Authelia — Self-hosted Single Sign-On (SSO) for your homelab services

⏳ 6 min read

Introduction

Welcome to another week of self-hosting various services in my homelab. This week, we’ll be tackling a critical aspect of running a homelab - securing access to all our self-hosted services.

When you start self-hosting multiple services in your homelab, some of those services might have their own authentication mechanisms, and others might not have any authentication mechanisms at all. Managing authentication for each service individually becomes a hassle.

That’s where Authelia comes in - a comprehensive authentication and authorization server that I’ve been using to secure all my self-hosted services. What makes it special isn’t just its SSO capabilities, but how seamlessly it integrates with various reverse proxies and supports multi-factor authentication.

What is Authelia?

Authelia ↗️ is an open-source authentication and authorization server that provides secure access to your applications. It is not a proxy itself: it sits behind your reverse proxy, which asks Authelia whether each incoming request is allowed before forwarding it, so only authenticated and authorized users ever reach your applications.

What really drew me to Authelia was its comprehensive feature set:

  • Single Sign-On (SSO) for all your applications
  • Two-Factor Authentication (2FA)
  • Multiple authentication backends (File, LDAP)
  • Fine-grained access control
  • Brute-force protection
  • Password reset capabilities
  • Integration with various reverse proxies
  • OpenID Connect Provider
  • User session management
  • Customizable via YAML configuration files (This is particularly important for me as I maintain all my services via Ansible and this makes it easier to manage)

The project is actively maintained with regular updates and improvements. You can check out their GitHub repository ↗️ to see what’s coming next.

Setup Authelia

I use Docker to run Authelia in my homelab, so let’s go through the setup process. First, create a new directory for Authelia:

Terminal window
mkdir authelia && cd authelia

Here’s my docker-compose configuration:

services:
  authelia:
    image: ghcr.io/authelia/authelia:latest # pin a release tag once it works, so upgrades are deliberate
    container_name: authelia
    volumes:
      - ./config:/config
    ports:
      - 9091:9091 # with Caddy on the same host, 127.0.0.1:9091:9091 keeps the port off the LAN
    environment:
      - PGID=1000
      - PUID=1000
      - TZ=Asia/Kolkata
    restart: unless-stopped
    healthcheck:
      test: ['CMD', 'wget', '--no-verbose', '--tries=1', '--spider', 'http://localhost:9091']
      interval: 30s
      timeout: 3s
      retries: 3
      start_period: 5s

Create a configuration directory and the main configuration file:

Terminal window
mkdir -p config

Here’s my config/configuration.yml:

---
theme: dark

server:
  address: tcp://:9091
  endpoints:
    authz:
      forward-auth:
        implementation: ForwardAuth

identity_validation:
  reset_password:
    jwt_secret: supersecret # placeholder: replace with a random value (generated below)

authentication_backend:
  file:
    path: /config/users_database.yml

# Brute-force protection: max_retries failures within find_time
# bans the account for ban_time.
regulation:
  max_retries: 3
  find_time: 2m
  ban_time: 5m

totp:
  issuer: authelia.mydomain.com
  period: 30

access_control:
  default_policy: deny
  rules:
    # Public endpoints
    - domain: ['home.mydomain.com']
      policy: bypass
    # Protected services requiring 2FA
    - domain: ['vault.mydomain.com']
      policy: two_factor
    # Standard protected services
    - domain:
        - 'photos.mydomain.com'
        - 'docs.mydomain.com'
      policy: one_factor

session:
  secret: secret # placeholder: replace with a random value (generated below)
  cookies:
    - name: authelia_session
      domain: "mydomain.com"
      authelia_url: "https://auth.mydomain.com"
      expiration: 1h # 1 hour
      inactivity: 10m # 10 minutes
      remember_me: 1M # 1 month
      default_redirection_url: "https://mydomain.com"

storage:
  # Required by Authelia (at least 20 characters); encrypts TOTP secrets in the database.
  encryption_key: replace-with-a-random-string
  local:
    path: /config/db.sqlite3

notifier:
  filesystem:
    filename: /config/notification.txt
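The regulation block is easy to misread, so here is a small model of what those three numbers do. This is an added example, not Authelia's own code: it treats a user as banned when the last max_retries attempts were all failures and the oldest of them is less than find_time before the newest, with the ban lasting ban_time from the newest failure. Attempts refused during a ban are not recorded, which is a simplification of the real implementation. The timeline and usernames are constructed.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


class Regulator:
    """Simplified model of Authelia's login regulation (added example)."""

    def __init__(self, max_retries: int = 3,
                 find_time: timedelta = timedelta(minutes=2),
                 ban_time: timedelta = timedelta(minutes=5)) -> None:
        self.max_retries = max_retries
        self.find_time = find_time
        self.ban_time = ban_time
        # per-user authentication log: (timestamp, successful)
        self._log: Dict[str, List[Tuple[datetime, bool]]] = {}

    def banned_until(self, user: str, now: datetime) -> Optional[datetime]:
        """Return when the ban expires if `user` is banned at `now`, else None."""
        recent = sorted(self._log.get(user, []), key=lambda a: a[0], reverse=True)
        failures: List[datetime] = []
        for when, ok in recent:            # newest first; a success ends the streak
            if ok or len(failures) >= self.max_retries:
                break
            failures.append(when)
        if len(failures) < self.max_retries:
            return None
        # The streak only counts if it happened within find_time.
        if failures[0] - failures[self.max_retries - 1] >= self.find_time:
            return None
        until = failures[0] + self.ban_time
        return until if until > now else None

    def attempt(self, user: str, password_ok: bool, now: datetime) -> str:
        """Process one login attempt; returns 'banned', 'ok' or 'failed'."""
        if self.banned_until(user, now) is not None:
            return "banned"                # refused before the password is even checked
        self._log.setdefault(user, []).append((now, password_ok))
        return "ok" if password_ok else "failed"


def scenario() -> List[str]:
    """Constructed timeline against the settings used above (3 retries, 2m, 5m)."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    s = timedelta(seconds=1)
    reg = Regulator()
    return [
        reg.attempt("akash", False, t0),
        reg.attempt("akash", False, t0 + 30 * s),
        reg.attempt("akash", False, t0 + 60 * s),   # third failure within 2m: banned until t0+6m
        reg.attempt("akash", True, t0 + 90 * s),    # correct password, still refused
        reg.attempt("akash", True, t0 + 361 * s),   # ban has expired
        # failures spread over more than find_time never add up to a ban
        reg.attempt("bob", False, t0),
        reg.attempt("bob", False, t0 + 90 * s),
        reg.attempt("bob", False, t0 + 180 * s),
    ]


if __name__ == "__main__":
    print(scenario())
```

The second user shows the edge case worth knowing about: an attacker who spaces guesses more than find_time apart never trips the ban, so a short find_time with a generous max_retries protects less than it looks; the real defence is the password hash and 2FA, regulation only slows things down.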

For simplicity, I opted for a file-based authentication backend. You can also use LDAP or other authentication backends. If you want to use LDAP, you can refer to the official documentation ↗️.

Let's go ahead with the file-based authentication backend. For that, we need to create a users database file config/users_database.yml:

---
users:
  akash:
    displayname: 'Akash Rajpurohit'
    password: '$argon2id$v=19$m=65536,t=1,p=8$cUI5VmFTUzQyRjdK$xvbHN8yqwDT+Yt8m1Vf8qQ' # Generate using authelia hash-password
    groups:
      - admins
      - dev

To generate the password, you can use the Authelia CLI:

Terminal window
docker run --rm ghcr.io/authelia/authelia:latest authelia crypto hash generate argon2 --password <password> | sed 's/Digest: //g'

Replace <password> with the password you want to use. Passing it on the command line leaves it in your shell history; if you omit the --password flag, the CLI prompts for the password instead.

Also, to generate a secure JWT secret (and, in the same way, the session secret and the storage encryption key), you can use the following command:

Terminal window
openssl rand -base64 48

Now you can start Authelia:

Terminal window
docker compose up -d

Reverse Proxy Configuration

I use Caddy as my reverse proxy for this setup. Here’s how to configure it with Authelia:

  1. First, create the authentication portal:

auth.mydomain.com {
    reverse_proxy localhost:9091
}

  2. Then, protect your services:

# Example for Paperless-ngx
docs.mydomain.com {
    forward_auth localhost:9091 {
        uri /api/authz/forward-auth
        copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
    }
    reverse_proxy localhost:8000
}

# Example for Immich
photos.mydomain.com {
    forward_auth localhost:9091 {
        uri /api/authz/forward-auth
        copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
    }
    reverse_proxy localhost:2283
}

The forward_auth directive makes Caddy send each incoming request to Authelia's /api/authz/forward-auth endpoint before it touches the upstream. Authelia looks up the access control rule for the requested domain: if the session satisfies the policy it answers 200 and Caddy proxies the request upstream, copying the Remote-* identity headers from Authelia's response; otherwise it answers with a redirect to the portal at auth.mydomain.com (or a 401 for non-browser clients) and the upstream never sees the request.

Two things are easy to get wrong here. The upstream must only be reachable through Caddy: if port 8000 or 2283 is published on a routable interface, anyone who connects to it directly bypasses Authelia entirely. And an application that logs users in from the Remote-User header should be configured to trust that header only from the proxy's address, because outside the proxy it is just another client-controlled header.

My Setup and Usage

Here’s how I’ve integrated Authelia in my homelab:

  1. Authentication Levels:

    • Public services: Homepage, status page
    • One-factor: Most services like Paperless-ngx, Immich etc.
    • Two-factor: Critical services like Vaultwarden
  2. 2FA Setup: I use TOTP with Aegis ↗️ (Android).

  3. Access Control: Different rules for different user groups:

    access_control:
      rules:
        - domain: ['admin.mydomain.com']
          policy: two_factor
          subject: ['group:admins']
  4. Identity Providers: Along with straightforward username and password authentication, I also use Authelia as an OpenID Connect provider for services that support it.

    This is particularly useful, as many self-hosted services support OpenID Connect.

    I did not cover setting up the OpenID Connect provider in this post, since it is too involved to go over here; if you want to know how to set it up, refer to the official documentation ↗️ or look out for another post about it on my blog.
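Because a wrong rule order silently changes who gets in, it is worth checking rules offline before reloading Authelia. The evaluator below is an added example, not Authelia's own code: a simplified re-implementation of the documented matching semantics covering the rules in configuration.yml above together with the admins-only rule from this section. Rules are evaluated top to bottom, the first match wins, and default_policy applies when nothing matches. It assumes the documented behaviours that a leading "*." in a domain matches subdomains but not the apex, that an anonymous request hitting a rule with a subject is sent to log in first (one_factor) and re-evaluated once the identity is known, and that resources are regexes searched against the path; the methods and networks criteria are omitted. Users and groups are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Union

Subject = Union[str, List[str]]  # "group:admins", or ["group:admins", "user:akash"] meaning AND


@dataclass
class Request:
    domain: str
    path: str = "/"
    user: Optional[str] = None  # None models an anonymous request (no Authelia session)
    groups: Sequence[str] = ()


@dataclass
class Rule:
    domain: List[str]
    policy: str  # bypass | one_factor | two_factor | deny
    subject: List[Subject] = field(default_factory=list)
    resources: List[str] = field(default_factory=list)  # regexes searched against the path


def _domain_matches(patterns: Sequence[str], domain: str) -> bool:
    for p in patterns:
        if p.startswith("*."):
            if domain.endswith(p[1:]):  # "*.mydomain.com" matches subdomains, not the apex
                return True
        elif p == domain:
            return True
    return False


def _one_subject(spec: str, req: Request) -> bool:
    kind, _, name = spec.partition(":")
    if kind == "user":
        return req.user == name
    if kind == "group":
        return name in req.groups
    raise ValueError(f"unsupported subject {spec!r}")


def _subject_matches(subjects: Sequence[Subject], req: Request) -> bool:
    # The outer list is OR; an inner list is AND.
    for alt in subjects:
        parts = alt if isinstance(alt, list) else [alt]
        if all(_one_subject(p, req) for p in parts):
            return True
    return False


def required_level(rules: Sequence[Rule], default_policy: str, req: Request) -> str:
    """Rules are evaluated top to bottom and the first match wins."""
    for rule in rules:
        if not _domain_matches(rule.domain, req.domain):
            continue
        if rule.resources and not any(re.search(r, req.path) for r in rule.resources):
            continue
        if rule.subject:
            if req.user is None:
                # The subject of an anonymous request is unknown, so the rule cannot be
                # decided yet: the user is sent to log in and the rule re-evaluated.
                return "one_factor"
            if not _subject_matches(rule.subject, req):
                continue
        return rule.policy
    return default_policy


# The rules from configuration.yml plus the admins-only rule from this section.
RULES = [
    Rule(domain=["home.mydomain.com"], policy="bypass"),
    Rule(domain=["vault.mydomain.com"], policy="two_factor"),
    Rule(domain=["photos.mydomain.com", "docs.mydomain.com"], policy="one_factor"),
    Rule(domain=["admin.mydomain.com"], policy="two_factor", subject=["group:admins"]),
]
DEFAULT_POLICY = "deny"


def decide(req: Request) -> str:
    return required_level(RULES, DEFAULT_POLICY, req)


if __name__ == "__main__":
    for r in (
        Request("home.mydomain.com"),
        Request("vault.mydomain.com"),
        Request("admin.mydomain.com"),
        Request("admin.mydomain.com", user="akash", groups=("admins", "dev")),
        Request("admin.mydomain.com", user="guest", groups=("dev",)),
        Request("unknown.mydomain.com", user="akash"),
    ):
        print(f"{r.domain:24s} user={r.user!s:6s} -> {decide(r)}")
```

The unknown.mydomain.com case is the one that matters most: with default_policy set to deny, a service you forgot to add a rule for is refused rather than silently exposed, which is the right failure mode for a proxy that fronts services with no authentication of their own.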

Features I Love

After using Authelia for a couple of weeks, here are some features that I find invaluable:

  1. Single Sign-On: One login for all services makes life so much easier.

    I’m using this for Immich, Paperless-ngx, Jellyfin, Linkding and many more services.

  2. Flexible 2FA: The ability to require 2FA only for sensitive services is perfect.

    This means that I can use 2FA for Vaultwarden and not for Paperless-ngx.

  3. Brute Force Protection: Automatic blocking of suspicious login attempts gives peace of mind.

  4. Protect Open Services: I can protect my services from being accessed by anyone by setting up access control rules, even the ones which do not have built-in authentication.

What I Want to Explore Further

  • LDAP Integration: Currently using file-based authentication since I am the only user, but in future I want to use LDAP for more scalable user management.

  • Hardware Security Keys: Talking about security, I also want to explore WebAuthn support for physical security keys.

💡 Security Note

Remember to:

  1. Keep your JWT, session and storage encryption secrets out of version control; Authelia can read any of them from a file via the matching AUTHELIA_*_FILE environment variable instead of the YAML
  2. Regularly back up your user database and the SQLite storage file, which holds the TOTP registrations
  3. Monitor failed login attempts in Authelia's logs
  4. Use strong passwords for admin accounts
  5. Keep Authelia updated

Conclusion

Authelia has become the cornerstone of security in my homelab. It provides enterprise-grade authentication for all my self-hosted services while being relatively simple to set up and maintain.

With over 15 services protected behind Authelia, it has proven to be reliable and user-friendly. The peace of mind knowing that all my services are properly secured is invaluable.

Have you implemented SSO in your homelab? What authentication solutions do you use? Share your experiences in the comments below, or reach out to me on Twitter ↗️ / Reddit ↗️.

Happy securing!

    MeTube is a web UI for youtube-dl/yt-dlp that allows you to download videos from YouTube and other platforms. It's perfect for archiving your favorite content or downloading videos for offline viewing.