Authelia | The Ultimate Guide To Install and Configure (2022)

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

i.t security a cornerstone of the i.t industry that seems to be for most of the time is a small subject until things go awfully wrong and self-hosting is no exception when we are hosting our own applications we tend to sometimes maybe overthink or not think hard enough about the security implementation that we have to protect our infrastructure two years ago we ventured into ophelia and we were the first to generate a easy to follow and fully in-depth guide on ophthalia and how to use it since then plenty of other videos have come out from other content creators and we still think it's a topic that changes very often and so naturally we need to update our work as well for those who know our docs page has been one of the most important resources and we've constantly been updating the ophelia guide over the years with everything that we continue to learn from ourselves and from our community members however this time we did a complete overhaul there's so many things that we learned in the process that the whole documentation really needed a clean up and to be brought up to date with all the changes that orthelia themselves have implemented since our original video so we hope today we can cross everything off and show you from start to finish how to get orthelia running on your server we're also going to be putting up our docker compost files here on our docks as well so for those who are using docker or docker compost feel free to follow through with the video because all the configuration steps and setting up of other is the same across docker compost or on unraid it's only the initial install step where we're going to be showing on unrate but feel free to follow along so that you understand what's happening but like i said our docker compost is there so you can use that as well orthelia is an open source authentication and authorization server in short guys if you have applications that you're self-hosting you're reverse proxying them out and you want to apply a layer of security whether it's single factor or two-factor authentication orthelia is the app for you and it lays right over the top and easily integrates with your reverse proxy so from our previous guides you'll see that we've shown it working with nginx proxy manager and then we also showed you in our traffic guide a few weeks ago how to apply ophthalia using labels keep in mind that once you implement orthelia you can also disable your built-in auth on most apps so that you only have to sign into orthealia and then get straight into your application if this sounds interesting and you want to lock down your apps and get started then stick around i think this is going to be the video for you without further ado let's get stuck into it salaam ibrahim and welcome back to this week's video thank you for coming back and checking out the channel as usual really appreciate having you here if you like our work you like what we're doing please don't forget to like and subscribe join our discord and be part of the discussion we'd love to have you there you can find all of our links in the description below but first things first guys we're going to start with our docs so as you can see guys we've really overhauled orthelia we've done a lot of work getting it up to speed and getting it to where it is now and the changes that we've made have made a lot easier to follow for one but also include a lot of tidbits that we didn't know about until we learned these things as time progressed so i think you guys will really enjoy this for the purpose of this video i'm going to be having the guide off screen as usual and i'll be doing the video for you guys so that you can basically just watch the video if you so choose but keep in mind that all the configuration files as you can see here and any other configuration that we've created templates for are on the docs page i'm not going to link them here on youtube we have them here so that we can update one single source so don't forget to read the sidebar when you're following the guide up above we've also tried to hyperlink them where possible so that you can just click and it'll take you straight to the file that we are referring to so while we do that what we're going to do is jump into unraid and we're going to get into the install real quick once we get to the install guys those who are following docker please use the compost file and if you're using docker run then you'll see the commands that we're using in the compost file as well after that you can basically just follow along no matter what system you're running in terms of configuring orthelia because it's going to be the same across the board so let's move that over and let's just get stuck into the install okay so here we are on our unraid server and uh as you can see i've taken out orthelia i've removed all of its dependencies so that we can go through it together and you guys can see everything that happens from start to finish in one easy to follow video so first thing we're going to do is head over to the app store and before we actually install orthelia we have to get some dependencies sorted out so i'm going to talk you through what those dependencies are first and foremost having something like code server is going to be immensely helpful for you when it comes to us configuring and setting up our configuration files it also allows us to validate the files and make sure they're correctly formatted i think about 80 of the problems that we get from people coming into our discord and asking for help with orthelia is usually the yaml formatting is completely wrong or one extra space can basically break the file so if you haven't watched our code server video please go and do that install it get it set up it's going to make your life a lot easier it is optional but i highly recommend it what isn't optional though is readers so let's go into the app store and we'll just search for readers here now in our guide we follow the one from a75 g's repository the reason why is because it uses the bitnami