sa6anw
/
sa6anw.se
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
sa6anw.se/docs/zonezero/authelia.md

305 lines
9.7 KiB
Markdown
Raw Blame History

---
title: Authelia
---
Det mesta är hämtat från:
[https://thehomelab.wiki/books/dns-reverse-proxy/page/setup-authelia-to-work-with-nginx-proxy-manager](https://thehomelab.wiki/books/dns-reverse-proxy/page/setup-authelia-to-work-with-nginx-proxy-manager)
* **./config/configuration.yml**
```yaml
##############################################################################
# Authelia configuration #
##############################################################################
host: 0.0.0.0
port: 9091 # if you need this changed make sure it reflects also in the docker-compose.yml
log_level: debug
jwt_secret: bdbb82d7c204a795d962540f3d243483
default_redirection_url: https://authelia.svenman.net
totp:
issuer: svenman.net
period: 30
skew: 1
#duo_api: ## If you want push notifictions of login attempts you can pay for this feature
# hostname: api-123456789.example.com
# integration_key: ABCDEF
# secret_key: yet-another-long-string-of-characters-and-numbers-and-symbols
authentication_backend:
disable_reset_password: false
file:
path: /config/users_database.yml # Make sure this file exists
password:
algorithm: argon2id
iterations: 1
salt_length: 16
parallelism: 8
memory: 64
access_control:
default_policy: deny
rules:
# Rules applied to everyone
- domain: authelia.svenman.net
policy: bypass
- domain: svenman.net
resources: "^/zonezero/"
policy: one_factor
- domain: svenman.net
policy: bypass
- domain: heimdall.svenman.net
policy: one_factor
session:
name: authelia_session
# This secret can also be set using the env variables AUTHELIA_SESSION_SECRET_FILE
secret: ddd1df9b73343df7600faf9cd1dec30b
expiration: 3600 # 1 hour
inactivity: 7200 # 2 hours
domain: svenman.net # Needs to be your root domain
redis:
host: authelia_redis_1
port: 6379
# This secret can also be set using the env variables AUTHELIA_SESSION_REDIS_PASSWORD_FILE
# password: authelia
regulation:
max_retries: 5
find_time: 2m
ban_time: 10m
theme: dark # options: dark, light
storage:
local:
path: /config/db.sqlite3
notifier:
filesystem:
filename: /config/notification.txt
# smtp:
# username: <your-user@your-email-domain.org>
# password: <your-user-email-password-for-smtp>
# host: <your-email-host-url-or-ip>
# port: <your-email-port-for-smtp> # 25 non-ssl, 443 ssl, 587 tls
# sender: <sender@your-email-domain.org>
# subject: "[Authelia] {title}"
# disable_require_tls: false # set to true if your domain uses no tls or ssl only
# disable_html_emails: false # set to true if you don't want html in your emails
# tls:
# server_name: <your-email-host-url-or-ip>
# skip_verify: false
# minimum_version: TLS1.2
```
* **./comfig/users_database.yml**
```yaml
###############################################################
# Users Database #
###############################################################
# This file can be used if you do not have an LDAP set up.
# List of users
users:
joakim:
displayname: "Joakim Svensson"
password: "$argon2id$v=19$m=65536,t=1,p=8$aGtkQVhYVkJiVkUxVVFneg$OvKt030Ok+TkBlWon1MJqbjw6t9WRDWrFIE9A+ISXhM"
email: js@joakim.pw
groups:
- admins
- dev
friend:
displayname: "Hack me if you can"
password: "$argon2id$v=19$m=65536,t=1,p=8$bU5wOVJleEl0RUVTeVYrcQ$eB0cZ3roI+yMHx+m6JtHw4M1n4wShfhLg7fPb25wmbY"
email: js@joakim.pw
groups:
- admins
- dev
```
För att generera lösenorden kör:
```bash
docker run authelia/authelia:latest authelia hash-password 'testAuthelia'
```
* **docker-compose.yaml**
```yaml
version: '3.3'
services:
authelia:
# image: authelia/authelia
image: authelia/authelia:4.31
volumes:
- ./config:/config
ports:
- 9091:9091
restart: unless-stopped
healthcheck:
disable: true
environment:
- TZ=America/Stockholm
depends_on:
- redis
redis:
image: redis:alpine
volumes:
- ./redis:/data
expose:
- 6379
restart: unless-stopped
environment:
- TZ=America/Stockholm
```
/etc/nginx/sites-enabled/authelia.svenman.net
```json
server {
listen 80;
listen [::]:80;
listen 443 ssl;
listen [::]:443 ssl;
include snippets/wildcard.svenman.net.conf;
if ($http_x_forwarded_proto = "http") {
return 301 https://$server_name$request_uri;
}
server_name bazarr.svenman.net;
location / {
set $upstream_authelia http://192.168.6.31:9091;
proxy_pass $upstream_authelia;
client_body_buffer_size 128k;
#Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 360;
proxy_send_timeout 360;
proxy_connect_timeout 360;
# Basic Proxy Config
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 64 256k;
# If behind reverse proxy, forwards the correct IP
set_real_ip_from 10.0.0.0/8;
set_real_ip_from 172.0.0.0/8;
set_real_ip_from 192.168.0.0/16;
set_real_ip_from fc00::/7;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
}
}
```
/etc/nginx/sites-enabled/svenman.net
```json
server {
listen 80;
listen [::]:80;
listen 443 ssl;
listen [::]:443 ssl;
include snippets/wildcard.svenman.net.conf;
if ($http_x_forwarded_proto = "http") {
return 301 https://$server_name$request_uri;
}
server_name svenman.net;
location /authelia {
internal;
set $upstream_authelia http://192.168.6.31:9091/api/verify; #ADD YOUR IP AND PORT OF AUTHELIA
proxy_pass_request_body off;
proxy_pass $upstream_authelia;
proxy_set_header Content-Length "";
# Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
client_body_buffer_size 128k;
proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 4 32k;
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;
}
location / {
set $upstream_svenman http://192.168.6.31:8041; #CHANGE NAME AND IP AND PORT
proxy_pass $upstream_svenman; #change name of the service
auth_request /authelia;
auth_request_set $target_url $scheme://$http_host$request_uri;
auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
proxy_set_header Remote-User $user;
proxy_set_header Remote-Groups $groups;
error_page 401 =302 https://authelia.svenman.net/?rd=$target_url; #change YOURDOMAIN.COM to your domain
client_body_buffer_size 128k;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
send_timeout 5m;
proxy_read_timeout 360;
proxy_send_timeout 360;
proxy_connect_timeout 360;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 64 256k;
set_real_ip_from 192.168.1.0/16;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
}
}
```
Reference in New Issue View Git Blame Copy Permalink