Hi,
Here is my working configuration.
Uses DUO as 2FA, OpenLDAP for usernames, passwords and group membership.
No mongodb or redis.
Assume you have linuxserver.io letsencrypt container installed, configured (using subdomains for this example) and issuing certificates.
Assume you have a DUO account (free for 10 users) and users/mobiles already enrolled.
IPv4 only, no IPv6.
Authelia, Letsencrypt, Heimdall all installed on the same docker host.
OpenLDAP - create a group called admin and add the users you want/need.
Below is the docker-compose file normally created/found in
/opt/docker-compose.yml
Please adjust the volume paths to suit your own config.
Change the network to your defined network in docker.
The port must be the same as the one you will define in the Authelia config.yml file.
# ----------------------------------------
# Authelia
# ----------------------------------------
  authelia:
    image: clems4ever/authelia:latest
    container_name: authelia
    hostname: authelia
    volumes:
      - /docker/containers/authelia/config/config.yml:/etc/authelia/config.yml
      - /docker/containers/authelia/config/store:/var/lib/authelia/store
    environment:
      # Disables TLS certificate verification for Authelia's outbound
      # connections (LDAP, SMTP); only needed with self-signed certificates.
      - NODE_TLS_REJECT_UNAUTHORIZED=0
    networks:
      - nginx
    ports:
      - 9090:9090
    restart: unless-stopped
The /docker/containers/authelia/config/store:/var/lib/authelia/store volume holds the databases of registered users, authentication methods etc.
If it is not on a persistent volume, all data is lost when the Authelia container image is removed and every user has to register again.
Log in to your DUO account and create a new application - use the Partner Auth API template.
Enter the DUO API details in the file below.
This is the Authelia config file (config.yml) - minimal version. Adjust for your config.
###############################################################
#                   Authelia configuration                    #
###############################################################
port: 9090
logs_level: debug

duo_api:
  hostname: xxxxxxxxxxxxxxxxxxxxxxxxxx
  integration_key: xxxxxxxxxxxxxxxxxxxxxxx
  secret_key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

ldap:
  url: ldap://ldap.example.com
  base_dn: dc=example,dc=com
  additional_users_dn: cn=users
  users_filter: uid={0}
  additional_groups_dn: ou=groups
  groups_filter: (&(memberuid={0})(objectclass=posixGroup))
  group_name_attribute: cn
  mail_attribute: mail
  user: cn=xxxxxxxx,dc=example,dc=com
  password: xxxxxxxxxxxxxxxx

access_control:
  default_policy: deny
  rules:
    - domain: '*.example.com'
      subject: 'group:admin' # same group as you created in OpenLDAP
      policy: two_factor

session:
  name: XXXXXXXXXXXXXX_authelia_session_idXXXXXXXXXXXXXXXX # must be the same cookie name used in `authelia_sso_params`
  secret: XXXXXXXXXXXX_top_secret_XXXXXXXXXXXX
  expiration: 3600000 # 1 hour
  inactivity: 300000 # 5 minutes
  domain: example.com

regulation:
  max_retries: 3
  find_time: 120
  ban_time: 300

storage:
  local:
    path: /var/lib/authelia/store

smtp:
  username: test
  password: password
  secure: XXXX # true or false
  host: your mail server ip here
  port: your mail server port here
  sender: authelia@example.com
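To see what the access_control section above actually decides, here is an added Python model of the rule evaluation (my own simplified emulation, not Authelia's code): first matching rule wins, otherwise default_policy applies; a caller who is anonymous or has not reached the required factor gets 401 (which nginx turns into the portal redirect), while an authenticated caller that no rule allows gets 403. The Session and Rule classes, the level numbers and the sample users are constructed for this example.

```python
import fnmatch
from dataclasses import dataclass

# Factor level each policy requires (constructed for this model; "deny" is
# handled separately because it never passes).
REQUIRED_LEVEL = {"bypass": 0, "one_factor": 1, "two_factor": 2}


@dataclass
class Session:
    """What Authelia knows about the caller from the session cookie (assumed shape)."""
    username: str = ""
    groups: tuple = ()
    level: int = 0          # 0 = anonymous, 1 = password only, 2 = password + DUO


@dataclass
class Rule:
    domain: str             # glob such as '*.example.com'
    policy: str             # deny | bypass | one_factor | two_factor
    subject: str = ""       # 'group:<name>' or 'user:<name>'; '' matches everyone


def rule_matches(rule, host, session):
    """A rule applies when the requested host matches its domain glob and the
    caller satisfies its subject (if any)."""
    if not fnmatch.fnmatchcase(host, rule.domain):
        return False
    if rule.subject:
        kind, _, name = rule.subject.partition(":")
        if kind == "group":
            return name in session.groups
        if kind == "user":
            return name == session.username
        return False
    return True


def verify(rules, default_policy, host, session):
    """Return the status nginx's auth_request would see for /api/verify:
    200 allow, 401 authenticate (or add the second factor), 403 forbidden."""
    policy = default_policy
    for rule in rules:
        if rule_matches(rule, host, session):
            policy = rule.policy
            break
    if policy == "deny":
        # Anonymous callers are sent to log in (a rule may match once they
        # have a session); authenticated callers are simply refused.
        return 401 if session.level == 0 else 403
    if session.level < REQUIRED_LEVEL[policy]:
        return 401
    return 200


# The rules from the config.yml above: everything is denied unless the caller
# is in the LDAP 'admin' group and has completed DUO.
RULES = [Rule(domain="*.example.com", subject="group:admin", policy="two_factor")]
DEFAULT_POLICY = "deny"

if __name__ == "__main__":
    # Constructed sample sessions
    samples = [
        ("anonymous", Session()),
        ("alice after password", Session("alice", ("admin",), 1)),
        ("alice after DUO", Session("alice", ("admin",), 2)),
        ("bob (not admin) after DUO", Session("bob", ("users",), 2)),
    ]
    for who, s in samples:
        print(f"{who:26s} -> {verify(RULES, DEFAULT_POLICY, 'heimdall.example.com', s)}")
```

Running it shows why a user who is only in a group other than admin stays locked out even after completing DUO: no rule matches, so default_policy: deny applies.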
In /config/nginx/ of the letsencrypt container, create a new folder called authelia.
Inside this folder create the following files with the content shown for each (modify per your requirements).
proxy_params
  proxy_set_header X-Forwarded-Host $host;
  # Set Host once; setting it a second time (e.g. from $http_x_forwarded_host)
  # sends a duplicate Host header to the upstream.
  proxy_set_header Host $host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto $scheme;
  proxy_http_version 1.1;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection "upgrade";
  proxy_cache_bypass $http_upgrade;
default_headers
  add_header Cache-Control "no-store";
  add_header Pragma "no-cache";
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
  add_header X-Content-Type-Options nosniff;
  add_header X-Frame-Options "SAMEORIGIN";
  add_header X-XSS-Protection "1; mode=block";
  add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
  add_header X-Download-Options noopen;
  add_header X-Permitted-Cross-Domain-Policies none;
authelia_sso_params - remember to specify the same cookie name as in the session
section in Authelia's config.yml (authelia.session.id is the default)
  auth_request /.check-auth;
  auth_request_set $target_url $scheme://$http_host$request_uri;
  error_page 401 =302 https://authelia.example.com/#/?rd=$target_url;
  # Strip the Authelia session cookie so the backend never sees it
  set $new_cookie $http_cookie;
  if ($http_cookie ~ "(.*)(?:^|;)\s*authelia\.session\.id=[^;]+(.*)") {
      set $new_cookie $1$2;
  }
  proxy_set_header Cookie $new_cookie;
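The `if` block above removes the Authelia session cookie from the Cookie header before the request is proxied to the protected application, so the application never receives the SSO token. Below is an added Python check (not part of the original post) that runs the same regular expression over constructed Cookie headers and compares it with a parsing approach; it shows the edge cases of the regex, in particular the stray "; " left behind when the Authelia cookie happens to be first, and the empty header produced when it is the only cookie. The function names and the sample headers are my own.

```python
import re

# The regex from the nginx 'if' above, verbatim. nginx's '~' is an
# unanchored search, so re.search is the equivalent here.
NGINX_PATTERN = re.compile(r"(.*)(?:^|;)\s*authelia\.session\.id=[^;]+(.*)")


def strip_like_nginx(cookie_header):
    """Reproduce 'set $new_cookie $1$2': drop the Authelia cookie and keep
    everything around it untouched; no match leaves the header as-is."""
    m = NGINX_PATTERN.search(cookie_header)
    if not m:
        return cookie_header
    return m.group(1) + m.group(2)


def strip_by_parsing(cookie_header, name="authelia.session.id"):
    """Same goal done by splitting the header into name=value pairs, which
    never leaves a dangling separator behind."""
    kept = []
    for pair in cookie_header.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        if pair.split("=", 1)[0] == name:
            continue
        kept.append(pair)
    return "; ".join(kept)


# Constructed sample Cookie headers covering the positions the cookie can take
SAMPLES = [
    "foo=bar; authelia.session.id=abc123; baz=qux",   # in the middle
    "authelia.session.id=abc123; foo=bar",            # first
    "foo=bar; authelia.session.id=abc123",            # last
    "authelia.session.id=abc123",                      # only cookie
    "foo=bar",                                         # not present
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{header!r:50s} nginx={strip_like_nginx(header)!r:22s} "
              f"parsed={strip_by_parsing(header)!r}")
```

Two things worth knowing when reading the output: when the session cookie is the only cookie, $new_cookie becomes an empty string, and nginx does not pass a header whose value is empty, so the Cookie header is simply omitted upstream; and the regex only removes the first occurrence, which is fine because a browser sends one cookie per name per domain.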
authelia_check-auth_block_internal_api
  location = /.check-auth {
      internal;
      proxy_set_header Host $host;
      proxy_set_header X-Original-URI $request_uri;
      proxy_set_header X-Original-URL $scheme://$host$request_uri;
      proxy_set_header X-Forwarded-For $remote_addr;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header Content-Length "";
      proxy_pass_request_body off;
      resolver 127.0.0.11 valid=30s;
      set $upstream_authelia authelia;
      proxy_pass http://$upstream_authelia:9090/api/verify;
  }
authelia_check-auth_block_external_api
  location = /.check-auth {
      internal;
      proxy_set_header X-Forwarded-Host $host;
      proxy_set_header X-Original-URI $request_uri;
      proxy_set_header X-Original-URL $scheme://$host$request_uri;
      proxy_set_header X-Forwarded-For $remote_addr;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header Content-Length "";
      proxy_pass_request_body off;
      resolver 127.0.0.11 valid=30s;
      set $upstream_authelia authelia;
      proxy_pass http://$upstream_authelia:9090/api/verify;
  }
(I know the above 2 files are identical but that's how I got it to work)
Next, Authelia itself needs a subdomain definition. In /config/nginx/proxy-confs create the file below:
authelia.subdomain.conf
  server {
      listen 80;
      server_name authelia.example.com;
      location / {
          include /config/nginx/authelia/default_headers;
          return 301 https://$server_name$request_uri;
      }
  }

  server {
      listen 443 ssl http2;
      server_name authelia.*;
      include /config/nginx/ssl.conf;

      location = /api/verify {
          include /config/nginx/authelia/default_headers;
          include /config/nginx/authelia/proxy_params;
          resolver 127.0.0.11 valid=30s;
          set $upstream_authelia authelia;
          proxy_pass http://$upstream_authelia:9090/api/verify;
      }

      location /secondfactor/totp/identity/finish {
          include /config/nginx/authelia/default_headers;
          include /config/nginx/authelia/proxy_params;
          resolver 127.0.0.11 valid=30s;
          set $upstream_authelia authelia;
          proxy_pass http://$upstream_authelia:9090;
          proxy_intercept_errors on;
          if ($request_method !~ ^(POST)$){
              error_page 401 = /error/401;
              error_page 403 = /error/403;
              error_page 404 = /error/404;
          }
      }

      location / {
          include /config/nginx/authelia/default_headers;
          include /config/nginx/authelia/proxy_params;
          resolver 127.0.0.11 valid=30s;
          set $upstream_authelia authelia;
          proxy_pass http://$upstream_authelia:9090;
          proxy_intercept_errors on;
          if ($request_method !~ ^(POST)$){
              error_page 401 = /error/401;
              error_page 403 = /error/403;
              error_page 404 = /error/404;
          }
      }
  }
And finally, let's assume you want to protect your heimdall page.
In /config/nginx/proxy-confs create the heimdall subdomain config file:
heimdall.subdomain.conf
  # make sure that your dns has a cname set for heimdall
  server {
      listen 80;
      server_name heimdall.*;
      location / {
          # absolute path, so it resolves regardless of nginx's prefix directory
          include /config/nginx/authelia/default_headers;
          return 301 https://$server_name$request_uri;
      }
  }

  server {
      listen 443 ssl http2;
      root /config/www;
      index index.html index.htm index.php;
      server_name heimdall.*;
      include /config/nginx/ssl.conf;
      include /config/nginx/authelia/authelia_check-auth_block_internal_api;

      location / {
          include /config/nginx/authelia/default_headers;
          include /config/nginx/authelia/authelia_sso_params;
          include /config/nginx/authelia/proxy_params;
          resolver 127.0.0.11 valid=30s;
          set $upstream_heimdall heimdall;
          proxy_pass https://$upstream_heimdall:443;
          proxy_redirect off;
      }
  }
Navigate to your Authelia webpage (https://authelia.example.com) and enroll your first user.
Then go to your heimdall page (https://heimdall.example.com) and log in.
To protect additional pages, follow the heimdall example and adjust accordingly.
Hope this helps someone.
Thanks to chbmb for helping with how to include Authelia config into the letsencrypt/nginx application structure/configuration.