Authelia¶
Authelia is a lightweight authentication server providing two-factor authentication and single sign-on for applications via forward authentication.
Maintenance mode upstream
Authelia v4 is feature-frozen — it still receives security updates but new development has slowed. For new deployments on this build, Authentik is the recommended choice. This page is kept for reference and for users with an existing Authelia install.
Docker Compose Setup¶
docker-compose.yml¶
services:
authelia:
image: authelia/authelia:latest
container_name: authelia
restart: unless-stopped
volumes:
- /mnt/tank/containers/authelia/config:/config
environment:
TZ: Europe/Oslo
# Authelia is accessed through the reverse proxy via labels/forward-auth.
# Bind to localhost so it doesn't clash with Transmission/9091 on the LAN.
ports:
- "127.0.0.1:9091:9091"
networks:
- proxy
networks:
proxy:
external: true
Configuration Files¶
Create config/configuration.yml:
# config/configuration.yml
theme: dark
default_redirection_url: https://home.example.com
server:
host: 0.0.0.0
port: 9091
log:
level: info
format: text
totp:
issuer: example.com
period: 30
skew: 1
authentication_backend:
file:
path: /config/users_database.yml
password:
algorithm: argon2id
iterations: 3
memory: 65536
parallelism: 4
key_length: 32
salt_length: 16
access_control:
default_policy: deny
rules:
# Public endpoints
- domain: public.example.com
policy: bypass
# Single factor for basic apps
- domain: app.example.com
policy: one_factor
# Two factor for sensitive apps
- domain: admin.example.com
policy: two_factor
# Admin-only with 2FA
- domain: secure.example.com
policy: two_factor
subject:
- "group:admins"
session:
name: authelia_session
domain: example.com
expiration: 3600
inactivity: 300
remember_me_duration: 1M
secret: your-session-secret
regulation:
max_retries: 3
find_time: 2m
ban_time: 5m
storage:
local:
path: /config/db.sqlite3
notifier:
filesystem:
filename: /config/notification.txt
# Or use SMTP:
# smtp:
# host: smtp.example.com
# port: 587
# username: authelia@example.com
# password: your-password
# sender: "Authelia <authelia@example.com>"
Users Database¶
Create config/users_database.yml:
# config/users_database.yml
users:
admin:
displayname: "Admin User"
# Password: admin (change this!)
# Generate with: docker run authelia/authelia:latest authelia crypto hash generate argon2
password: "$argon2id$v=19$m=65536,t=3,p=4$hash_here"
email: admin@example.com
groups:
- admins
- users
user:
displayname: "Regular User"
password: "$argon2id$v=19$m=65536,t=3,p=4$hash_here"
email: user@example.com
groups:
- users
Generate Password Hash¶
docker run --rm authelia/authelia:latest authelia crypto hash generate argon2 --password 'your-password'
Traefik Integration¶
Authelia Labels¶
services:
authelia:
labels:
- "traefik.enable=true"
- "traefik.http.routers.authelia.rule=Host(`auth.example.com`)"
- "traefik.http.routers.authelia.entrypoints=https"
- "traefik.http.routers.authelia.tls.certresolver=letsencrypt"
- "traefik.http.services.authelia.loadbalancer.server.port=9091"
# Middleware for other services
- "traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.example.com"
- "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true"
- "traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
Protected Service¶
services:
myapp:
labels:
- "traefik.enable=true"
- "traefik.http.routers.myapp.rule=Host(`myapp.example.com`)"
- "traefik.http.routers.myapp.entrypoints=https"
- "traefik.http.routers.myapp.tls.certresolver=letsencrypt"
- "traefik.http.routers.myapp.middlewares=authelia@docker"
Caddy Integration¶
Caddyfile¶
auth.example.com {
reverse_proxy authelia:9091
}
app.example.com {
forward_auth authelia:9091 {
uri /api/verify?rd=https://auth.example.com
copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
}
reverse_proxy app:8080
}
Access Control Policies¶
Policy Types¶
| Policy | Description |
|---|---|
| bypass | No authentication required |
| one_factor | Username/password only |
| two_factor | Username/password + TOTP/WebAuthn |
| deny | Block access |
Rule Examples¶
access_control:
default_policy: deny
rules:
# Public API
- domain: api.example.com
resources:
- "^/public.*$"
policy: bypass
# Require 2FA for admin paths
- domain: app.example.com
resources:
- "^/admin.*$"
policy: two_factor
# Allow specific users
- domain: secret.example.com
policy: two_factor
subject:
- "user:admin"
- "group:admins"
# Network-based rules
- domain: internal.example.com
policy: one_factor
networks:
- 192.168.1.0/24
# Require specific methods
- domain: api.example.com
resources:
- "^/api/write.*$"
methods:
- POST
- PUT
- DELETE
policy: two_factor
Two-Factor Authentication¶
TOTP Setup¶
Users can register TOTP at:
WebAuthn (Hardware Keys)¶
Add to configuration:
webauthn:
disable: false
display_name: Authelia
attestation_conveyance_preference: indirect
user_verification: preferred
timeout: 60s
Database Backends¶
SQLite (Default)¶
PostgreSQL¶
storage:
postgres:
host: postgres
port: 5432
database: authelia
username: authelia
password: your-password
MySQL/MariaDB¶
storage:
mysql:
host: mysql
port: 3306
database: authelia
username: authelia
password: your-password
Session Storage¶
In-Memory (Default)¶
Good for single instance.
Redis¶
Email Notifications¶
SMTP¶
notifier:
smtp:
host: smtp.example.com
port: 587
username: authelia@example.com
password: your-password
sender: "Authelia <authelia@example.com>"
startup_check_address: test@example.com
File (Development)¶
Secrets Management¶
Use environment variables for secrets:
# configuration.yml
session:
secret:
file: /config/secrets/session
storage:
encryption_key:
file: /config/secrets/storage
# Or use environment variables
# AUTHELIA_SESSION_SECRET_FILE=/config/secrets/session
Troubleshooting¶
Check Logs¶
Validate Configuration¶
Common Issues¶
- Redirect loops
- Check domain in session config matches your domains
-
Ensure forward auth URL is correct
-
Cookie issues
- Session domain must be parent of app domains
-
Check browser accepts cookies
-
502 errors
- Verify Authelia is running
- Check network connectivity