
authelia's Issues

Error 526

So I have finished configuring authelia, but when trying to access my docker containers I get error 526.

This is the advanced configuration for my proxy host

location /authelia {
internal;
set $upstream_authelia http://192.168.1.33:9091/api/verify;
proxy_pass_request_body off;
proxy_pass $upstream_authelia;    
proxy_set_header Content-Length "";

# Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
client_body_buffer_size 128k;
proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr; 
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect  http://  $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 4 32k;

send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;
}

location / {
set $upstream_binhex-sabnzbd $forward_scheme://$server:$port;
proxy_pass $upstream_binhex-sabnzbd;

auth_request /authelia;
auth_request_set $target_url https://$http_host$request_uri;
auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
proxy_set_header Remote-User $user;
proxy_set_header Remote-Groups $groups;
error_page 401 =302 https://auth.moraleseder.com/?rd=$target_url;

client_body_buffer_size 128k;

proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

send_timeout 5m;
proxy_read_timeout 360;
proxy_send_timeout 360;
proxy_connect_timeout 360;

proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection upgrade;
proxy_set_header Accept-Encoding gzip;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect  http://  $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 64 256k;

set_real_ip_from 192.168.1.0/16;
real_ip_header X-Forwarded-For;
real_ip_recursive on;

}

After entering that, the status for the proxy host goes to offline (in NPM) and I get the 526 invalid SSL certificate error mentioned above. However, when removing that advanced configuration I can access the docker container just fine.

Issues Using Together with VSCode (Code-Server)

I have got the setup working with most of my services, but for some reason when trying to get it to work with VSCode (using linuxserver/code-server) I only get a white/blank screen after login. I get redirected to the correct address after successful authentication. Any tip as to what might be wrong? I am using the same endpoint configuration for all the services, just changing out the address and port number. I have no trouble with VSCode when not behind Authelia. Checking F12 on the page shows a bunch of WebSocket errors like this:

WebSocket connection to 'wss://vscode.domain.no/?type=Management&reconnectionToken=d0bb10e8-2249-4f90-9da8-2b4358f90451&reconnection=false&skipWebSocketFrames=false' failed:

Configuration file permissions

Hi there!

I was happily following along with your in-depth tutorial on installing Authelia, right up until where you edit the configuration file (right around the 15 minute mark in the video). When I try to open the freshly created configuration.yml file, I am confronted with a file permissions-related error:
[screenshot: file permissions error]

When I check the file permissions, my suspicions are quickly confirmed:

root@Alexandria:~# ls -lah /mnt/user/appdata/Authelia/
total 20K
drwxrwxrwx 1 nobody users  34 Mar  5 17:20 ./
drwxrwxrwx 1 nobody users 410 Mar  5 17:19 ../
-rw------- 1 nobody users 20K Mar  5 17:20 configuration.yml

After modifying the file permissions, I managed to resolve the issue:

root@Alexandria:~# chmod a+rw /mnt/user/appdata/Authelia/configuration.yml 
root@Alexandria:~# ls -lah /mnt/user/appdata/Authelia/
total 20K
drwxrwxrwx 1 nobody users  34 Mar  5 17:20 ./
drwxrwxrwx 1 nobody users 410 Mar  5 17:19 ../
-rw-rw-rw- 1 nobody users 20K Mar  5 17:20 configuration.yml

This all to say: while I managed to resolve the issue quickly and easily, it did surprise me, and might prove troublesome to people that are less experienced with Unix-based operating systems. As such, it might prove worthwhile to look into this matter.

Authelia Configs Changed

time="2021-12-05T15:02:05-05:00" level=error msg="Configuration: invalid configuration key 'host' was replaced by 'server.host'"

time="2021-12-05T15:02:05-05:00" level=error msg="Configuration: invalid configuration key 'log_level' was replaced by 'log.level'"

time="2021-12-05T15:02:05-05:00" level=error msg="Configuration: invalid configuration key 'port' was replaced by 'server.port'"

time="2021-12-05T15:02:05-05:00" level=error msg="Configuration: storage: 'encryption_key' configuration option must be provided"

Buffer size error

I'm unable to access the authelia webui and am getting a buffer size error. Do I need to change my config to what's suggested earlier in the log?

time="2022-09-05T10:51:13-04:00" level=warning msg="Configuration: configuration key 'server.write_buffer_size' is deprecated in 4.36.0 and has been replaced by 'server.buffers.write': this has been automatically mapped for you but you will need to adjust your configuration to remove this message"
time="2022-09-05T10:51:13-04:00" level=warning msg="Configuration: configuration key 'server.read_buffer_size' is deprecated in 4.36.0 and has been replaced by 'server.buffers.read': this has been automatically mapped for you but you will need to adjust your configuration to remove this message"
time="2022-09-05T10:51:13-04:00" level=warning msg="Configuration: access control: no rules have been specified so the 'default_policy' of 'one_factor' is going to be applied to all requests"
time="2022-09-05T10:51:13-04:00" level=info msg="Authelia v4.36.6 is starting"
time="2022-09-05T10:51:13-04:00" level=info msg="Log severity set to info"
time="2022-09-05T10:51:13-04:00" level=info msg="Storage schema is being checked for updates"
time="2022-09-05T10:51:13-04:00" level=info msg="Storage schema is already up to date"
time="2022-09-05T10:51:13-04:00" level=info msg="Initializing server for non-TLS connections on '[::]:9091' path '/'"
time="2022-09-05T10:52:00-04:00" level=error msg="Request from client exceeded the server buffer sizes." error="error when reading request headers: small read buffer. Increase ReadBufferSize. Buffer size=4096, contents: \"GET / HTTP/1.1\\r\\nHost: 192.168.1.186:19091\\r\\nConnection: keep-alive\\r\\nUpgrade-Insecure-Requests: 1\\r\\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105\"...\"c-xVfHM0iKtCYLqSjUC1aD_VWaikFlkgh3mR1RYG1P4QyjROpZrJJGYQiCcmbJo-vxkyPYzNbbHkHkT6t4u-iYFnmoCgnlzm77gRSDnRXl2kGzmw4QqjhW-4gpukdAD3xz9LSbP7yckz8KR5kmoCynzOggp7PcmWN-x3s0YP224YUu3lH_TdOzMjk_1HDB1kVeO9J410\"" method=GET path=/ remote_ip=192.168.1.224 stack="github.com/authelia/authelia/v4/internal/server/handlers.go:72 handleError.func2\ngithub.com/valyala/[email protected]/server.go:2794             (*Server).writeErrorResponse\ngithub.com/valyala/[email protected]/server.go:2233             (*Server).serveConn\ngithub.com/valyala/[email protected]/workerpool.go:224          (*workerPool).workerFunc\ngithub.com/valyala/[email protected]/workerpool.go:196          (*workerPool).getCh.func1\nruntime/asm_amd64.s:1594                                       goexit" status_code=431

Edit: Simply increasing the buffer size did help with accessing the webui. However, I would still like to know whether the server.buffers.write change is needed.

Proxy Hosts don't redirect to Authelia

Hello,

I'm stumped on getting the Authelia page before my intended destination page.

After editing the Protected Endpoint.conf to my personal settings for Sonarr, I paste it in the Advanced tab of my Sonarr site in NPM, and save it. But after, when clicking on my proxy host link, it sends me straight to my Sonarr instead of Authelia.

I rewatched this section of your tutorial on youtube multiple times thinking I'd missed something, but if I have, I can't figure out what it is since it only seems to need 3 edits.

I'll post my endpoint config below (with my real domain edited out as MYDOMAIN for privacy):

location /authelia {
    internal;
    set $upstream_authelia http://192.168.4.111:9091/api/verify;
    proxy_pass_request_body off;
    proxy_pass $upstream_authelia;
    proxy_set_header Content-Length "";

    # Timeout if the real server is dead
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
    client_body_buffer_size 128k;
    proxy_set_header Host $host;
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header X-Forwarded-Uri $request_uri;
    proxy_set_header X-Forwarded-Ssl on;
    proxy_redirect  http://  $scheme://;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_cache_bypass $cookie_session;
    proxy_no_cache $cookie_session;
    proxy_buffers 4 32k;

    send_timeout 5m;
    proxy_read_timeout 240;
    proxy_send_timeout 240;
    proxy_connect_timeout 240;
}

location / {
    set $upstream_sonarr $forward_scheme://$server:$port;
    proxy_pass $upstream_sonarr;

    auth_request /authelia;
    auth_request_set $target_url $scheme://$http_host$request_uri;
    auth_request_set $user $upstream_http_remote_user;
    auth_request_set $groups $upstream_http_remote_groups;
    proxy_set_header Remote-User $user;
    proxy_set_header Remote-Groups $groups;
    error_page 401 =302 https://id.MYDOMAIN.net/?rd=$target_url;

    client_body_buffer_size 128k;

    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

    send_timeout 5m;
    proxy_read_timeout 360;
    proxy_send_timeout 360;
    proxy_connect_timeout 360;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header X-Forwarded-Uri $request_uri;
    proxy_set_header X-Forwarded-Ssl on;
    proxy_redirect  http://  $scheme://;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_cache_bypass $cookie_session;
    proxy_no_cache $cookie_session;
    proxy_buffers 64 256k;

    set_real_ip_from 192.168.1.0/16;
    real_ip_header X-Forwarded-For;
    real_ip_recursive on;
}

Here's my ACL entry in the configuration.yml:

access_control:
  default_policy: deny
  rules:
    - domain: sonarr.MYDOMAIN.net
      policy: two_factor

Issues with browser cache and Authelia/NginxProxyManager

Hi,

I'm having issues with Authelia allowing browsing to the proxied address after authentication has been successful once.

I have Authelia and NginxProxyManager set up on Unraid (6.9.1), using Brave as my main browser (I have also tested Edge, albeit U2F doesn't work with Edge). Once I have authenticated (either with U2F or OTP) once, it will bring me to where I wanted to go. If I try to navigate to a different reverse proxy address protected by Authelia in a different tab, it appears to remember the cache of the previous authentication and will not go any further than the below:

[screenshot]

I have tried Incognito mode and the same behaviour is experienced; authenticates once, but successive attempts retain the previous successful auth but do not navigate to the address I was looking to go to.

I'm using the Protected Endpoint.conf file provided as part of the setup guide and have the placeholders replaced with my information, but am just wondering whether this is expected behaviour?

ERR_CONNECTION_REFUSED New Install

I have followed this to the T and am unable to access it via IP or URL.

This site can’t be reached. 192.168.1.17 refused to connect.
Try:

Checking the connection
Checking the proxy and the firewall
ERR_CONNECTION_REFUSED

###############################################################################
#                           Authelia Configuration                            #
###############################################################################

## The host and port to listen on.
host: 0.0.0.0
port: 8443

theme: light

server:
  read_buffer_size: 4096
  write_buffer_size: 4096
  path: ""

jwt_secret: ShVmYq3t6w9z$C&F

default_redirection_url: https://home.example.com:8080/

totp:
  skew: 1

authentication_backend:
  disable_reset_password: false
  refresh_interval: 5m

  file:
    path: /config/users_database.yml
    password:
      algorithm: argon2id
      iterations: 1
      key_length: 32
      salt_length: 16
      memory: 1024
      parallelism: 8
      
access_control:

  rules:

    - domain: "*.MYWEBSITE.io"
      subject:
        - "group:admins"
        - "group:moderators"
      policy: one_factor
      
session:
  name: authelia_session
  secret: ShVmYq3t6w9z$C&F  
  expiration: 1h
  inactivity: 5m
  remember_me_duration: 1M

  domain: MYWEBSITE.io

  redis:
    host: 192.168.1.17
    port: 6379
    # username: authelia
    password: MYPASS04!
    database_index: 0
    maximum_active_connections: 8
    minimum_idle_connections: 0

regulation:
  max_retries: 3
  find_time: 2m
  ban_time: 5m

storage:
  mysql:
    host: 192.168.1.17
    port: 3306
    database: authelia
    username: root
    password: MYPASS04!

notifier:
  filesystem:
   filename: /config/notification.txt

...
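A key-migration check, added here as an example (it is not Authelia's own code), for the renamed keys quoted in the "Authelia Configs Changed" and "Buffer size error" log lines above, run on a constructed sample shaped like the configuration posted above. It works on the parsed YAML as a nested dict; loading the file with yaml.safe_load is assumed and left out.

```python
"""Apply the key renames reported in the Authelia log lines above and check required keys.
Works on the parsed YAML as a nested dict (load the file with yaml.safe_load first)."""
import copy

# old dotted key -> new dotted key, as the 'was replaced by' / 'deprecated' log messages state
RENAMED = {
    "host": "server.host",
    "port": "server.port",
    "log_level": "log.level",
    "server.read_buffer_size": "server.buffers.read",
    "server.write_buffer_size": "server.buffers.write",
}
REQUIRED = ["storage.encryption_key"]   # 'must be provided' according to the log above


def _walk(tree, parts):
    """Return the dict that would hold parts[-1], or None if the path does not exist."""
    node = tree
    for p in parts[:-1]:
        if not isinstance(node, dict) or p not in node:
            return None
        node = node[p]
    return node if isinstance(node, dict) else None


def _get(tree, dotted):
    parts = dotted.split(".")
    node = _walk(tree, parts)
    return None if node is None else node.get(parts[-1])


def _put(tree, dotted, value):
    parts = dotted.split(".")
    node = tree
    for p in parts[:-1]:
        node = node.setdefault(p, {})
    node[parts[-1]] = value


def migrate(config):
    """Return (migrated_config, messages); the input dict is left untouched."""
    cfg = copy.deepcopy(config)
    msgs = []
    for old, new in RENAMED.items():
        parts = old.split(".")
        holder = _walk(cfg, parts)
        if holder is None or parts[-1] not in holder:
            continue
        value = holder.pop(parts[-1])
        if _get(cfg, new) is None:       # never overwrite a value already set under the new key
            _put(cfg, new, value)
            msgs.append(f"moved '{old}' to '{new}'")
        else:
            msgs.append(f"dropped '{old}': '{new}' is already set")
    for key in REQUIRED:
        if _get(cfg, key) is None:
            msgs.append(f"missing required key '{key}'")
    # The configuration posted above reuses one string for jwt_secret and session.secret.
    if cfg.get("jwt_secret") and cfg.get("jwt_secret") == _get(cfg, "session.secret"):
        msgs.append("jwt_secret and session.secret are identical; generate two independent secrets")
    return cfg, msgs


# Constructed sample shaped like the configuration posted above (placeholder secrets, not real ones).
SAMPLE = {
    "host": "0.0.0.0", "port": 8443,
    "server": {"read_buffer_size": 4096, "write_buffer_size": 4096, "path": ""},
    "jwt_secret": "PLACEHOLDER_SECRET",
    "session": {"name": "authelia_session", "secret": "PLACEHOLDER_SECRET"},
    "storage": {"mysql": {"host": "192.0.2.17", "port": 3306, "database": "authelia"}},
}
```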

After signing in successfully, redirected to 403

I tried to set up authelia but got stuck on the "protect an endpoint" setting and NPM.
Now I have a successful redirect from the service page to the authelia page, and single-factor authorization.
But after authorization, I get a 403 error page
[screenshot]
or I get stuck on the authorization page
[screenshot]
I tried some other containers, but with the same result.

My config:

location /authelia {
    internal;
    set $upstream_authelia http://192.168.31.100:9091/api/verify;
    proxy_pass_request_body off;
    proxy_pass $upstream_authelia;    
    proxy_set_header Content-Length "";

    # Timeout if the real server is dead
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
    client_body_buffer_size 128k;
    proxy_set_header Host $host;
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr; 
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header X-Forwarded-Uri $request_uri;
    proxy_set_header X-Forwarded-Ssl on;
    proxy_redirect  http://  $scheme://;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_cache_bypass $cookie_session;
    proxy_no_cache $cookie_session;
    proxy_buffers 4 32k;

    send_timeout 5m;
    proxy_read_timeout 240;
    proxy_send_timeout 240;
    proxy_connect_timeout 240;
}

location / {
    set $upstream_doc http://192.168.31.100:4430;
    proxy_pass $upstream_doc;

    auth_request /authelia;
    auth_request_set $target_url $scheme://$http_host$request_uri;
    auth_request_set $user $upstream_http_remote_user;
    auth_request_set $groups $upstream_http_remote_groups;
    proxy_set_header Remote-User $user;
    proxy_set_header Remote-Groups $groups;
    error_page 401 =302 https://authelia.myunraid.ru/?rd=$target_url;

    client_body_buffer_size 128k;

    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

    send_timeout 5m;
    proxy_read_timeout 360;
    proxy_send_timeout 360;
    proxy_connect_timeout 360;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header X-Forwarded-Uri $request_uri;
    proxy_set_header X-Forwarded-Ssl on;
    proxy_redirect  http://  $scheme://;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_cache_bypass $cookie_session;
    proxy_no_cache $cookie_session;
    proxy_buffers 64 256k;

    set_real_ip_from 192.168.31.0/16;
    real_ip_header X-Forwarded-For;
    real_ip_recursive on;
}

question endpoint conf

Hello -

I'm putting the finishing touches based on your guide. I have a question about the endpoint protection conf file.
I'm running home assistant on a VM (not on unraid's docker), what edits would I need to do to the upstream_CONTAINERNAME rows to enable this?

Also, what is this:
set_real_ip_from 192.168.1.0/16;

FYI: subbed your channel today on youtube. Great content, thanks for putting it together.
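A small linter, added here as an example and not part of the ibracorp/authelia repository, for pitfalls visible in the snippets posted above: the hyphenated $upstream_... variable name in the Error 526 post, the unclosed "location / {" block in the Proxy Hosts post, and the set_real_ip_from 192.168.1.0/16 line asked about here (it names the proxies trusted to supply the client IP, and a /16 with host bits set is silently widened to 192.168.0.0/16). It runs on a constructed sample, not on any poster's real file.

```python
"""Lint a Nginx Proxy Manager 'Protected Endpoint' snippet for pitfalls seen in the posts above."""
import ipaddress
import re

# Constructed sample in the shape of the snippets posted above, with one example of each pitfall
# (hyphenated variable name, unclosed block, CIDR with host bits set). Not any poster's real file.
SAMPLE = """
location /authelia {
    internal;
    set $upstream_authelia http://192.0.2.10:9091/api/verify;
    proxy_pass $upstream_authelia;
}
location / {
    set $upstream_binhex-sabnzbd $forward_scheme://$server:$port;
    proxy_pass $upstream_binhex-sabnzbd;
    auth_request /authelia;
    set_real_ip_from 192.168.1.0/16;
    real_ip_header X-Forwarded-For;
"""

VAR_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")      # what nginx accepts after '$'
SET_RE = re.compile(r"^\s*set\s+\$(\S+)\s+(.+?)\s*;\s*$")
REAL_IP_RE = re.compile(r"^\s*set_real_ip_from\s+(\S+)\s*;\s*$")


def lint(text: str) -> list:
    """Return a list of (line_number, message) findings for an nginx config fragment."""
    findings = []
    depth = 0
    lines = text.splitlines()
    for lineno, line in enumerate(lines, 1):
        code = line.split("#", 1)[0]          # ignore comments
        depth += code.count("{") - code.count("}")
        if depth < 0:
            findings.append((lineno, "unexpected '}'"))
            depth = 0
        m = SET_RE.match(code)
        if m and not VAR_NAME.match(m.group(1)):
            # nginx reads $a-b as the variable $a followed by the literal text "-b", so a later
            # proxy_pass $a-b refers to an undefined variable and the config fails to load.
            findings.append((lineno, f"invalid variable name ${m.group(1)}: only letters, "
                                     f"digits and '_' are allowed"))
        m = REAL_IP_RE.match(code)
        if m and m.group(1) != "unix:":
            cidr = m.group(1)
            try:
                ipaddress.ip_network(cidr, strict=True)
            except ValueError:
                net = ipaddress.ip_network(cidr, strict=False)
                # set_real_ip_from lists the proxies trusted to set the client IP via real_ip_header;
                # that IP is what nginx logs and forwards to Authelia, so list only the real proxies.
                findings.append((lineno, f"{cidr} has host bits set; nginx treats it as {net}. "
                                         f"Trust only the real proxy addresses."))
    if depth > 0:
        findings.append((len(lines), f"{depth} unclosed '{{'"))
    return findings


if __name__ == "__main__":
    for lineno, msg in lint(SAMPLE):
        print(f"line {lineno}: {msg}")
```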

documentation request: cloudflare / hardening of authelia with certs and nginx proxy manager

Hello -

I have my cloudflare ssl settings to full strict.

In your current guide I don't see a mention in the nginx proxy manager from proxy to authelia via https. That means authentication requests going from proxy to authelia are over http, not https, over internal network. When you get a moment could you update your guide on these points (if you agree). Maybe an optional section for further hardening for those of us wanting full end to end encryption.

  • cloudflare users get their cert origin keys
  • configure authelia to use the key/cert lines
  • configure nginx proxy manager to use https (instead of http)
  • updating of the endpoint and authelia conf files used in nginx proxy manager advanced settings.

Websocket Issues when using SSL

When I'm using the protected endpoint config (https://github.com/ibracorp/authelia/blob/master/Protected%20Endpoint.conf), I am unable to access websockets over SSL (unraid -> cloudflared -> nginx reverse proxy manager + authelia).

Trying to use Frigate as a docker container... everything works except the websocket connections. I believe the error is when the socket is upgraded over SSL...

[screenshot]
[screenshot]

websocket code goes into infinite retry loop
[screenshot]

location /authelia {
internal;
set $upstream_authelia http://192.168.1.9:9091/api/verify;
proxy_pass_request_body off;
proxy_pass $upstream_authelia;    
proxy_set_header Content-Length "";


proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
client_body_buffer_size 128k;
proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr; 
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect  http://  $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 4 32k;

send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;
}

location / {
set $upstream_frigate $forward_scheme://$server:$port;
proxy_pass $upstream_frigate;

auth_request /authelia;
auth_request_set $target_url https://$http_host$request_uri;
auth_request_set $user $upstream_http_remote_user;
auth_request_set $email $upstream_http_remote_email;
auth_request_set $groups $upstream_http_remote_groups;
proxy_set_header Remote-User $user;
proxy_set_header Remote-Email $email;
proxy_set_header Remote-Groups $groups;

error_page 401 =302 https://auth.redacted.me/?rd=$target_url;

client_body_buffer_size 128k;

proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

send_timeout 5m;
proxy_read_timeout 360;
proxy_send_timeout 360;
proxy_connect_timeout 360;

proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection upgrade;
proxy_set_header Accept-Encoding gzip;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect  http://  $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 64 256k;

set_real_ip_from 172.18.0.0/16;
set_real_ip_from 172.19.0.0/16;
real_ip_header CF-Connecting-IP;
real_ip_recursive on;

}

conf location

Hi, I am using swag and was wondering where Authelia Portal.conf and Protected Endpoint.conf should be placed?

Do they go in the Authelia container or in proxy.conf in the nginx/swag container?

Sorry if it is in the documentation, but I couldn't see it.
