Authelia - Free, Open Source, Self Hosted authorization and authentication for your web applications

Captions
It's your open source advocate and I'm back with another video, and this week we're going to talk about authorization and authentication for your sites. Of course, when we're talking about authorization and open source, one of the first things that's going to come to mind is Authelia. Now, Authelia gives you a web-based interface to do single-factor and multi-factor authentication in front of any of your web applications, so it's really a very cool application when you think about it.

Now, a lot of applications have authentication already baked in, but let's say you want to have a single sign-on or a single point of entry for any of your applications and you want to make that really easy. So instead of having to go and combine Authelia into a whole bunch of other applications, maybe those applications have an option to turn off authentication within their app, and in that case you could do that and then turn on Authelia. Maybe you want to have Authelia in front of your web app, and then once you get to that point you won't have to log in a second time. So instead of two-factor authentication, that would be more like single-factor authentication twice, which is not the same. But you could also turn on two-factor authentication for Authelia and then have single-factor authentication on the web app, again just making it more complex and more complicated for any kind of nefarious person to get in and do something nasty with your self-hosted applications.

The other great thing about something like Authelia is for applications where you don't have an authenticated front end, so something like Homer, my Homer dashboard. I access my Homer dashboard through dash.routemehome.org. This is technically open for anybody to go and try to use. Now, all you're going to get is a bunch of links to sites, and a lot of these are just sites that are internal to my network, so it's not going to pass you through to my internal network sites, but I could be worried about you getting to my Google
search and trying to use Google Search for something else; I could be worried about you trying to get to some of these other apps, right? But what I can do, as I have done, is I can put Authelia in front of my dash.routemehome.org site, and now whenever somebody tries to go here, the first thing they're going to get is an Authelia authentication prompt. They're going to have to authenticate before they'll be forwarded on to the Homer web page. So I've protected my Homer dashboard site using Authelia, and it's kind of the same way, actually, with something like Google Search. So here I've got Google Search, but I've authenticated through Authelia. Now, if I authenticate through Authelia for each application, I can tell it to remember me, so that for me, you see that it's not popping up the authentication prompt every time I go open up these shortcuts. Instead it knows who I am and it has a session linked, and then I say the session link will expire at a time that I've set up in my configuration file.

So you can kind of see what happens here with Authelia and the things that we're trying to set up and make it do. So what I'll do is I'm going to open up a private window here, dash.routemehome.org, and now you see that I get the Authelia prompt. It does not go straight to my dashboard; first it redirects me to Authelia, which I now have to authenticate with, and once I do that it will take me to my dashboard. So I'm going to go ahead and authenticate here. Yeah, so this was just username and password, but there is the option for two-factor authentication as well. But now you can see in this private window I've got my application up and running and I can get to my dashboard. So now let's say somebody got to here and they said, "I'm gonna go do searches, I'm already authenticated," but I could change this to be two-factor authentication for Google Search and then they would have a hard time getting to that search screen.

All right, I've opened up a new window and I'm gonna go to ntop.routemehome.org. So in this case you
see I get the Authelia prompt. I'll start to log in here, and you'll see that I now get a two-factor authentication request, so for ntop I've set up two-factor authentication. So when you do this, you get set up for the one-time password. I'm showing you all of this up front so you can see what Authelia is about and determine if you want to install it. I don't always do this on most of my videos, but today I thought, you know what, let me show you what's going on, because there is some setup and configuration required, but it's totally worth it and it's really, really not that bad once you get used to the idea of what you need to do for Authelia. So I'm going to open up my authentication application here; I'm doing that on my phone, and I'm going to go in and tell it I need my Authelia stuff here. So once I type in the correct password, I don't even have to hit enter; it just shows up and says, hey, you did it, good job. Now you can see that ntopng also has authentication set up for it, so I would also have to, you know, log in through ntopng. I don't honestly remember if it's the right password or not. There we go. So I've got basically single-factor authentication two times, but really it's two-factor authentication with Authelia and then single-factor authentication for ntopng itself, which made it even harder for me to get logged in, much less anyone else, if they just really want to see what my network traffic looks like. But this is kind of a good example of what you can do with Authelia. So again, you can put Authelia in front of your different applications that you're trying to run.

So what we're going to do today is we're going to use Authelia to get set up on our websites, and we're gonna set it up, we're gonna configure it, I'm gonna show you all the things that you're gonna need in order to do that, and I've got some really great scripts kind of set up to help you make things easier if you're not already set up with some of the basics. So we'll go through that in just a minute.
Just want to say thank you to all my patrons over at Patreon. I truly, truly appreciate all of your support; I cannot express to you how much it means to me. I also want to say thank you so much to my subscribers over on YouTube. If you're enjoying this video, give it a thumbs up, give it that like, go ahead and subscribe, and then hit the notification bell so you'll know when I put out new videos.

So really, to run Authelia you need a few things. Now, we're going to run Authelia today with basically kind of a local user database that runs in SQLite. You do have the option to run the MariaDB or the MySQL database or the PostgreSQL database; they have a few different database backends. If you're going to have lots and lots and lots of users with Authelia, you'll have to go do a little bit of self-study on that to get all that stuff set up, though. Today I'm really talking about a home user setup where you might have 10 users, maybe 12 if it's just a really big home for some reason, but once you get much beyond that you probably want to look into the other database back-end options. But today we're going to do the kind of home user setup.

So there's a few things you need. One, you'll need a Docker Compose file with the appropriate things set up in it, which we'll go through; it's really a very simple Docker Compose file, which is great. You're going to need a configuration file for Authelia itself. In my show notes I will have a copy of the configuration file that we're using for Authelia; I will have it, of course, blanked out with information for you guys to use for whatever you're needing, and you can just change out the little bits that you need here and there. And then finally you'll need Nginx Proxy Manager, because we're going to do this with Nginx Proxy Manager today. Now, Authelia out of the gate uses Traefik, T-R-A-E-F-I-K, the reverse proxy called Traefik. Again, I'm not a Traefik expert; I'm not somebody who really knows that much about it, so I figured, okay, let me go out and see how to do
this with Nginx Proxy Manager, and after some digging around on Reddit and some digging around on the internet and some other places, I really did find some good information. The other place I want to point you is over to the IBRACORP channel, because he has covered how to do this with Unraid and even gone a little bit further and set it up with some LDAP using FreeIPA. So if you're interested in that, go check out his video; it's really, really tremendous. I will link it in the description as well so that you can get to that. But we're going to do this right now with just Docker, Docker Compose, Nginx Proxy Manager, the configuration file, you're going to need a user database file, and then the Docker Compose file. So we're going to kind of go through this in order; just be patient and we'll get there.

So really the first thing you want to do is set up Docker Compose, Docker and Nginx Proxy Manager. If you don't already have those set up on the machine that you're going to use for your Authelia server, then you need to get that set up, and the good news is I've got a script out here. So I've had these scripts out here for a while, and you've seen them if you've seen some other videos, where it installs Docker and Docker Compose for you, but I went ahead and modified one of them, and I'll modify these others soon, so that it will actually install Nginx Proxy Manager and get it up and running for you as well. So you can go out here and click on this file; you can highlight everything in here, just click on it. I'll have a link in the description of the show notes. Highlight everything, copy that, and you're going to paste that into a simple document here, so I'll show you how to do it.

So the first thing we're going to do is, I'm on this local machine here, so I'm just going to say, you know what, let's just go ahead and try to make sure everything's set up; if it's not, it'll install it for us, which is great. So I'm going to create a folder, authelia. Okay, very simple, very straightforward. Now I'm going to
create a file called docker-install.sh. You can see that there's nothing in here, so I'm going to go back to my repository here. I'm just going to go up here, I'm going to start at the very top, I'm going to highlight all the way to the bottom of this file. It's a little bit long, but that's okay; I put a lot of comments in. I'm going to hit Ctrl+C to copy, I'm going to go back to my terminal, I'm going to do Ctrl+Shift+V to paste all of that in. I want to make sure there's one line here at the end. There we go. I'm going to go all the way to the very top of the program here just to make sure I got all of the characters; we want to make sure we have a shebang, which is the hashtag and the exclamation point, and we're set. So I'm going to hit Ctrl+O to save that file, I'm going to do Ctrl+X, and now I'm going to change the permission on the file with chmod +x docker-install.sh. Now we can run this file, docker-install.sh, and this is going to install Docker CE, which is the Community Edition, Docker Compose and Nginx Proxy Manager, and it's going to start up Nginx Proxy Manager for us once it's installed. Now, I think I already have Docker and everything installed on here, but it'll try to go through the process anyway, so we're just going to hit enter, and it's going to ask for your sudo user password if you're not logged into sudo, so make sure you type that in. It's going to go out and update all of your repositories to make sure it's getting the latest information, so once you get to this prompt just hit enter to continue.

All right, so if you're logged in as a regular user you may come across this prompt right here, and the thing is that it installed Docker and Docker Compose here on my machine, but I'm logged in as a normal user. I do have a command in there to set up the normal user in the docker group, but until you've logged out and back in, sometimes it won't actually take that command, so you actually have to run sudo docker compose up. So in order to fix this problem
it's no big deal. You just go cd nginx-proxy-manager, and then we're gonna just do an ls, and we should have a docker-compose.yaml file there. We do. Now, this has got all defaults set up in it for your docker-compose.yaml file. You need to understand that you should go into this file and change those defaults so that they're not username npm, password npm, and change them in both sections, and things like that. So if you do nano docker-compose.yaml, you'll see here these are just set up as npm and npm, so you need to change them here, and then down in the next section you need to change the same things; change the user and the password here to match what you put up at the top. You should use whatever user you want and then a strong password; just make sure to do that. Save your changes with Ctrl+O and enter, and then exit nano with that, and then you can do sudo, if you don't want to log out and back in to get this started, docker compose up -d. So let's go out and get Nginx Proxy Manager and pull it down and get everything started for us. And here we can see that we've got nginx-proxy-manager app 1 and nginx-proxy-manager db 1 both running, and they've been running for about five minutes, so they should be up now.

If we want to check that with our web page, we can go to localhost:81, and you'll see here that you get Nginx Proxy Manager that comes up. And we're going to go in, and you use admin@example.com and the password is changeme; that's the default login. When you log in the first time it's going to ask you to change those things, so change this email address here to something else. When you hit save, it's going to ask you about the password, so here make sure you type in the old password and then type in a new password and save. And after I do that, I like to go over here and log out and then log back in with my new credentials just to make sure everything was working as I expect. Maybe I typed something wrong here. There we go. Once we're logged in, we're pretty much set for what
we need for Nginx Proxy Manager for right now, so we're just going to leave this alone and we'll come back to it after a little bit of time.

So we've done our docker-compose.yaml file; step one is done. We're gonna go to step two, which means we need a database .yaml file, and we're gonna call that users_database.yml. So we're gonna go back into our terminal, and we're going to go in, we're going to backspace out of this, we're just going to back out and we're going to do authelia, and we're going to say ls, and there's going to be a configuration folder as well as some other things. So inside of authelia we're going to create a file called config; you can see that it's there. Now we're going to create a second file called redis. This is all going to be part of the Docker Compose file that we need. So we created a folder called config and a folder called redis; if we do an ls we can see those. Now we're going to make a file called docker-compose.yaml again, so we're going to do nano docker-compose.yml. It's going to be blank, so we're going to paste in this information right here, and you can see that we're going to have a Docker Compose file. The version is 3.3, the services are going to be authelia, the image is going to be authelia/authelia, and then for volumes we're going to map ./config, which is in this folder that we just created, and it's going to be mapped to /config on the container side. For the ports we're going to map 9091 to 9091.
If for some reason on your host 9091 is already taken, you can change the left-side port to a port that's open. Do not change the right side; this is the container port, and this is where it expects the app to be running. Restart: unless stopped. Health check: we're going to put here disable true, so it doesn't do any kind of health check. And then for the time zone you're going to put whatever your time zone is. Mine is America/Chicago; you should put in whatever yours is. It might be Europe/London or, who knows, okay, Europe/Paris or Africa, wherever. Just make sure to put in the correct time zone for your area, because when you do two-factor authentication, time zone will matter if you're getting a time-based one-time PIN. Finally, we're gonna have a dependency on redis, and then below that we'll see the redis section. So here the image is gonna be redis:alpine, the volumes are gonna be ./redis, which is the other folder we just created, and it's mapped to /data on the actual container side, and we're just gonna expose the redis port, 6379, so that we can connect to it from our Authelia side. There's nothing for us to get to on the redis part from the web. Again, we're going to restart unless stopped, and again we're going to set our time zone, to America/Chicago for me, and you will set your time zone accordingly. That's really everything that you need inside of the Docker Compose file. So we're gonna do Ctrl+O and save it with enter, and then Ctrl+X, and now if we do ls we can see we have our docker-compose, we have our config and we have our redis. This is number one of three; we've created file number one of three.

So now we're gonna create the next one. We're gonna do cd config, and inside of config we're gonna do nano users_database.yml, just like this, and we're going to hit enter. It's going to be empty. All right, we're going to paste in this text, and again, I'll have this in my show notes so that you can grab it easily and put it in here. You can
see right out of the gate they have some default users: John Doe. This is the hashed password, so there is a command that will run so that you can hash your password when it's time to put it in. And then you have their email address, the groups that they belong to, so you can just name whatever groups you want. This comes into play later if you want to allow certain groups access to certain applications and other groups not to have access to those applications. Again, you see here that we've got Harry Potter; in this case he has no groups that he's assigned to, he's got an empty set here. You've got Bob Dylan, and again he's got one group, and then down here we've got James Dean, and he has no groups at all because he didn't have that section. So they've given you a really simple way to kind of see what's going on here, but this is your users database. So inside of the users database file we have the username right here; that's the header of this section. Next is the display name for who this belongs to, the hashed password (and again, we'll have a command that we'll run to hash the passwords), the email address of the user and the groups they belong to, and then you just repeat that all the way down for any users you want. Again, if you get above 10 or 12 users you probably want to start thinking about getting the database stuff set up and not using SQLite, but we'll do that.

So here I'm going to delete a bunch of this stuff, and in nano you can delete line by line just by using Ctrl+K, so we can get rid of all the stuff here at the bottom. I can change this to be brian, and then I can go over here and change this to be my name, and then we'll change the password here in just a minute when we run that command, and here you can change this to be your email address, of course. And then, of course, any groups that you want to have: admins, dev, whatever you want to call it. I don't need to be a dev, but I can be an admin. And then make sure you have a line there at the bottom. We're going
to save this real quick. So that's not my password; we're just going to save this real quick and then we're going to exit, and we're going to go run that command so that we can actually get our password that we need. All right, right here at the very end you're just going to replace the password with your password. So we're just going to say our password is a really terrible password, so don't use this password, but once we run this it's going to pull down Authelia. Ah, I'm still not logged out and back in, so we're going to do sudo. So if you have that issue, just hit sudo. It's going to go pull down Authelia; it's very quick, it's not a very large file. It's gonna hash your password and then it's gonna give you the password hash right here. So you're gonna just grab all of this, you're gonna copy it with either Ctrl+Shift+C or you can right-click and select copy from the menu. Either way, we're going to go back into our users_database.yaml, and we're going to go back here, we're going to get inside the quotes, we're just going to erase everything that's on this line, we're going to leave the two quotes, and we're just going to do Ctrl+Shift+V, or you can right-click and hit paste. Now we've got our hashed password in there. Ctrl+O for save and then Ctrl+X for exit. So now we've got our users_database.yaml set up; we now have two out of three configuration files set. I know with me talking through it, it takes a long time, but if you go do this and you're copying it, once you've done it once it's gonna go very quickly. This will only take you a few minutes to get everything set up for Authelia.

Finally, we need our configuration.yaml file, so we're going to do nano configuration.yml. Make sure you spell everything correctly. Once you have that set, hit enter, and again we're going to go in and we're just going to copy and paste our configuration.yaml file here. Now, this is kind of a long file, but that's okay. So we're going to go back up. It's a long file, but it makes sense, and there's not a lot for you to
change, honestly. So first we're going to say host is 0.0.0.0. We don't really have to have anything specific here, but you can put a specific IP address if you know what that's going to be. Port is 9091; unless you changed that port, just leave it as 9091. So here you're just going to create a long string of letters and numbers, okay, mixed case, everything like that. This is just a key; it needs to be a key that you set up that's private. It's a key that you keep, that you never tell anybody. You're gonna have a redirection URL. Now, this is gonna come into play a little bit early. So here we don't want it to be example.com; we want it to be what we have set up. So we're going to say o-s-i-a, and in my case it's .me, okay, and I'll show you how all this works together in just a little bit. But you want to set up whatever your domain is going to be here, and you want to have something like auth. whatever your domain is after that, okay. So this is going to be basically the outside address that you're going to get to Authelia from that's running on your machine. Now, if you're running this on, like, a DigitalOcean server, you're not going to have to do any kind of special port forwarding, but if you're running Nginx Proxy Manager for the first time you need to make sure that you forward ports 80 and 443 from outside your home LAN to inside your home LAN, to the machine that's running Nginx Proxy Manager. So if you don't know how to do that, let me know and I'll do a video on how to do it, but there's lots of videos out there on port forwarding, and it just depends on what your router is set up as. So we're going to come on down, and right here on issuer, again, we're going to change this to be our domain, osia.me in this case, okay, Open Source Is Awesome .me. I'm going to leave this at 30 and I'm going to leave this as skew is 1. This is our TOTP information, so this is how we're going to get our two-factor authentication if we want to have that. Now, below that
you're going to see a section that's all commented out. If you want to use the Duo API, you can buy credits for that, and it uses push notifications to basically send you a notification like, hey, you tried to log in, and there's probably, like, a little button you push to say, yeah, it was me, that kind of thing, instead of using, like, a TOTP app. But I prefer this; I don't want to use an API. But if you want to, you can uncomment this, go set everything up, and you need to fill in all of these different information pieces here. I have not done it, so I can't really walk you through it.

The authentication backend information here: so disable reset password, which means the user can't reset their password on their own. You could set this to true if you want to; I left it false because I want to be able to reset my password if I ever forget it. File: so right here we're going to say config, and this is exactly where we put it. It's going to be /config/users_database.yml. Now, if you named your file something different than users_database.yml, make sure to put that name right here; you have to change it here as well. And I have a little comment out here that says make sure to create this file. It's very important; if you don't create it, it's not going to work. Password information: so how's the password going to be encrypted? So the algorithm is here, all the information is here. I didn't change any of this; if I were you, I wouldn't change any of this stuff unless you really know what you're doing.

Finally, default policy is to deny. This is very important. This means that all domains added in Nginx Proxy Manager rules will be denied unless you set them up here. So the default rule says that if you have Authelia in front of this website and you haven't set that website up in here yet, even if you authenticate with Authelia, it's not going to redirect you to that site; it's going to give you an error page instead. So basically it's kind of acting like a firewall.
It's kind of like, well, I mean, I see that you authenticated, but you're trying to get to a site that's not in my list of sites right here, so I'm not going to help you out by forwarding you on; you know, you're out of luck. So make sure that if you set up a site that you want to be able to go to, that you set it up here. So let's just pretend that we have a site called movies.osia.me. It doesn't exist, but we'll just create one, movies.osia.me, and that's my Jellyfin server. And then here we have our authentication server that we also want to make sure is not protected by Authelia, auth.osia.me. So this one you want to make sure that you have it as you set up the domains, and then you're gonna set the rule as bypass. So this one right here I won't have to authenticate to get to it, and this one right here I won't have to authenticate to get to it. So this one totally makes sense; like, I don't want to have to authenticate to get to my authentication. Instead I need to go to my authentication page and let me authenticate, and then take me to the other pages that are down here behind it. If you have other sites that you're like, I don't want this to be protected, I want to bypass it, then set it here, and then you can still set up the rules, and if at some point you want to change that, all you've got to do is move this entry down to wherever you want it, so it makes it pretty easy to do that. If you don't want it to be protected by Authelia, don't put the rules in Nginx Proxy Manager and don't list it here, and that's the other route you can go, just to be clear.

All right, so down here I have dashboard.example.com, search.example.com, and then example.com. So if you want to just protect everything that you can here, this is going to be osia.me. Don't forget to go through and change these to your domain, and then right here, so we're just going to change this as we go down. And here you can see the policy is one_factor, so just like I had on my dash.routemehome.org, it's one factor; that means username and
password. So we're going to keep going down. Now, here you can also set, like, hey, only allow it if it's coming from a certain IP range; don't let me do things if it's not coming from a certain IP range. That'll also kind of protect you, so, like, local-network-access-only kind of things; you can set that here with the networks stuff. I'll let you guys dig into that a little bit if you want it. So now, if we want two factor, all we do is go to the end here, we're going to hit enter, we're going to space out, because this is YAML, we're going to say, let's see, let's get into the right spot, - domain:, and then we're going to space out out here to -, and we're going to give it some other things. So let's just call this ntop.osia.me, and you can add more things under that list if you want to, but here we're going to go out, we're going to do policy, and we're going to say two_factor. So now we've got it set up for two factor. You can add this networks piece if you want to; you don't have to, but now we've got two factor set up for this same exact thing. So I'm going to say save this real quick while we're going; just Ctrl+O and enter to save, just don't exit. So we're going to keep moving down.

So right here we've got our Authelia session. By default this was set to 300, which is, like, five minutes, I think; no, five minutes of inactivity, and I think it was, I don't remember how short it was here, but I changed them to be 3600 seconds, which is an hour, and 7200 seconds, which is two hours. So if I'm inactive for two hours and I come back to the page and try to do something, it's going to reprompt me to log back in. If I go here and it's expired after an hour, if I reopen the browser it's going to prompt me to log back in. So domain, right here you need to put in what your domain is. This needs to match whatever you've set up for your protected domains, so this is going to be osia.me in my case; this will be whatever your domain is. Make sure you put it in correctly. See, I made a little spelling
error there. Redis: so this is going to be important. You need to set this to be whatever it's going to be whenever you run docker compose. If you use my Docker Compose file, it should come up as this right here; you shouldn't have any problems. But just in case, if the name changes, this is where you're going to go change that name from Docker. So if your Docker name for your redis database is not this, then you'll just come here to change it to whatever it is in Docker. Port: if you didn't change it, leave it alone, and you shouldn't have changed it in this case.

So, regulation. So the max retries to guess my password is five. If I don't do that, it's gonna lock me out; it's gonna log me out for 10 minutes, okay, and then I can try again, but until then I'm locked, I can't try that site again. The find time is two minutes. I can't remember what this is for. Oh, if I try five times within two minutes and fail, then I get locked out for ten minutes; that's how it works. So if you want this to be longer or shorter, you can change those; feel free to change them to whatever you want. Most places do, like, three tries, I think, three tries in two minutes and then it's 10 or 15 minutes locked out, but it's up to you.

The theme: so you can do dark or you can do light. If you don't like the dark theme, do the light theme. I like dark, so I'm going to leave it that way.

As we go down, the storage: so here, this is what we want to make sure is set. This is already going to be set; you don't need to change it. It's going to do this, and then it'll create this file whenever you run the docker compose stuff, but it's going to be db.sqlite3. Again, if you're doing a whole lot of users you probably don't want to use SQLite; you probably want to use something more like MySQL, MariaDB, Postgres, but for home usage SQLite3 should be fine.

So you do have two options for how to get a notifier if you forgot your password. So if you don't have an email server that you want to set up, you can uncomment
these two lines and then go comment all of these lines out, all the way down. So you'll comment out all of this stuff and then uncomment these two, and what happens is, on the file system it will basically create a file, and it's going to be a file called notification.txt. So if you say, I forgot my password, I need to reset it, this is where you would go find that reset password. It's going to put it in this folder instead of sending you an email; it's going to put it in a folder on the file system. In my case, I set up email, so up here you put in your email username, your email password, your email host, which, you know, could be smtp.gmail.com. I don't suggest using Gmail; it's a pain, but, you know, if you want to, you can. Port: depending on what kind of email server you have, you should know what these are, and your email provider should have SMTP ports for you, but generally it's 25 for non-SSL, 443 for SSL and 587 for TLS. You'll need to figure out for sure what those are. So sender: this is your email sender, so whoever you want this to come from, and depending on your server this name may not be allowed to be different from this name, so make sure you understand that. If it doesn't work for some reason because you tried to make those different, go back and set this to an actual email address and make sure it's the same as the one at the top. Don't mess with this line right here; Authelia title is what we want. And then disable require TLS is false, because I do need TLS. If you're not using TLS, make sure to disable this; set it to true. And then disable HTML emails: if you don't want to get HTML emails, then put true; if you just want plain text emails, put it as true. I don't mind HTML; it's fine. Finally, TLS: put in your server name, skip verify, just leave it as false, and then TLS version 1.2 is what I have set. You can change this if you want to, but I don't recommend it; anything less than this is not secure anymore, they found all kinds of security holes with it, so definitely 1.2 is better. That's
it that's the configuration file i know it took a little while to go through that but it's important for you to understand what's here and what you need to go through and fill in and change but once you've got this set other than this section right here where you're putting in the domains that you want to protect you never have to get into this file and mess with it anymore you will add other domains here as you add new domains you'll just go in create a new line space out here put hyphen and then put in whatever you want so if you want this to be one factor then you would put in something like uh you know anything give me give me something right uh nmap dot o s i a dot me maybe that's maybe that's the new site once you do this you save the file you exit you do the simple command of docker compose restart and that's it you don't have to do anything else now we haven't started it yet so it doesn't have docker cables running yet but if you already have it running you can go in and change that configuration file you actually need to go back one directory first but then docker compose restart and when you hit enter it's going to restart docker compose and it's going to re-read that configuration file and add that new site to your index so that's pretty awesome now we've got our configuration file set up we have to do some internet proxy manager stuff here in just a minute and there's a little bit of stuff there but it's really really not that hard i promise and i'll kind of walk you through that but first we're going to do docker compose up and i always like to do up first just to make sure that everything gets pulled down that i don't have any uh mess up so connect to dr damon docker local host oh yes i have to keep doing pseudo i'm not used to this but if you'll log out and back in you don't have to do sudo i'm just because i'm recording i don't want to log out right now pseudo docker compose up i didn't set up all of the configuration it has a whole bunch of 
placeholders in there so yeah you should not see this if you replace all of that data you should just see that it comes up and runs no problem and you'll see that it works like mine because i have a bunch of placeholder stuff in there that's not valid it's creating errors i'm sorry about that but we'll go and we'll we'll restart my other one and i'll let you see what it looks like so all right so here i'm in my my production authalia server so i'm gonna do docker compose down just to bring it down for you guys now i'm going to do docker compose just up so you can kind of see what the logs look like as it comes up to start running so it tells you there's a few options that have been deprecated and they're going to be removed so you may have to modify your configuration file as new versions of ophthalia come out right here you can see log severity set to info and it gets a little bit of information that says here you go zero zero zero zero colon 1991 path is slash so we can go there and kind of check that out so if we go and open up off dot routem.org in this case we're gonna see that we're set up now you can see i've told it to save my credentials it just makes it faster for me on this machine it's my own but it may it'll come up for you and just be blank and if you set the light theme it'll be on a light theme but i can say sign in it's not really going to go anywhere it's just going to give me the two factor stuff here so i'd have to get my phone out and again i'm going to identify myself yes and it's going to come up and tell me what my key is right now which is and once i put that in it tells me hey you've been set up you're good you've got one time password everything's checked and i'm done i don't really have to do anything else here because off doesn't take me to anything else it just takes me to the authorization screen it's all of the other systems that we want to get set up so we're going to go back and we're going to set up nginx proxy manager we're going 
to kind of go through that and i'll show you what you need to set up there for those sites that we set up in our configuration file all right we're so close to having everything set up you wouldn't believe it now like i said before once you've got nginx proxy manager set up and installed you need to add a proxy host entry so when you click on the add proxy host button there's several different places to get to it from you'll see a form like this and you want to put in that auth and then whatever your domain is so in my case it's routemyhome.org you want to put that in right here you want to hit tab or enter so it makes it a little chip then down below that you're going to see this http already set this is a little drop down just leave it on http here you're going to put in the server ip address where you're running authelia now if you're running it on the same server as nginx proxy manager and it's on the same server as all of the other apps that you're going to basically use ophelia in front of you can use their docker ips and if you set up a special network then you can even use their docker names for those containers but in this case this is actually on a different server from where i run nginx proxy manager so i'm going to put in the local ip address and then here i'm going to put in that port that we set which is 9091. 
now remember if you change that port when we're doing the setup on the docker compose file you'll want to set that port here whatever you made it i did take block common exploits and websocket support i don't know this one is really necessary but i go i went ahead and ticked it just in case once you've done that you can just hit save and the first thing you'll do is just click on the on the entry that you get over here and you'll see an entry like this that you may not have any other entries yet it may just be this one but you can click on this little link and it's going to bring you to the authorization page now i've already got ssl set up but you should see you'll probably see the login username and password and not the two-factor authentication page but that's okay as long as you see something that read this says it's authelia then you know you've got some things set up correctly so you can close that tab you're going to go back to the row in engine x proxy manager you're just going to click on this three dots and then click on edit and then we're going to just jump over here to the ssl tab and if you don't already have it set you won't have this yet you're going to say request a new ssl certificate so you're going to pick this option so it looks like that you'll see all of these things down below it we're going to tick the box for force ssl make sure it's enabled then you're going to go down and make sure your email address is in here for let's encrypt and then you'll say i agree to the let's encrypt terms of service if you want to see those you can click right here once you've got that done you're going to hit save it's going to spin for about 10 15 20 seconds just depends on your internet connection and then this box will just close and go away and it'll look just like it'll just go away like that with no errors and you'll still see your entry there in nginx proxy manager and basically you're just going to click on this again and you should get the same 
window that comes up but this time it should have the ssl lock there which is good so we're getting there this is very very good finally we're going to close that tab and one more time we're going to go back and we're going to click on the three dots and we're going to click on edit and we're going to go to the advanced tab now i don't usually use the advanced tab but in this case we need to and you need to have a little bit of a json configuration in here with some special entries there's really nothing secret about what's in here but you can kind of see how much stuff is in here now i'm gonna have this a special entry and i'll have some placeholder stuff so here you can see i've got my i p addresses where you would put your i p address instead and then where it says the the domain name off.routmyhome.org you would replace that of course with whatever you've got for your off-site but once you've got that set up it's just one line maybe two lines in this file that you need to change and i'll have those marked with the little angle brackets you copy it you paste it in here make sure you've got those changes in place and then one more time you click save just to save those changes and then you're set for the off off file now for any site that you want to route to you need to go add one more entry as well in engine xproximator so make sure it has a ninja next proxy manager entry so in this case we're going to go into intop.routmyhome.org i already have one set up for it so i'm just going to go here i'm going to click on edit so let's i already had this set up i just want to add enginex proxy manager to it or if i even want to just set it up from scratch i can do that so i set it up i set the ip address i set the port number that it runs on again tick the boxes that make sense for whatever it is you're running maybe you need to cash assets you know things like that that's fine jump over to the ssl tab force ssl request a new certificate save it make sure that it all 
comes up with ssl turned on first and you get a secure site make sure that it's resolving if you want to save it after doing this step just to make sure it goes to that page without having to do the ssl step first you can do that i generally set it up save this this tab first save try it make sure it works i edit it go to ssl get the certificate put in my email everything like that save let it get the sale certificate try it make sure it comes up with ssl and then my last step is to come to the advanced tab now this advanced tab has a little bit longer json configuration in it but again there's only two or three places in here where you need to make a change and i think it's only two so you're going to make a change here to the i p address and the in the port number this is basically for your authelia install so right here you're just going to change this and again i'll have this file where you can just copy it out of the show notes and paste it into your nginx proxy manager entry now right here you're going to change this to be whatever application it is so for each site that you add you're going to change something right here so this you can see that this says upstream and then i've got n-top on this one so in top here on the one i did for homer i put homer on the one i did for another site i put whatever it was so i change it here and then i change it right here on this line and then i put in the i p address and the port number for that application so we're basically setting the ip address and port number for the application and then we're just changing this here to match what we have up above and then finally right here at this at this line you're going to change again instead of whatever it says here and i'll have example.com in there probably but you'll change that to be off dot whatever your domain is finally on this last step you have this set real ip so you can see here that i've got 7.0 and i've got it set to 16 which means this octet and this octet can 
actually kind of be anything so it's 192.168.any of those if you want to set that more strict you can you can set that to 7.0 24 and that would only be 192.168.7 now you could set you need to set this to whatever your ip address range is on your local network so if you use 10.0.0. whatever you'll want to set that one if you're using 172s because it's nginx proxy manager you'll want to make sure to leave this one and you may just need to add a line here that has your ip addresses or change this line to make it match whatever your ip addresses are for your local network so this line right here is one that you'll probably change because i've got mine set to seven you'd want to change yours to whatever it is this line you probably want to leave and you may need to add a line maybe two just depending on what you have set up on your network so once you've made those few little changes to this file really everything else stays the same so one more time you're going to come in here and you're going to put in the i p address of your authalia right here at the top i p address and port make sure they're set correctly you're going to come down to this section and change the name of the app from in top to whatever it is you're running in both of these lines okay you're going to change the i p address for whatever that app is and then the port number for whatever that app is after that you're just going to come down a little bit right here and you're going to change this from routemehome.org or example.com and you're going to put in your domain for whatever your authalia site is so it'll be off.whatever your domain is dot com or dot org or dot gov or whatever happens to be and lastly you're going to come down to the bottom and you're going to set this real ip to be the ip range for your local network and again you may have to add a line or something to add extra ip ranges if you have those but if you don't if you don't know what i'm talking about you probably just need to set 
this one to whatever your ip range is for your local network once you're done with that again click save and when you've done that you can go and test this out so you can see here i'm already logged in that's why it's only prompting me for the second factor because i'm i logged in to get to my dashboard earlier but it prompts me for my second factor when i try to go to that site so now that it's prompting me i want to test it so i'm going to put in my factor and it says hey good job and then it says welcome to ntop ng and of course now i have to authenticate into in top but if i get to this page i know that my redirect is working i know that everything's functioning correctly i know that i've got it running with nginx proxy manager so we've got authalia set up so i know that it took a long time to go through this video and it took a while to explain it but i wanted to go through things in detail for you guys because it took me a while to kind of figure this stuff out it took me a while to kind of go read and understand and figure out what things do i need and what things don't i need and how do i get them set up so i want to make sure i'm giving you that information to the best of my ability i've been really happy with the way authilia has been working i really like this project it's a really great project and authentication is so important these days and protecting everything that you've got as much as you can is so important as well i hope you guys enjoyed this video if you did like subscribe tell your friends about it so they can come along the journey with us and i'll talk to you next time [Music] you
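The sections of the Authelia configuration.yml walked through in the video (Redis session store, regulation, theme, storage, notifier, and the access-control rules that decide one-factor versus two-factor per domain), as an added example that is not the presenter's file or the project's own sample. Host names, the 192.168.7.0/24 network, the Redis container name and every credential are constructed placeholders; the comments note where a weaker setting would undo the protection the presenter describes.

```yaml
# Added illustration, not the presenter's configuration.yml.
# Values marked <...> are placeholders you replace.

session:
  redis:
    host: redis          # must match the Redis service name in docker-compose
    port: 6379

regulation:
  max_retries: 5         # failed logins allowed ...
  find_time: 2m          # ... within this window ...
  ban_time: 10m          # ... before the account is locked out for this long
  # max_retries: 0 disables lockout entirely and permits unlimited guessing.

theme: dark              # or "light"

storage:
  local:
    path: /config/db.sqlite3   # fine for a home setup; use MySQL/MariaDB/Postgres for many users

notifier:
  # Option 1: no mail server. Reset links are written to a file on the
  # container's file system instead of being emailed. Comment out the
  # smtp block below if you use this.
  # filesystem:
  #   filename: /config/notification.txt

  # Option 2: a real SMTP server (the presenter's choice).
  smtp:
    username: <smtp-username>
    password: <smtp-password>
    host: smtp.example.com       # placeholder; 25 plain, 587 for STARTTLS per the video
    port: 587
    sender: authelia@example.com # many providers require this to match the login user
    subject: "[Authelia] {title}"
    disable_require_tls: false   # true only if the server truly cannot do TLS
    disable_html_emails: false
    tls:
      server_name: smtp.example.com
      skip_verify: false         # true would accept any certificate, defeating TLS
      minimum_version: TLS1.2    # older TLS versions have known weaknesses

access_control:
  default_policy: deny           # anything not listed below is refused
  rules:
    - domain: "dash.example.com"   # placeholder for the dashboard
      policy: one_factor
    - domain: "ntop.example.com"   # placeholder for the monitoring site
      policy: two_factor
    - domain: "nmap.osia.me"       # the extra line added in the video
      policy: one_factor
```

After editing, docker compose restart from the directory holding docker-compose.yml makes Authelia re-read the file.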
Info
Channel: Awesome Open Source
Views: 33,250
Keywords: open, source, opensource, open-source, self, hosted, selfhosted, self-hosted, free, libre, software, server, web, internet, browser, linux, mac, macos, os x, windows, microsoft, unix, bsd, ios, android, pi, raspberry, desktop, digital, ocean, digitalocean, vps, tutorial, how to, setup, installation, instructions, cli, command line, terminal, interface, open source software, open source news, open source projects, authelia, ldap, okta, freeipa, authorization, login, web login, authentication, identity, keycloak
Id: 5KtbmrUwYNQ
Length: 46min 52sec (2812 seconds)
Published: Tue Sep 14 2021