Introduction
Welcome to another week of self-hosting various services in my homelab. This week, we’ll be tackling a critical aspect of running a homelab - securing access to all our self-hosted services.
When you start self-hosting multiple services in your homelab, some of those services might have their own authentication mechanisms, and others might not have any authentication mechanisms at all. Managing authentication for each service individually becomes a hassle.
That’s where Authelia comes in - a comprehensive authentication and authorization server that I’ve been using to secure all my self-hosted services. What makes it special isn’t just its SSO capabilities, but how seamlessly it integrates with various reverse proxies and supports multi-factor authentication.
What is Authelia?
Authelia ↗️ is an open-source authentication and authorization server that provides secure access to your applications. It sits alongside your reverse proxy, which hands each incoming request to Authelia first, so that only authenticated and authorized users ever reach your applications.
What really drew me to Authelia was its comprehensive feature set:
- Single Sign-On (SSO) for all your applications
- Two-Factor Authentication (2FA)
- Multiple authentication backends (File, LDAP)
- Fine-grained access control
- Brute-force protection
- Password reset capabilities
- Integration with various reverse proxies
- OpenID Connect Provider
- User session management
- Customizable via YAML configuration files (This is particularly important for me as I maintain all my services via Ansible and this makes it easier to manage)
The project is actively maintained with regular updates and improvements. You can check out their GitHub repository ↗️ to see what’s coming next.
Setup Authelia
I use Docker to run Authelia in my homelab, so let’s go through the setup process. First, create a new directory for Authelia:
Here’s my docker-compose configuration:
Create a configuration directory and the main configuration file:
Here’s my config/configuration.yml:
For simplicity, I opted for a file based authentication backend. You can also use LDAP or other authentication backends. If you want to use LDAP, you can refer to the official documentation ↗️.
Let’s go ahead with the file based authentication backend. For that, we need to create a users database file config/users_database.yml:
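As an added example (not the author's own files), here is a minimal configuration.yml for the file backend together with a matching users_database.yml. It assumes Authelia 4.38 or newer, the domain example.com with the portal at auth.example.com, and a single user alice; every secret and hash is a labelled placeholder.

```yaml
# config/configuration.yml (added example; replace example.com with your own domain)
server:
  address: 'tcp://0.0.0.0:9091'

log:
  level: 'info'

identity_validation:
  reset_password:
    # secret that signs password-reset tokens; generate with
    # authelia crypto rand --length 64 --charset alphanumeric
    jwt_secret: '<REPLACE_WITH_LONG_RANDOM_SECRET>'

totp:
  issuer: 'example.com'

authentication_backend:
  file:
    path: '/config/users_database.yml'
    password:
      algorithm: 'argon2'   # argon2id hashes in the users file

session:
  secret: '<REPLACE_WITH_LONG_RANDOM_SECRET>'
  cookies:
    - domain: 'example.com'                        # cookie scope: all subdomains
      authelia_url: 'https://auth.example.com'     # the portal itself
      default_redirection_url: 'https://home.example.com'

storage:
  encryption_key: '<REPLACE_WITH_LONG_RANDOM_SECRET>'
  local:
    path: '/config/db.sqlite3'

notifier:
  filesystem:
    filename: '/config/notification.txt'   # password-reset mails land here (no SMTP)

access_control:
  default_policy: 'deny'                   # anything unmatched is refused
  rules:
    - domain: '*.example.com'
      policy: 'one_factor'

---
# config/users_database.yml (added example)
users:
  alice:
    disabled: false
    displayname: 'Alice'
    # hash produced by: authelia crypto hash generate argon2 --password '<password>'
    password: '<REPLACE_WITH_ARGON2ID_HASH>'
    email: 'alice@example.com'
    groups:
      - 'admins'
```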
To generate the password, you can use the Authelia CLI:
Replace <password> with the password you want to use.
Also to generate a secure JWT secret, you can use the following command:
Now you can start Authelia:
Reverse Proxy Configuration
I use Caddy as my reverse proxy for this setup. Here’s how to configure it with Authelia:
- First, create the authentication portal:
- Then, protect your services:
We are configuring Caddy to forward each incoming request to Authelia’s authz endpoint first, and only proxy it to the service once Authelia confirms the user is allowed in.
This ensures that every call to our services is intercepted by Authelia, so authentication and authorization are enforced according to our access control rules.
My Setup and Usage
Here’s how I’ve integrated Authelia in my homelab:
- Authentication Levels:
  - Public services: Homepage, status page
  - One-factor: Most services like Paperless-ngx, Immich etc.
  - Two-factor: Critical services like Vaultwarden
- 2FA Setup: I use TOTP with Aegis ↗️ (Android).
- Access Control: Different rules for different user groups:
- Identity Providers: Along with straightforward username and password authentication, I also use Authelia as an OpenID Connect provider for services that support it.
This is particularly useful for the many services which support OpenID Connect.
I did not cover setting up the OpenID Connect provider in this post since it would be complicated to go over here, but if you want to know how to set it up, you can refer to the official documentation ↗️ or look out for another blog post on it on my blog.
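As an added example (not the author's own configuration), the access_control section below encodes the three tiers described above plus a group-restricted service. Host names are assumed; grafana.example.com is a hypothetical admin-only service, and the Immich rule reflects the common need to let its mobile app reach /api with its own token.

```yaml
# access_control section of config/configuration.yml (added example)
# Rules are evaluated top to bottom and the FIRST match wins, so order matters.
access_control:
  default_policy: 'deny'          # anything no rule matches is refused

  rules:
    # Public services: no login required at all.
    - domain:
        - 'home.example.com'
        - 'status.example.com'
      policy: 'bypass'

    # Immich's mobile app authenticates itself against /api, so only that
    # path is let through; the web UI on the same host still needs a login.
    - domain: 'immich.example.com'
      resources:
        - '^/api([/?].*)?$'
      policy: 'bypass'

    # Critical service: password plus TOTP for everyone.
    - domain: 'vault.example.com'
      policy: 'two_factor'

    # Admin-only service: members of 'admins' get in with 2FA ...
    - domain: 'grafana.example.com'
      subject: 'group:admins'
      policy: 'two_factor'
    # ... and everyone else is explicitly refused here. Without this rule a
    # non-admin would fall through to the wildcard below and be admitted.
    - domain: 'grafana.example.com'
      policy: 'deny'

    # Everything else on the domain: password only.
    - domain: '*.example.com'
      policy: 'one_factor'
```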
Features I Love
After using Authelia for a couple of weeks, here are some features that I find invaluable:
- Single Sign-On: One login for all services makes life so much easier.
I’m using this for Immich, Paperless-ngx, Jellyfin, Linkding and many more services.
- Flexible 2FA: The ability to require 2FA only for sensitive services is perfect.
This means that I can use 2FA for Vaultwarden and not for Paperless-ngx.
- Brute Force Protection: Automatic blocking of suspicious login attempts gives peace of mind.
- Protect Open Services: By setting up access control rules I can keep my services from being accessed by just anyone, even the ones which do not have built-in authentication.
What I Want to Explore Further
- LDAP Integration: Currently using file-based authentication since I am the only user, but in future I want to use LDAP for more scalable user management.
- Hardware Security Keys: Talking about security, I also want to explore WebAuthn support for physical security keys.
Security Note
Remember to:
- Keep your JWT secrets secure
- Regularly backup your user database
- Monitor failed login attempts
- Use strong passwords for admin accounts
- Keep Authelia updated
Conclusion
Authelia has become the cornerstone of security in my homelab. It provides enterprise-grade authentication for all my self-hosted services while being relatively simple to set up and maintain.
With over 15 services protected behind Authelia, it has proven to be reliable and user-friendly. The peace of mind knowing that all my services are properly secured is invaluable.
Have you implemented SSO in your homelab? What authentication solutions do you use? Share your experiences in the comments below, or reach out to me on Twitter ↗️ / Reddit ↗️.
Happy securing!