image which we just like to use it seems to be very stable and does the job that we need it to so from here we'll go ahead and click install and on the template installation screen we're going to see a couple of options so here's what we need to do first let's set our custom docker network to ibra proxy or whatever your proxy network is we have a video on custom docker networks for you to follow as well make sure we've got that selected then come down to the readers port 6379 is the default and we're happy with that with allow empty password what we want to do is actually set that to no and then in the password we're going to put a password in here so put in the password that you think is secure and relevant and then we'll go from there as you can see i've just put in a simple password and that's going to allow us to demonstrate where we're using configuration later so make sure you take a note of this because we're going to need it for orthelia in the following steps once you've got that your app data location now this by default is actually not here okay but we have it in our guide and we instruct you to add it and the reason why we do that is quite simple basically if you don't add this bitnami readers will not actually save any configuration or caching files so what that means is when you go to ophelia and you click on remember me for example without this path it actually won't remember you at all and you'll be finding yourself constantly signing in and out and we've got to give credit to a user over on the unread forums on our thread for ibracorp who has suggested that that was over a year ago so thank you to them for giving us that suggestion with that all done we're pretty much ready to go so we can go ahead and click apply now while that's loading you guys might be wondering what is redis so redus is an in-memory data structure store and it's used to store keys memory key values database cache and a message broker with optional durability so it really allows us to get transactional data in and out nice and quick where it can be an instant cache rather than writing to a full database like mariadb for example so we'll click done and you can see we've got radius there it's running let's check the logs and make sure and that looks all good we got ready to accept connections so successfully started that the next thing we're going to install is maria db now i already have maria db here and guys we already did a video on setting up mariadb and creating a database and also using addminer which i'll get to shortly so if you don't have marie db please follow that video it's going to help you understand how it all works and get it set up but in our case it's already set up and ready to go so i'm not going to go over that here so what we all we need to do here is now actually create a database on this database server for orthelia and the easiest way that we like to do it is using something like addminer you don't have to use it you can use anything else you think is relevant you can use the terminal as well which we've included the instructions in the terminal but i want to show you guys adminer because it is pretty useful we've opened up adminer we've got our login credentials we go ahead and click login now in here you can see all these databases that we've already created we need to create a new one for orthelia so go ahead and click create database in here pretty straightforward we're just going to call it orthelia leave the correlation as is and click save okay so now we've created a database we need to create a user so let's go ahead and go to privileges and you can see i've already had this database before so the user actually already exists but if you didn't have it you would go to create user now again for the purpose of this video i've just set the password to password maria db and that will just allow us to see it in the config file but please obviously generate a strong password and make sure you note it down because again we're going to need it in the configuration for a feeling so once you've got the password we click on all privileges we scroll down and we click save like i said i already had the user there so i'm not going to need to create it again and as you can see we can you know do everything here from our visual point of view we don't need to use the terminal if we don't want to we can look into other databases as well that already exists so then you can check out we know what sort of data is in there maybe you want to drop a table for whatever reason you've got all the functions that you would normally have of course if you're experienced with databases you may not want to use adminer but i think for the general public you're not really used to databases and using the terminal to control them i think adminer is a very useful tool and there are other similar tools that exist as well to allow you to do the same thing so there's no discrimination just depends what works for you so guys checking off the list we now have radius and we now have mariadb we have a database set up for orthelia in mariadb we're ready to go so guys as you probably guessed the next step now is actually installing orthelia we've got the dependencies done which was redus and mariadb and now we can install orthelia so in the app store again if we just look up authelia you will see our template here from psychotics repository which is us go ahead and click install on the template screen we're going to be setting some very similar stuff as before so we want our custom docker network set again guys on the mario db that was also a custom docker network too so we're all on the same custom docker network for everything here okay the web ui by default 1991 if that suits you just leave it as is i highly suggest you just leave it as is the app data config path again leave it as is these following labels you see here are for getting traffic to pick it up now if you don't use traffic using nginx proxy manager for example you do not need to add these labels okay you do not need these here they're not here by default in our template so you won't even see them if you do use traffic please