Authelia is an open-source authentication and authorization server providing 2-factor authentication and single sign-on (SSO) for your applications via a web portal. It acts as a companion to reverse proxies like nginx, Traefik or HAProxy, telling them whether queries should pass through. Unauthenticated users are redirected to the Authelia sign-in portal instead.
Here is the list of the main available features:
- Several second factor methods:
  - Security Key (U2F) with Yubikey.
  - Time-based One-Time password with Google Authenticator.
  - Mobile Push Notifications with Duo.
- Password reset with identity verification using email confirmation.
- Single-factor only authentication method available.
- Access restriction after too many authentication attempts.
- Fine-grained access control per subdomain, user, resource and network.
- Support of basic authentication for endpoints protected by single factor.
- Beta support for OpenID Connect.
- Highly available using a remote database and Redis as a highly available KV store.
- Compatible with Kubernetes ingress-nginx controller out of the box.
For more details about the features, follow Features.
If you want to know more about the roadmap, follow Roadmap.
Installation and Setup
- Authelia is deployed via the DockServer main menu, option
[ 1 ] Dockserver - Traefik + Authelia
Follow the Instructions
Two-Factor Authentication (2FA) (Optional)
- Authelia deployed via DockServer menu
- Authenticator app (Google Authenticator, 1Password, Authy, AndOTP, etc.)
Once Authelia is deployed, open its configuration file:
sudo nano /opt/appdata/authelia/configuration.yml
Change the following:
    totp:
      issuer: authelia
to:
    totp:
      issuer: authelia
      period: 30
      skew: 1
Scroll further and change the following:
    ## one factor login
    - domain: "*.YOURDOMAIN.COM"
      policy: one_factor
to:
    ## two factor login
    - domain: "*.YOURDOMAIN.COM"
      policy: two_factor
Save and exit by typing
CTRL + X, then
Restart the container:
sudo docker restart authelia
Now visit https://authelia.YOURDOMAIN.com and log in with the username/password. You'll be presented with a screen saying you need to register your device for TOTP. Click "Not registered yet?" and a message will appear on screen saying "An email has been sent to your address to complete the process". As we didn't set up SMTP, no email has been sent. However, the link you need to continue the setup can be found here:
Copy and paste the URL found in this file into your browser, and then scan the QR code with your favourite OTP app (Google Authenticator, 1Password, Authy, AndOTP, etc). Follow the setup instructions in your app, and enter the 6-digit OTP in Authelia.
Congrats, you've got 2FA set up with Authelia!
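To show what the `period: 30` and `skew: 1` values set above mean when a code is checked, the following added example (not part of the original guide and not Authelia's own code) implements RFC 6238 TOTP in Python and accepts a code from the current time step or one step either side. The secret is the published RFC test key, and the function names are assumptions chosen for this example.

```python
import hashlib
import hmac
import struct

PERIOD = 30  # seconds per time step, matching `period: 30`
SKEW = 1     # steps accepted either side of the current one, matching `skew: 1`
DIGITS = 6   # the 6-digit OTP entered in the portal

# Constructed sample secret (the RFC 6238 SHA-1 test key), not a real credential.
SAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, period: int = PERIOD) -> str:
    """RFC 6238 TOTP: HOTP keyed on the number of elapsed periods."""
    return hotp(secret, unix_time // period)


def verify(secret: bytes, code: str, unix_time: int,
           period: int = PERIOD, skew: int = SKEW):
    """Return the matching step offset (-skew..+skew), or None if rejected."""
    current = unix_time // period
    matched = None
    for offset in range(-skew, skew + 1):
        if current + offset < 0:
            continue  # no time step exists before the Unix epoch
        candidate = hotp(secret, current + offset)
        # Constant-time compare; every offset is checked even after a match.
        if hmac.compare_digest(candidate.encode(), code.encode()) and matched is None:
            matched = offset
    return matched


def acceptance_window(period: int = PERIOD, skew: int = SKEW) -> int:
    """Seconds during which one issued code can still be accepted."""
    return (2 * skew + 1) * period


if __name__ == "__main__":
    code = totp(SAMPLE_SECRET, 59)                # issued in step 1 (t = 30..59)
    print(code, verify(SAMPLE_SECRET, code, 75))  # next step: accepted, offset -1
    print(verify(SAMPLE_SECRET, code, 95))        # two steps later: rejected
    print(acceptance_window())                    # 90 seconds
```

Each increment of `skew` adds two more periods during which a captured code remains usable, so keep it at the smallest value that tolerates your clients' clock drift.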