Great video, as the other ones. You rock!!!! Do you know if there's some way to use Authelia and Bitwarden together, with the apps - Windows, Firefox, Android, iOS etc? Thanks
Thanks Daniel, appreciate the feedback. I do have bitwarden myself but I chose not to use Authelia. It will likely work except for maybe the apps. Usually, if there's an app that uses an API, in NGINX Proxy Manager, under the location section of a proxy, you can tell it to ignore authentication for the API. This is usually what allows the apps to function unrestricted. I think I'll need to make a video on it
@IBRACORP I just finished watching the video at your recommendation in the other Cloudflare video. It would be great if you could make a video that explained this process of setting up an ignore for the API! I am thinking of converting over from SWAG to Nginx Proxy Manager... and with Authelia being able to do the fail2ban stuff... and then Cloudflare doing the GeoIP blocking, I would have coverage with a lot more flexibility within Nginx Proxy Manager. I do wonder about the setup for the MariaDB and Adminer... I already had a MariaDB setup from a Spaceinvader video for Nextcloud. This was without the Adminer, which looks a lot nicer for config. Would adding the Adminer docker pick up or mess up the MariaDB I previously created? Thanks in advance, your videos and responses have been awesome
I think I'll need to do a follow up on it. I've added it to my to-do list, thank you for the suggestion. I'll explain how to bypass APIs so you can separate protection in it, so give me some time and you'll see it :) As for Adminer, it will not hurt your existing config. All it does is provide a GUI to work with your databases. As long as it's a supported database type (of which there are plenty) you can connect to it and manage it
First let me say I love your channel! Second, I have tried this guide 3 times now from scratch and I can't get it to start up. It keeps saying Provide JWT secret. I have gone through the video countless times and still get the same result. I know it will end up being a user error since I am new to docker and unraid, it's just frustrating. One suggestion for future videos if I may: use the same configuration file that you provide (not truncated). It makes it confusing when half the config options are not shown on your screen (for a noob at least). Thanks for the great content and I will keep plugging along until I figure it out.
question for you, what do I need to change in the Protected Endpoint.conf to point to a non-container item.. say another address on my local network? What do I replace CONTAINERNAME with?
Anyone else having an issue with radarr and sonarr not sending data back to the host once connected? I.e. saving settings or trying to download new media on the domain does nothing on the host side? I have other dockers that run with no problems (overseerrr, SABnzbd, nextcloud, etc.).
Finally got it working, the one thing that messed me up was the yml code. In other yml/yaml coding I have done if anything that you use contains a non alpha character you need to use (") quotes. Almost all my passwords do and that took me hours to figure out. Something about forest and trees. LOL
Do you plan to make a video about setting up LDAP for Authelia and Windows auth? That's a project I've wanted to implement since ages ago, but I never found a combination of tutorials and (free, self-hosted) software for that.
I recently updated the app and now I'm getting:
time="2021-04-16T19:49:31+01:00" level=error msg="invalid configuration key 'notifier.smtp.disable_verify_cert' was replaced by 'notifier.smtp.tls.skip_verify'"
time="2021-04-16T19:49:31+01:00" level=error msg="invalid configuration key `notifier.smtp.trusted_cert` it has been removed, option has been replaced by the global option `certificates_directory`"
How do I deal with this?
I will be updating the config files soon but you can comment out the first part and replace the key with the one it's telling you in logs. EDIT: Files updated on Git!
Thank you for this guide! Will you be able to create a guide to switch the username/password database from file to LDAP? Currently I have Authelia set up but I would want to expand to more users and with a file I will have to create each user account manually.
Can't seem to edit the config.yml Authelia creates. Every other container I can edit anything in, including MariaDB which was just installed. Windows is saying I don't have read permission, exclusively for that folder.
Hi Marshy, yeah permissions can be annoying sometimes. You can run commands in unraid to give yourself permission or use Krusader to navigate to the file and change permissions from there too. The easiest thing I find is to use Krusader to delete it from appdata and create your own one on your local machine, then paste that in.
I have got Authelia up and running after your great video. Now I have a problem with getting the API key from the different services I have to bypass it. Let's say for Sonarr I want a more secure login, but I would want the API key from Sonarr to work with other applications. How would I do this? I don't really understand how to set that up.
Hmm if you watch my latest Organizr video for server auth it should be similar by bypassing the URL for an API endpoint in your reverse proxy. Check it out and let me know if that's what you mean
Hey, thanks for the video. I've tried to implement this on my server, but when I try to access Radarr it asks me to connect and after I put in the username+password it just says "Authenticated" and doesn't move on to Radarr. I tried to re-install, re-configure all configs that you added to the guide and nothing.. can anyone help me fix this? :(
great content - for your future videos you could increase the font size a little bit, especially when showing config files in text editor (like notepad++ and so on).
Thanks a lot for this tutorial, it helped a lot! With this configuration, I have an issue when I go to auth.mydomain.com: it does not force a redirection to https (even though "Force SSL" is active in Nginx Proxy Manager). Is this caused by a setting in the custom Nginx configuration? I don't have this issue with my other services
Hey there, thanks for watching. I'm glad you found it useful. That's odd, there should always be https active. Are you using my config exactly as is? Might be worth checking your Authelia logs to see if anything is happening. If you read the advanced config it should be https as far as I remember
Hi, thx a lot for the overview of Authelia. I just have one issue with this install. The argon2id part does not work. I did change the name and did all the things you said we needed to change but it will not start Authelia. Any ideas??
@IBRACORP Hi, thx for the reply. The Argon2id didn't work for me so I went on with LDAP. Now the problem I have is that Authelia does not take the user and password I have in FreeIPA, but in Organizr it works... I have to look into that and see what that can be... Best Regards André
How would I put a virtual machine or another machine behind NGINX/authelia? I have HASSIO installed as a virtual machine on unraid. I want to expose it behind authelia. I plan to move it to a proxmox installation eventually although it will keep the same IP. Is this possible?
@IBRACORP Hey! Thanks for replying. I'm referring specifically to where the Authelia config uses the docker name, i.e. "location / { set $upstream_XXXXXXX $forward_scheme://$server:$port; proxy_pass $upstream_XXXXXXX;". I'm not sure how to redirect that to 192.169.x.xxx:XXXX or homeassistant.local:XXXX. I've read the Authelia docs and unfortunately it's not annotated well enough for it to quite click
I finally attempted this awesome tutorial. However I must be the only one that failed at it. When I log into Authelia to authenticate Jackett I get a 403 error. Any clues as why this is happening? I did pick a plain text word and used the HASH generator.
I have a question about MariaDB. I see Authelia requires a database but so do Nextcloud and Nginx; how does that work? Can there be multiple databases in the one MariaDB container and these DBs handle different applications? If so, can you do a video on that if time permits? Great tutorial, I'm trying to follow along and have a similar setup for my HomeLab. Going forward I will ask questions at your email addy above. Again thank you for all your hard work on the videos. They are truly helpful!
Hi Sean, thanks for watching! To answer your question, yes you really only need one mariadb container (usually) because you can have multiple databases inside of it by simply creating more. An advantage of creating a whole new container might be for having it on a different VLAN but usually the one is enough for us homelabbers. Please don't worry you can ask questions here on our TH-cam, for anything too hard to answer here we have Discord too. Thank you for coming back and checking out the channel appreciate your support
Hey IBRACORP, when I try to start Authelia I get "Error malformed yaml: line 228: did not find expected key". That's the "file" part of the config.yml. I have tried different passwords and hashes, I have put the plain text password in the password field and left it blank like in your video but nothing seems to work. Any ideas?
@IBRACORP thanks for the reply! I still can't figure it out :( I have it open in Visual Studio and it says there's a bad indentation mapping on 229 which is "file:" but I don't think that's the real cause because the template has the same "error". Man I wish you could see what I'm seeing, I feel like it's going to be something dumb lol
Hello all, great guide. I do have an issue where it's not redirecting to Overseerr. I followed the guide to the letter. When I log in it does show the "Hi Marvin! Authenticated" but it does not redirect
Hi Marvin, please check the code pasted into NGINX Proxy Manager for both Authelia and Overseerr. There is likely a placeholder that hasn't been changed yet. Otherwise please check the Authelia logs and see what they say
@IBRACORP The message I am getting from the logs is: the target URL "MYURL" is not under the protected domain "myDomain". By the way, thanks so much for the help.
Ok so that means in your config yml file the protected domain field is either missing or different to the one you are trying to protect. They need to be the same
@IBRACORP Ha, thanks for the help, found the issue: it was capital letters in my domain name. Also you have some extra spaces in "Protected endpoint" at the end of "proxy_pass $upstream_authelia;". Thanks so much for the support, you rock dude !!
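The check behind that "not under the protected domain" log message, written out as an added Python example (not Authelia's own implementation and not part of the guide): a redirect target is accepted only when it is https and its host is the protected domain itself or a subdomain of it, with both sides lowercased so the capital letters mentioned above cannot cause a mismatch. The hostnames and URLs below are constructed.

```python
from urllib.parse import urlsplit


def is_under_protected_domain(target_url: str, protected_domain: str) -> bool:
    """True only if target_url is https and its host is the protected domain or a subdomain of it."""
    parts = urlsplit(target_url)
    host = parts.hostname or ""                   # .hostname is lowercased and has userinfo/port stripped
    domain = protected_domain.lower().strip(".")  # normalise the configured value too (case, trailing dot)
    if parts.scheme != "https" or not host:
        return False
    return host == domain or host.endswith("." + domain)


# Constructed targets (example-style names, not anyone's real hosts).
SAMPLE_TARGETS = [
    "https://Sonarr.MyDomain.com/",               # mixed case: fine once both sides are normalised
    "https://mydomain.com/",                      # the apex itself
    "sonarr.mydomain.com/",                       # no scheme: urlsplit sees a path, not a host
    "http://sonarr.mydomain.com/",                # plain http is refused
    "https://mydomain.com.evil.example/",         # suffix trick: must not match
    "https://mydomain.com@evil.example/",         # userinfo trick: the real host is evil.example
    "https://evil.example/?next=mydomain.com",    # the domain only appears in the query string
]


def classify(targets=SAMPLE_TARGETS, protected_domain="MyDomain.com"):
    """Map each target to its decision (True = 'is safe', False = 'not under the protected domain')."""
    return {t: is_under_protected_domain(t, protected_domain) for t in targets}


if __name__ == "__main__":
    for target, ok in classify().items():
        print("safe   " if ok else "reject ", target)
```

Comparing the suffix with a leading dot is what separates `sonarr.mydomain.com` from `mydomain.com.evil.example`; a plain `endswith(domain)` would accept the latter, and matching on the raw string instead of the parsed hostname would accept the userinfo and query-string variants as well.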
Greetings from Australia! Followed this as close as possible but can't get Authelia to start. Logs give "Unable to initialize SQL database: Error 1045: Access denied for user 'authelia'@'172.18.0.1' (using password: YES)". Any idea what I'm doing wrong?
Hi mate, have you configured your SQL server in the Authelia config file? It's trying to connect to a 172.18.0.1 address. It should be the unraid server's IP along with the port of your SQL database. Also, confirm your credentials are correct as it might also be a password or username issue.
@IBRACORP hey mate, I've definitely amended the config with the correct info. Upon further inspection, I think it may be an issue with MariaDB. Logging in to the authelia user in Adminer shows the following: "Warning: PDO::query(): SQLSTATE[42000]: Syntax error or access violation: 1044 Access denied for user 'authelia'@'172.17.0.1' to database 'information_schema' in /var/www/html/adminer.php on line 185". Sorry if this is something silly!
Definitely a password issue in my opinion then. You should just reset the password for that database user and make sure you've given the user full privileges as I've shown
@IBRACORP Got it! In the end the problem was twofold. Both Redis and MariaDB didn't seem to like my passwords consisting exclusively of just numbers (0-9). Also it seems creating the database with Adminer using any other sequence than the one shown in the video will cause problems setting privileges. Appreciate the hands-on support!
Is it possible that you could help me get two-factor fixed? It states "There was a problem initiating the registration process" whenever I try to use it.
Very good video! I am curious to know if I can use Authelia to log in to Nextcloud, especially when Nextcloud has multiple user accounts. Anyway, good work.
You sure can mate. The hard part is getting the Nextcloud app to connect, but if you know the API details you can configure in proxy to bypass Authelia. You can also use LDAP like I do for both Nextcloud and Authelia so they share the same users. I will be making a video on this soon
I believe you can but I don't know for sure as I haven't implemented it over Nextcloud for myself personally. I know some of my members have though, sorry I can't say for sure
Check your share permissions in unraid, if it's protected when you go to access that share you need to make sure you are providing the credential of a user with permission
Hi everyone, I just set up Authelia, but I have 2 problems with Apache Guacamole and Radarr. The question is: when I type my Guacamole address the first time, log in to Authelia and log in to Apache Guacamole, everything works fine, but the second time, when I close the page and retype the address, it gives me a blank page and doesn't show anything (the address bar shows this address: guacamole.*******.com/#/, I hid my address for security). To show the page correctly I need to clear the cache of my web browser. The second doubt is: I type my Radarr address, it shows the Authelia login page, I log in and it shows the Radarr login page, but when I click on the login button it returns a page with error HTTP ERROR 400. Can anyone support me? I'm a newbie, I was learning to make a nice reverse proxy
Hi Eric, does this happen without Authelia in use? If not, please check all your settings in the Authelia config file, making sure the cookie sections are correct and your domain is correct. Do you have any logs for Authelia? What do they say?
I didn't change anything in the cookies section of config.yml (appdata). When I try to reach the address of my Apache Guacamole the log shows this:
time="2021-03-14T02:40:29-03:00" level=info msg="Access to guacamole.******.com/api/languages (method unknown) is not authorized to user , sending 401 response" method=GET path=/api/verify remote_ip=172.68.25.163
Hi man, the bug with access to Guacamole is solved: if I just type the address it shows me the blank page, but if I type it and then refresh the page, it shows the login page correctly. But the Radarr bug is not solved. I use the Authelia login and the login form (login page) that came with Radarr; if I disable the form (login page) and keep only the Authelia authentication page, after logging in to Authelia it redirects with no problem to the Radarr homepage, but if I enable the form (login page), after I log in it returns a page with HTTP ERROR 400. Does anyone have this bug?
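A small parser for log lines in the format quoted above, added here as an example (not the guide's code and not Authelia's). It assumes the logfmt-style `key=value` layout and the "Access to <target> ... sending <status> response" message shown in the comment; the log lines, hostnames and IP addresses below are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# key=value pairs; the value is either a double-quoted string or a run of non-space characters
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# the access-decision message written on the verify endpoint, as in the log line quoted above
ACCESS_RE = re.compile(r"Access to (\S+) .*?sending (\d{3}) response")


def parse_logfmt(line: str) -> dict:
    """Split one logfmt-style line into a dict, stripping the quotes around quoted values."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def access_decision(line: str):
    """Return {host, path, status, remote_ip, time} for an access-decision line, else None."""
    fields = parse_logfmt(line)
    m = ACCESS_RE.search(fields.get("msg", ""))
    if not m:
        return None
    target, status = m.group(1), int(m.group(2))
    if "://" in target:                        # a full URL, if the target is logged with a scheme
        parts = urlsplit(target)
        host, path = parts.hostname or "", parts.path or "/"
    else:                                      # 'host/path' form, as in the comment above
        host, _, rest = target.partition("/")
        path = "/" + rest
    return {"host": host, "path": path, "status": status,
            "remote_ip": fields.get("remote_ip"), "time": fields.get("time")}


def summarize_denials(lines):
    """Count 401/403 decisions per (host, path, status) so a refused API path stands out."""
    counts = Counter()
    for line in lines:
        d = access_decision(line)
        if d and d["status"] in (401, 403):
            counts[(d["host"], d["path"], d["status"])] += 1
    return counts


# Constructed sample log modelled on the quoted line (documentation IPs, example.com hosts).
SAMPLE_LOG = [
    'time="2021-03-14T02:40:29-03:00" level=info msg="Access to guacamole.example.com/api/languages (method unknown) is not authorized to user , sending 401 response" method=GET path=/api/verify remote_ip=203.0.113.10',
    'time="2021-03-14T02:40:31-03:00" level=info msg="Access to guacamole.example.com/api/languages (method unknown) is not authorized to user , sending 401 response" method=GET path=/api/verify remote_ip=203.0.113.10',
    'time="2021-03-14T02:41:02-03:00" level=info msg="Access to radarr.example.com/ (method unknown) is not authorized to user bob, sending 403 response" method=GET path=/api/verify remote_ip=198.51.100.7',
    'time="2021-03-14T02:41:05-03:00" level=debug msg="Redirection URL https://radarr.example.com/ is safe" method=POST path=/api/firstfactor remote_ip=198.51.100.7',
]

if __name__ == "__main__":
    for key, n in summarize_denials(SAMPLE_LOG).items():
        print(key, n)
```

Counting 401/403 decisions by host and path shows at a glance which application path is being refused; a 401 on an `/api/` path with an empty user, as in the quoted line, is the pattern to expect when a client app sends an API key but no Authelia session, which is the case for an access-control bypass on that path rather than a browser-side cache problem.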
great video, I didn't manage to make it work with only your github and now i'm stuck with mariadb, I put password in it but adminer can't connect to it and when I connect to mariadb container, and try mysql or mysql -u root -p mypassword, it just says access denied using password YES. Version of MariaDB mysql Ver 15.1 Distrib 10.4.18-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2. It's not the first time it does this to me with mysql
@IBRACORP yes, empty. I tried to remove the container and the image so nothing should be kept? And started over but it does the same thing :/ maybe I need to do a deeper cleaning but I don't know how
Ok so you need to remember that your appdata folder holds persistent data for containers and it is not removed when you delete a container.
1. Go to the community app store and install the plugin called "Cleanup Appdata"
2. Delete your mariadb container and image as usual through the Docker tab
3. Go to Settings > Cleanup Appdata plugin
4. Check the box next to the container and delete
Be very careful that you select only the one you want to delete, the plugin is unforgiving. But it's a great tool to remove the folder without worrying about permissions issues
@IBRACORP Nice, looking forward to it! I just installed FreeIPA for learning purposes. Haven't really figured out if the domain and realm should/could be a subdomain of my regular domain or something like .localdomain/.local. Keep up the great content!
Hello Mate, thanks for the video. Very helpful! Just wondering if you can help me please. I have set up Duplicati on Unraid, created a subdomain on Cloudflare and set up a proxy host in NPM. When I go to my subdomain "backups.mydomain.com" it works absolutely fine, but when I enter the Authelia protected endpoint config in NPM and enter the access control rules in the Authelia config and then go to my subdomain, I get to the Authelia login screen, I sign in and it doesn't open the Duplicati page. I can see Authelia redirected me to my subdomain in the address bar but it gives me a HTTP 400 error. I have had a look in the Authelia logs and this is what it says: "level=debug msg="Redirection URL backups.mydomain.com/ is safe" method=POST path=/api/firstfactor remote_ip=XX.XX.XXX.XXX". I'm using the same protected endpoint config with Nextcloud and PsiTransfer and just change the container name in the config and they are working fine without any issues. Can you please help mate? Am I missing something here? It'll be much appreciated. Thank you
Hi mate, thank you for watching firstly. Have you tried through an incognito session to see if it's a cache issue? Also check the URL it's trying to forward you to, to see what protocol is being used (http or https); make sure that all matches your setup in NPM. You can join our Discord and ask there too. I haven't got Duplicati running ATM but I can look at it later. Might need more logs etc. Jump in Discord and ask there, then I can give you an email to send logs
Would there be any chance you can link a doc/video, or advise how I can use this with something like Bitwarden? My Bitwarden clients (phone/tablet/laptops etc...) use my exposed service bitwarden.mydomain.com on my home network, and remotely. Everything works fine. I log in, enter my 2FA and I'm golden. But with Authelia, it (obviously) no longer works because the clients can't log in (at home or remotely) because of the extra authentication mechanisms in place. Been pulling my hair out on this all afternoon, for both Bitwarden and Nextcloud, both hosted on unRAID
The only way to get around it to my knowledge is bypassing auth for the API of each application (if supported). For an example, you can look at Organizr which explains how to bypass it for Sonarr and Radarr
Thank you for watching our video! What are your thoughts on Authelia? Would you use it to protect your precious internal sites and applications? Let us know!
EDIT: You can find our updated 2022 Guide right here: th-cam.com/video/IWNypK2WxB0/w-d-xo.html
Any chance that I can do this without LDAP FREEIPA? I don't have enough resources to run another VM and only 1 user will be created which will be the admin account. Thank you.
Yes, you can use a file with the users in it. Check our docs out at docs.ibracorp.io
Great video
Thank you
Honestly the fact that you've made written instructions to go along with the video makes this SOOOO much more useful to me than just a multimedia (youtube) tutorial. I feel like this is the absolute most effective way to teach - a written guide for technical reference, and a video to explain the whats and whys.
This isn't to say that any one channel is better than any other - SpaceInvader blazed the trail, with his tutorials being the gateway that enabled so many folks, as well as attracting tons of new people to unraid. I see this as more of an evolution, the "next step" so to speak.
Great work, man! Kudos 👍
Thank you mate, that means a lot. I put a lot of work into Authelia for myself initially and just wanted to make it easier for others.
Spaceinvaderone is the OG, I respect him and his work, he taught me everything at the start.
I look forward to making more with the style in future.
Cheers!
Bro.... how do you not have more subscribers? These videos are gold! Not only got me set up but now I understand the process along the way! Seriously can't thank you enough
Thank you mate really appreciate that. Help share my work and hopefully the word will spread :)
Look forward to more soon
Is it possible to use this set up for VM’s/external servers on the same network? It seems the authelia set up (with the configuration in the video) is only suited to docker containers. Would it be possible to adjust it for external servers or VM’s? For example, I would like to push my HomeAssistant VM web access public but am not willing to do it unless it’s secured with Authelia
Also to note, you can add a few rules to the authelia configuration file to block web access but allow api access. That allows you to use phone applications that access sonarr/radarr/home assistant without compromising security as the web page is still blocked
@hawks5196 You sure can mate. It doesn't have to be a container, you would just use the hostnames and IPs of the VMs to my knowledge
@hawks5196 Spot on, thank you for sharing! This is a very important point and easier than doing it in each proxy config.
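A worked model of the rule ordering the two comments above describe (block the web UI behind a login, let the app's API through), added here as an example and not code from the video, the written guide or Authelia itself. It assumes Authelia-style first-match evaluation with the same field names as its access_control rules (domain, resources, policy; policies bypass, one_factor, two_factor, deny); the hosts, paths and rule set are constructed.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Rule:
    """One access-control rule (field names assumed to mirror Authelia's domain/resources/policy)."""
    domain: str                                    # exact host or "*.example.com" wildcard
    policy: str                                    # bypass | one_factor | two_factor | deny
    resources: list = field(default_factory=list)  # regexes matched against the request path


def domain_matches(pattern: str, host: str) -> bool:
    """Case-insensitive host match; a leading '*.' matches any subdomain."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])          # '*.example.com' -> suffix '.example.com'
    return host == pattern


def evaluate(rules, default_policy, host, path):
    """Return the policy of the first rule whose domain and resources match, else the default."""
    for rule in rules:
        if not domain_matches(rule.domain, host):
            continue
        if rule.resources and not any(re.search(r, path) for r in rule.resources):
            continue
        return rule.policy                         # first match wins; later rules are never consulted
    return default_policy


# Constructed rule set: the API bypass is listed BEFORE the catch-all one_factor rule.
RULES = [
    Rule("sonarr.example.com", "bypass", [r"^/api/.*$"]),   # the app's own API key gates these requests
    Rule("sonarr.example.com", "one_factor"),               # the web UI still needs an Authelia login
    Rule("*.example.com", "two_factor"),                    # everything else on the domain: 2FA
]


def decisions(rules=RULES):
    """Evaluate a handful of constructed requests against the rule set."""
    return {
        "api":     evaluate(rules, "deny", "sonarr.example.com", "/api/v3/series"),
        "ui":      evaluate(rules, "deny", "sonarr.example.com", "/"),
        "other":   evaluate(rules, "deny", "radarr.example.com", "/api/v3/movie"),
        "unknown": evaluate(rules, "deny", "example.org", "/"),
    }


def shadowed_api_policy():
    """Same rules with the catch-all first: the bypass is never reached and phone apps get 401s."""
    return evaluate([RULES[1], RULES[0]], "deny", "sonarr.example.com", "/api/v3/series")


if __name__ == "__main__":
    print(decisions())            # {'api': 'bypass', 'ui': 'one_factor', 'other': 'two_factor', 'unknown': 'deny'}
    print(shadowed_api_policy())  # one_factor
```

A bypass rule only removes Authelia's check; the application still enforces its own API key on those paths. Keep the default policy at deny so hosts without a rule stay closed, anchor the path regex with `^` so `/api/` is matched at the start of the path only, and list the bypass before the broader rule, since a catch-all listed first silently wins, as `shadowed_api_policy` shows.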
This whole channel is a wealth of excellent, clear cut, thought out, well presented information. Keep up the good work mate!
Thank you very much ❤️
I don't think you could comprehend how helpful this was!
I don't think I can, which is why I appreciate when people tell me! Cheers
Something important in case the web-ui doesn't come up for you as it did for me.
At the very top of the configuration do NOT change the HOST and the PORT numbers.
These must always be 0.0.0.0 and 9091 even if you have specified a different port for your container (I had to change it cause I run transmission on that port).
It took me an hour to realize my mistake...
Other than that... I really appreciate the time and effort you put for this guide and video IBRACORP (twice).
I followed your instructions and I now have it running on my openmediavault server. Thanks!!!
Subscribed*
Hi Kornimar, thank you for the kind words and for subscribing it's greatly appreciated.
And thank you for sharing your solution, I wasn't aware of this tip so hopefully it will help others out.
Welcome aboard!
Nice. In the first 10 minutes I was like "nah, don't need this.."
Later on I was like "hmm.. Interesting 🤔"
Now I'm like "f*c|< yeah. Want this"
Thanks for the video 😘
Haha you're welcome. It's free and you've got nothing better to do so why not
This was Awesome I got this working like a charm, I love the pace you use and how you explain things.
Cheers Hose! Glad you enjoyed it mate thanks for watching 🙂
Thank you so much for all your content, big thank to all the team
Thanks for the kind words and for watching 🙂
Does this method work if I use only local access? Without the need to open a port & port forwarding. I'll access the app remotely via Tailscale
Hey, as of March 2023 can't seem to get past the Redis install on 6.11.x. Getting permission denied in the logs for the Redis docker. Tried following a forum post about using install command for folder prior to install but still not working. In fact, seems to have created a redis folder somewhere else on the server I can't find. Can you provide updated instructions with the change in non-root dockers?
Thank you, but how can I use authelia with nextcloud, hassio, bitwarden android apps?
Use SWAG as your reverse proxy and enable the sites you have in proxy configs
Thanks for the deep dive bro! Very much appreciated
Very welcome mate thank you for the suggestion
@IBRACORP I seem to have come across a small issue that I can't isolate. I can authenticate via authelia, for example when I hit sonarr.mydomain.com however after authentication, I get a screen that says I've authenticated, that's it. It doesn't redirect me to sonarr.mydomain.com. Any suggestions?
Have you tried checking the protected endpoint configuration in NPM? The redirection line should be in there, just check it. I do believe this has been come across before, the unraid forum might have the answer (in description). I'll see if I find it
Also what do the logs tell you for Authelia?
@IBRACORP hey I was able to figure it out. I missed the YOUR DOMAIN part lol...oversight...
Hello, thank you for all of your video.
The cloudflare video allowed me to secure my server. Thanks
Hey Rachid, thank you for the kind feedback and support, really appreciate it.
I just noticed your donation, thank you again for your support. Look forward to getting more content out for you.
@IBRACORP no problem with pleasure. 😁😁😁
Nice job. But.. when reaching overseer, you will still need to log in there as well? No single sign-on?
This will be covered in an upcoming video
my config file is asking for a storage encryption_key but I can't see it being mentioned here? The template from the website looks a good bit different to the one you use.
Thanks for the guide btw! Very useful! 🙂
Thank you for watching :)
Having a lot of problems when starting mine, getting the following errors:
- "authentication_backend: you must ensure either the 'file' or 'ldap' authentication backend is configured"
- "Configuration: access control: 'default_policy' option 'deny' is invalid: when no rules are specified it must be 'two_factor' or 'one_factor'"
- "Configuration: storage: configuration for a 'local', 'mysql' or 'postgres' database must be provided"
- "Configuration: storage: option 'encryption_key' is required"
- "notifier: you must ensure either the 'smtp' or 'filesystem' notifier is configured"
How do you move the containers? I tried doing it just now and all it did was highlight the words.
Thank you for your video, you helped me a lot.
Hey there q8rix, you're welcome thank you for watching/subscribing
Using this video and your other FreeIPA one, I banged my head against a wall attempting to authenticate this from my AD domain for a couple of days. I couldn't figure out why it wouldn't work. Finally I commented out the additional_users and additional_groups entries and BAM! What I discovered is if all your users and groups are in the OU=Users and OU=Groups OUs respectively (as I suspect many home labs are) it will just silently fail if you point the "additional" entries to those same OUs. Gotta just comment it out. Thought I would share and save someone else heartache.
Thanks for sharing Anthony, great tips! It's important to note that my template for LDAP is based on the FreeIPA LDAP schema and so the search queries will be different if using MS Active Directory for example.
@@IBRACORP understood, I would be happy to share my working (2016) AD conf entries if you would like to disseminate them.
That would be great! I could share them in the instructions for people running AD as their backend. If you like you can email them, support @ ibracorp . io
Awesome and unique content..... ❤️❤️❤️❤️
I think the additional config files are missing now that the GitHub is gone. I think they’re missing from the written guide.
Ah, good catch - I'll update the guide to include that
I have set up two "proxies", one for overseerr and one for guacamole. In configuration.yml I only have entries for domain and policy: one_factor. If I go to my overseerr domain I get to log in using authelia. But if I close the overseerr window and try to go to my overseerr domain again I get an authelia message saying that I am already logged in and it only gives me the option to logout. If I want to access overseerr again I have to click logout, wait for the login page to show. I then need to close that window and enter my overseerr domain again. Is there something I have missed?
Great video, as the other ones. You rock!!!!
Do you know if there's some way to use authelia and bitwarden together, with the app - windows, firefox, android, ios etc?
Thanks
Thanks Daniel, appreciate the feedback. I do have bitwarden myself but I chose not to use Authelia.
It will likely work except for maybe the apps. Usually, if there's an app that uses an API, in NGINX Proxy Manager, under the location section of a proxy, you can tell it to ignore authentication for the API. This is usually what allows the apps to function unrestricted. I think I'll need to make a video on it
@@IBRACORP I just finished watching the video at your recommendation in the other cloudflare video. It would be great if you could make a video that explained this process of setting up ignore for API! I am thinking of converting over from SWAG to Nginx Proxy Manager... and with authelia being able to do the fail2ban stuff... and then cloudflare the geoIP blocking would have coverage with a lot more flexibility within Nginx Proxy Manager.
I do wonder with the setup for the MariaDB and adminer... I already had a MariaDB setup from a Spaceinvader video for nextcloud. This was without the adminer, which looks a lot nicer for config. Would adding the adminer docker pick up or mess up the MariaDB I previously created?
Thanks in advance, your videos and responses have been awesome.
I think I'll need to do a follow up on it. I've added it to my list to do, thank you for the suggestion.
I'll explain how to bypass APIs so you can separate protection in it, so give me some time and you'll see it :)
As for Adminer it will not hurt your existing config. All it does is provide a GUI to work with your databases. As long as it's a supported database type (of which there are plenty) you can connect to it and manage it.
Thanks for the cool video, but I don't have any config file after creating the docker?!
No dice. I commented out the ldap but still getting fatal ldap error 200.
Are you still having issues with this? We have an updated video/guide if you want to try again.
First let me say I love your channel! Second, I have tried this guide 3 times now from scratch and I can't get it to start up. It keeps saying Provide JWT secret. I have gone through the video countless times and still get the same result. I know it will end up being a user error since I am new to docker and unraid, it's just frustrating. One suggestion for future videos if I may: use the same configuration file that you provide (not truncated). It makes it confusing when half the config options are not shown on your screen (for a noob at least). Thanks for the great content and I will keep plugging along until I figure it out.
Question for you, what do I need to change in the Protected Endpoint.conf to point to a non-container item, say another address on my local network? What do I replace CONTAINERNAME with?
Should just be the hostname mate.
Anyone else having an issue with radarr and sonarr not sending data back to the host once connected? I.e. saving settings or trying to download new media on the domain does nothing on the host side?
I have other dockers that run with no problems (overseerr, SABnzbd, nextcloud, etc.).
Finally got it working, the one thing that messed me up was the yml code. In other yml/yaml coding I have done, if anything that you use contains a non-alpha character you need to use (") quotes. Almost all my passwords do and that took me hours to figure out. Something about forest and trees. LOL
Where can we go to replace the key generator? It has been changed now. Thank you in advance.
Here's a good one: randomkeygen.com/
@@IBRACORP Awesome thank you this is where I ended up at.
Do you plan to make a video about setting up LDAP for Authelia and Windows auth? That's a project I have wanted to implement since ages ago, but I never found a combination of tutorials and (free, selfhosted) software for that.
We are actually yes. We'll be covering Authelia in depth and up to date, including LDAP, very soon 😉
I recently updated the app and now I'm getting
time="2021-04-16T19:49:31+01:00" level=error msg="invalid configuration key 'notifier.smtp.disable_verify_cert' was replaced by 'notifier.smtp.tls.skip_verify'"
time="2021-04-16T19:49:31+01:00" level=error msg="invalid configuration key `notifier.smtp.trusted_cert` it has been removed, option has been replaced by the global option `certificates_directory`"
how do I deal with this?
I will be updating the config files soon, but you can comment out the first part and replace the key with the one it's telling you in the logs.
EDIT: Files updated on Git!
Thank you for this guide! Will you be able to create a guide to switch the username/password database from file to LDAP? Currently I have Authelia set up but I would want to expand to more users and with a file I will have to create each user account manually.
Hi Bobokun, you're very welcome! Yeah, it's definitely on the list because I will actually install an LDAP server and then configure Authelia to use it.
Can't seem to edit the config.yml authelia creates.
Every other container I can edit anything in, including mariadb which was just installed.
Windows is saying I don't have read permission, exclusively for that folder.
Hi Marshy, yeah permissions can be annoying sometimes. You can run commands in unraid to give yourself permission or use Krusader to navigate to the file and change permissions from there too.
The easiest thing I find is to use Krusader to delete it from appdata and create your own one on your local machine, then paste that in.
@@IBRACORP that's all it was. Cheers mate
When you set up adminer, wouldn't it be better to just give the docker net ip:port instead of your LAN port?
That's a good idea, never tried it actually. Thanks for the tip!
I have got authelia up and running after your great video. Now I have a problem with getting the api key from the different services; I have to bypass it. Let's say for sonarr I want a more secure login, but I would want the api key from sonarr to work with other applications. How would I do this? I don't really understand how to set that up.
Hmm if you watch my latest Organizr video for server auth it should be similar by bypassing the URL for an API endpoint in your reverse proxy. Check it out and let me know if that's what you mean
Hey, thanks for the video. I've tried to implement this on my server, but when I try to access radarr it asks me to connect and after I put in the username+password it just says "Authenticated" and doesn't move on to radarr. I tried to re-install, re-configure all the configs that you added to the guide and nothing.. can anyone help me fix this? :(
great content - for your future videos you could increase the font size a little bit, especially when showing config files in text editor (like notepad++ and so on).
Thank you mate, you're definitely right, I didn't pick up on that. I will make it easier in future.
@@IBRACORP also you can attach text files
Thanks a lot for this tutorial, it helped a lot! With this configuration, I have an issue when I go to auth.mydomain.com: it does not force a redirection to https (even though "Force SSL" is active on the Nginx Proxy Manager). Is this caused by a setting in the custom Nginx configuration? I don't have this issue with my other services.
Hey there, thanks for watching. I'm glad you found it useful.
That's odd, https should always be active. Are you using my config exactly as is?
Might be worth checking your Authelia logs to see if anything is happening.
If you read the advanced config it should be https as far as I remember
Hi, thanks a lot for the overview of Authelia. I just have one issue with this install. The argon2id part does not work. I did change the name and did all the things you said we needed to change but it will not start Authelia. Any ideas??
What sort of issue are you facing? Do the logs tell you anything?
@@IBRACORP Hi, thanks for the reply. The Argon2id didn't work for me so I went on with LDAP. Now the problem I have is that authelia does not take the user and password I have in FreeIPA, but in Organizr it works... I have to look into that and see what that can be...
Best Regards André
It will be the user and group filters. I have an example on my GitHub that you can use for FreeIPA.
@@IBRACORP Q... Do I need users_database even with LDAP??
Nope
How would I put a virtual machine or another machine behind NGINX/authelia?
I have HASSIO installed as a virtual machine on unraid. I want to expose it behind authelia. I plan to move it to a proxmox installation eventually although it will keep the same IP. Is this possible?
If it has a reverse proxy address you just apply the config just like anything else!
@@IBRACORP Hey! Thanks for replying.
I'm referring specifically to where the authelia config uses the docker name, i.e.
location / {
set $upstream_XXXXXXX $forward_scheme://$server:$port;
proxy_pass $upstream_XXXXXXX;
}
I'm not sure how to redirect that to 192.169.x.xxx:XXXX or homeassistant.local:XXXX
I've read the authelia docs and unfortunately it's not annotated well enough for it to quite click.
The upstream can be anything so just put hassio for example.
Everything else is on the reverse proxy ✌️
@@IBRACORP yep. yep. That was the first thing I tried and somehow it didn't work.
Works perfectly, thanks.
I finally attempted this awesome tutorial. However I must be the only one that failed at it. When I log into Authelia to authenticate Jackett I get a 403 error. Any clues as why this is happening? I did pick a plain text word and used the HASH generator.
Check your rules section in Authelia config file Sean. Try using a wildcard rule like "*.domain.tld"
I have a question about MariaDB. I see Authelia requires a database but so do Nextcloud and Nginx; how does that work? Can there be multiple databases in the one MariaDB container and these DBs handle different applications? If so, can you do a video on that if time permits? Great tutorial, I'm trying to follow along and have a similar setup for my HomeLab. Going forward I will ask questions at your email addy above. Again thank you for all your hard work on the videos. They are truly helpful!
Hi Sean, thanks for watching!
To answer your question, yes you really only need one mariadb container (usually) because you can have multiple databases inside of it by simply creating more.
An advantage of creating a whole new container might be for having it on a different VLAN but usually the one is enough for us homelabbers.
Please don't worry, you can ask questions here on our TH-cam; for anything too hard to answer here we have Discord too. Thank you for coming back and checking out the channel, appreciate your support.
Hey ibracorp, when I try to start authelia I get "Error malformed yaml: line 228: did not find expected key". That's the "file" part of the config.yml. I have tried different passwords and hashes, I have put the plain text password in the password field and left it blank like in your video but nothing seems to work. Any ideas?
Usually it means you have an extra space or wrong indentation. YAML is very particular :)
@@IBRACORP thanks for the reply! I still can't figure it out :( I have it open in Visual Studio and it says there's a bad indentation mapping on 229 which is "file:" but I don't think that's the real cause because the template has the same "error". Man, I wish you could see what I'm seeing, I feel like it's going to be something dumb lol
@@homerogonzalez2909 Join our Discord mate we'd love to help discord.gg/VWAG7rZ
@@IBRACORP thanks man will do!
@@IBRACORP thanks for the great videos and awesome discord community, thank you guys, I got it figured out!
Hello all, great guide. I do have an issue where it's not redirecting to Overseerr. I followed the guide to the letter. When I log in it does show the "Hi Marvin! Authenticated" but it does not redirect.
Hi Marvin, please check the code pasted into NGINX Proxy Manager for both Authelia and Overseerr. There is likely a placeholder that hasn't been changed yet.
Otherwise please check Authelia logs and see what it says
@@IBRACORP The message I am getting from the logs are the target URL "MYURL" is not under the protected domain "myDomain". By the way thanks so much for the help.
Ok so that means in your config yml file the protected domain field is either missing or different from the one you are trying to protect. They need to be the same.
@@IBRACORP Ha, thanks for the help, found the issue: it was capital letters in my domain name. Also you have some extra spaces in "Protected endpoint" at the end of "proxy_pass $upstream_authelia;"
Thanks so much for the support you rock dude !!
My absolute pleasure glad it's all sorted my friend. Enjoy :)
And thanks I'll take a look after work and fix it
Greetings from Australia! Followed this as close as possible but can't get Authelia to start. Logs give "Unable to initialize SQL database: Error 1045: Access denied for user 'authelia'@'172.18.0.1' (using password: YES)". Any idea what I'm doing wrong?
Hi mate, have you configured your SQL server in the Authelia config file? It's trying to connect to a 172.18.0.1 address. It should be the unraid server's IP along with the port of your SQL database.
Also, confirm your credentials are correct as it might also be a password or username issue.
@@IBRACORP hey mate, I've definitely amended the config with the correct info. Upon further inspection, I think it may be an issue with mariadb. Logging in to the authelia user in Adminer shows the following: "Warning: PDO::query(): SQLSTATE[42000]: Syntax error or access violation: 1044 Access denied for user 'authelia'@'172.17.0.1' to database 'information_schema' in /var/www/html/adminer.php on line 185". Sorry if this is something silly!
Definitely a password issue in my opinion then. You should just reset the password for that database user and make sure you've given the user full privileges as I've shown
@@IBRACORP Got it! In the end the problem was twofold. Both Redis and mariadb didn't seem to like my passwords consisting exclusively of just numbers (0-9). Also it seems creating the database with Adminer using any other sequence than the one shown in the video will cause problems setting privileges. Appreciate the hands-on support!
Interesting find, never came across that before. Thanks for coming back with the solution, might help others in future.
And no worries glad to help
Where is the link to the current config files?
In the description
@@IBRACORP I must be going blind. Either way Authelia is back up and running, now on to Traefik.
No worries! You can find them in our docs which is updated often docs.ibracorp.io
The config you are editing in the video is different from the config.template on the GitHub. Are you using the default config or the one from GitHub?
The config on our Git is always up to date. Use that
Is it possible that you could help me get two-factor fixed? It states "There was a problem initiating the registration process" whenever I try to use it.
Still having issues? Feel free to ask in our Discord!
@@IBRACORP Thanks for replying, but I managed to figure it out! Turned out I had a silly typo in my configuration.yml file
The number one root cause haha. Glad you got it sorted
@@IBRACORP As am I. Thanks a lot for the incredibly useful video!
My pleasure thank you for watching once again, it means a lot
Very good video! I am curious to know if I can use Authelia to log in to Nextcloud, especially when Nextcloud has multiple user accounts.
Anyway good work.
You sure can mate. The hard part is getting the Nextcloud app to connect, but if you know the API details you can configure in proxy to bypass Authelia.
You can also use LDAP like I do for both Nextcloud and Authelia so they share the same users.
I will be making a video on this soon
@@IBRACORP bypass Authelia? You cannot use Authelia SSO for nextcloud?
I believe you can but I don't know for sure as I haven't implemented it over Nextcloud for myself personally. I know some of my members have though, sorry I can't say for sure
@@IBRACORP thank you for your answer and all your work.
My pleasure
How were you able to just open the config in Windows? It always tells me I need permission.
Check your share permissions in unraid, if it's protected when you go to access that share you need to make sure you are providing the credential of a user with permission
Hi everyone, I just set up authelia, but I have 2 problems with apache guacamole and radarr. The first is: when I type my guacamole address the first time, log in to authelia and log in to apache guacamole, everything works fine, but the second time, when I close the page and retype the address, it gives me a blank page and doesn't show anything (the address bar shows this address: guacamole.*******.com/#/ - I hid my address for security). To show the page correctly I need to clear the cache of my web browser.
The second doubt is: I type my radarr address, it shows the authelia login page, I log in and it shows the radarr login page, but when I click on the login button it returns a page with error HTTP ERROR 400. Can anyone support me? I'm a newbie, I was learning to make a nice reverse proxy.
Hi Eric,
Does this happen without authelia in use? If not, please check all your settings in the Authelia config file, making sure the cookie sections are correct and your domain is correct.
Do you have any logs for Authelia? What do they say?
I didn't change anything in the cookies section of config.yml (appdata). When I try to reach the address of my apache guacamole the log shows this:
time="2021-03-14T02:40:29-03:00" level=info msg="Access to guacamole.******.com/api/languages (method unknown) is not authorized to user , sending 401 response" method=GET path=/api/verify remote_ip=172.68.25.163
Like I said your rules are incorrect. Check your config file rules section. See the official Authelia docs for more information
You might want to use a wildcard rule. Example: "*.domain.com"
Hi man, the guacamole access bug is solved: if I just type the address it shows me the blank page, but if I type it and then refresh the page, it shows me the login page correctly. But the radarr bug is not solved. I use the authelia login and the login form (login page) that came with radarr. If I just disable the form (login page) and keep only the authelia authentication page, then after logging in to authelia it redirects with no problem to the radarr homepage, but if I enable the form (login page), after I log in it returns with page HTTP ERROR 400. Does anyone have this bug?
Great video, I didn't manage to make it work with only your GitHub and now I'm stuck with mariadb. I put a password in it but adminer can't connect to it, and when I connect to the mariadb container and try mysql or mysql -u root -p mypassword, it just says access denied using password YES.
Version of MariaDB: mysql Ver 15.1 Distrib 10.4.18-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2. It's not the first time it has done this to me with mysql.
Is the mariadb empty? Might be easier to just blow it away and start again to make sure the password is correct
@@IBRACORP yes, empty. I tried to remove the container and the image so nothing should be kept? And started over but it does the same thing :/ maybe I need to do a deeper cleaning but I don't know how.
Ok so you need to remember that your appdata folder holds persistent data for containers and it is not removed when you delete a container.
1. Go to the community app store and install the plugin called "Cleanup Appdata"
2. Delete your mariadb container and image as usual through the Docker tab
3. Go to Settings > Cleanup Appdata plugin
4. Check the box next to the container and delete
Be very careful that you select only the one you want to delete, the plugin is unforgiving. But it's a great tool to remove the folder without worrying about permissions issues
Thanks for the awesome video.
I would be interested in how you setup FreeIPA
Thanks Mario. FreeIPA is in the works. I hope to do it soon
@@IBRACORP Nice, looking forward to it! I just installed FreeIPA for learning purposes. Haven't really figured out if the domain and realm should/could be a subdomain of my regular domain or something like .localdomain/.local. Keep up the great content!
It can definitely be part of your existing domain. I'll show you how. Give me some time to prepare for it and I'll get one out there
Hello Mate, thanks for the video. Very helpful!
Just wondering if you can help me please, I have setup duplicati on Unraid and created a subdomain on cloudflare and setup a proxy host in NPM.
When I go to my subdomain "backups.mydomain.com" it works absolutely fine but when I enter the authelia protect endpoint config in NPM and enter the access control rules in authelia config and then go to my subdomain I get to authelia login screen and I sign in and it doesn't open the duplicati page. I can see authelia redirected me to my subdomain in the address bar but it gives me a HTTP 400 error.
I have had a look in authelia logs and this is what it says "level=debug msg="Redirection URL backups.mydomain.com/ is safe" method=POST path=/api/firstfactor remote_ip=XX.XX.XXX.XXX".
I'm using the same protect endpoint config with Nextcloud and PsiTransfer and just change the container name in the config, and they are working fine without any issues.
Can you please help mate? Am I missing something here? It'll be much appreciated.
Thank you
Hi mate, thank you for watching firstly.
Have you tried through an incognito session to see if it's a cache issue?
Also check the URL it's trying to forward you to and see what protocol is being used (http or https); make sure that all matches your setup in NPM.
You can join our Discord and ask there too. I haven't got duplicati running ATM but I can look at it later. Might need more logs etc. Jump in Discord and ask there, then I can give you an email to send logs to.
@@IBRACORP Right no worries mate, I'll message you on Discord then. Thank you!
you are amazing
Your unraid IP is 192.168.1.101, so why is the custom network IP still 192.168.1.101? All of your dockers are running in bridge mode.
Because they are bridged. But they talk to each other on the custom docker network on the left side of the mapping.
Would there be any chance you can link a doc /video, or advise how I can use this with something like bitwarden?
My bitwarden clients (phone/tablet/laptops etc...) use my exposed service bitwarden.mydomain.com on my home network, and remotely. Everything works fine. I log in, enter my 2FA and I'm golden.
But with Authelia, it (obviously) no longer works because the clients can't login (at home or remotely) because of the extra authentication mechanisms in place.
Been pulling my hair on this all afternoon, for both Bitwarden and Nextcloud, both hosted on unRAID
The only way to get around it to my knowledge is bypassing auth for the API of each application (if supported). For example, you can look at Organizr, which explains how to bypass it for Sonarr and Radarr.
@@IBRACORP I'll look into that, thank you
Finally i can now have 2FA 😋
The best option!
15:57 rickroll