follow our guide on traffic because we've talked about that a little bit more and also the reading guide is there for you to follow as well uh specifically setting ophelia in traffic okay so assuming you understand how that works already because you watched our video two weeks ago those are the labels for traffic and we're using traffic here now so we're just going to leave those as is nothing needs to change here once you're happy go ahead and click apply now as we've noted in our documentation the other container isn't going to start it's going to exit straight away okay and if we go here and we click on the logs you're going to get an indication of why the configuration did not exist so a default one has been generated at that location so we need to configure this now here's where code server is going to come in handy if you are not using code server you just want to use you know your notepad plus plus editor on your desktop whatever the case might be you need to open up the file to edit it so just to demonstrate for you guys not using code server you would need to navigate to the location where that file is you may come across permissions issues doing this as well so just keep that in mind if you do have permissions issues you can create the file on your desktop and then copy it in here that's the easiest way to get around it otherwise you can change the permissions if you know what you're doing so here we have a configuration that's created for us okay but we're gonna go into code server and edit that now okay so here we are in code server i can see our app data location again guys code server we have a video for so you'll understand all this if you followed that we have a configuration file let's click on that and here's our default config that gets generated by ophelia now if you have a look at this giant configuration file you can see why people feel a little intimidated sometimes and look rightfully so the comments need to be there because they explain exactly what's going on especially as the version of orthelia continues to change more features keep getting added so then they have to explain what's going on so in our case what we're going to do is actually go to our documentation that we've written and we have a configuration file for you to just simply copy and paste so let's highlight everything in here we'll remove it and we'll paste in our template as you can see with our template a lot smaller and we'll start working our way through it now so most of the work that we're going to be doing is done in this configuration file this file is what tells other how to work what it needs to do where it needs to send stuff you know basically we are configuring it and its behavior all from this file so most of the time you're going to spend it in here troubleshooting stuff if you do need to troubleshoot something and it's really important that you understand what each thing is doing so we're going to walk through it together guys so bear with me it's really important you stick with me here otherwise you'll find yourself stuck and you won't know why so let's start right at the very top theme we've set dark as the default there are light theme as well and i think a grey theme you can set that to whatever you prefer when it comes to creating secrets if you look under the orthelia tab here and under placeholders you can see our link that we've put for secrets now this is just to help you generate them you've got 128 bit options so if you just click that click on 128 bit and it'll help you generate them it's going to be a lot easier okay now it's really important that as we go through the different areas require different secrets so you just generate them but don't make them the same it's for your own security so with that key done so we can just copy that for example and then we come into the jwt secret and we just paste that in okay so we have a secret there that's fine the default redirection url now what that says is if you hit orthelia and ophelia doesn't have a rule to tell it where you want to be bounced onto later once you've authenticated you can set a default address where it'll say okay i'll just send it there anyway typically that's going to be your main domain so let's say in our case ibracorpto.io for example let's say that's the case we just put ibracorp.io but perhaps maybe you have a different address you want it to forward onto for all these details here we do not need to make any changes from our template this is verified to be working so we're just going to leave that alone log we can leave that alone you can change it if you want a little bit more info you can set this to debug for example useful for troubleshooting and this is your one-time pin so with the one-time pin we also want to set our issuer to our domain so we'll set that to our domain one important note i'll add is that you can only have one domain at this point in time configured in orthelia so it's really important that you try and maintain consistency as you're going through the file the period is 30 and the sku is one we can leave that as is then you get to the authentication backend now there are two different ways that you can authenticate a person in orthelia you've got two options option one is using a simple yaml file with the user's encrypted credentials that ophelia can read and option two is allowing ophelia to read from an ldap database such as free ipa or active directory now there is also open id option i don't know if that's been implemented by ophelia yet but i personally wouldn't suggest it just yet if especially if you're self-hosting you probably want to keep that all in-house and so we give you both options in our guide in our written section you'll see on the side that we provide you with your ldap config or free ipa and active directory and we also provide you the user's database file template as well if that's what you so choose so by default in our template we've got the file as the option being selected as you can see here under authentication it says we want to use a file this is where the file lives and these are the details we use in the file alrighty