2 Factor Auth and Single Sign On with Authelia

Captions
Today we're going to regain control over our sign-ins and authentication. No more leaving sites wide open, no more single-factor authentication. We're going all in with authentication and authorization for our self-hosted services, and we're going to secure them with single sign-on and two-factor authentication. We're going to use an open source product called Authelia, which acts as a companion for reverse proxies like nginx or Traefik or HAProxy. It allows us to sign in once and gain access to all of our services securely, and it supports several second-factor auth methods like YubiKey or TOTP (time-based one-time passwords) with Google Authenticator or Authy, and even mobile push notifications using something like Duo. And if you can't or don't want to support two-factor authentication, it can still support one factor, and it even supports basic authentication for endpoints. And just recently it started supporting OpenID Connect too. It also supports password resets using identity verification by sending confirmation emails, and we can restrict access after too many failed attempts to stop brute-force attackers in their tracks. And because it's open source and actively developed, the feature list continues to grow. And believe it or not, we can get all this running in just a couple of minutes. Also, I'm going to share my entire configuration with you, with everything that I've learned about Authelia over the last couple of weeks. And if that sounds good to you, give this video a thumbs up and let's continue to configure Authelia.

So how do we get started? We're going to set this up using Docker, Portainer and Traefik. I recently created a video on Docker, Portainer and Traefik and how to secure all of your services with wildcard certificates, so if you need help setting that up, I'll leave a link in the description for you. But even if you're not going to use Traefik, most of this guide will still apply, because Authelia supports many different reverse proxies. And so you want to make sure that your reverse proxy is up and running; then we can hop right in.

So Authelia has three types of configurations; they call them bundles. The first configuration is a local configuration. This type of configuration is for something that you would use behind the firewall. It uses minimal to no configuration and it doesn't use DNS at all, but it also means that self-signed certificates will be used, so this isn't a good choice for us. The next one is the lite bundle. Now this can be used for machines that are exposed directly to the internet. This is going to be a good option for homelab users. And then there's the full bundle. Now this is like the lite bundle, except it's going to use a different type of storage on the back end. With the full option you have options like MySQL, Postgres and MariaDB, and if you already have one of those databases running in your environment, this is probably a good choice for you. But in my environment, to keep it simple, I'm gonna go with the lite option, and this is easy to swap out later, so just follow along.

Next we'll need to create a Docker Compose file so we can instantiate this container on one of our servers. Now in their Traefik example, you can see here that they're using both services; they actually have a third service in here called Nextcloud. In this example they combined all of these services into one stack, which is great for a demo but not great for me. I like to keep most of my compose files separate so that I can spin these up without all of the dependent services spinning up at the same time too. So we're gonna break this apart and make this a little bit easier, but the idea is still the same. Because in this example they have a reverse proxy here, they're using Traefik, and they apply the image, the container name, a volume, network, labels, ports, commands, all the normal stuff you would see on Traefik or your reverse proxy. Then they define the service authelia, and this is what we're going to focus on today. And in here they define their image, the container name, a volume which is a path to their config, a network they define, and then some labels. And in these labels is where the magic happens, but we'll talk about that here in a second. And then next they defined another containerized workload, which is Nextcloud, and this looks like your typical Nextcloud deployment except for one thing: this line right here, this label traefik.http.routers.nextcloud.middlewares=authelia@docker. And this is telling this container to use this middleware, authelia@docker, which is a service we defined above. So this is all great for examples, but let's break it down and make it a little bit easier and separate this configuration so that you don't have to deploy one gigantic YAML file.

So here's what our Docker Compose file looks like just for Authelia, and remember, I'll have links to this file and all of these files in the description in a documentation link, so be sure and check that out. But you can see here, this is a typical Docker Compose file. We're using version 3. We defined a service called authelia. It's using the image authelia/authelia; we're using the tag latest since we haven't defined anything. We're naming this container authelia, and then we're mapping some volumes, so we're telling the container to mount this path, config, to the container's path of /config. Then we're defining a network called proxy. Now this network name needs to match the same name that Traefik is using for its network, which I've called proxy, so make sure that matches. And then we're going to define some labels, and these are all for Traefik. So we're enabling Traefik on this container, we're creating a route on this container, and we're saying that the hostname is auth.local.technotim.live. Now how did I come up with this name? Well, I just came up with it. Now I own this domain, and this is going to be my auth endpoint that's available to all of my machines here internally. Now this can be an external endpoint too, but you'll have to make sure of a couple of things. One, you'll have to make sure that this DNS entry exists. If you're doing this internally, this will be on your internal DNS, so if you're using Pi-hole you would create a DNS entry to an auth endpoint. If you're using external DNS, you would have to create an external record that points back to this reverse proxy, which is my number two: this DNS record should point to your reverse proxy. It should point to wherever Traefik is, and the name can be whatever you'd like it to be. It could be login, it could be signin, but I just called mine auth, and this will be where Authelia is hosted.

And these other labels are typical Traefik ones too: use https, tls is true. And these next ones are defining our middleware. So here we're saying use the middleware from authelia, and the middleware called forwardauth, and the address is defined as this URL right here. So if you look at the end of this address, it looks familiar: it's the same address as our auth endpoint. So this is all you'll need to change, but this is basically saying, hey, use the forwardauth middleware from authelia when you get an authentication request, and we're going to redirect you to authelia:9091/api/verify and then specify our auth hostname. And this authelia right here, I think, is defined from the service name here, so if you have authelia there you're gonna need it here too, or vice versa. And the next two are just middleware properties for forwardauth, so trustForwardHeader equals true, and authResponseHeaders equals Remote-User, Remote-Groups, Remote-Name, Remote-Email. So these all need to be set. And here's the port; we were saying 9091, that looks familiar here. And then we're going to say restart unless-stopped, and then we're going to set an environment variable, so time zone is America/Chicago for me; update this for you. Then we're specifying a health check, and we're disabling it, disable equals true. We probably don't even need this, but this is included with their example. And then we're defining that network too that we defined above, so networks: proxy: external equals true.

And so with this we could spin up our container, but we need a little bit of configuration, and we want that in place before we spin up this container for the first time. So what does that configuration look like? Well, it looks like this. Now this can be a little overwhelming, but this is their example with only a few values changed, and so I'll cover some of the highlights. Let's go through this. So we're saying the host is any IP on any interface, we're specifying the port is 9091, we're setting the log level to debug. Next is theme, and we're setting this to dark, because why not dark mode? But it supports three themes, light, grey and dark, and I think it's light by default, so if you want dark mode add this here, if you want grey set grey, and if you want light just don't specify anything at all. And next is our jwt_secret, our JWT or JSON Web Token. You want to make this very secure and long, and I think up to 64 characters. You can also mount this with the secret file here too, and I think if you don't specify it, it'll generate one for you, but you want to make sure that this is a super complex and long string, and don't share it with anyone. Next is your default redirection URL. For the time being you could set this to where Authelia is hosted on your network, so I've just set mine to auth.local.technotim.live, but update this with your value. And TOTP, our time-based one-time password: we want to set the issuer to authelia.com. Next is our authentication backend, and remember I said if we're using the lite version we can use a file-based backend, which is a lot simpler than the alternatives, which are database backends. And this is great for homelab use, or in an environment where you only have a few users, but once you get above a few or ten, you'll want to switch to a database; it doesn't make any sense to manage it in YAML after that. But for us, and for me, I only have one user on my network that's going to use this, so I'm going to use the file-based approach.

And so we're going to use the file backend with a path to the user database, and the user database is just a YAML file, which is another file we'll need. And so this users_database.yaml file is right here. Now this is just an example one, and we specify our users here. But it's saying that I have a user called authelia, and my display name is Authelia User, and my password is specified here, my email is specified here, and these are the groups that that user belongs to. So let's update this a little bit. So I'm going to say my user is technotim, I'm going to say my display name is also Techno Tim, and then my password. What's my password? Well, let's go back to our configuration really quick, because our configuration has a password section specified too. This password is using an algorithm called argon2id. So argon2id, I learned, is a password hashing algorithm, and I think they support a few different algorithms, but this is the most popular one and this is the one that they recommend. And here are some of the properties that they recommend for hashing your password. Now these can be changed or tweaked, but I would definitely look at their documentation before changing some of these. So how do we actually hash this password using this algorithm? Now, as you can see, this one looks hashed to me. Well, in their documentation they've conveniently supplied a Docker container that can hash your password for you using their algorithm, so this is super nice. So all we need to do is paste this command in our terminal, then we'll want to update this with our password (don't use this password), and then this container will actually hash the password for us, and it's right here. So we can copy this value and put it into our database, this YAML file. Then you'll want to update your email address for this user, and then you'll want to specify the groups that they're in. So I'm gonna stay in the default groups of admins and dev. And so if you had more users, you would just duplicate this here, change the username, generate a new password, update the email address and paste it there.

Okay, so back to our configuration. Now that we have a user created, next we're going to set the access control, and this is an access control policy for all of your routes. And we're going to keep this really, really simple, and we're going to say the default policy is to deny, and then we're going to apply some rules. And so we have three different types of policies. One, we have bypass, which doesn't have any authentication at all. Next we have one_factor, which is one factor, just your password. And then we have two_factor, which in our case is going to be the one-time password, or Authy or Google Authenticator. And so here you'll want to add the domains you want protected and how you want to protect them. For example, in this public.example.com I don't need any authentication; this is going to be wide open, public access. This would be like a public website. The next domain in my example is heimdall, so I use Heimdall as a dashboard here, and I want to say that, hey, Heimdall has one-factor authentication, so password only. And then my next domain, this pve-1, is my Proxmox server. I want to make that a little more secure, so I'm going to say that this requires two factors, so not only the password but the time-based one-time password as well. And as you add more domains here, you can specify the policy that they fall into.

So in the session section we're only going to change a couple of things. So a session is how long your auth tokens last, or how long before you'll be prompted to sign back in. We're going to keep most of the default settings, but we will need to change the domain. This domain has to match the domain that you're protecting, so here I'm going to put technotim.live, so update this with your domain. The next section is for Redis, and we're actually not going to use Redis, but if you were going to use this in, say, HA mode, you would probably need Redis to store these sessions on some other type of storage. But since we're only using one, we can actually comment this whole section out.

So the next section is regulation, and this is to stop brute-force attacks. So here we're saying that anyone can retry up to three times with the wrong password; it's gonna search back, or seek, 120 seconds back, so two minutes, and look for those failed attempts, and if it finds them then it's gonna ban for 300 seconds, or five minutes. And so these are pretty sensible defaults; if you'd like to change them, feel free to, but I'm gonna keep mine at the default. So the next section is storage, and I mentioned if we were using the full bundle we would have a lot more storage options, but since we're using the lite bundle the only storage option we have is SQLite. And this is fine for a small setup like mine in a homelab, or if you only have a few users, SQLite will do just fine. But if you wanted to use a different storage provider, here's where you'd swap it out.

And notifiers. So this one can be pretty complicated, but it's really going to be up to you. So this is the service that will send out notifications for password resets. If you forget your password and need to reset it, this will be the service that will send an email to the email address you provided in the users section. And as you can see, this isn't configured right now for SMTP to actually send an email. You can do this in a couple of ways. If you use Gmail or any other mail provider, most of them provide a way to send an email through their SMTP server so that you can get the password reset email, and you'll want to fill in the details here. But then there are also third-party free services like Mailgun, or any other provider like that, that will allow you to use their SMTP server to send the email out for the password reset. And if you're going to use one of those services, you would do the same thing: fill in your credentials, fill in the host, the port and the sender that the email's from, and that will allow you to get that email, click on the link and reset your password through Authelia.

But there's one more option: you don't want to configure email at all and this is a small installation. You can actually configure a local provider that will write the notification to disk so that you can look at it. Now this should not be used long term, and it's definitely not scalable. You don't want to SSH into this machine every time and look at this text file to get a link, to click on that link to reset your password, but it's here in a pinch. And so I'll show you what that looks like. It looks like this. So basically, instead of configuring SMTP, we're going to configure the filesystem notifier, with the filename that's written out to /config/notification.txt. You can use this while you're setting it up and before you decide on which mail provider you're going to use to send out this email, or you can use it here forever so that you don't have to send those reset emails through someone else's mail server. But I'd recommend going the email route when you can.

So that was a lot of configuration, I know, but I think it warranted the time we put into it so that you understand how to configure the service and spin it up. And so that's all there is that's left to do, at least to get it out there. Let's spin it up. So you want to remote into the server that's running Portainer, or running Docker, that's also running your reverse proxy. And then once you're in there, create a folder called config. Then we'll want to create a file called configuration.yaml, and in that file we're going to paste the config that we talked about a little bit earlier. Again, that file is in my GitHub and there's a link in the description. So we'll paste our config there, then we'll save it. Then we'll create our user database, which is just this YAML file, so we'll create a YAML file, users_database.yaml, and in here we'll paste the contents of our user database YAML file. Then we'll save that. So inside of our config folder we should have these two files now, configuration.yaml and users_database.yaml. So let's go one directory up, then we'll create our Docker Compose file, and in here we're going to paste the contents of the Docker Compose file we created earlier. Save it, close out of here, and now we should be able to bring Authelia up. So we're going to run this command, docker-compose up -d, and what that did was pull Authelia down and then spin it up.

So now you're thinking, okay, how do I make sure it's working? To make sure it's working, you can go to the auth endpoint that we created earlier for Authelia. So in my case it was auth.local.technotim.live, and when we go here we can see a sign-in screen. So this is a great sign; this means that Authelia is up and working. But so far we only have Authelia running. Don't get me wrong, that's a huge accomplishment, but we haven't protected any endpoints yet, or any web services. Right now we just have a sign-in screen that we can sign into, get authenticated and get redirected back to this authentication page, which isn't really protecting anything at all. So to start protecting endpoints, we only need to do a couple of things. So for containers that are already hosted on this same machine, it's super easy. For example, I have Heimdall hosted on this machine; it's heimdall.local.technotim.live, and my Heimdall is using a pretty standard Docker Compose file. It's already configured for Traefik, so it's going through my reverse proxy and has certificates. So to add Authelia to this container that's running on the same machine, I just have to add one line. So I add another label, and this one line that I'm adding is basically just adding middleware, and it's saying use the middleware authelia@docker. So I should be able to just add this one line, save it, and then recreate this container, and then refresh this page, and there we go: now we're protected with Authelia. And I should be able to just sign in, and there we go, we're protected with Authelia.

Now why didn't I get the time-based one-time password prompt? Let's check our config. So if we go back to our configuration, we're saying that this domain is only protected with one factor and not two, and we're saying that our Proxmox server is protected with two factor. And so now we'll cover how you protect an endpoint that's not a container, that we defined in our Traefik route, and that also is really simple to do. It's right here. So in our Traefik config we've provided some routes, and this is the route on how I get to my Proxmox server. So I'm saying this IP address maps to this hostname, and so when Traefik sees a request for this hostname, it's going to send it to this IP address and protect it with a certificate. So we need to add some middleware. What middleware do we need to add? We need to add the Authelia middleware. And so here we've defined our middlewares, so we're going to add one item of middleware for Authelia, and we're saying the authelia middleware, for the property forwardAuth, and then the property address is the address of our Authelia server. And then all we need to do is add that to our middlewares for this route. So let's go back into our server and let's modify this config file for Traefik on our server, and let's add this middleware here. And a note: you'll want this middleware to be first, so order matters here, and you'll almost always want this first, so just make sure it's first. And then we haven't defined this middleware yet, so let's add it right here. And so now we've defined this middleware, saying authelia, the forwardAuth property, the address property is the URL of our server. Okay, so let's save that, let's recreate our Traefik container, so now it should have the middleware. And once we go there, we're prompted for our one-time password. Now why didn't we get prompted for our first factor? Well, that's because we already have a session. So if we log out of here and we go back to our Proxmox server, now you can see we're getting prompted for our password. So that's the cool thing about sessions and getting single sign-on: we're authenticated for that whole entire domain, so anything you protect behind that domain has the cookie and the session already.

So let's sign back in, and now we need to register our one-time password. So we can register by clicking on this link below, and it's saying it sent an email to us. So if you configured SMTP, it should be there; you should have an email in your inbox. We didn't configure SMTP, we did file-based, so let's go look at that notification. So back on our server, we'll go into the authelia folder and then config, do an ls, and we see we have a notification.txt. If we edit that, we should see the notification email in a text file. So we should be able to go to this URL and see a QR code, and now we can scan this QR code, click done, enter a password, and now we're authenticated, and now we should be able to get to our Proxmox server. That's pretty awesome. Sorry, I'm still amazed by this; this is new to me, so let me bask in this glory of single sign-on and one-time passwords. But that's pretty awesome. I'm thoroughly impressed, I'm speechless. And so you can see how powerful this is, and at the same time you can see how easy this is. It's super duper easy, once you get it set up, to add additional endpoints to protect. And now I know I did this with internal sites, but that really doesn't matter; you can protect external sites as well if you're already exposing your reverse proxy. It's as simple as just adding additional labels, adding some configuration and adding some routes to be able to have two-factor auth on some of your endpoints. Authelia makes it really easy to protect services that are running on that Docker host as well as any other service that's behind your reverse proxy, and again, it supports more reverse proxies than just Traefik.

So what do you think about Authelia? Are you going to protect any of your endpoints behind one-factor or two-factor auth? Are you going to configure push notifications? What services do you use that could actually use Authelia in front of them? Whether you are going to or not, let me know in the comments section below. And remember, if you found anything in this video helpful, don't forget to like and subscribe. Thanks for watching.

Uh, Tiffany, how's the hair? All right, hair reveal. It's kind of wild. Well, this is, this is, uh, what the hair, this is what I'm working with right now. It is so wild right now, like I can't even do anything with it. And so I've had curly hair like my whole life, and I've been shaving it for a while, and um, I just let it grow. I'm just letting it grow, I'm just, just figuring it out. Every time I need a haircut I ask my wife, hey, you got a second? I want to try to cut my hair, try something new. And so we do, and so lately it's just been like cutting it and shaving it and making it, uh, less wild.
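As an added example (not the video's own files and not the Authelia project's), the three files the walkthrough assembles, written as one YAML stream with a comment marking where each file starts. Hostnames, policies, regulation values, the session domain and the filesystem notifier path are the ones the video names; the file paths, the `https` entrypoint name, the pve-1 FQDN, the e-mail address and every secret or hash are assumptions or placeholders.

```yaml
# File 1 (assumed path ./docker-compose.yml): Authelia itself, published via Traefik.
version: "3"
services:
  authelia:
    image: authelia/authelia:latest
    container_name: authelia
    volumes:
      - ./config:/config
    networks:
      - proxy                  # must match the network name Traefik uses
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.authelia.rule=Host(`auth.local.technotim.live`)"
      - "traefik.http.routers.authelia.entrypoints=https"   # assumed entrypoint name
      - "traefik.http.routers.authelia.tls=true"
      # forwardAuth: Traefik asks Authelia to verify every request that carries
      # this middleware; unauthenticated users are redirected (rd=) to the portal.
      - "traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.local.technotim.live"
      - "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true"
      - "traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
    restart: unless-stopped
    environment:
      - TZ=America/Chicago
# Any other Traefik-routed container on this host is protected by one extra label:
#   - "traefik.http.routers.<router>.middlewares=authelia@docker"
networks:
  proxy:
    external: true
---
# File 2 (assumed path ./config/configuration.yml): the settings walked through above.
host: 0.0.0.0
port: 9091
log_level: debug
theme: dark
jwt_secret: REPLACE_WITH_A_LONG_RANDOM_SECRET   # placeholder; keep the real one private
default_redirection_url: https://auth.local.technotim.live
totp:
  issuer: authelia.com
authentication_backend:
  file:
    path: /config/users_database.yml
    password:
      algorithm: argon2id
access_control:
  default_policy: deny          # anything not matched by a rule below is refused
  rules:
    - domain: public.example.com
      policy: bypass
    - domain: heimdall.local.technotim.live
      policy: one_factor
    - domain: pve-1.local.technotim.live   # assumed FQDN for the "pve-1" Proxmox host
      policy: two_factor
session:
  name: authelia_session
  secret: REPLACE_WITH_A_LONG_RANDOM_SECRET  # placeholder
  expiration: 3600              # seconds before re-authentication is required
  inactivity: 300
  domain: technotim.live        # cookie scope; parent of every protected hostname
regulation:
  max_retries: 3                # 3 wrong passwords ...
  find_time: 120                # ... within 120 s ...
  ban_time: 300                 # ... bans the account for 300 s
storage:
  local:
    path: /config/db.sqlite3
notifier:
  filesystem:
    filename: /config/notification.txt   # stand-in for SMTP; reset links land here
---
# File 3 (assumed path ./config/users_database.yml)
users:
  technotim:
    displayname: "Techno Tim"
    password: "$argon2id$REPLACE_WITH_OUTPUT_OF_THE_HASH_PASSWORD_CONTAINER"  # placeholder
    email: technotim@example.com        # placeholder address
    groups:
      - admins
      - dev
```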
Info
Channel: Techno Tim
Views: 33,354
Keywords: traefik docker, traefik, docker, docker compose, portainer, portainer with ssl, ssl, secure portainer, traefik tutorial, traefik reverse proxy, proxy, reverse proxy, expose service, self-hosted, selfhosted, letsencrypt, homelab, home lab, portainer ssl setup, portainer tutorial, tutorial, guide, selfhosting, techno tim, dns, pihole, sans, authelia docker, authelia, 2fa, sso, 2 factor authentication, auth, single sign on, authelia setup, authelia tutorial, authelia theme
Id: u6H-Qwf4nZA
Length: 25min 21sec (1521 seconds)
Published: Sat Jun 05 2021