Skip to content

authelia

Introduction

Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for your applications via a web portal. It acts as a companion for reverse proxies by allowing, denying, or redirecting requests.

authelia screenshot

Authelia allows me to centralize the authentication part of nearly all deployed services into one neat web portal. It features a complex access control rule system and enables the usage of multi-factor authentication.

For every service which supports user authentication by HTTP headers or complete disablement of authentication, I configured Authelia as authentication layer using a Traefik middleware.

Example via Traefik Middleware

First a Middleware object needs to be created which defines the forwardAuth address and headers:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: auth
  namespace: traefik
spec:
  forwardAuth:
    address: http://authelia.authelia.svc.cluster.local/api/verify?rd=https://auth.${DOMAIN_INTERNAL}
    trustForwardHeader: true
    authResponseHeaders:
      - Remote-User
      - Remote-Groups
      - Remote-Name
      - Remote-Email

In order for the Middleware to take effect, it must be added to the middlewares section of any IngressRoute:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: dashboard
  namespace: traefik
spec:
  entryPoints:
    - https
  routes:
    - kind: Rule
      match: Host(`traefik.${DOMAIN_INTERNAL}`)
      services:
        - kind: TraefikService
          name: api@internal
      middlewares:
        - name: auth
          namespace: traefik
        - name: security
          namespace: traefik
        - name: optimizations
          namespace: traefik
        - name: error-pages
          namespace: traefik-errors
  tls:
    secretName: traefik.${DOMAIN_INTERNAL}

Info

Currently Authelia does not support multi-domain usage. Since the feature is on the roadmap, it will probably be implemented sometime in the future and both instances can be merged back into one. This feature ships with v4.38.0! 🎉

Created Resources

Kind Name
Namespace authelia
HelmRelease authelia, authelia-external
Certificate auth.${DOMAIN_INTERNAL}, auth.${DOMAIN_EXTERNAL}
IngressRoute dashboard, dashboard-external
ConfigMap authelia-users
Middleware headers