this doesn't mean much to you i'm sure unless you know what it is okay but this is the encryption method and strength that we're going to be applying to the passwords in the file let me explain that a little further what we'll do under other let's create a new file here okay and we'll call it users underscore database dot yml okay we're making sure that we spell it exactly like that purely because that's what it's looking for here in this file we have our template i'm going to copy that from our docs page and there's our template okay so users we want to change the username they will say psychotics and display name so maybe the username you want to have different display name when their name comes up in orthelia i'll say psychotics guy under the password is where we need to put in this encrypted password how do we do that you might ask all right pretty straightforward so jump into your favorite ssh tool whatever that case might be or jump into unraid directly same applies for those using docker of course if you're on ubuntu already in the terminal i'm sure you will be running a command so open up the terminal so to generate the password now while we're in the terminal it's pretty straightforward we've got the code written in our documentation all you need to do is paste that and then we'll backspace between the two apostrophes here and set the password that you want to set for that user so for psychotics's password we're just going to put in password user obviously in your case make sure you put something secure once you're done hit enter now what that's going to do is it's going to spin up an orthelia container allow us to generate a hash password and then it's going to remove it again so copy this so by just highlighting it of course with our mouse and letting go at the end it should copy that for us if not use whatever shortcuts you need and then come back to our users database file and paste it in so overriding this template password we've got here now the email is pretty important especially when you want to do your password resets for example so in this case we can just go let's say for example psychotics at hebrew called the io it's not a real email address but you would put a real one there and then you've got groups so you can create groups and tell orthelia where that user lives so in this scenario we know that psychotics is part of the admins group and also part of a dev group if you wanted it you don't even need the second one if you don't want it you can just put that for example if that's what you so choose if you wanted another user in here you follow the exact same steps and you paste it from this level again so then we can say hawks and we'll say hawke's guy exactly as we did before and go through the same steps updating it like that so now we have two users for example they're allowed to access orthelia that's pretty much it once you've done that you've got the password there that's all fine go back to configuration and we can now move on with the list the next thing you have is access control access control is like the name suggests what it's going to be doing now the default policy we've set is one factor okay so what this means is when we apply ophthalia to let's say a container or to a sub domain in nginx whatever however you decide to deploy it these are the rules that we are going to be setting up now to keep it simple for you guys we've taken out all these extra rules that we used to have for the template and that just helps cut down on the extra work that it takes to troubleshoot issues and what we didn't want is to give people a whole list of rules when it may not really apply to them but what we did do is take the rules that we had and we've got a specific section in our docs now called rules under ophelia and we explain a little more and give you more examples so i'll show you that here for example and you can see all the different rules that you could have at the moment all we've literally got is access control default policy and that's it now what this policy would do here instead is says the default policy is actually to deny so we are allowing explicit stuff to pass through other rather than implicit what that means is by default policy being denied everything that passes through orthelia will be denied if you want something to then bypass authelia then you will need to tell it specifically that you want it to bypass or if you want to set it to one factor or if you want it set two factor you can set them up for different rules for different domains whatever the case might be so here we have this first rule let's look at one rule here just to make it easier for us okay so here we have a bypass rule and we're saying that this is the rule we use for things like apis if you're someone that uses sonar or radar as i've explained up here somewhere usually you want your api to be bypassed and the reason is that's not going to be able to authenticate with orthelia so then they won't be able to actually communicate via the api i feel they will end up blocking it so having something like this particular rule in fact if i scroll down that's what the condensed rule looks like that will allow anything on this path to be bypassed by ophelia but i would not do this unless you fully understood how it works and make sure you don't bypass something that you really want secured and probably the most important tip i can give you about rules is the following they are read from top to bottom and in that order so it's actually in your best interest to put the most restrictive rule down at the very end and if you do that then you'll know that everything is being protected at least unless you have a specific rule so we'll put our most permissive ones at the top and we'll say auth.domain so the address where orthelia is actually living we don't want to then authenticate with orthelia so what we want to do is bypass that so let's bypass that right at the top then we have another bypass here then under that we have some one-factor authentication then it goes into two-factor authentication and then we have some separate rules so you can even say you know i