Secure Self Hosted with Authentik | Traefik & NGINX Proxy Manager

Video Statistics and Information

Captions
Hi guys, and welcome back to another IBRACORP video. Absolute pleasure to have you guys back here today. Thank you for coming and checking out the channel; we really appreciate you. Today we've got a really exciting video for you, something we've been working on in the background for quite some time with our Ibra beta team. Thank you to all of our Ibra beta team and our admins for helping this one come together.

This is episode 2 in our Authentik series. Now, Authentik is a beast of an application and can do many different things, but the most notable thing that we're going to show you today is getting it to protect your self-hosted apps using all self-hosted technology, and making it easy to use. Now, we have the instructions for both Unraid and Docker Compose on our docs, now finally ready, and it will be linked in the description below for you so you can follow along depending on what you want to do. We've also given you the Docker Compose file and everything you need to know about it in our docs page, so you'll find that in the description below.

Now, if you guys are fans of Authelia, which we love (we still use it for a lot of things, and we're just starting to scratch the surface with Authentik), then you will love Authentik, and it does offer some other very notable features, depending on your setup, that you may be interested in. I'll make note of those as we move along with the video. As usual guys, if you like what we're doing on this channel, the videos we're putting out, please think about subscribing and hitting that like button. It really helps the channel a lot and we really appreciate it. Thank you very much for 15,000 subscribers, what a huge number.

So, the topic of today's video: we want to protect our self-hosted applications, something like Sonarr, Radarr or Plex, with Authentik, so that all requests are redirected to it for authentication and then sent back. We're going to show you two different
reverse proxies to get this working. You'll be able to do it with NGINX Proxy Manager as well as Traefik, so we're going to give you both in one place, right here, right now, as well as in the docs that we'll link below. So make sure you follow through and check out the chapters if you think you need to skip over anything, so that we don't waste your time.

Of course, a couple of assumptions. One is that you have Authentik started up and running. If not, like I said, we have the Compose file there for you, and the previous video shows you how to get it up and running. You've logged in, you can authenticate successfully, and you've got Authentik ready to go, basically just waiting there for us to actually use it. So without further ado, let's just get stuck into it.

Alright guys, like I said, we're looking at the second step in our Authentik series, which is to use a reverse proxy to protect our self-hosted applications. Now, don't be confused: Authentik offers various different ways to both authenticate and authorize your requests and make them easy to use. So today we're only concentrating on the identity provider being ourselves, and of course it's going through our reverse proxy, which means that when we type in an external address like sonarr.domain.com, or whatever your domain is, the reverse proxy forwards that request to Authentik, Authentik asks you to sign in, and then it's passed back to your reverse proxy. But there are other methods that Authentik does offer, and we will cover those in upcoming videos. For example, we can use OIDC or SAML so that we can authenticate with something and be single sign-on, which means we sign on once and it signs into those applications for us. If you want an example, Nextcloud is the perfect example. We can also use third-party providers to authenticate, so if you wanted to use something like Google or GitHub, whatever the case might be, we can try and use that method as well. But we thought
for the interest of most of our self-hosters, we want to keep that data in-house. We want it to be protected with our own knowledge, and we may only have one or two users that possibly could be affected by it. If you are running a very large business or something like that, you might want to look at some of the other options, but I think for most people, using a reverse proxy authentication is going to be the most common use case that we could think of.

So I'm not going to go through all of this, guys; we did it in the first video, so feel free to check that out again. Like I said, it's really important to give you some background, but here are some of the alternatives that you might see and some of the differences that Authentik can offer you. I'll leave that up to you to decipher however you like. We're just here to show you how to get it working, so without messing around any further, let's go to our setups and get this going.

First and foremost, we're going to be looking at Traefik. So here we are in code-server, and we're just looking at our Docker Compose files for Traefik and for Authentik. Now, we're covering Docker Compose; we'll also show you Unraid in a moment as well. So if you are using Docker Compose, this is essentially what your Docker Compose may look like for Traefik. As you can see, we have our API middlewares, which is auth. Now that, if you're already using Authelia, will already be in there, so you don't have to change anything there per se. I just wanted to show you, for example, and keep in mind any of the tokens or anything like that I've obviously changed, so nothing to worry about there. However, the one part you do need to take note of is the file config.yml. Now, this is your dynamic file config, and it's the same whether you're on Unraid or on Docker Compose. As you can see, we have our middlewares section under here. Under middlewares we have auth; that's what we're referring to this as, which is where this comes from:
auth@file. Now, under there, this is the entry that we put. We have to put in this entire section, from all the way underneath up until here. The rest of this is from our previous Traefik guides, so that is further explained in those guides; you don't have to worry about that part. This is the part that we're adding, and we need to have it underneath middlewares. What you'll notice here is the name of our Authentik container. If you've installed our container from the Unraid CA store, your container may simply just be called authentik, rather than "-server". If you're using our Compose file, we've referred to it as authentik-server. So what we're doing here is giving it a certain name, that's the name of our Authentik container, and the port that it runs on; by default it's 9000 for HTTP. So just update it to match whatever the name of your container is. This is assuming they're all on the same custom Docker network. If they are not, you may have to put the IP address of your server here instead.

Now, the next thing I'll show you is the Authentik Docker Compose file. This is a huge file, as you can see. For those who are not using Docker Compose, you still need to take note of one important thing, which is our labels. If we look underneath our labels, and if you're using Traefik, obviously then you'll have labels for your Docker setups. Now, the next thing I want to show you is the labels inside of our Docker Compose for Authentik. This is for Authentik, not for anything else. So let's scroll down and we'll see the labels here; you also have labels there as well. For Authentik, we wanted to go through Traefik, so we have our two standard labels, which is to enable it and which entry point we're using. Then we add this line underneath. Now, this is again, guys, in our docs for you, so all you have to do is copy and paste it. As you can see, authentik, that's the name of our rule, and then we're saying it's going to our domain. Now, if you don't
want to use auth.domain.com, you might have authentik.domain.com, whatever the case might be. You put that in here; that's what you want to use, that's fine, put that in there. In here we also change domain.com. We do not change anything on this side, just leave that as is, and then we've got the prefix. Now, what this is doing is a two-step process. One, it's going to be attaching this to the end of each subdomain that is protected by Authentik, and it also tells us where Authentik lives, so auth.domain.com. Now, on Unraid you would simply be adding another label, and that label would be: this is the key, and this is what you put as the value.

So with those two changes done, we've added the label to Authentik and we've added the middleware into the Traefik file config. We should be pretty much right to go. That's pretty much it from our Traefik point of view. Now we have to actually make the change in Authentik itself, but we're going to get to that later, because now I'm going to show you how to do this in NGINX Proxy Manager. Now, big warning for your eyes, guys: it's going to be a very white screen in just a second.

All right guys, so here we are in NGINX Proxy Manager, and you guys know that we're a big, big favorite of NGINX Proxy Manager. We do prefer Traefik these days, and there is very valid reason for that: it does offer us a lot of flexibility, especially when we're using Docker Compose. But for those who are still using NGINX Proxy Manager, we wanted to give you something to use as well. Now, here at IBRACORP we believe in community spirit, and as such the guide for the Authentik and NPM section was actually written by a community member on Reddit. His name is it's mevens, and we've given him credit in the documentation. He's given us permission to use his guide to walk you through this, so that's what we're doing right now. We've linked that all in our documentation as well.

Now, basically, if you're going to here, we should have a couple of
different proxies. Now, in your case you may have 10, 15, whatever the case might be. We need to create one that is for our Authentik container. If we just click edit, we're using our host name. Now, this is the container name, because they are on the same custom Docker network; alternatively, put the IP address in there of your server. 9000 is the default port, so that's what we're using. We want to make sure websocket support is checked. You should also have another application in here as well that you know is working and works fine as it is, so if you were to click that, it would take you to your domain. And finally, obviously, that you have one set up for NPM itself, so you would have one here, for example, like this, and so we have our NGINX Proxy Manager reverse proxied as well.

Now, similar to our Authelia instructions, it's not too far away from what we need to do there when it comes to Authentik. Basically, find the app that we want to protect, so let's say Sonarr. We'll select that and click on edit, go to advanced, and then you'll see we have this huge configuration that goes into there. Now again, this is on the docs, it's been linked, and it's published by a geek circuit, which is all there for you to take if you need it. As you can see, all we have to do is customize some of the links. So we've got some of our links here that point originally to just the basic domain; we set that up to our auth domain that we've configured, and pretty much if you just copy and paste that for each proxy that you need, you'll be right to go.

So guys, that's pretty much Traefik and NGINX Proxy Manager set up and ready for us to start using with Authentik. So now that we have NGINX Proxy Manager and we have Traefik set up and ready to go, depending on which one you're on, you should be now ready to go with the Authentik side of things. We've set up our reverse proxies, now let's think about Authentik. So here I am on the sign-in page, and you can see I'm
signing in with my username, and there we go, we're now on the dashboard. What we want to do is go to the admin interface, so let's go ahead and do that. Now, on the admin interface we're given a bunch of different information. This is all the stuff that we can now follow through and carry on to set up our applications. In your case, you're not going to have anything, because you probably haven't set anything up yet. That's easy, so let's do that now.

So let's say in our scenario we want to reverse proxy Sonarr. Let's go to Applications, click on Create, and start filling it out. What we have here is the name, so we just call it Sonarr, literally just Sonarr. The slug for the URL is sonarr, and then the provider we need to create. In your case, by default it'll just look like that. Go ahead and click on Create Provider. Of the options, you can see that we've got at least five options at this point in time. Now, you have a lot of different ways you can do this, like I was saying earlier. We have LDAP provider, so if you're using LDAP, that may be something you want to use. We have the OAuth 2 as well as OpenID, we have a proxy provider, a SAML provider, and a SAML provider using metadata. For the purpose of today's video we're going with proxy provider, and as you can see from the description, it's if we're using a reverse proxy. So go ahead and click Next.

Now, for the name, we can call it something like Sonarr forward auth. The authorization flow will give you two options: one is an explicit consent and the other one is implicit consent. Basically, explicit means no matter what, it'll ask you to go to the login screen and ask you to confirm the request before pushing you over. With implicit consent, as long as you're signed in, it assumes that you're allowed and that you consent to passing through, so it will just pass you through. Now, you can play between the two and change them on the fly and just test it out and see whether you like it; it's
not going to break anything. So let's start off with explicit, just so that we get confronted with that login screen. For the external host, we want the external address that Sonarr is located on, for example sonarr.domain.com. That's what we put, the fully qualified domain name, into this field.

There's one more step that you might be interested in, though. Here I am on the existing Sonarr one we filled out. If I just go under Advanced protocol settings and we scroll down, you actually have a section called Unauthenticated Paths. Now, if you know from our video on Authelia, there are certain paths that we don't want to be authenticated, and the reason is they're our API endpoints or some sort of path that is used by automation, and so it's not going to be able to pass through authentication. So here we go, we have our API path, as you can see. Now, this is taken from Authelia, but it's been changed a little bit to match the syntax required for Authentik, and we've put this list on our docs just to make it easy for you guys as well. This will allow all of our automation apps to work through the API and not get challenged by Authentik. It's really important you guys put that in there. You can ignore almost all of this if you don't want to use it, as long as you have the API endpoint open for Sonarr and related apps. Every other app, though, has different needs. Now, because this proxy provider is just for Sonarr, we don't really need all this other stuff; we can actually just get rid of that if we wanted to and just leave API as the only unauthenticated path. So I'm going to do that: I'm going to leave it as API and I'm going to click Update.

We've clicked on Create, and now it's added that provider to the list here; we can then select it. Now, just be mindful, even after creating it, it won't actually select Sonarr for you, so you just drop down the list and make sure you select it. Now scroll down; there's nothing else there unless you want it to.
You can put a launch URL if you choose as well. It's not important, it's not mandatory. As you can see, if you don't put one in, it will use it based on the selected provider, and that's where we've already put a link in there, so I'm not going to worry about it. Now that's all said and done. Pretty easy so far, right?

The next step we need to do is modify our outpost, so let's go to Outposts. Basically, an outpost is, as the name probably suggests, a deployment of Authentik components to support different environments and protocols, like reverse proxy. So you can have multiple different outposts if you so choose, and this may help with things like load balancing, for example. By default you'll have the one authentik Embedded Outpost ready to go, so go ahead and click on edit. Now, by default none of these options are selected. In fact, if you haven't done the previous steps we just showed you, there will be nothing in this list. So we've created these applications and now we want to select them all. So we've selected them all, we scroll down, and in the configuration section here there are some changes that you can make as well. I'm not going to get too much into detail here, but the most important part is the Authentik host. As you can see, we've put in the address that matches all the other places we've put for the address for Authentik itself, and we need to make sure that's correct, because after the pass-through is complete it's going to send them through to this link, and if it's not there correctly, it's not going to work. So make sure you update that and you've selected the applications you want to protect with this outpost. Once you're done, click on Update.

Now, believe it or not, that's it. We've just now protected an application with Authentik. Let's say we want to test that out, so why don't I open this up in an incognito and we'll see how it goes. All right, so sure enough, it takes us to our auth page there. Here's our URL; it's
redirected us on behalf of Traefik. We put in our username and our password. Now it presents us with the consent screen. This is what we were talking about before, whether it's implicit or explicit consent, and we've said explicit, so I need to actually give it approval to pass me through. As you can see: you're about to sign into Radarr (that's the name we gave it), the application requires the following permissions: email address and general profile information. I agree with that, let's click on Continue, and sure enough, we're into Radarr. Now, at any point, of course, we can go back to the Authentik domain name, and it gives us our little dashboard here, which gives you a little shortcut so you can get to everything you need as well, which is pretty cool.

If we go back to the admin interface, I'll show you a couple of other things as well. If you go to Directory and then Users, this is where you probably want to create another user. Now, by default the default user is the akadmin user; that's what you need when you first set it up, as we showed in our first video. After you do that, you may want to think about creating your own user account and start using that instead of the default, and that's exactly what we did here. So we click on Create, you give the person a username, the user's display name and email address, and whether the person is active. We can then add them to a group, so if we click on plus, we can select the admins group; that's the default group that's in there for admins. We can select that, and then you can put any other attributes in there as well, using YAML or JSON. This is all explained in their docs, by the way, so we won't go into much detail on the attributes, but they are quite flexible if you wanted some more control over the users. Now, something that actually took me a couple of sign-ins to get was how to set the password, and then all of a sudden it just clicked: I just had to drop this down
and then   we can actually set a password on the user helpful  little tip there save your logging in and out like   i did a couple of times whatever helps and also  just wanted to show you guys who are using unraid   if you're using unraid then you're adding these  labels manually rather than docker compos so to   do that you just click on the authentic container  you have click on add label path variable and   obviously choose label at the top give it a name  there's the key that we want to put in and there's   the value now again this is on our docs for you  so you literally just have to click and paste them   and you'll be right as rain and finally on  your admin interface you have a whole bunch   of information to help you keep track of what's  going on any failed logins whether your system   is out of date any warnings you need to know  about uh et cetera so you have so much details   there which gives you a lot of insight into what's  going on with your setup especially useful when   we come to multi-users so guys believe it or not  that's actually it we've now reverse proxied our   applications and protected them with authentic  for now i think that'll get most of you on board   and get you started using authentic to protect all  of your self-hosted apps using your reverse proxy   that you already have running it's going to make  your life a lot easier if you don't have nginx   proxy manager running we have a video on that that  will help you set it all up we also have a video   on setting up traffic it'll get you right from  start to finish i'll make sure i drop those links   down in the description for you just to make it  easier i highly encourage you guys to check them   out if you don't know enough about them and see  why it may or may not be a better option for you   really hope you guys enjoyed today's video i've  been so excited to get it out it's really really   cool to finally have this working and being  able to share it with you of course as well 
If you liked this video, don't forget to like and subscribe, we really appreciate it. Let us know in the comments below what you think of Authentik and whether you'll be willing to give it a go. That's it for me today, guys. Thank you for tuning in, and I can't wait to see you in the next IBRACORP video.
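
The Traefik side of the setup described in the captions above, written out as an added example; it is not the configuration shown in the video or published in the IBRACORP docs. Assumptions: the container name `authentik-server`, the hosts `auth.domain.com` and `sonarr.domain.com`, the `websecure` entry point and the router names are placeholders, and the endpoint path and header names follow authentik's forward-auth documentation for Traefik.

```yaml
# --- Traefik dynamic file config: the "auth" middleware (auth@file) ---
http:
  middlewares:
    auth:
      forwardAuth:
        # Container name + default HTTP port 9000; this resolves only when
        # Traefik and authentik share the same custom Docker network.
        # Otherwise use the server's IP address instead of the name.
        address: "http://authentik-server:9000/outpost.goauthentik.io/auth/traefik"
        # Traefik is the edge proxy here, so the X-Forwarded-* values it
        # passes on are ones it set itself.
        trustForwardHeader: true
        # Identity headers copied from authentik's reply onto the request
        # that reaches the protected application.
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
---
# --- docker-compose.yml fragments (labels only; TLS labels omitted) ---
services:
  authentik-server:
    labels:
      traefik.enable: "true"
      traefik.http.routers.authentik.entrypoints: "websecure"
      # Two jobs in one rule: serve authentik on its own host, and catch the
      # outpost path prefix on every protected host so the sign-in callback
      # reaches authentik rather than the application.
      traefik.http.routers.authentik.rule: "Host(`auth.domain.com`) || (Host(`sonarr.domain.com`) && PathPrefix(`/outpost.goauthentik.io/`))"
      traefik.http.services.authentik.loadbalancer.server.port: "9000"

  sonarr:
    labels:
      traefik.enable: "true"
      traefik.http.routers.sonarr.entrypoints: "websecure"
      traefik.http.routers.sonarr.rule: "Host(`sonarr.domain.com`)"
      # Every request to Sonarr is checked by authentik first. Without this
      # label the router exposes the app with no authentication at all.
      traefik.http.routers.sonarr.middlewares: "auth@file"
      traefik.http.services.sonarr.loadbalancer.server.port: "8989"
```

The outpost router rule is longer than the app router rule, so Traefik's default length-based priority sends the `/outpost.goauthentik.io/` requests to authentik without an explicit priority label.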
Info
Channel: IBRACORP
Views: 45,583
Keywords: authentik, ibracorp, ibraco, ibra corp, authentik nginx proxy manager, authentik traefik, authentik docker, authentik docker compose, authentik proxy, authentik outposts, authentik applications, authentik installation, authentik setup, authentik unraid, authentik ubuntu, authelia, authelia alternative, ibracorp traefik, ibracorp nginx, authelia unraid, authelia vs authentik, authelia sso, traefik forward auth, traefik forwardauth keycloak, authentik setup guide
Id: CPURnYaW3Zk
Length: 20min 19sec (1219 seconds)
Published: Mon Jul 25 2022