Authelia: Install Guide + NGINX Proxy Manager (Deep Dive)

Video Statistics and Information

Reddit Comments

You've been killing it with quality content lately! Know that it's appreciated by many. Keep up the great work!

👍︎︎ 4 👤︎︎ u/iRanduMi 📅︎︎ Feb 02 2021 🗫︎ replies

How about Pomerium? Does the reverse proxy by default, you don't need nginx anymore

👍︎︎ 3 👤︎︎ u/legolas8911 📅︎︎ Feb 02 2021 🗫︎ replies

Interesting.... I am trying out Jumpcloud since I want a complete identity management solution, but would prefer something self-hosted.

This is at least part of it.

👍︎︎ 2 👤︎︎ u/xTKNx 📅︎︎ Feb 02 2021 🗫︎ replies

Videos from spaceinvader1, your videos... This is why I love the unraid community. It's freaking unique. Thanks for this nice tutorial video.

👍︎︎ 2 👤︎︎ u/Brulbeer 📅︎︎ Feb 03 2021 🗫︎ replies

What's the function of redis?

👍︎︎ 2 👤︎︎ u/Brulbeer 📅︎︎ Feb 03 2021 🗫︎ replies
Captions
Hi guys and welcome back to another IBRACORP video. Thanks for coming back and checking out the channel. Really appreciate everyone that likes and subscribes, just a big thank you. You know, we've just hit over 300 subscribers and that's really cool. I'm really happy to be helping people out and it seems like it's making a difference, so it's encouraging to want to keep going. So today I'm going to be looking at Authelia again. Now a lot of comments from the last video were that it might have been a little bit too advanced, and look, I couldn't agree more. It was advanced and it was really made for someone that sort of already knew their way around Unraid. Thinking about it again, I'd like to make this new one which is going to be a lot more depth right from the start to the end, and we're going to do it together, and hopefully by the end of it you've got a nice working Authelia setup. So we're going to be following my guide. Now you may have seen in my last video, in the beginner guide, that I have written an actual guide here. We're basically going to be following that, but I'm going to show you a couple of shortcuts that'll make it a bit quicker as well. I'm going to be following my guide, but I'm going to have the guide over to the side. So hang in there, let's buckle in and let's get stuck into it.

So guys, you've decided Authelia is looking really interesting for you. I've already sort of gone through this in my beginners video; if you haven't seen that, go check that out as well. Otherwise let's just get into the cases. So Authelia offers a single sign-on, secure authentication and is Kubernetes ready, so it's really scalable, which is good. Here's some other features that you may not know. So it obviously allows username and password, and that can be either in a particular type of file, known as a users database, or connected to LDAP. It supports both; I've used both and I'm currently using LDAP. If you don't want to go that far yet, try it with a users database first and we'll go through that step process today. It has a nice UI, one-time password support, two-factor security support as well, which is great. It allows passwords to be reset, which is really good; it actually works with LDAP quite well as well without having to set up like some sort of portal. It can regulate the login attempts and provide a little bit of brute force security, and it's highly scalable, and the high availability of it means that you can basically run it on a very large scale across multiple servers. Even the high availability is great and just means that it's really scalable later or now depending on your needs, whether it's for home, business, etc. If you're looking this up you sort of have an idea what it's all about. My beginners video sort of covered this anyway.

We're going to start right from the beginning. So we're on our brand new server here guys. This is a brand new server. Some of the feedback I had was, you know, it's hard to follow when you have an established server, and I agree with that, so I've got a nice fresh one here. I've only used it for a couple of videos, but if you're a brand new Unraid user you could pretty much just follow this right from where we are now. So the first step we're going to go into is head to our app store. In the app store we're going to look up Redis. There's a couple of different containers for Redis. I like to use this one, which in my guide is referred to as bitnami's repository, but I think he might have just changed his name; it's the same creator. And the reason why is, if I click install, you can see that he's mapped a password field. So some of them don't have that field mapped already. You can map it yourself, but it's just easier when it's there, of course. Now I'm going to go through the top to bottom here of a Docker template just to show you. So we've gone to the app store and we found the app that we want to install and it brings you to the template here. So under network type I highly recommend you use a custom network type for all your dockers so they can communicate with each other, and you can have separate networks and have them communicate differently. If you don't know how to create your custom network, it's really easy. Watch this: open the terminal in the top right, type docker network create followed by the name of the network, and if I just type that for example and I hit enter it will go ahead and create this network. So I already created this one before. So once you've created it you might want to refresh or go back through the app store to bring you back to this point so that it comes up in the list. So in my case I'm using ibra proxy, so make sure that as we're going through these guys we're going to make sure we pick this network type so that they're all on the same network. So under here, allow empty password, and we're going to say no, we don't want an empty password, we want this to be secure. Remember we're doing something involving security, so we want to make sure that we are being as secure as possible as we go along. Now for the sake of this video I'm just going to keep the password simple because it's just going to be easier for me to remember as we go through, but in your case please, please, please, please make sure that you are putting secure passwords in here for everything that we do. But today I'm just gonna go with password, so please don't do that, okay. So let's continue. We'll just install that and wait for that to finish.

So that's finished. We'll click done, and if we just head back to the Docker tab we can see that Redis is running. Click on log and if we just have a quick look, it's ready to accept connections, so that seems all right, that seems to be running, nothing to worry about there. Now we can continue with my guide. So I'm reading the guide on the side here guys, so if you want to follow along with that it might help as well; I'll put the link down in the description again. So we've installed Redis. The next step is MariaDB, which is a database server. So we've hit install, and on the network type again we're going to pick ibra proxy. The port is fine, we're going to leave that at 3306, and I recommend if it's free on your system that you just leave it at 3306 because a lot of things have it as a default sort of port, but if maybe you want to change it for security, anything like that, then change it here. Under the root password again I'm going to be just putting password. All right, so we're happy with that, we're just gonna click okay. We're happy with where it's being stored in the appdata folder, so we'll apply that and wait for that one to install. And that's finished. If we go back to Docker again we can see our database, so that's running perfectly fine. We're pretty happy with that.

Now if you're reading my guide you'll notice that it talks about creating the database and the user for the database using the command line, which is really easy, and I've already written out what you need to put in there. But I'm going to show you another way to do it. In light of making a video about this I thought a visual approach might be better. So if we head back to the app store and we look up a particular program, you'll see Adminer here. Now Adminer just gives you a nice interface so that you can manage your databases from a GUI, from a graphical user interface, which is quite nice. So if you just click the little install button, again we want to make sure ibra proxy is the network. 8080, I'm not sure I like that to be honest with you, so I'm going to change that to 8585. We don't want to change the theme or add any plugins, and we'll click apply and wait for that to install. As you can tell guys, a lot of this is really just clicking and waiting; the real nitty gritty is with the config of Authelia, but we'll get through that too. And that's done. We'll just head back to Docker. Under Docker you will see Adminer, so left click and web UI, and it'll bring you to this interface. As you can see from this drop down you can pick from quite a few different databases, which is really cool. In our case we're using MySQL, so we'll leave it with that. For the server you want to put the host name and the port number, and if you come back to Docker in your Unraid, here's our database MariaDB and here's our IP and our port number, so you might want to just copy that; it just makes it a little bit easier for you. So put that in there. The next field is the username. Now the default username, because we haven't created a user yet, is root, so I've created root. The password is the password that we set for root in the container, so I've gone back to Docker under MariaDB and it's the password that you've put here, okay. In my case it's password; in your case it's going to be that super long complicated password that you made. If you had a specific database that already was made and you want to access it directly you could put that in the last field, but we haven't got one, so we're just going to click login. So I've clicked login and we're now in the database server and we're looking at it from a nice graphical point of view. So if you were to click on these for example, which is just default in MySQL, you can see the different tables, the lengths and any sort of comments against them about what they might be. So it's really helpful when you're trying to find something that uses a database to navigate to it. Now there's other ways to do it guys, I'm not saying this is the only way. You can install MySQL on your main computer and just access it remotely or anything like that if you're a bit more advanced; that's fine. This is a bit more for the beginners just to give you a nice visual look at it. So ignore all that and we'll go back to the main screen.

And now once you've got to this point you can just follow the guide that I've written but in a visual manner, and I'll show you that now. So first we'll create a database. We'll call the database authelia and click save. So we've created a database and it's empty. The next thing we want to do is create a user. Click on privileges, create user, leave the server as a percentage, and under username type in authelia. We then just create a password for this user, so this will be for the user to access this database, if that makes sense. So we don't want all the passwords to be the same, because in theory you would want to separate everything and make sure that one person's account can't be used to access another system. So we put a password in there. Under the privileges table just select all privileges and click save. As you can see we now have a user and that user accesses our database, and if we just click back you will see our new database there ready to go. We've set up our database and we can move on to the next step.

So now the next step is Authelia. Now I don't know if you know this about Unraid, but you can click and drag these Docker containers and that changes the order of their startup, and it starts from top to bottom. So when you restart your server the first one will be the first one to start. So I usually like to keep an order of things in, if you just visualize your network. So for example I want my nginx proxy manager to run first because that will make sure all of my links are running and my connections out. Then I usually have database applications, as you can see here, and then I have everything else underneath that, because if you've got to think about it in the order of dependency, okay, an application that has a database, you would need the database up first before the application tries to start, otherwise it's going to fail on you. So it's important that you put them in an order that makes sense. There's also another feature if you click on the basic view to advanced view here. As you can see when you check auto start, which means if they were all off or Docker was disabled or your server restarted, then these dockers would automatically start up, and once you check it on it actually gives you an option to put seconds here for it to wait before executing the next Docker startup. So I can say here for example wait five seconds: when this container starts it will wait five seconds before it tries to start the next one, and so on and so forth. So you might have some containers that take quite a while to start up; in that case you might want to put in a longer startup gap or a wait time so that the containers underneath that might depend on it have time for it to start properly.

All right guys, so let's get into it again. So back to the app store, and we're going to look up Authelia, and as you can see here's my repository template that I've put up for everyone. We'll click install, and there's really not much here. I've put a link to the instructions that I'm reading in here as well. Under network type we'll set that to ibra proxy. I'm happy with the default port and I'm happy with the appdata location, and we'll just wait for that to pull down. And that's finished. Now we head back to Docker. You'll notice that Authelia is stopped. Click on log and you'll see that we have automatically generated a config file, okay; one didn't exist and now it does. So in our file explorer we can see the file that it's created here and it's a configuration.yml, and it's the default that Authelia creates once you first start it up. As you can see there's a whole bunch of settings in there, but if you were to use my guide, I've actually uploaded the files onto the GitHub, which again the description is down below, and I've had mine reconfigured a little bit just so that we can have it easier to follow, and it has the file back-end config set up for us as well. So we'll start going through this file and we'll make sure that matches your setup.

So starting from the top, we don't have to change anything here; you can just leave all that the same. Once you get to JWT secret, you don't have to remember this guys, this is just for the token and it will be used to keep it secure, so just put any random code in there, but I like to use the encryption generator; it just makes it a bit easier. The default redirection URL: so what this is, is basically just a default redirection when Authelia doesn't have a specific place that you are trying to get to. So if you are trying to get to sonar.u.com and it redirects to Authelia, they authenticate, it will then send them back to sonar.u.com. However, if you go directly to the website that Authelia is living on and you log in and sign in successfully, it doesn't necessarily have anywhere that you're trying to get to, so it'll just redirect you to whatever this is, okay, which can be your main URL for example. So in my case I'm just going to put our main website, and we'll scroll down. All this here you can just give it any name; usually your domain name is the best. This shows how long the one time password will be current for, so we're going to say 30 seconds. We don't need to change anything here. Scroll down, the Duo API: now if you want to use Duo, I personally have not used it, so I cannot really give you instructions on how to set it up, so in my case we're actually going to comment this out. And here you can disable whether the reset password function is allowed. So I like to keep it there; if you don't, just change it to true. How often you want it to pull from your authentication back end: we're going to skip this for this video because remember we're talking about a beginner watching this, so we don't want to over complicate things, so we'll just skip that for now. Come down and here you'll see the file. So instead of using LDAP like Windows Active Directory or FreeIPA or OpenLDAP as a database for users, for example, you can just have a file, a users database file. So basically you've got the path to the file and its name, and as you can see we're using this algorithm. Now in the guide I've written the website, but I'll bring it over, and this just lets us create a nice strong hash to protect our passwords etc. And if I just bring up the guide here to compare, you can see the plain text input is our desired password, so in our case we'll just put this, and so as you can see it's converted our plain text password into a hex password. And as you can see we have to pull a file from our GitHub called users_database, so this will be the name of our users, and you have to be real careful of your spacing here guys, so just make sure you follow this. So this will be the username; in our case it's john, okay. Your username might be whatever format that you want it to be. The display name is the full name, so that's John Doe for example. For the password we'll be taking the output encoded form, take that and basically just paste it in there. As you can see we've got our email address there and the groups. It's really important that you set these correctly, because with the password reset this is where it's read from. So we've just put our email address and we said that we're part of the admins and the dev group. So now that we've configured that users database file we'll just copy it and paste it into the appdata folder, the Authelia folder, just so that it lives beside your configuration.yml. Once you've done that we can now come back to our configuration.yml file, and we know that we've done this part so we can move on.

If you scroll down a little further you can see our default policy, so the access control. A lot of people get held up on the access control, and pretty much the way you need to think about this is: what's the default policy for any average joe that wants to come to my website? You might be thinking to yourself, well, I want them to just be denied if I don't know who they are and they're protected by Authelia: deny them, just deny it. The rules then explicitly state who's allowed to access said protected URLs. So it's more secure to keep it as deny. A lot of people think that changing it, I think that it's working, but really you're just bypassing it by default. So any website that you don't want Authelia to protect, just don't put Authelia over the top of it, okay, but the ones you do, it means you want it to be secure, so set it to deny by default. Then under the rules you can start configuring all the rules that you like. So we've got the domain, the subject (it's either the people or conditions which are allowed to access it) and then you have the policy, so you can have either bypass, one factor, two factor or deny, and that will basically judge what you want for that particular domain. So as you can see this is a wildcard domain, so your whole domain would be protected by this, but we don't want that; we just want one particular domain, and for our sake we're just going to go with Overseerr; it's our favorite little test container at the moment. So we'll just call that overseerr.ibracorp.org, and I'm making sure that matches my DNS entry in Cloudflare. We haven't got to that yet guys, but I do have a video already out about that.

So then you've got your session name, so you can just leave it as a default if you like or you can change it. The secret: so with the secret again we're going to use that encryption generator, so we'll generate a new 128-bit one, go back to our config and put that in as a secret. The time in seconds before the cookie expires and the session is reset: set that to whatever you think is relevant; sometimes eight hours might be good, so we'll just put on eight hours. The inactivity time we're gonna leave at five minutes. This is one month, so how long you want to remember the person for; one month is set, you can change that to whatever you like, I'm going to leave it as one month. The domain to protect: so you need to make sure this matches the domain that you are trying to actually protect guys, so make sure that's there. Now we want to put in the information from Redis, and back in Docker right here we can see our Redis details, so that's our IP address. I've got my placeholder there; we're just going to replace that, and 6379 for the port. As you can see 6379, that matches what we've got, so we can go on. If you click on Redis and compare to the next part, this will be the password that we set here; in my case it was password. Put whatever you had in there. The database index: now this part is important guys. If you are just installing Redis and you haven't used it for anything else, you can just leave it at zero, okay. If you have used Redis for quite a while you might want to use a different index number, so then it uses a different database inside of Redis. So the number basically tells it what database it is you want to write to or read from. Because this is the first one that's going to be in here we'll let zero be that one. We scroll down a little bit further and we're now looking at the regulation. So we can allow the person to retry three times before they're banned. This allows a certain amount of time for them to attempt to log in before being banned, and the length of time before a banned user can log in again. So basically like, you know, kicking them out for a certain amount of time.

So under storage here guys you've got several different options. As I said before you can use the light version of Authelia, and that just basically means uncommenting these entries here and it will use an SQLite database. I personally do not recommend doing this, so I always recommend setting up MariaDB like we did, and it didn't really take that long, so why not just do it like that. So we want to put our MariaDB details, and as you can see it's these ones just there. The port is 3306, our database we called it authelia, and our username we also called it authelia, our password is the password that we set, and we can move on to the next part with SMTP. I highly recommend you set this up. So I've just put out a video recently about using your Gmail account with your domain so that you have a domain address. I recommend you watch that because it'll give you all the information that you need to put into here. If you're using my video to create your domain email address it would look something like this: so your username would be whatever it is @gmail, your Gmail password, this is the host, the port would be different if you're using my method, as 587 for TLS, and sender, so whatever your email address is that you set up. Subject is Authelia followed by the title, and it's got a couple of test things in there by default and you can change that. Disabling require TLS we won't do because we need it for this type of connection, which you can actually see down here anyway: sending an email using a Gmail. And this is pretty much it. So guys, that's configuring Authelia, okay. That part takes honestly the longest, I reckon, out of the whole process, and with little to no information when I first started this it took me a while to get it all wrapped up to make it such an easy thing to follow. So we've configured our yml. We'll just copy all of this, because I've just saved this on my desktop, but we want this in our Unraid appdata folder. So here we are on appdata and Authelia config.yml. I really should have just made all the changes in here, but that's all right. Click save and we've got all the information that we want for Authelia to start up. So minimize all this and head back to Unraid.

So we're back in Unraid now. We've configured our config file. Check this to auto start and now we're gonna get ready to start it up for the first time and see if it works. As you can see we've started. We'll check the logs, and that's okay, that's because we've got the notifier startup in the config file. So you guys saw that error message, and we're just looking back at our config file; you can see that it's the notifier startup check. So I'm just actually going to disable that, because we don't really want it, and we'll click save, and we'll try and start it again, we'll click restart. Now looking at the logs that looks a lot better, so if we try to open up web UI we're provided with the Authelia interface. So a lot of people test it at this stage and start wondering why it's not working like it should. This isn't really the best way to test it. There's one last step that we have to do guys and that is to protect something with Authelia. So I hope you've already watched my nginx proxy manager videos; if you haven't, please go watch them, because you're going to need to know for this part how that all works, but I'm going to walk through it with you right now.

So I'm in nginx proxy manager. I have only one proxy host, which is proxy itself, and we want to now set up one for Authelia and one for Overseerr. So I'm going to quickly make an Overseerr one. So I've created that, took no time at all, and I can confirm that that's working. The next step, if I bring over the guide, it tells you what needs to be changed, but to find those files they're just up here, so make sure you click on it and then you've got what you need. So what we're looking at right now is the protected endpoint, okay. So authelia portal conf is for Authelia, which we haven't created yet in nginx proxy manager, so we're just putting in this first, which will be for whatever we want to protect. So if I just go in there and I copy all of this, and we come back to nginx proxy manager, click the three dots there on Overseerr and click edit. Under advanced, paste what we just created. Now scroll to the top and you can see a couple of details that we need to change. So first of all is our server IP, which is there; there is a placeholder there as well, so we make sure we change that. Scroll down a little bit more, a little more, and you get to this next location block: the container name. So the container name is the name of this container that we are protecting. I can go back to the Unraid server; I know the container name is this, so you can just copy that and place that here instead of container name. Let's go down a little further and you will find your domain. Now here's something that we didn't cover yet: you need to have a DNS entry for your Authelia page, and that could be anything; usually people like to call it auth.yourdomain. In this case you can change it to whatever, so we'll come back to Cloudflare here real quick and we'll create a CNAME. We'll call it auth at ibracorp.org and click save. So if I come back to here I know that I need to change this to ibracorp, and that's it, there's nothing else that needs to be in here, so we'll click save. Now if you try to go to that link it's not going to take you anywhere, because we haven't set up our host for Authelia yet. And back in GitHub, let's go back, you'll find Authelia portal here. Click on that, copy all of this information and head back to nginx proxy manager. In here we're going to create a new proxy host. Again, we've already created our DNS entry for it, so we simply type it in and we confirm our IP and port number: 101 for the IP, 9091 for the port. We'll apply all this sort of protection, head to SSL, we select our SSL certificate; if you don't know how to do this please watch my Cloudflare video, I've just put that out recently too. Under advanced is where we're going to paste that content that we just copied from our GitHub page, and again we're going to change the placeholders. So in my guide it explains what parts we're changing, but on the video it's just easier to show you like this, of course. Let's go down a little further and I believe that's it for this particular file, and we'll click save.

Now if I was to click that link... sorry guys, I made a mistake, I put my usual domain in there just out of habit. So now if I click that link you can see we reach auth.ibracorp.org and it gives us our Authelia page. Awesome. If I try to log into that it's just going to try and bounce us to our redirect domain, so instead let's test going to Overseerr. So if you look up in the address bar you can see that it's got the redirect link in there and it's asking us to log in. So our username was john, and there you go guys. So we tried to get to Overseerr, it bounced us to Authelia, Authelia said you need to log in, we signed in, and there you go, now it sent us over to our main page after we logged in, all for us, so we didn't have to do anything there. The biggest thing I can recommend to people when doing this sort of work is to open an incognito tab, which is Ctrl+Shift+N, and that just makes sure that no cookies are being saved and causing issues with you trying to access stuff. A lot of people will get hooked there, so I thought it's a really important little tip: just go into incognito mode.

So if we come back to our config file we'll try something a little bit different. So instead of one factor authentication we'll actually put in two factor, and we'll hit save. Head back to Unraid, we'll restart Authelia for those changes to take effect. Back in our incognito tab, we'll try to get to our Overseerr link. So it asks us to log in again and now it gives you the option for a one-time password. So it says we need a one-time password and asks you whether you registered before. If you haven't registered, click on not registered yet, and it says an email has been sent. So if we come back to our email, there you go, there's our email address, so we'll click register, and from this point you can pretty much just scan the QR code with your phone and use the authenticator, and it'll ask you for that pin every time you go to use it, which is pretty cool.

So there you go guys, there's Authelia start to finish. I know it was a long one. I'm hoping that I covered everything, you know, with my two videos and the written guide; I'm hoping that is just enough information to get people going. If you have trouble, you know, feel free to open an issue on my git. If I can't solve it, I obviously recommend logging it with the actual Authelia git, although with the unique setup of having it with nginx proxy manager and on Unraid, that's where I found a lot of difficulty getting some help, so feel free to reach out anytime. Leave your comments down below and please think about subscribing; it really helps. If we can get to a thousand that would be awesome guys, I really appreciate it. Thank you very much and I look forward to seeing you in the next IBRACORP video.
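The access-control discussion in the captions (default policy deny, then explicit rules with a domain, a subject and a policy of bypass, one factor, two factor or deny) is the part most people get wrong. The following is an added example, not code from the video, the written guide or the Authelia project: a simplified Python model of that decision. It assumes first-matching-rule-wins evaluation, that a `*.` domain matches subdomains only, and that a rule carrying a subject cannot match an anonymous visitor; the hosts `admin.ibracorp.org` and `forgotten.ibracorp.org` and the group names are constructed for the demo. The `audit` function flags the "bypass by default" mistake the captions warn about.

```python
"""Simplified model of Authelia-style access-control evaluation.

Added example, not Authelia's own engine. Assumptions: an ordered rule list
where the first matching rule wins; '*.' domains match subdomains only;
subject entries are 'user:<name>' or 'group:<name>'; a rule with subjects
never matches an anonymous visitor; default_policy applies when nothing
matches.
"""
from dataclasses import dataclass, field

POLICIES = ("bypass", "one_factor", "two_factor", "deny")


@dataclass
class Rule:
    domain: str
    policy: str
    subject: list = field(default_factory=list)

    def __post_init__(self):
        if self.policy not in POLICIES:
            raise ValueError(f"unknown policy {self.policy!r} for {self.domain}")


@dataclass
class AccessControl:
    default_policy: str
    rules: list = field(default_factory=list)

    def __post_init__(self):
        if self.default_policy not in POLICIES:
            raise ValueError(f"unknown default_policy {self.default_policy!r}")


def domain_matches(pattern, host):
    """'*.example.com' matches any subdomain (not the apex); otherwise exact."""
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # '.example.com'
        return host.endswith(suffix) and host != pattern[2:]
    return pattern == host


def subject_matches(subjects, user, groups):
    """An empty subject list means the rule applies to everyone who reaches it."""
    if not subjects:
        return True
    if user is None:                              # anonymous visitor: no identity to check
        return False
    for entry in subjects:
        kind, _, name = entry.partition(":")
        if kind == "user" and name == user:
            return True
        if kind == "group" and name in groups:
            return True
    return False


def resolve_policy(acl, host, user=None, groups=()):
    """Policy applied to a request for `host` by `user` (None = not logged in)."""
    for rule in acl.rules:
        if domain_matches(rule.domain, host) and subject_matches(rule.subject, user, groups):
            return rule.policy
    return acl.default_policy


def audit(acl):
    """Warnings for settings that quietly widen access."""
    warnings = []
    if acl.default_policy == "bypass":
        warnings.append("default_policy is bypass: every host without a rule is unprotected")
    for rule in acl.rules:
        if rule.policy == "bypass" and rule.domain.startswith("*."):
            warnings.append(f"{rule.domain}: wildcard bypass exposes every subdomain")
        if rule.policy == "bypass" and rule.subject:
            warnings.append(f"{rule.domain}: bypass never identifies the user, so the subject is never enforced")
    return warnings


# Constructed configs: the 'bypass by default' mistake beside the
# deny-by-default layout the captions recommend.
WEAK = AccessControl(default_policy="bypass")
HARDENED = AccessControl(
    default_policy="deny",
    rules=[
        Rule(domain="overseerr.ibracorp.org", policy="one_factor"),
        Rule(domain="admin.ibracorp.org", policy="two_factor", subject=["group:admins"]),
    ],
)

if __name__ == "__main__":
    for host in ("overseerr.ibracorp.org", "forgotten.ibracorp.org"):
        print(host, "weak:", resolve_policy(WEAK, host), "hardened:", resolve_policy(HARDENED, host))
    print(audit(WEAK))
```

Running it shows the point the captions make: with `default_policy: bypass`, a host you forgot to write a rule for is served without any login, whereas with `deny` the same host is blocked until you add an explicit rule.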
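The regulation section of the config (three retries, a window in which the retries are counted, and how long a banned user stays locked out) is described in the captions but not shown working. The block below is an added example, not code from the video or from Authelia: a small Python model of that brute-force limiter driven by a constructed stream of login events. The sliding-window counting, the parameter defaults and the decision to count only failed attempts are assumptions of this model.

```python
"""Model of login regulation: max_retries failures inside find_time seconds
lock the account out for ban_time seconds.

Added example, not Authelia's code. Assumptions: failures are counted in a
sliding window per user, a successful login clears the counter, and a banned
user is rejected before the password is checked. Timestamps are plain seconds
so the demo runs offline on constructed events.
"""
from collections import defaultdict, deque


class LoginRegulator:
    def __init__(self, max_retries=3, find_time=120, ban_time=300):
        self.max_retries = max_retries
        self.find_time = find_time
        self.ban_time = ban_time
        self._failures = defaultdict(deque)   # user -> timestamps of recent failures
        self._banned_until = {}               # user -> time at which the ban lifts

    def is_banned(self, user, now):
        until = self._banned_until.get(user)
        return until is not None and now < until

    def _prune(self, user, now):
        """Drop failures that have aged out of the find_time window."""
        window = self._failures[user]
        while window and now - window[0] >= self.find_time:
            window.popleft()

    def attempt(self, user, now, password_ok):
        """Process one login attempt; returns 'banned', 'ok' or 'fail'."""
        if self.is_banned(user, now):
            return "banned"                   # rejected even if the password is right
        if password_ok:
            self._failures[user].clear()
            return "ok"
        self._prune(user, now)
        self._failures[user].append(now)
        if len(self._failures[user]) >= self.max_retries:
            self._banned_until[user] = now + self.ban_time
            self._failures[user].clear()
        return "fail"


def replay(events, regulator=None):
    """Feed (timestamp, user, password_ok) tuples through a regulator."""
    reg = regulator or LoginRegulator()
    return [reg.attempt(user, ts, ok) for ts, user, ok in events]


# Constructed event stream: three quick failures, a correct password while
# still banned, then the same correct password after the ban has lifted.
BURST = [
    (0, "john", False),
    (10, "john", False),
    (20, "john", False),    # third failure inside the window -> banned until 320
    (30, "john", True),     # right password, still locked out
    (330, "john", True),    # ban lifted
]

# Slow guessing that only reaches three failures in one window at the end.
SPREAD = [
    (0, "john", False),
    (130, "john", False),   # the failure at 0 has aged out
    (140, "john", False),   # two failures in the window
    (150, "john", False),   # three -> banned until 450
]

if __name__ == "__main__":
    print(replay(BURST))    # ['fail', 'fail', 'fail', 'banned', 'ok']
    print(replay(SPREAD))   # ['fail', 'fail', 'fail', 'fail']
```

The BURST stream shows why the ban must be checked before the password: the correct password at t=30 is still refused. The SPREAD stream shows the role of the window: attempts that fall out of `find_time` no longer count toward the ban, so the values you pick for the window and the ban length decide how slow an attacker has to go to avoid ever tripping it.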
Info
Channel: IBRACORP
Views: 15,210
Keywords: Authelia, Authentication, active directory, ad, auth, authelia, authentication, authentication and authorization, authorization, deep dive, docker, freeipa, homelab setup, ibracorp, identity provider, jwt, jwt authentication, kerberos authentication, laravel, ldap, mariadb, nginx, nginx proxy manager, oauth, reverse proxy tutorial, security, self-hosted, selfhosted, spaceinvaderone, two factor authentication, unraid, unraid nas, unraid tutorial, user authentication, authelia guide, install authelia
Id: kw_pohbKE3Y
Length: 36min 5sec (2165 seconds)
Published: Tue Feb 02 2021