want only this group to be able to access this domain or these groups to access this dome the strength that we want to apply to those groups at the very end as you can see here is what we call a catch all so with that wildcard we'll pretty much we won't have to set a specific rule for every single domain we'll just say anything on our domain i want you to automatically apply one factor authentication okay no matter what it is but then the rules are read from top to bottom so the rules up here say well orth.domain should be bypassed it will process this rule first which means auth.domain is then bypassed so i know it's a whole lot of words guys i'm sorry if it's still confusing but that's really in essence the most easiest way we can explain it if you just keep it simple look this is a huge list and that's why we took it out but if you keep it simple this is what one simple rule could look like it could be all you need in any case back to the configuration file so right now we only have this one rule right i'll show you how we can modify that real quick so that there could be an example if you wanted to we could we're saying that orthelia's domain that we've set up i want you to bypass it or anything on our domain that has this uh file path we want you to bypass it for everything else apply one factor authentication simple as that done default policies deny so that anything outside of the scope of these rules will be denied from access the next section you have is the session so with this we don't have to change too much we just simply change our domain again you report the io again we need another secret so let's generate a secret for that how long do you want to be remembered by other once you sign in so this says two months at this point inactivity of five minutes will kick it off if it's lower than this rate and the expiration of the token is one hour you can leave that all as is then you've got your reader's password so as you remember we set up redis so we actually have to set this password here now regulation so how do we want to regulate the activity that we're seeing so maximum retries for someone to sign in is currently set to three it's got a 10 minute find time and then they'll be banned for 12 hours if they fail that again you can configure this so we can say you know maybe they can try 10 times before they're banned how long do we want to ban them for maybe six hours up to you now in version 4.33 of orthelia is the storage encryption key so what we need to do is generate a key with a minimum of 20 characters uh in our case we chose to go with 64 in our guide so we put a 64 character encryption key just like that one and then it goes to connect to the sql database so we've got maria db as the host then we've got the port and we've got the database name and the username we've already configured all that before keep in mind that if you are not on a custom docker network then you would typically have to put the ip address of the server here but we're using the container name because they're all on the same custom docker network with encryption key just use something like a password generator i usually try to remove any special characters from the password so something like passwordsgenerator.net is pretty useful for that and then we need our mariadb password that we created and then finally is our notifier so we want to get smtp working and the reason you want that working is so that if a user goes to reset their password it's going to send an email out to allow them to manage their account themselves this also works with ldap so actually will work with ldap if you have an ldap setup then when the user resets their password authelia will actually communicate that back to the ldap database and reset it there as well just an extra bit of info for you now smtp is pretty subjective so you know it's really up to you what you put here depending what your smtp provider gives you but typically as you can see you've got your user email you use a password for the account then you got the address that you want to be to be sent from so maybe ophelia ibracorp.com the identifier so localhost that's fine we don't need to change that the subject of the email you can change it to whatever you like uh the test address is there as well we don't need to worry about that and you can leave everything else the same now if you followed everything we've done that should be looking pretty good that should be enough for us to actually get it started and i would say that's the hardest part done for ophelia so let's test it out we've got our philly container here if you're on docker whatever the case might be go ahead and start the container up and then we will follow the logs and reading the logs is really important especially when it comes to asking for help so if you guys decide to join our discord you want some help the logs are pivotal to being able to assist you so let's have a look at the logs we can see a couple of issues here okay now i'm doing this to show you guys typical troubleshooting steps to help you navigate through it because it can be a little confusing but you got to give ophelia credit their errors are actually pretty clear most of the time so if we scroll to the top we can say error pinging database access denied okay so clearly we've got the password wrong and that's because our database was already existing in there with the user that already existed so pretty straightforward to fix that let's go back to addminer we're going to scroll down to where we set the mysql database for our user and we'll say that's our user there and because we want that password to match we'll keep it the same so go to other go to privileges go to the user which is this one here and untick the hashed box this one will throw you off if you don't untick it and then basically paste the password that we do want come back down and click save so now that password should match what we have in our configuration file continuing the troubleshooting so if we scroll down a little bit further it then tells us that it has a problem running the notification provider startup check okay easy peasy