Authelia | Authentication for Traefik - Ultimate Guide / Keycloak alternative

10,240 views

Tech with Marco

*Get 200$ worth of credits in the Digital Ocean Cloud: link.techwithmarco.com/digita... (*)
Github tutorial link: link.techwithmarco.com/github...
In this tutorial, learn how to enhance the security of your Traefik setup by implementing powerful authentication using Authelia, an open source software. Authelia acts as a 2FA & SSO authentication server dedicated to protecting both applications and users. With Authelia, you can enjoy a wide range of features, including:
- Several two-factor authentication methods for enhanced security.
- Self-service password reset functionality.
- Account banning after multiple failed login attempts (known as regulation).
You'll also explore different options for the first and second factors of authentication, such as a user database (configurable in a YAML file or an LDAP server/Active Directory), TOTP apps like Google Authenticator, YubiKey, and mobile push with the cloud software Duo. Additionally, Authelia allows you to enforce password policies with options like requiring numbers, characters, and a specific length.
Take control of authorization by defining access control rules for specific URLs, granting access to certain users or groups. Safeguard against brute-force attacks with built-in brute-force protection, which automatically locks an account after several failed login attempts.
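The settings described above, as an added example that is not taken from the video or its GitHub repository: the parts of an Authelia `configuration.yml` that set the user database, password policy, regulation and access control rules. The `example.com` hostnames, the `admins` group and the user-database path are assumptions.

```yaml
# Added example: hostnames, group name and file path are assumptions.
authentication_backend:
  file:
    path: /config/users_database.yml   # YAML user database (first factor)

password_policy:
  standard:
    enabled: true
    min_length: 12
    require_uppercase: true
    require_lowercase: true
    require_number: true
    require_special: true

regulation:
  max_retries: 3    # failed logins tolerated...
  find_time: 2m     # ...within this window...
  ban_time: 5m      # ...before the account is banned for this long

access_control:
  default_policy: deny          # anything not matched below is refused
  rules:
    # Rules are evaluated top to bottom; the first one that matches wins.
    - domain: "portainer.example.com"
      subject: "group:admins"
      policy: two_factor
    - domain: "app.example.com"
      resources:
        - "^/admin([/?].*)?$"
      subject: "group:admins"
      policy: two_factor
    # A rule whose subject does not match is skipped, so without this
    # explicit deny a non-admin would fall through to the rule below.
    - domain: "app.example.com"
      resources:
        - "^/admin([/?].*)?$"
      policy: deny
    - domain: "app.example.com"
      policy: one_factor
```

Keeping `default_policy: deny` means a hostname that was never listed is refused rather than silently exposed.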
For advanced users, Authelia offers even more capabilities, such as serving as an Identity Provider for third-party applications and using OpenID Connect (OIDC) with applications like Portainer, Grafana, and Nextcloud.
Join me for this demo-packed tutorial and learn how to secure your Traefik setup with Authelia, ensuring the highest level of protection for your applications and users.
Stay tuned for more valuable tutorials on my channel!
#Traefik #Authelia #Authentication #Security #tutorial
Traefik Tutorial: • TRAEFIK - the BEST rev...
00:00 - 00:29 Intro
00:29 - 00:57 What is Authelia
00:58 - 02:00 Options of Authelia
02:01 - 02:30 Which proxies are compatible?
02:31 - 05:19 Dataflow of authorization
05:20 - 05:50 Demo time - files overview
05:51 - 10:02 Docker-compose.yml
10:03 - 16:44 Authelia configurations
16:45 - 18:08 User database
18:09 - 20:53 Live examples
20:54 - 23:54 Identity provider settings
23:55 - 24:40 Outro
www.authelia.com/
traefik.io/traefik/
www.portainer.io/
www.digitalocean.com/ #digitalocean
Support me at Patreon: / techwithmarco
--------------------------
(*) -links are affiliate links. (If you buy something through the link, I receive a commission of your purchases. There are no extra costs for you.)

Comments: 28
@techwithmarco 8 months ago
🔐If you want to improve your security stack even more, head over to my newest video about using a docker-socket-proxy instead of using it directly mounted from the host system! kzfaq.info/get/bejne/mLWdoc57vtyXaYE.html
@olsenlid 1 year ago
I made several attempts to configure Authelia a few weeks ago, but I was unsuccessful. However, after watching your video and going through it quickly, I was finally able to reach the sign-in page of my Authelia stack. I wanted to express my appreciation for your excellent work. Keep it up! :)
@techwithmarco 1 year ago
Very kind of you! I am really happy that I could help you out! 😊
@dalgardnerd 4 months ago
I have watched so much content on traefik and authelia and struggled so hard until now. Your two videos on the subject are so great. Thanks!
@techwithmarco 3 months ago
Glad to hear that! Hope you're having fun configuring your instances!
@avdokuchaev 7 months ago
Great guide. Previously, I didn't know how to make these settings and wasted a lot of time. Now I managed to set everything up. Thank you very much for the excellent instructions!
@techwithmarco 7 months ago
Glad to hear that :)
@justhackerthings 2 months ago
Thanks for the great video! It helped me a lot!
@nicoladellino8124 1 year ago
Very useful video, THX.
@techwithmarco 1 year ago
Thanks! Always appreciate these comments 🙂
@jkandersen 1 year ago
great thing - saved a lot of headaches.
@techwithmarco 1 year ago
Always happy to save someone a headache :)
@RR-vi1oz 1 year ago
Great video, Thank you
@techwithmarco 1 year ago
Thanks! Always appreciate these comments 🙂
@cybr774 1 year ago
Nice video as always! I'm curious how you set up your instance running docker, do you set up anything in particular to secure it? Like changing the docker namespace?
@techwithmarco 1 year ago
Thanks @Nemesees ! For this demonstration purpose I did nothing in particular to harden the server completely because I shut it down afterwards. But in other cases I mostly do stuff like denying root logins, disable pw logins, only allow ssh logins and sometimes extend ssh logins to provide a totp. UFW is a nice tool which I enable, and extend to work with docker (github.com/chaifeng/ufw-docker). On traefik I use crowdsec, and sometimes authelia. You could extend this with really private services to run only in a private subnet and make them accessible via a vpn connection or tailscale... millions of possibilities 😄 But until now I did not use docker namespace remapping. I will check that out and will learn how to do it. Thanks for the hint! And sometimes I use cloud-init scripts or ansible playbooks, and sometimes do it with my bare hands, as it is fun (only when you do not too often 😄) What do you usually do to harden your servers? Maybe I can create a video about different possibilities to harden servers :-) Cheers!
@cybr774 1 year ago
@techwithmarco Thanks for the detailed answer. As of now, I always apply the standard techniques to harden a server (such as no root via SSH, no password auth and only with key pairs etc), then I change the namespace by following the simple guide on the docker documentation so that the containers don't run as root. Unfortunately, by changing this particular setting, I often find myself having to pass in the docker compose files the parameter "userns_mode: host" due to the fact that some services containerized require higher privileges. I'm always on the lookout for possible ways to harden my servers and by not blocking too much that it becomes hard working on them.
@TheOnlyEpsilonAlpha 1 year ago
Great video, I'm more familiar with portainer config, but not with oauth. I guess you have to map a certain group in authelia with a group in portainer. Or you can map the new user in portainer manually to the correct user rights, but I guess that is not that fancy ;)
@techwithmarco 1 year ago
Yeah it's not that fancy, but if it serves the purpose then I guess it's okay 😀 But you are right, you can map specific groups of portainer to some custom claim in the token, which contains the groups of Authelia!
@YTDIMIR 1 year ago
Great, keep it up. 😎
@techwithmarco 1 year ago
Thanks, master 😎
@user-de1ii3nl7t 10 months ago
Could I implement it as an authentication tool for a Google site?
@techwithmarco 10 months ago
That won't work because you do not have the control over the google site, to redirect to your authentication website. Correct me if I'm wrong about your setup 😄
@user-de1ii3nl7t 10 months ago
So I need to use a Google product as an authentication tool in my Google site. I just want to make a members area page that will be inaccessible to non-members. Thank you :) @techwithmarco
@user-of6ls2ng5l 7 months ago
Somebody tell this guy that the code should be shown in large print, otherwise the video just wants to turn off
@techwithmarco 7 months ago
I already tried to do that in my newest videos :)
@ronnybeer471 8 months ago
Nice video. Would it be working with OpnSense and HAProxy as Reverse Proxy? I have some difficulties with that Combination. Great Job.
@techwithmarco 7 months ago
I am not sure as I have never used HAProxy, nor OpnSense... All I can do now is guessing 😄