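---
title: Authelia
---

Det mesta är hämtat från: [https://thehomelab.wiki/books/dns-reverse-proxy/page/setup-authelia-to-work-with-nginx-proxy-manager](https://thehomelab.wiki/books/dns-reverse-proxy/page/setup-authelia-to-work-with-nginx-proxy-manager)

* **./config/configuration.yml**

```yaml
##############################################################################
#                           Authelia configuration                           #
##############################################################################

host: 0.0.0.0
port: 9091 # if you need this changed make sure it reflects also in the docker-compose.yml
# debug writes every request (headers included) to the container log; switch to info once the setup works
log_level: debug
# This value is committed in clear text on this page: rotate it, and prefer loading it from a
# file via the AUTHELIA_JWT_SECRET_FILE environment variable (same mechanism as the session secret below)
jwt_secret: bdbb82d7c204a795d962540f3d243483
# NOTE(review): this is where users land after login when no ?rd= target is known; pointing it at
# the portal itself may just return them to the portal - confirm against the Authelia docs
default_redirection_url: https://authelia.svenman.net

totp:
  issuer: svenman.net
  period: 30
  skew: 1

#duo_api: ## If you want push notifictions of login attempts you can pay for this feature
#  hostname: api-123456789.example.com
#  integration_key: ABCDEF
#  secret_key: yet-another-long-string-of-characters-and-numbers-and-symbols

authentication_backend:
  disable_reset_password: false
  file:
    path: /config/users_database.yml # Make sure this file exists
    password:
      algorithm: argon2id
      iterations: 1
      salt_length: 16
      parallelism: 8
      # appears to map to m=65536 (KiB) in the generated hashes in users_database.yml
      memory: 64

access_control:
  default_policy: deny
  rules:
    # Rules applied to everyone
    # Rules are evaluated top-down (first match wins), so the one_factor rule for
    # /zonezero/ has to stay above the bypass rule for the whole site
    - domain: authelia.svenman.net
      policy: bypass
    - domain: svenman.net
      resources: "^/zonezero/"
      policy: one_factor
    - domain: svenman.net
      policy: bypass
    - domain: heimdall.svenman.net
      policy: one_factor

session:
  name: authelia_session
  # This secret can also be set using the env variables AUTHELIA_SESSION_SECRET_FILE
  # (committed in clear text on this page - rotate it)
  secret: ddd1df9b73343df7600faf9cd1dec30b
  expiration: 3600 # 1 hour
  # NOTE(review): the absolute expiration above is shorter than this idle timeout,
  # so the session ends after 1 hour regardless of activity - confirm that is intended
  inactivity: 7200 # 2 hours
  domain: svenman.net # Needs to be your root domain
  redis:
    # NOTE(review): this is the container name compose generates when the project
    # directory is called "authelia"; the service name "redis" resolves on the compose
    # network independently of the project name - verify before relying on it
    host: authelia_redis_1
    port: 6379
    # This secret can also be set using the env variables AUTHELIA_SESSION_REDIS_PASSWORD_FILE
    # password: authelia

regulation:
  max_retries: 5
  find_time: 2m
  ban_time: 10m

theme: dark # options: dark, light

storage:
  local:
    path: /config/db.sqlite3

notifier:
  filesystem:
    filename: /config/notification.txt
  # smtp:
  #   username:
  #   password:
  #   host:
  #   port: # 25 non-ssl, 443 ssl, 587 tls
  #   sender:
  #   subject: "[Authelia] {title}"
  #   disable_require_tls: false # set to true if your domain uses no tls or ssl only
  #   disable_html_emails: false # set to true if you don't want html in your emails
  #   tls:
  #     server_name:
  #     skip_verify: false
  #     minimum_version: TLS1.2
```

* **./config/users_database.yml**

```yaml
###############################################################
#                         Users Database                      #
###############################################################

# This file can be used if you do not have an LDAP set up.

# List of users
users:
  joakim:
    displayname: "Joakim Svensson"
    password: "$argon2id$v=19$m=65536,t=1,p=8$aGtkQVhYVkJiVkUxVVFneg$OvKt030Ok+TkBlWon1MJqbjw6t9WRDWrFIE9A+ISXhM"
    email: js@joakim.pw
    groups:
      - admins
      - dev
  # This account carries the same admins/dev groups as joakim; a guest or test
  # account should get its own group so access_control rules can tell them apart
  friend:
    displayname: "Hack me if you can"
    password: "$argon2id$v=19$m=65536,t=1,p=8$bU5wOVJleEl0RUVTeVYrcQ$eB0cZ3roI+yMHx+m6JtHw4M1n4wShfhLg7fPb25wmbY"
    email: js@joakim.pw
    groups:
      - admins
      - dev
```

För att generera lösenorden kör:

```bash
# Same image tag as docker-compose.yaml, so the hash parameters match the running version.
# The password given on the command line ends up in the shell history.
docker run authelia/authelia:4.31 authelia hash-password 'testAuthelia'
```

* **docker-compose.yaml**

```yaml
version: '3.3'
services:
  authelia:
    # image: authelia/authelia
    image: authelia/authelia:4.31
    volumes:
      - ./config:/config
    ports:
      # Published on every host interface; nginx reaches it at 192.168.6.31:9091
      # (see the nginx files). Bind to that address only if nothing else needs it.
      - 9091:9091
    restart: unless-stopped
    healthcheck:
      disable: true
    environment:
      - TZ=Europe/Stockholm # "America/Stockholm" is not a tzdata zone
    depends_on:
      - redis
  redis:
    image: redis:alpine
    volumes:
      - ./redis:/data
    # expose only makes the port reachable on the compose network, not on the host;
    # the instance runs without a password (see the commented redis password above)
    expose:
      - 6379
    restart: unless-stopped
    environment:
      - TZ=Europe/Stockholm
```

/etc/nginx/sites-enabled/authelia.svenman.net

```nginx
server {
    listen 80;
    listen [::]:80;
    listen 443 ssl;
    listen [::]:443 ssl;
    include snippets/wildcard.svenman.net.conf;

    # NOTE(review): this only redirects when a proxy in front sets X-Forwarded-Proto.
    # This server listens on :80 itself, so for direct clients the header is empty and
    # the login portal is served over plain HTTP; if nginx is the edge, test $scheme
    # instead (or redirect from a separate :80 server block).
    if ($http_x_forwarded_proto = "http") {
        return 301 https://$server_name$request_uri;
    }

    # Was bazarr.svenman.net, a leftover from the block this was copied from; the portal
    # URL used by error_page in svenman.net and in configuration.yml is authelia.svenman.net.
    # $server_name in the redirect above now also points here.
    server_name authelia.svenman.net;

    location / {
        set $upstream_authelia http://192.168.6.31:9091;
        proxy_pass $upstream_authelia;
        client_body_buffer_size 128k;

        #Timeout if the real server is dead
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

        # Advanced Proxy Config
        send_timeout 5m;
        proxy_read_timeout 360;
        proxy_send_timeout 360;
        proxy_connect_timeout 360;

        # Basic Proxy Config
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Forwarded-Uri $request_uri;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_redirect http:// $scheme://;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_cache_bypass $cookie_session;
        proxy_no_cache $cookie_session;
        proxy_buffers 64 256k;

        # If behind reverse proxy, forwards the correct IP
        # Only list proxies you control: any address in these ranges can set
        # X-Forwarded-For and thereby choose the client IP that Authelia sees.
        set_real_ip_from 10.0.0.0/8;
        set_real_ip_from 172.16.0.0/12; # was 172.0.0.0/8, which also covers public address space
        set_real_ip_from 192.168.0.0/16;
        set_real_ip_from fc00::/7;
        real_ip_header X-Forwarded-For;
        real_ip_recursive on;
    }
}
```

/etc/nginx/sites-enabled/svenman.net

```nginx
server {
    listen 80;
    listen [::]:80;
    listen 443 ssl;
    listen [::]:443 ssl;
    include snippets/wildcard.svenman.net.conf;

    # NOTE(review): same caveat as in authelia.svenman.net - with nginx listening on :80
    # itself, direct plain-HTTP requests are not redirected by this check.
    if ($http_x_forwarded_proto = "http") {
        return 301 https://$server_name$request_uri;
    }

    server_name svenman.net;

    # Sub-request target used by auth_request below; "internal" keeps clients
    # from calling it directly.
    location /authelia {
        internal;
        set $upstream_authelia http://192.168.6.31:9091/api/verify; #ADD YOUR IP AND PORT OF AUTHELIA
        proxy_pass_request_body off;
        proxy_pass $upstream_authelia;
        proxy_set_header Content-Length "";

        # Timeout if the real server is dead
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
        client_body_buffer_size 128k;

        proxy_set_header Host $host;
        proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Forwarded-Uri $request_uri;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_redirect http:// $scheme://;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_cache_bypass $cookie_session;
        proxy_no_cache $cookie_session;
        proxy_buffers 4 32k;

        send_timeout 5m;
        proxy_read_timeout 240;
        proxy_send_timeout 240;
        proxy_connect_timeout 240;
    }

    location / {
        set $upstream_svenman http://192.168.6.31:8041; #CHANGE NAME AND IP AND PORT
        proxy_pass $upstream_svenman; #change name of the service

        # Every request is checked against /authelia first; on 401 the client is sent to the
        # portal with the original URL in ?rd=. The Remote-User/Remote-Groups headers handed
        # to the upstream come from Authelia's verify response.
        auth_request /authelia;
        auth_request_set $target_url $scheme://$http_host$request_uri;
        auth_request_set $user $upstream_http_remote_user;
        auth_request_set $groups $upstream_http_remote_groups;
        proxy_set_header Remote-User $user;
        proxy_set_header Remote-Groups $groups;
        error_page 401 =302 https://authelia.svenman.net/?rd=$target_url; #change YOURDOMAIN.COM to your domain

        client_body_buffer_size 128k;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

        send_timeout 5m;
        proxy_read_timeout 360;
        proxy_send_timeout 360;
        proxy_connect_timeout 360;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Forwarded-Uri $request_uri;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_redirect http:// $scheme://;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_cache_bypass $cookie_session;
        proxy_no_cache $cookie_session;
        proxy_buffers 64 256k;

        # Only list proxies you control; anything in this range can set X-Forwarded-For.
        # Was 192.168.1.0/16 - the same network written in canonical form (nginx warns
        # that the low address bits are meaningless otherwise).
        set_real_ip_from 192.168.0.0/16;
        real_ip_header X-Forwarded-For;
        real_ip_recursive on;
    }
}
```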