let's go back to that config file once more and if we scroll down you can see the startup check address which is here test orthelia.com and we'll try restarting the container now and we'll see what comes up when we launch it so looking at the errors again we can see that it actually has progressed so the storage schema migration so it's actually done the migration for us that looks good but it's still getting held up on our smtp settings no such host okay that's fair enough because there is no such host called your smtp host so let's fill it out with some proper information now so as you can see we've got some proper information obviously it's not the correct password or anything like that but we've tried to make it as if you've got this set up already so once you're happy with that let's try again and see what ophelia thinks of that okay so now we can see that we're actually getting a rejected message from gmail because it's not a legitimate password um it's going to be rejected by gmail for us okay so now i've actually put my legitimate smtp information in and we're going to start orthilia up and we'll check the logs and now we can see it's all good to go so once you see this message listening for non-tls connections on 1991 orthelia is actually up and running so let's left click that now go to web ui and there you go we're confronted with the login screen so let's test our user we created a user called psychotics in the user's database file now if you are using ldap like i said you have the ldap config there it would be the information that you've stored in your ldap server but we're using the user's database file so we've got psychotics and then i'm created the password and there you go so we've signed in it's now authenticated us it's now authenticated us and it's bounced us onto our default redirection url because we got to the point where it said okay or you've authenticated but you're not actually trying to get anywhere so it just sent us over to our main url now if we go back to our reverse proxied address now you can actually see that it's pulling uh ophelia fine it's coming through thanks to traffic and it's applying the rules that we need and guess what guys there you go you have ophelia set up start to finish in the most efficient way possible we've learned so much more it's so much easier to do now and it's so much more flexible we found in the way we can deploy it as well so you've got the options there i mean if you want ldap we've got the config files for you there if you want nginx as your reverse proxy we've given you the config files there as well so in here for example we've got your free ipa ldap so if you wanted to use ldap copy this you would scroll up and you would either replace or comment out this file section and paste in the ldap section and customize it to your setup so it needs to be your ip address and you know anything like that your password your admin user password goes down here okay so then in that case we could just comment this out with a control forward slash encode server and now we'll read from ldap instead let's say you're using uh for example instead of traffic you are using nginx proxy manager let's go into nginx we've got the nginx config for othelia so for your other proxy you put this in the advanced config contrary to our previous guides you don't actually need to update any container names anymore it's all through variables so the only thing i'll probably update here is your server ip so i'll put your server ip there and then you've got your endpoint so you would put this on your endpoint you only need to edit it once and then you can just paste it everywhere so you can put the server ip or the container name if you like if they're on the same custom docker network and you just put that on whatever and it will protect what you need uh if you are using traffic we have already set up traffic so if we go over to the traffic guide i've linked it right here takes you straight to enabling authelia and uh getting that going for you so thanks for watching guys i hope you really enjoyed that it's been a pleasure to put another orthelia guide out for you we've had so many people come to us thanking us for our work on it we really appreciate it we don't get paid from othelio or anything like that this uh this whole channel basically started because of ophthalia so um a lot of work has gone into it over the years and we really appreciate you guys coming to check out our work if you'd like to help support the channel please check the descriptions below you can donate to every corp you can donate to our projects you can sign up as a member whatever works for you our new website will be coming soon as well which we're really looking forward to sharing with you and it will have full discord integration that we can keep it all under the one roof now something we didn't get to in the guide was installing open ldap and using that as an ldap database and if that's something you guys want to want to see if you're interested in us doing that be sure to drop it in the comments below let us know so that we can work on it and we'll actually put that in the written guide for you and then we'll create an additional video at a later point in time so that you guys can use open ldap in a docker environment as opposed to free ipa which we've shown you before which runs in a vm thank you for watching guys we hope you enjoyed it and we can't wait to see you in the next hybrid corp video you

Info

Channel: IBRACORP

Views: 78,153

Rating: undefined out of 5

Keywords: authelia guide, Authelia, how to install authelia, authelia setup, install authelia, authelia tutorial, traefik authelia, authelia traefik, authelia docker, secure domain with authelia, authelia nginx proxy manager, authelia nginx, ibracorp, ibraco, ibra corp, nginx proxy manager, docker, traefik, unraid, reverse proxy, techno tim, identity provider, user authentication, ibracorp unraid, docker compose, nginx, homelab, jwt authentication, 2FA, self-hosted, traefik docker, Pomerium

Id: IWNypK2WxB0

Channel Id: undefined

Length: 35min 20sec (2120 seconds)

Published: Sun Feb 06 2022