:9091"
- "traefik.http.middlewares.authme.forwardauth.trustforwardheader=true"
- "traefik.http.middlewares.authme.forwardauth.authresponseheaders=X-Forwarded-User"
- "traefik.http.middlewares.authme.forwardauth.address=http://authelia:8080/api/verify?rd=https://auth.${DOMAINNAME}/%23/"
- "traefik.http.routers.my-app.tls.certresolver=le"
- "traefik.http.routers.my-app.entrypoints=websecure"
authelia:
image: clems4ever/authelia:master
container_name: authelia
restart: always
volumes:
- ./authelia/config.minimal.yml:/etc/authelia/config.yml:ro
- ./authelia/users_database.yml:/etc/authelia/users_database.yml:rw
- authelia:/tmp/authelia
- ${GOPATH}:/go
environment:
- TZ=${TZ}
- NODE_TLS_REJECT_UNAUTHORIZED=1
labels:
- "traefik.enable=true"
- "traefik.http.routers.auth.rule=Host(`auth.${DOMAINNAME}`)"
- "traefik.http.routers.auth.entrypoints=web"
- "traefik.http.services.auth.loadbalancer.server.port=8080"
- "traefik.http.routers.auth.tls.certresolver=le"
- "traefik.http.routers.auth.entrypoints=websecure"
expose:
- 8080
networks:
- discovery
volumes:
authelia:
networks:
discovery:
authelia config
This is the users_database.yml
sample that contains a user testuser
with password test
users:
testuser: ## I have set the password below to 'test' for you
password: '{CRYPT}$6$rounds=500000$Bui4ldW5hXOI9qwJ$IUHQPCusUKpTs/OrfE9UuGb1Giqaa5OZA.mqIpH.Hh8RGFsEBHViCwQDx6DfkGUiF60pqNubFBugfTvCJIDNw1'
email: your@email.address
groups:
- admins
- dev
This is my config.minimal.yml
for this sample, its all base on a working sample for traefik that I found googeling.
###############################################################
# Authelia minimal configuration #
###############################################################
#logs_level: debug
# The secret used to generate JWT tokens when validating user identity by
# email confirmation.
jwt_secret: supersecret
authentication_backend:
file:
path: /etc/authelia/users_database.yml
session:
secret: change_this_for_your_server
domain: personal.domain
# Configuration of the storage backend used to store data and secrets. i.e. totp data
storage:
local:
path: /etc/authelia/storage
# TOTP Issuer Name
#
# This will be the issuer name displayed in Google Authenticator
# See: https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names
totp:
issuer: personal.domain
# Access Control
#
# Access control is a set of rules you can use to restrict user access to certain
# resources.
access_control:
# Default policy can either be `bypass`, `one_factor`, `two_factor` or `deny`.
default_policy: one_factor
rules:
- domain: public.personal.domain
policy: bypass
- domain: httpbin.personal.domain
policy: bypass
- domain: auth.cusack.cloud
policy: bypass
- domain: firewall.personal.domain
policy: two_factor
- domain: proxmox.personal.domain
policy: two_factor
# resources:
# - '^/api/.*$'
# - '^/notifications/.*$'
policy: bypass
# - domain: who.example.com
# policy: two_factor
# Configuration of the authentication regulation mechanism.
regulation:
# Set it to 0 to disable max_retries.
max_retries: 5
# The user is banned if the authenticaction failed `max_retries` times in a `find_time` seconds window.
find_time: 120
# The length of time before a banned user can login again.
ban_time: 180
# Configuration of session cookies
#
# The session cookies identify the user once logged in.
session:
# The name of the session cookie. (default: authelia_session).
name: authelia_session
# The secret to encrypt the session cookie.
secret: change_this_for_your_server
# The time in ms before the cookie expires and session is reset.
expiration: 604800000 # 1 week
# The inactivity time in ms before the session is reset.
inactivity: 300000 # 5 minutes
# The domain to protect.
# Note: the authenticator must also be in that domain. If empty, the cookie
# is restricted to the subdomain on the issuer.
domain: personal.domain
# Default redirection URL
#
# Note: this parameter is optional. If not provided, user won't
# be redirected upon successful authentication.
#default_redirection_url: https://authelia.example.domain
#notifier:
# For testing purpose, notifications can be sent in a file
# filesystem:
# filename: /tmp/authelia/notification.txt
notifier:
smtp:
# username:
# password:
secure: false
host: mail
port: 25
sender: docker@your-mail-server
No Comments