# How to Setup Authelia

## Overview

Authelia is an open-source authentication and authorization server and portal. It fills the identity and access management (IAM) role by providing multi-factor authentication and single sign-on (SSO) for your applications through a web portal, and it is designed to sit alongside common reverse proxies.
Configuration Files
| File | What to Do |
|---|---|
secrets/JWT_SECRET |
Run openssl rand -hex 32 and paste into file. |
secrets/NOTIFIER_SMTP_PASSWORD |
This would be your SMTP API Key that you generated from SendGrid. Follow Create an API Key for SendGrid. |
secrets/REDIS_PASSWORD |
Run openssl rand -hex 32 and paste into file. This will need to be the same password as the REDIS_PASSWORD in the .env file. |
secrets/SESSION_SECRET |
Run openssl rand -hex 32 and paste into file. |
secrets/STORARE_ENCRYPTION_KEY |
Run openssl rand -hex 32 and paste into file. |
secrets/STORAGE_PASSWORD |
Run openssl rand -hex 32 and paste into file. |
## Important Authelia Files

### configuration.yml file

**Replace:** replace `DOMAIN` with the domain you want to use for your Authelia instance.

`configuration.yml`:
```yaml
theme: 'auto'

server:
  address: "tcp://:9091/authelia"
  #asset_path: /config/assets/
  timeouts:
    read: '15s'
    write: '15s'
    idle: '30s'

log:
  level: debug
  format: json
  file_path: '/config/logs/authelia.%d.json'

authentication_backend:
  password_reset:
    disable: false
  file:
    path: '/config/users.yml'
    watch: true
    password:
      algorithm: argon2id
      iterations: 3
      memory: 65536
      parallelism: 4
      key_length: 32
      salt_length: 16

totp:
  disable: false
  issuer: 'sso.DOMAIN'
  algorithm: sha256
  digits: 6
  period: 30
  skew: 1
  secret_size: 32

password_policy:
  standard:
    enabled: true
    min_length: 12
    max_length: 0
    require_uppercase: true
    require_lowercase: true
    require_number: true
    require_special: true

access_control:
  default_policy: 'deny'
  rules:
    - domain: 'sso.DOMAIN'
      policy: bypass
    - domain:
        - '*.DOMAIN'
      resources:
        - '^/api([/?].*)?$'
      policy: bypass
    - domain:
        - '*.DOMAIN'
      policy: two_factor

session:
  name: 'DOMAIN_authelia_session'
  same_site: 'lax'
  inactivity: '5m'
  expiration: '1h'
  remember_me: '1M'
  cookies:
    - domain: 'DOMAIN'
      authelia_url: 'https://sso.DOMAIN'
      name: 'DOMAIN_authelia_session'
      same_site: 'lax'
      inactivity: '5m'
      expiration: '1h'
      remember_me: '1w'
  redis:
    host: 'authelia-redis'
    port: '6379'

regulation:
  max_retries: '3'
  find_time: '120'
  ban_time: '300'

notifier:
  disable_startup_check: 'true'
  smtp:
    address: 'smtp://smtp.sendgrid.net:587'
    timeout: '30s'
    username: 'apikey'
    sender: 'Authelia <authelia@DOMAIN>'

ntp:
  address: 'udp://time.cloudflare.com:123'
  version: '3'
  max_desync: '3s'
```
### users.yml file

**Fill out:** replace `Name` with the name of the account and fill in the email address and display name. Use the command in the file's comment to generate the password hash for your account.

`users.yml`:
```yaml
users:
  Name:
    disabled: false
    displayname: ""
    # For the password hash, run:
    #   docker run authelia/authelia:latest authelia crypto hash generate argon2 --password 'password'
    password: ""
    email: ""
```
## Important Docker Files

### Configure .env file

| Variable | Description |
|---|---|
| `ID` | ID of the user. Run `id -u` and `id -g` to find your user and group IDs on your server. |
| `TZ` | Time zone, for example `America/New_York`. |
| `NAME` | Container name. |
| `APPDATA` | Bind mount location. |
| `SUB` | Subdomain for the container. |
| `DOMAIN` | Domain. |
| `DB_USER` | Database username. Usually run `openssl rand -hex 16` and append the output to the container name, for example `${NAME}-cfd6dbafc07759aa6f92eb648ffab3a8`. |
| `DB_NAME` | Database name. Usually run `openssl rand -hex 16` and append the output to the container name, for example `${NAME}-17943efaa6e391e5530734666ad0fb47`. |
| `REDIS_PASSWORD` | Redis password. Usually run `openssl rand -hex 32`. |
| `PORT` | Port for the container. |
### .env file

`.env`:

```ini
ID=
TZ=America/New_York
NAME=authelia
APPDATA=
SUB=sso
DOMAIN=
DB_USER=authelia-
DB_NAME=authelia-
REDIS_PASSWORD=
PORT=9001
```
### docker-compose.yml file

`docker-compose.yml`:

```yaml
services:
  authelia:
    image: authelia/authelia
    container_name: ${NAME}
    restart: unless-stopped
    user: ${ID}:${ID}
    volumes:
      - ${APPDATA}/${NAME}/config:/config
      - ${APPDATA}/${NAME}/secrets:/secrets
    depends_on:
      - ${NAME}-db
      - ${NAME}-redis
    networks:
      - proxy
      - internal-db
    dns:
      - 10.1.10.1
    environment:
      TZ: ${TZ}
      AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE: /secrets/JWT_SECRET
      AUTHELIA_SESSION_SECRET_FILE: /secrets/SESSION_SECRET
      AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE: /secrets/STORAGE_PASSWORD
      AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: /secrets/STORAGE_ENCRYPTION_KEY
      AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE: /secrets/NOTIFIER_SMTP_PASSWORD
      #AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE: /config/keys/oidc-private.pem
      AUTHELIA_STORAGE_POSTGRES_ADDRESS: ${NAME}-db
      AUTHELIA_STORAGE_POSTGRES_DATABASE: ${DB_NAME}
      AUTHELIA_STORAGE_POSTGRES_USERNAME: ${DB_USER}
      #AUTHELIA_DEFAULT_REDIRECTION_URL: https://${SUB}.${DOMAIN}
      AUTHELIA_SESSION_REDIS_PASSWORD_FILE: /secrets/REDIS_PASSWORD
    labels:
      swag: enable
      swag_address: ${NAME}
      swag_port: ${PORT}
      swag_url: ${SUB}.${DOMAIN}
      com.centurylinklabs.watchtower.enable: true

  authelia-db:
    #image: pgautoupgrade/pgautoupgrade:17-alpine
    image: postgres:17-alpine
    container_name: ${NAME}-db
    restart: unless-stopped
    healthcheck:
      interval: 10s
      retries: 10
      test: pg_isready -U ${DB_USER} -d ${DB_NAME}
      timeout: 2s
    networks:
      - internal-db
    environment:
      TZ: ${TZ}
      POSTGRES_DB: ${DB_NAME}
      POSTGRES_USER: ${DB_USER}
      POSTGRES_PASSWORD_FILE: /secrets/STORAGE_PASSWORD
    volumes:
      - ${APPDATA}/${NAME}/${NAME}-db:/var/lib/postgresql/data
      - ${APPDATA}/${NAME}/secrets:/secrets
    labels:
      com.centurylinklabs.watchtower.enable: true

  authelia-redis:
    image: redis:alpine
    container_name: ${NAME}-redis
    restart: unless-stopped
    command: /bin/sh -c "redis-server --requirepass $REDIS_PASSWORD"
    volumes:
      - ${APPDATA}/${NAME}/${NAME}-redis:/data
    networks:
      - internal-db
    labels:
      com.centurylinklabs.watchtower.enable: true

networks:
  internal-db:
    external: true
  proxy:
    external: true
```
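The secrets table above and the compose file both hinge on the same set of files: every `*_FILE` variable in the compose file points at `/secrets/NAME`, the Redis password has to match between `secrets/REDIS_PASSWORD` and `.env`, and `STORAGE_ENCRYPTION_KEY` must never be silently regenerated once the database exists. The script below is an added example, not part of the original guide or of the Authelia project: it generates the random secrets with `openssl rand -hex 32` (falling back to `/dev/urandom`), writes them with mode 0600, keeps any file that already exists, mirrors `REDIS_PASSWORD` into `.env`, and runs a pre-flight check that every `/secrets/...` path referenced in the compose file is present. The base directory path and the compose file path are arguments you supply; `NOTIFIER_SMTP_PASSWORD` is skipped on purpose because it holds the SendGrid API key, which is issued rather than generated.

```shell
#!/bin/sh
# Added example (not from the original guide): create the secrets/ directory the
# compose file mounts at /secrets, then check it before `docker compose up -d`.
# Assumptions: POSIX sh, a writable base directory ($APPDATA/$NAME in the guide),
# and openssl or /dev/urandom. NOTIFIER_SMTP_PASSWORD is not generated here.
set -eu

# The secrets the guide fills with `openssl rand -hex 32`.
RANDOM_SECRETS="JWT_SECRET SESSION_SECRET STORAGE_ENCRYPTION_KEY STORAGE_PASSWORD REDIS_PASSWORD"

# 32 random bytes rendered as 64 lowercase hex characters.
rand_hex32() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -hex 32
  else
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
  fi
}

# Write one secret file, readable only by its owner. An existing file is kept:
# re-running this must not rotate STORAGE_ENCRYPTION_KEY, or the data Authelia
# already encrypted in Postgres becomes unreadable.
write_secret() {
  dir="$1"; name="$2"; value="$3"
  if [ -e "$dir/$name" ]; then
    return 0
  fi
  umask 077
  printf '%s' "$value" > "$dir/$name"
  chmod 600 "$dir/$name"
}

# Create every random secret under $1/secrets and mirror REDIS_PASSWORD into
# $1/.env, since the compose file reads the Redis password from both places
# (the redis-server --requirepass argument and the *_PASSWORD_FILE variable).
make_secrets() {
  base="$1"
  mkdir -p "$base/secrets"
  for s in $RANDOM_SECRETS; do
    write_secret "$base/secrets" "$s" "$(rand_hex32)"
  done
  # Read back rather than reuse the fresh value: the file may have pre-existed.
  redis_pw="$(cat "$base/secrets/REDIS_PASSWORD")"
  touch "$base/.env"
  grep -v '^REDIS_PASSWORD=' "$base/.env" > "$base/.env.tmp" || true
  printf 'REDIS_PASSWORD=%s\n' "$redis_pw" >> "$base/.env.tmp"
  mv "$base/.env.tmp" "$base/.env"
}

# Pre-flight check. Returns 0 only if every /secrets/NAME referenced in the
# compose file ($2) exists under $1/secrets, every generated secret is exactly
# 64 hex characters, and REDIS_PASSWORD in .env equals the secret file.
check_secrets() {
  base="$1"; compose="$2"
  for ref in $(grep -o '/secrets/[A-Z_][A-Z_]*' "$compose" | sort -u); do
    [ -f "$base$ref" ] || { echo "missing $base$ref" >&2; return 1; }
  done
  for s in $RANDOM_SECRETS; do
    grep -Eq '^[0-9a-f]{64}$' "$base/secrets/$s" \
      || { echo "$s is not 64 hex characters" >&2; return 1; }
  done
  env_pw="$(sed -n 's/^REDIS_PASSWORD=//p' "$base/.env")"
  [ "$env_pw" = "$(cat "$base/secrets/REDIS_PASSWORD")" ] \
    || { echo "REDIS_PASSWORD in .env differs from secrets/REDIS_PASSWORD" >&2; return 1; }
  echo "secrets OK"
}
```

Source the script and call `make_secrets "$APPDATA/$NAME"` once, drop the SendGrid key into `secrets/NOTIFIER_SMTP_PASSWORD` by hand, then run `check_secrets "$APPDATA/$NAME" docker-compose.yml`. A non-zero exit names the first missing or inconsistent file. Before starting the stack, `docker compose config` renders the interpolated compose file so the `${...}` substitutions from `.env` can be confirmed, and Authelia's own `authelia validate-config` subcommand checks `configuration.yml` without starting the service.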
## How to Run

**Run the command:**

```sh
docker compose up -d
```