January 3, 2025 in Guides by Brynn Crowley (8 minutes)
In this guide we will walk through setting up Authelia with Traefik as the reverse proxy. This guide aims to provide an opinionated way to set up Authelia that is fully supported by the Authelia team.
Security Note
This guide is a temporary solution while we work to improve our “Getting Started” section of the website. It is likely this guide will not be updated for future versions. At such a time, a deprecation notice will be posted.
This is not a demo. If you would like an all-in-one demo, please take a look at our local bundle.
This guide makes a few assumptions. These assumptions may require adaptation in more advanced and complex scenarios. We cannot reasonably have examples for every advanced configuration option that exists. Some of these values can be automatically replaced with documentation variables.
We make the following assumptions:
- authelia in the URL if:
- 9091 in the URL if:
- example.com domain:
The first thing we want to do is set up the file structure, which should look something like this:
project
├── authelia
│   ├── config
│   │   ├── configuration.yml
│   │   └── users.yml
│   └── secrets
├── compose.yml
└── traefik
    ├── config
    │   ├── dynamic.yml
    │   └── traefik.yml
    ├── data
    │   └── acme.json
    ├── logs
    └── secrets
Note
We’ll focus on the minimal configuration needed to work with Authelia. For advanced Traefik features and configurations, consult their documentation.
Next, we’ll set up Traefik as our reverse proxy. For detailed Traefik documentation, refer to the official Traefik docs.
compose.yml:
services:
  traefik:
    image: 'traefik:latest'
    container_name: 'traefik'
    restart: 'unless-stopped'
    security_opt:
      - 'no-new-privileges=true'
    networks:
      proxy:
        aliases:
          - 'auth.example.com'
      authelia: {}
    ports:
      - '80:80'
      - '443:443'
    environment:
      TZ: 'America/Los_Angeles' ## see below
    volumes:
      - '/var/run/docker.sock:/var/run/docker.sock:ro'
      - './traefik/config/traefik.yml:/traefik.yml:ro'
      - './traefik/config/dynamic.yml:/dynamic.yml:ro'
      - './traefik/data/:/data'
      - './traefik/logs:/logs'
    labels:
      traefik.enable: 'true'
      traefik.http.routers.dashboard.rule: 'Host(`traefik.example.com`)'
      traefik.http.routers.dashboard.entrypoints: 'https'
      traefik.http.routers.dashboard.middlewares: 'authelia@docker'
      traefik.http.routers.dashboard.service: 'api@internal'
  whoami:
    image: 'traefik/whoami'
    restart: 'unless-stopped'
    container_name: 'whoami'
    labels:
      traefik.enable: 'true'
      traefik.http.routers.whoami.rule: 'Host(`whoami.example.com`)'
      traefik.http.routers.whoami.entrypoints: 'https'
    networks:
      proxy: {}
  ## Other Services Go Here
networks:
  proxy:
    external: true
    name: 'proxy'
  authelia:
    name: 'authelia'
Note: Timezone strings can be found here.
Now we configure Traefik. The following files contain the minimal Traefik configuration needed for Authelia integration:
traefik/config/traefik.yml:
## Base Traefik configuration (static configuration)
api:
  dashboard: true
  debug: false
  insecure: false
log:
  level: 'INFO'
accessLog:
  filePath: '/logs/access.log'
entryPoints:
  http:
    address: ':80'
    http:
      redirections:
        entryPoint:
          to: 'https'
          scheme: 'https'
          permanent: true
  https:
    address: ':443'
    http:
      tls:
        certResolver: 'myresolver'
providers:
  docker:
    endpoint: 'unix:///var/run/docker.sock'
    exposedByDefault: false
  file:
    filename: '/dynamic.yml'
certificatesResolvers:
  myresolver:
    acme:
      storage: '/data/acme.json'
      httpChallenge:
        entryPoint: 'http'

traefik/config/dynamic.yml:
## This file can be used to define dynamic routers/services/middlewares.
## TLS options are dynamic configuration in Traefik, so they are loaded from this
## file through the file provider rather than from the static traefik.yml.
tls:
  options:
    default:
      minVersion: 'VersionTLS12'
      cipherSuites:
        - 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256'
        - 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
        - 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384'
        - 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'
        - 'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305'
        - 'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305'
Note
These are minimal configurations focused on Authelia integration. Adjust them according to your needs using Traefik’s documentation.
This configuration sets up Authelia's core service and configures forward authentication with Traefik. The portal will be available at auth.example.com. It also defines a new whoami-secure container that will be protected by Authelia.
The docker compose services defined below should be added to the existing compose.yml created for Traefik and whoami.
compose.yml (additional entries under the existing services: key):
  authelia:
    image: 'authelia/authelia:4.38'
    container_name: 'authelia'
    volumes:
      - './authelia/secrets:/secrets:ro'
      - './authelia/config:/config'
      - './authelia/logs:/var/log/authelia/'
    networks:
      authelia: {}
    labels:
      ## Expose Authelia through Traefik
      traefik.enable: 'true'
      traefik.docker.network: 'authelia'
      traefik.http.routers.authelia.rule: 'Host(`auth.example.com`)'
      traefik.http.routers.authelia.entrypoints: 'https'
      ## Setup Authelia ForwardAuth Middlewares
      traefik.http.middlewares.authelia.forwardAuth.address: 'http://authelia:9091/api/authz/forward-auth'
      traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader: 'true'
      traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders: 'Remote-User,Remote-Groups,Remote-Name,Remote-Email'
    environment:
      TZ: 'America/Los_Angeles'
      X_AUTHELIA_CONFIG_FILTERS: 'template'
  whoami-secure:
    image: 'traefik/whoami'
    restart: 'unless-stopped'
    container_name: 'whoami-secure'
    labels:
      traefik.enable: 'true'
      traefik.http.routers.whoami-secure.rule: 'Host(`whoami-secure.example.com`)'
      traefik.http.routers.whoami-secure.entrypoints: 'https'
      traefik.http.routers.whoami-secure.middlewares: 'authelia@docker'
    networks:
      proxy: {}
There are a couple of Docker networks that need to be created.
The proxy network contains Traefik and can be used to connect any additional containers to the Traefik proxy. It is created by running the following command:
docker network create proxy \
  --opt "com.docker.network.bridge.name"="br-docker-proxy"
The authelia network contains the containers required for Authelia to function and connects Authelia to Traefik over a separate network. While not included in this guide, it would include the storage provider (PostgreSQL or MySQL), session provider (Redis), and LDAP authentication backend. This network does not need to be created since it will automatically be created when the containers are started.
Note: While the whoami-secure container is protected by the Authelia middleware, it is not in the authelia Docker network. This is because we want to avoid any risk of the unencrypted HTTP traffic on that network being intercepted by other containers. Protected services should either be in the proxy network or a network shared with Traefik, while Authelia-specific services use the separate authelia network for enhanced security isolation.
authelia/config/configuration.yml:
server:
  address: 'tcp4://:9091'
log:
  level: debug
  file_path: '/var/log/authelia/authelia.log'
  keep_stdout: true
identity_validation:
  elevated_session:
    require_second_factor: true
  reset_password:
    jwt_lifespan: '5 minutes'
    jwt_secret: {{ secret "/secrets/jwt_secret.txt" | mindent 0 "|" | msquote }}
totp:
  disable: false
  issuer: 'example.com'
  period: 30
  skew: 1
password_policy:
  zxcvbn:
    enabled: true
    min_score: 4
authentication_backend:
  file:
    path: '/config/users.yml'
    password:
      algorithm: 'argon2'
      argon2:
        variant: 'argon2id'
        iterations: 3
        memory: 65535
        parallelism: 4
        key_length: 32
        salt_length: 16
access_control:
  default_policy: 'deny'
  rules:
    - domain: 'traefik.example.com'
      policy: 'one_factor'
    - domain: 'whoami-secure.example.com'
      policy: 'two_factor'
session:
  name: 'authelia_session'
  secret: {{ secret "/secrets/session_secret.txt" | mindent 0 "|" | msquote }}
  cookies:
    - domain: 'example.com'
      authelia_url: 'https://auth.example.com'
regulation:
  max_retries: 4
  find_time: 120
  ban_time: 300
storage:
  encryption_key: {{ secret "/secrets/storage_encryption_key.txt" | mindent 0 "|" | msquote }}
  local:
    path: '/config/db.sqlite3'
notifier:
  disable_startup_check: false
  filesystem:
    filename: '/config/notification.txt'
Each section in the configuration file above has detailed documentation available. Below are direct links. Note: there are config options that are not a part of this guide.
These documentation pages provide comprehensive information about each configuration section, including all available options, examples, and best practices for setting up your Authelia instance.
In the config there are Go templates that can be identified by {{ }}. These are replaced with the contents of the files specified when Authelia is started. More information on them and the directives involved can be found here.
There are 3 required secrets that we need to create and put in the authelia/secrets/ directory: session_secret.txt, storage_encryption_key.txt and jwt_secret.txt.
You can automatically generate these secrets by running the following commands in the project root directory project/:
chown 8000:8000 ./authelia/secrets && chmod 0700 ./authelia/secrets
docker run --rm -u 8000:8000 -v ./authelia/secrets:/secrets docker.io/authelia/authelia sh -c "cd /secrets && authelia crypto rand --length 64 session_secret.txt storage_encryption_key.txt jwt_secret.txt"
Note: If you elect to generate these secrets yourself, it is strongly recommended that these 3 values are random alphanumeric strings with 64 or more characters.
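The following script is an added example and is not part of this guide or of the Authelia project. It checks, before the containers are started, that the three secret files named above exist, that each holds at least 64 characters, and that the secrets directory is private (no group or world permission bits, as set by the chmod 0700 above). The function names, the 64-character threshold and the use of ls/cut to read the mode are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the Authelia guide): sanity-check ./authelia/secrets
# before running `docker compose up`. Assumes the guide's layout: one secret
# value per file, 64 or more characters, directory mode 0700.

SECRET_NAMES='session_secret.txt storage_encryption_key.txt jwt_secret.txt'
MIN_LENGTH=64   # assumed threshold, matching the guide's recommendation

# One file: must exist and hold at least MIN_LENGTH characters (trailing
# newlines are not counted, since `authelia crypto rand` writes a bare value).
check_secret_file() {
  f="$1"
  [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
  n=$(tr -d '\n' < "$f" | wc -c | tr -d ' ')
  [ "$n" -ge "$MIN_LENGTH" ] || { echo "too short ($n < $MIN_LENGTH chars): $f" >&2; return 1; }
  return 0
}

# The directory must not be group- or world-accessible (the guide uses 0700).
# Columns 5-10 of `ls -ld` output are the group and other permission bits.
check_secrets_dir_mode() {
  d="$1"
  bits=$(ls -ld "$d" | cut -c5-10)
  [ "$bits" = "------" ] || { echo "$d is readable by group/other (bits: $bits)" >&2; return 1; }
  return 0
}

# Whole directory: returns 0 only when every check passes, reporting all failures.
check_secrets_dir() {
  d="$1"
  rc=0
  [ -d "$d" ] || { echo "missing directory: $d" >&2; return 1; }
  check_secrets_dir_mode "$d" || rc=1
  for name in $SECRET_NAMES; do
    check_secret_file "$d/$name" || rc=1
  done
  return $rc
}

# Usage from the project root (non-zero exit status means something is wrong):
#   check_secrets_dir ./authelia/secrets
```

Run it from the project/ directory after the generation command; any failure is reported on stderr and the function returns non-zero, so it can gate a deployment script.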
authelia/config/users.yml:
users:
  authelia: ## Username
    displayname: 'Authelia User'
    ## WARNING: This is a default password for testing only!
    ## IMPORTANT: Change this password before deploying to production!
    ## Generate a new hash using the instructions at:
    ## https://www.authelia.com/reference/guides/passwords/#passwords
    ## Password is 'authelia'
    password: '$6$rounds=50000$BpLnfgDsc2WD8F2q$Zis.ixdg9s/UOJYrs56b5QEZFiZECu0qZVNsIYxBaNJ7ucIL.nlxVCT5tqh8KHG8X4tlwCFm5r6NTOZZ5qRFN/'
    email: 'authelia@authelia.com'
    groups:
      - 'admin'
      - 'dev'
The current password listed is authelia. It is important that you generate a new password hash.
Once all the configuration for Traefik and Authelia is complete, run docker compose up -d from the project/ directory to download and start the containers.
You can then check the deployment with docker compose ps, by visiting https://traefik.example.com and https://whoami-secure.example.com, and by inspecting docker logs authelia.
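As an added example that is not part of this guide, the functions below check the two behaviours the configuration above is meant to produce: a plain-HTTP request is permanently redirected to HTTPS (the http entry point's redirection with permanent: true), and an unauthenticated request to a protected host such as whoami-secure.example.com is redirected to the portal at https://auth.example.com by the forwardAuth middleware. Each function reads a response header dump, as produced by curl -sSI, on stdin. The sample header dumps are constructed for this example, and the function names and the exact status codes checked (301 for Traefik's permanent redirect, 302 for Authelia's forward-auth redirect of a GET or HEAD request) are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the Authelia guide): offline checks over captured
# response headers. With the stack running, capture real headers with:
#   curl -sSI https://whoami-secure.example.com | check_portal_redirect
#   curl -sSI http://whoami-secure.example.com  | check_https_redirect

PORTAL_URL='https://auth.example.com'   # the guide's authelia_url

# Read an HTTP header dump on stdin; print "<status> <location>" with CRLF stripped.
parse_status_and_location() {
  tr -d '\r' | awk '
    NR == 1 { status = $2 }
    tolower($1) == "location:" { location = $2 }
    END { print status, location }'
}

# An unauthenticated request to a protected host must be sent to the portal.
check_portal_redirect() {
  resp=$(parse_status_and_location)
  status=${resp%% *}
  location=${resp#* }
  [ "$status" = "302" ] || { echo "expected 302, got '$status'" >&2; return 1; }
  case "$location" in
    "$PORTAL_URL"/*) return 0 ;;
    *) echo "redirect goes to '$location', not the portal" >&2; return 1 ;;
  esac
}

# Plain-HTTP requests must be upgraded permanently (permanent: true -> 301).
check_https_redirect() {
  resp=$(parse_status_and_location)
  status=${resp%% *}
  location=${resp#* }
  [ "$status" = "301" ] || { echo "expected 301, got '$status'" >&2; return 1; }
  case "$location" in
    https://*) return 0 ;;
    *) echo "redirect to '$location' is not https" >&2; return 1 ;;
  esac
}

# Constructed samples: what a correctly configured deployment would answer.
SAMPLE_PROTECTED='HTTP/2 302
location: https://auth.example.com/?rd=https%3A%2F%2Fwhoami-secure.example.com%2F&rm=GET
content-length: 0
'
SAMPLE_PLAIN='HTTP/1.1 301 Moved Permanently
Location: https://whoami-secure.example.com/
Content-Length: 17
'
# Constructed negative sample: the service answered directly, so the
# authelia@docker middleware is not applied to that router.
SAMPLE_UNPROTECTED='HTTP/2 200
content-type: text/plain; charset=utf-8
'

# Self-demo against the samples (in real use, pipe curl output instead).
printf '%s' "$SAMPLE_PROTECTED"   | check_portal_redirect && echo 'protected host: redirects to portal'
printf '%s' "$SAMPLE_PLAIN"       | check_https_redirect  && echo 'plain http: permanent redirect to https'
printf '%s' "$SAMPLE_UNPROTECTED" | check_portal_redirect 2>/dev/null || echo 'unprotected host: middleware NOT applied'
```

A 200 from a host that should be protected is the failure worth catching here: it means the router is reachable without the authelia@docker middleware, so the access_control rules in configuration.yml never run for it.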
This guide is not intended to instruct users on how to set up every aspect of Authelia. There are other features that were not mentioned in this guide that provide additional functionality. Some of these include: