In this guide we will walk through setting up Authelia with Traefik as the reverse proxy. This guide aims to provide an opinionated way to set up Authelia that is fully supported by the Authelia team.
Security Note
This guide is a temporary solution while we work to improve our “Getting Started” section of the website. It is likely this guide will not be updated for future versions. At such a time, a deprecation notice will be posted.
This is not a demo. If you would like an all-in-one demo, please take a look at our local bundle.
Assumptions and Adaptation
This guide makes a few assumptions. These assumptions may require adaptation in more advanced and complex scenarios. We cannot reasonably have examples for every advanced configuration option that exists. Some of these values can be automatically replaced with documentation variables.
You will have to adapt all instances of authelia in the URL if:
you’re using a different container name
you deployed the proxy to a different location
You will have to adapt all instances of 9091 in the URL if:
you have adjusted the default port in the configuration
You will have to adapt the entire URL if:
Authelia is on a different host to the proxy
All services are part of the example.com domain:
This domain and the subdomains will have to be adapted in all examples to match your specific domains unless you’re just testing, or you want to use that specific domain
File Structure
The first thing we want to do is set up the file structure, which should look something like this:
Traefik and Whoami
Note
We’ll focus on the minimal configuration needed to work with Authelia. For advanced Traefik features and configurations, consult their documentation.
Next, we’ll set up Traefik as our reverse proxy. For detailed Traefik documentation, refer to the official Traefik docs.
Now we configure Traefik.
The following files contain the minimal Traefik configuration needed for Authelia integration:
Domain Configuration
Note
These are minimal configurations focused on Authelia integration. Adjust them according to your needs using Traefik’s documentation.
Authelia Compose
This configuration sets up Authelia’s core service and configures forward authentication with Traefik. The portal will be available at auth.example.com. It also defines a new whoami container that will be protected by Authelia.
The Docker Compose services defined below should be added to the existing compose.yml created for Traefik and whoami.
Docker Networks
There are a couple of Docker networks that need to be created.
proxy
The proxy network contains Traefik and can be used to connect any additional containers to the Traefik proxy.
It is created by running the following command:
authelia
The authelia network contains the containers required for Authelia to function and connects Authelia to Traefik over a separate network.
While not included in this guide, it would include the storage provider (PostgreSQL or MySQL), session provider (Redis), and LDAP authentication backend. This network does not need to be created since it will automatically be created when the containers are started.
Note: While the whoami-secure container is protected by the Authelia middleware, it is not in the authelia Docker network. This is because we want to avoid any risk of HTTP traffic being intercepted. Protected services should either be in the proxy network or a network shared with Traefik, while Authelia-specific services use the separate authelia network for enhanced security isolation.
Authelia Configuration
Each section in the configuration file above has detailed documentation available. Below are direct links.
Note: There are config options that are not a part of this guide.
Core Configuration
Server Configuration - Configure the server address, ports, TLS settings, and other core server options
Logging - Configure log levels, output locations, and format options
Identity Validation - Configure settings for password reset and elevated sessions.
Regulation - Configure brute-force protection and rate limiting
Notifier - Configure notification delivery methods and settings
These documentation pages provide comprehensive information about each configuration section, including all available options, examples, and best practices for setting up your Authelia instance.
Secrets
In the config there are Go templates that can be identified by {{ }}. These are replaced with the contents of the files specified when Authelia is started. More information on them and the directives involved can be found here.
There are 3 required secrets that we need to create and put in the authelia/secrets/ directory:
jwt_secret.txt
storage_encryption_key.txt
session_secret.txt
You can automatically generate these secrets by running the following commands in the project root directory project/.
Note: If you elect to generate these secrets yourself, it is strongly recommended that these 3 values are random alphanumeric strings with 64 or more characters.
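One way to create the three secret files by hand and confirm they meet the recommendation above, as an added example that is not Authelia's own tooling or the commands originally shown in this guide. The script name, the function names and the owner-only file mode are assumptions; the account Authelia runs as inside the container must still be able to read the files.

```sh
#!/bin/sh
# Added example: create and verify the three secret files named in the guide.
SECRET_FILES="jwt_secret.txt storage_encryption_key.txt session_secret.txt"

# Print $1 random alphanumeric characters from the kernel CSPRNG.
rand_alnum() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$1"
}

# Create any missing secret in directory $1. Existing files are left alone,
# so re-running the script does not replace secrets that are already in use.
generate_secrets() {
    dir=$1
    (
        umask 077                      # new directory 0700, new files 0600
        mkdir -p "$dir" || exit 1
        for f in $SECRET_FILES; do
            if [ ! -s "$dir/$f" ]; then
                rand_alnum 64 > "$dir/$f" || exit 1
            fi
        done
    )
}

# Report problems with the secrets in directory $1; non-zero status if any.
check_secrets() {
    dir=$1
    bad=0
    for f in $SECRET_FILES; do
        p="$dir/$f"
        if [ ! -f "$p" ]; then echo "missing: $p"; bad=1; continue; fi
        val=$(cat "$p")
        [ "${#val}" -ge 64 ] || { echo "shorter than 64 characters: $p"; bad=1; }
        case $val in
            *[!A-Za-z0-9]*) echo "non-alphanumeric characters: $p"; bad=1 ;;
        esac
        # Characters 5-10 of the ls mode string are the group and other bits.
        mode=$(ls -ld "$p" | cut -c5-10)
        [ "$mode" = "------" ] || { echo "accessible by group/other: $p"; bad=1; }
    done
    return "$bad"
}

# Usage (assumed script name): sh make-secrets.sh authelia/secrets
if [ "$#" -ge 1 ]; then
    generate_secrets "$1" && check_secrets "$1"
fi
```

Run it from project/ with authelia/secrets as the argument; check_secrets prints one line per problem and prints nothing when all three files pass.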
Users Database
The current password listed is authelia. It is important that you generate a new password hash.
Starting the Stack
Once all the configuration for Traefik and Authelia is complete, from the project/ directory run docker compose up -d to download and start the containers.
Verifying the Setup
Check container status: docker compose ps
Access Traefik dashboard at https://traefik.example.com
Test authentication at https://whoami-secure.example.com
Troubleshooting
Check container logs: docker logs authelia
Ensure all secret files exist and have correct permissions.
Next Steps
This guide is not intended to instruct users on how to set up every aspect of Authelia. There are other features that were not mentioned in this guide that provide additional functionality. Some of these include:
Non-memory Session Storage using Redis. The default session provider is memory-only; this means that when Authelia restarts, all user sessions are destroyed and users are required to reauthenticate. Redis allows sessions to persist across restarts and makes Authelia fully stateless.
Metrics allows Authelia administrators to export various statistics regarding their individual Authelia installation.