Simple Self-Hosted Security with Authelia

10,668 views

apalrd's adventures

1 day ago

In this video, I'm setting up Authelia. It's a very lightweight authentication service, which can be used to provide authentication to services which don't natively support any form of authentication. I think this is a great choice for small scale homelab environments, as it's simple to run and administer.
Blog post with instructions:
www.apalrd.net/posts/2024/ult...
FlexiSpot C7 Premium Ergonomic Chair:
Use my code C730 for $30 off!
US: bit.ly/4c8Tq2z
CA: bit.ly/4aWkpNQ
Support me on Ko-Fi if you enjoy my content and find it useful:
ko-fi.com/apalrd
Feel free to chat about my upcoming projects on Discord!
/ discord
Timestamps:
00:00 - Introduction
00:29 - Overview
02:33 - Installation
10:20 - User Database
11:26 - Certbot
13:16 - Caddy Forward Auth
14:40 - Advanced Auth
16:23 - Two Factor Setup
17:36 - Conclusions

Comments: 52
@apalrdsadventures 14 days ago
Now is the best time to buy FlexiSpot Ergonomic Chair. 30 days free return, try it with confidence! Use code "C730" for $30 off! US: bit.ly/4c8Tq2z CA: bit.ly/4aWkpNQ
@BartomiejSacharski 14 days ago
About Frigate not having authentication: the current beta (0.14) has authentication exposed on port 8080, with 5000 now being considered an "internal endpoint" that should be isolated from the "normal" network.
@nezu_cc 7 days ago
I've been running authelia with docker and traefik and it's amazing. All the apps that have OIDC use OIDC the rest use proxy auth. The nice thing about using it with services like traefik is that once set up it's a single line in the YML to enable it for a service. God, I love Docker. I've even started adding OIDC auth to my own projects since it makes auth so much simpler to manage in the long run.
@KeithHanlan 14 days ago
I like how this proxy setup is able to support differing policies for different URIs. Once you have authenticated without 2FA for a non-config URI, your config is still protected. This sort of behaviour from built in authentication would require much more work for the developers and consequently introduce risk. Very slick. Once again, thank you for sharing your experience!
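The per-URI policy this comment praises is expressed in Authelia's `access_control` rules. The following is an added example, not configuration from the video or its blog post; the hostname `frigate.example.com`, the `admins` group and the `/config` path are assumptions chosen to match the Frigate demo. Rules are evaluated first-match, so the order matters:

```yaml
# Added example (assumed hostname, group and path). Authelia configuration.yml fragment.
access_control:
  # Anything not matched by a rule below is refused outright.
  default_policy: deny
  rules:
    # Admins may reach the config UI, but only after a second factor.
    - domain: frigate.example.com
      resources:
        - '^/config(/.*)?$'
      subject:
        - 'group:admins'
      policy: two_factor
    # Everyone else is refused on the config path. Without this rule a
    # non-admin would fall through to the one_factor rule below and get in.
    - domain: frigate.example.com
      resources:
        - '^/config(/.*)?$'
      policy: deny
    # The rest of the UI needs a password only; a one_factor session
    # does not satisfy the two_factor rule above, so config stays protected.
    - domain: frigate.example.com
      policy: one_factor
```

With Caddy's `forward_auth` in front of Frigate, each request is checked against these rules before the proxy forwards it, so a session that only completed the first factor is still bounced to the 2FA prompt on `/config`.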
@georgH 14 days ago
I use a different approach: none of my services are exposed to the internet except for v2ray. I used v2ray when I lived in a country with censored internet and I keep using it to connect to my services securely. Because it can be set up to work over standard HTTPS, it works everywhere, even in places where WireGuard and OpenVPN are blocked (which is very common nowadays). Because nothing is exposed, I use the DNS method of renewing the Let's Encrypt certificate instead of the HTTPS one.
@Darkk6969 14 days ago
Yep. I use pfsense's HAProxy and ACME to handle the certificates for Let's Encrypt. Real happy that it supports DNS to verify the domain.
@dvntaudio8106 5 days ago
Awesome to see someone that uses v2ray! I discovered that through the "hysteria toolkit". I found it fascinating and functional..🐯🙏
@RyanParmeter 14 days ago
I've been able to get Authentik working for a simple setup and plan to expand. It can act as an LDAP (and other) user store for wide compatibility.
@dirtybrokkoli 13 days ago
Is the setup as "simple" as the authelia setup seems here? And how easy is it to integrate it with common applications like nextcloud, jellyfin, etc?
@lightechoes 14 days ago
Great stuff as always. I've been thinking about authentication for a while.
@LaurenceHartje 14 days ago
I'm running Windows AD on my homelab and Keycloak for handling the SSO to OIDC apps (Portainer, Paperless-NGX, PGAdmin, XO-CE and Proxmox [as I'm experimenting with different hypervisors at the moment]). Nothing exposed publicly, remote access is all over Wireguard.
@netroy 13 days ago
7:00 For SMTP I run local mailpit. It's pretty good.
@apalrdsadventures 12 days ago
That looks super useful, especially in a test environment
@Felix-ve9hs 14 days ago
Pretty cool, definitely something I'll take a look at the next time I rework my home network :^)
@alex.prodigy 8 days ago
Awesome video, thanks! I know there are many solutions like this, but since you are already using Caddy... probably caddy-security would make sense here.
@hanley-development 14 days ago
Authentik is great and works with duo push.
@olokelo 14 days ago
Thank you for the video! As for my current setup I don't run any authentication server however I'm using client TLS certificates and Wireguard for remote access. I think that's secure enough.
@apalrdsadventures 14 days ago
Client TLS certs are an extremely secure form of auth if the CA is properly hardened / offline. I'd been using client TLS certs before I had this setup; it's just a pain to re-key clients every few months.
@John-kd6gi 12 days ago
@apalrdsadventures Hello, can Authelia be used to add 2FA to WireGuard?
@lifefromscratch2818 14 days ago
Someday I would like to get far enough with my learning where I feel comfortable trying to implement a single sign on solution.
@codeman99-dev 14 days ago
I intend to set up Authentik at some point. It's probably way too much for my needs. That said, I know there's documentation for the one application I actually host. Heh.
@colinstu 13 days ago
Frigate has been on my list to mess around with. TIL that it didn't have auth yet (but I see another comment saying it does now in beta).
@AndrewFrink 14 days ago
I'd like to run a single sign-on thing, but covering web apps; user accounts on LXCs, SMB shares, real hosts, and Windows computers; and managing SSH keys is just too much. None of my services (except WireGuard) are publicly accessible, so I basically have 0 authentication on services.
@TheUkeloser 14 days ago
I work for a network security company that provides, among other things, a large enterprise grade authentication platform, and I get it for free for "testing" purposes, so I run that in my lab. Way overkill, but it does RADIUS, LDAP, SAML, etc. so I can make it work with just about anything I want to run. Definitely don't recommend it for home labbers though, since even the smallest VM license is 4 figures.
@almc8445 14 days ago
RADIUS, LDAP, SAML… Kerberos, NTLM, OIDC, OAuth 2… Fk me no wonder so many apps don’t implement SSO, it shouldn’t be this hard…
@apalrdsadventures 14 days ago
Part of the issue is that different industries have different historical standards which they follow. RADIUS came from dial-up authentication and became the standard in everything networking (like 802.1X), OIDC/OAuth run over HTTP(s) so they can be done by web apps without an installed client, and Kerberos is a great solution and could be universal but is really only possible on domain-joined computers (at least with current implementations), unfortunately.
@almc8445 14 days ago
@apalrdsadventures Yeah, it definitely makes sense how we got to this point, just sad we haven't seen a unified push to adopt or build a universal standard. And I don't think we're likely to see it happen in my lifetime...
@Unselfless 7 days ago
I've been looking at Authelia, Authentik, and Zitadel for my own homelab. Is there anything in particular about one that makes it better than another? I can't seem to find too many videos about Zitadel
@flosen569 14 days ago
Great video, are there any GUIs available for managing Authelia? If so, could you create a video?
@apalrdsadventures 14 days ago
Authelia itself has a GUI for managing password reset and TOTP/WebAuthn configuration. The only thing 'missing' is the initial user creation.
@darkpixel1128 14 days ago
If you connect to an LDAP service you can create users with a GUI. LLDAP is an easy, lightweight way to do this.
@apalrdsadventures 14 days ago
I'm expecting this to be used by people with
@dirtybrokkoli 13 days ago
Currently I do not host any service that does not have its own authentication, but Authelia looks pretty good. Do you know if Authelia could in theory authenticate the user on the backend service, like some kind of SSO, without using LDAP? That would help me get rid of one reverse proxy and really simplify my setup, but I would prefer to keep it simple instead of adding a behemoth like LDAP.
@apalrdsadventures 13 days ago
File and LDAP are the options with Authelia. LDAP is a bit of a lowest common denominator, it's so old that it's generally the core of most big networks. Some more complex options support other backends, for example Keycloak supports Kerberos.
@TheSmiddy 9 days ago
my homelab SSO solution is password reuse :P
@Tntdruid 14 days ago
Blog link -> 404 - Page not found...
@userou-ig1ze 14 days ago
I thought I was a homelab guy, but then I found myself not knowing what Frigate is. Taking my hat, eating it, and taking my leave.
@apalrdsadventures 14 days ago
It's more popular when there's overlap with Home Automation, but it's also an app I use that has no authentication and made a good demo
@thaddeuscleo5920 13 days ago
Hello apalrds would you Zitadel SSO server?
@kriansa 11 days ago
What's the app you use to create these diagrams?
@apalrdsadventures 10 days ago
draw.io
@DawidKellerman 14 days ago
Can I beg a keycloak video?
@apalrdsadventures 14 days ago
I'll consider it... it does Kerberos so maybe
@DawidKellerman 14 days ago
@apalrdsadventures Thank you! I don't have much experience with Kerberos. I know there is some cool SSO stuff.
@apalrdsadventures 14 days ago
Kerberos is actually quite old (developed in the 80s), so it's unrelated to 'modern' standards like TLS and doesn't even use public key cryptography at all (purely AES). So while it's extremely well designed from a security and usability standpoint, it's hard to integrate into web apps and requires a client program. Microsoft Active Directory uses Kerberos auth for domain-joined computers, so that's where it's most commonly used. The client requirement means it's really only usable on domain-joined or similarly managed devices.
@user-rw6qd7fz4m 14 days ago
Cool, but the setup is too convoluted.
@lavishjaat 14 days ago
First 😅