Authentication with Authelia and Traefik through Docker

I wanted to figure out if there was an easier way to handle authentication and authorization. I have a bunch of services running via docker with their own authentication / authorization set up, and I wanted to simplify that.

Authelia

Authelia seemed to be a popular choice, so I decided to try it out. The examples in the documentation seemed to use Traefik which worked out pretty well since I migrated to Traefik from nginx.

Configuration

I configured Authelia based on their lite bundle.

server:
  address: 'tcp://:9091'

log:
  level: 'debug'

totp:
  issuer: 'authelia.com'

authentication_backend:
  file:
    path: '/config/users_database.yml'

access_control:
  default_policy: 'deny'
  rules:
    - domain: 'grafana.example.com'
      policy: 'one_factor'
    - domain: 'public.example.com'
      policy: 'bypass'

session:
  cookies:
    - name: 'authelia_session'
      domain: 'example.com'  # Should match whatever your root protected domain is
      authelia_url: 'https://authelia.example.com'
      expiration: '1 hour'
      inactivity: '5 minutes'

  redis:
    host: 'authelia_redis'
    port: 6380

regulation:
  max_retries: 3
  find_time: '2 minutes'
  ban_time: '5 minutes'

storage:
  local:
    path: '/config/db.sqlite3'

notifier:
  filesystem:
    filename: '/config/notification.txt'

Authelia authenticates the endpoint grafana.example.com and allows public access to public.example.com. We also need to host the Authelia service itself, so I added it to my main docker compose file. I put the configuration file at ./authelia/configuration.yml.
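To check what the access_control block above actually grants before deploying it, here is an added Python example (my own code, not Authelia's) that mirrors the documented rule semantics: rules are tried in order, the first rule whose domain matches the request host wins, and default_policy applies when nothing matches. The wildcard handling follows Authelia's convention that '*.example.com' matches subdomains but not the apex; the ACCESS_CONTROL dict is a constructed copy of the post's configuration.

```python
"""Offline evaluator for Authelia-style access_control rules (added example)."""

# Constructed copy of the access_control section from configuration.yml above.
ACCESS_CONTROL = {
    "default_policy": "deny",
    "rules": [
        {"domain": "grafana.example.com", "policy": "one_factor"},
        {"domain": "public.example.com", "policy": "bypass"},
    ],
}


def domain_matches(pattern: str, host: str) -> bool:
    """Match a rule domain against a request host, case-insensitively.

    A leading '*.' matches one or more subdomain labels but never the apex
    domain itself, which is how Authelia treats wildcard domains.
    """
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def policy_for(host: str, access_control: dict = ACCESS_CONTROL) -> str:
    """Return the policy Authelia would apply to a request for `host`.

    First matching rule wins. With no match the configured default_policy
    applies, which is why 'deny' is the safe default: a service you forget
    to list is refused (403 from forward-auth) rather than silently exposed.
    """
    for rule in access_control["rules"]:
        domains = rule["domain"]
        if isinstance(domains, str):  # Authelia accepts a string or a list here
            domains = [domains]
        if any(domain_matches(d, host) for d in domains):
            return rule["policy"]
    return access_control["default_policy"]


def audit(hosts, access_control: dict = ACCESS_CONTROL) -> dict:
    """Map each host to its effective policy, for review before deploying."""
    return {h: policy_for(h, access_control) for h in hosts}


if __name__ == "__main__":
    for host, policy in audit(["grafana.example.com", "public.example.com",
                               "forgotten.example.com"]).items():
        print(f"{host:28} -> {policy}")
```

Running it prints one line per host; anything that comes back as deny is either intentionally blocked or a router you forgot to add a rule for.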

The next step is to add Authelia and its dependencies to your main docker compose file.

  authelia_redis:
    image: 'redis:alpine'
    container_name: 'authelia_redis'
    command: "--port 6380"
    expose:
      - 6380
    volumes:
      - './redis:/data'
    restart: 'unless-stopped'
    environment:
      TZ: 'America/Chicago'

  authelia:
    image: 'authelia/authelia'
    container_name: authelia
    volumes:
      - './authelia:/config'
    user: ${PUID}:${PGID}
    expose:
      - 9091
    labels:
      traefik.enable: 'true'
      traefik.http.routers.authelia.rule: 'Host(`authelia.example.com`)'
      traefik.http.routers.authelia.entrypoints: websecure
      traefik.http.routers.authelia.tls.certresolver: letsencrypt
      traefik.http.middlewares.authelia.forwardauth.address: 'http://authelia:9091/api/authz/forward-auth'
      traefik.http.middlewares.authelia.forwardauth.trustForwardHeader: 'true'
      traefik.http.middlewares.authelia.forwardauth.authResponseHeaders: 'Remote-User,Remote-Groups,Remote-Name,Remote-Email'
    restart: 'unless-stopped'
    environment:
      TZ: 'America/Chicago'
      AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE: '/config/secrets/JWT_SECRET'
      AUTHELIA_SESSION_SECRET_FILE: '/config/secrets/SESSION_SECRET'
      AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: '/config/secrets/STORAGE_ENCRYPTION_KEY'

The above config is for the main Authelia service. I created the *_SECRET key files under the ./authelia/secrets/ folder. As you can see, the labels create a new Traefik middleware called authelia.

To enable authentication for https://grafana.example.com, I just had to add the authelia@docker middleware to the service's main router.

labels:
  traefik.enable: true
  traefik.http.routers.grafana.rule: Host(`grafana.${DOMAIN}`)
  traefik.http.routers.grafana.entrypoints: websecure
  traefik.http.routers.grafana.tls.certresolver: letsencrypt
  traefik.http.routers.grafana.middlewares: authelia@docker

Once you’ve protected your endpoints with Authelia, you can disable the built-in authentication mechanism of your services.

TL;DR (auto-generated with llama3.2:1b)

The author has set up an authentication system using Authelia and Traefik (a reverse proxy server) within a Docker container. They have configured Authelia to authenticate the endpoints of their Grafana instance, which they also run in a separate container. The configuration file is stored in ./authelia/configuration.yml.

To add Authelia to their main Docker Compose file, they added two new containers: authelia_redis and authelia, which are used to store and expose the Redis database respectively. They then created a middleware called authelia@docker for Traefik to enable authentication for specific routes.

The author also notes that disabling built-in authentication mechanisms is possible by using the Authelia middleware with Traefik’s router, but this comes at the cost of having to manage separate configurations and secrets.