
Configuring Authelia with nginx proxy manager

### Files to be installed on nginx proxy server

#### auth.conf
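##/nginx/auth.conf
# Basic Authelia config. Include this inside the location{} that must be
# protected (see the "Protected Proxy Hosts" snippet).
# Send a subrequest to Authelia to verify that the user is authenticated
# and has the right permissions to access the resource.

auth_request /authelia;

# Set the `target_url` variable from the request. It is used to build the
# portal URL with the correct redirection parameter after login.

auth_request_set $target_url $scheme://$http_host$request_uri;

# Set the Remote-User / Remote-Groups / Remote-Name / Remote-Email headers from
# the values returned by Authelia, for backends which can consume them.
# proxy_set_header overwrites any same-named header sent by the client, but the
# backend must still only be reachable through this proxy: a client that can
# reach the backend directly could forge these headers itself.
# In the future it will be safer to just use OAuth/OIDC.

auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
auth_request_set $name $upstream_http_remote_name;
auth_request_set $email $upstream_http_remote_email;
proxy_set_header Remote-User $user;
proxy_set_header Remote-Groups $groups;
proxy_set_header Remote-Name $name;
proxy_set_header Remote-Email $email;

# If Authelia returns 401, nginx redirects the user to the login portal.
# If it returns 200, the request passes through to the backend.
# Other errors are handled by nginx as usual.

error_page 401 =302 https://auth.EXAMPLE.COM/?rd=$target_url; # Change domain to match yours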

#### auth_proxy.conf
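##/nginx/auth_proxy.conf
# Internal verify endpoint used by the auth_request directive in auth.conf.
# Include this at server level (outside any location{}) on every protected host.
location /authelia {
    internal;  # only reachable through auth_request, never directly by clients
    # Plain HTTP to Authelia: keep this hop on a trusted network segment.
    set $upstream_authelia http://10.10.10.1:9091/api/verify; # Change IP & port to match Authelia server
    proxy_pass_request_body off;
    proxy_pass $upstream_authelia;
    proxy_set_header Content-Length "";

    # Timeout if the real server is dead
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
    client_body_buffer_size 128k;
    proxy_set_header Host $host;
    # Details of the original request, forwarded so Authelia can evaluate it
    # and send the user back to the right place after login.
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    proxy_set_header X-Real-IP $remote_addr;
    # Deliberately $remote_addr (nginx's view of the client) rather than the
    # client-supplied X-Forwarded-For, so a client cannot spoof its address.
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header X-Forwarded-Uri $request_uri;
    proxy_set_header X-Forwarded-Ssl on;  # hard-coded: assumes this host is served over TLS only
    proxy_redirect http:// $scheme://;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_cache_bypass $cookie_session;
    proxy_no_cache $cookie_session;
    proxy_buffers 4 32k;

    send_timeout 5m;
    proxy_read_timeout 240;
    proxy_send_timeout 240;
    proxy_connect_timeout 240;
}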

### Advanced Configs for nginx hosts

#### For Authelia Proxy Host
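# "Advanced" config for the Authelia portal host (auth.EXAMPLE.COM).
location / {
  set $upstream_authelia http://10.10.10.1:9091; # NEEDS TO MATCH YOUR AUTHELIA SERVER IP & PORT
  proxy_pass $upstream_authelia;
  client_body_buffer_size 128k;

  # Timeout if the real server is dead
  proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

  # Advanced Proxy Config
  send_timeout 5m;
  proxy_read_timeout 360;
  proxy_send_timeout 360;
  proxy_connect_timeout 360;

  # Basic Proxy Config
  proxy_set_header Host $host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto $scheme;
  proxy_set_header X-Forwarded-Host $http_host;
  proxy_set_header X-Forwarded-Uri $request_uri;
  proxy_set_header X-Forwarded-Ssl on;
  proxy_redirect http:// $scheme://;
  proxy_http_version 1.1;
  proxy_set_header Connection "";
  proxy_cache_bypass $cookie_session;
  proxy_no_cache $cookie_session;
  proxy_buffers 64 256k;

  # If this proxy itself sits behind another reverse proxy, recover the real
  # client IP from X-Forwarded-For. Only list proxies you control: every
  # address in set_real_ip_from is trusted to assert the client address, and
  # without at least one set_real_ip_from the two real_ip_* directives below
  # have no effect. The examples are the RFC 1918 private ranges plus ULA IPv6;
  # note 172.16.0.0/12 is the private block (172.0.0.0/8 would include public space).
  #set_real_ip_from 10.0.0.0/8;
  #set_real_ip_from 172.16.0.0/12;
  #set_real_ip_from 192.168.0.0/16;
  #set_real_ip_from fc00::/7;
  real_ip_header X-Forwarded-For;
  real_ip_recursive on;
}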

#### For Protected Proxy Hosts
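# "Advanced" config for each host that Authelia must protect.
# auth_proxy.conf defines the internal /authelia location, so it is included at
# server level; auth.conf carries the auth_request directives and is included
# inside the location it protects. Both paths must match where the snippet
# files were placed on the proxy.
include /data/nginx/snippets/auth_proxy.conf;

location / {
    proxy_pass http://10.10.10.20:80;    # Match IP:port of destination content server
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # Protect this endpoint. Only this location is covered: any additional
    # location{} block added for the host needs its own include of auth.conf.
    include /data/nginx/snippets/auth.conf;
}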

### Files to be installed on Authelia server

#### users_database.yml
##/config/users_database.yml
# User store for the `file` authentication backend (authentication_backend.file.path).
users:
  USER:  # login name
    displayname: "USER"
    # Full argon2id hash string produced by Authelia's hash-password command;
    # the prefix shown here is only illustrative of the expected format.
    password: "$argon2id$v=19$m=65536,t=1,p=<INSERT ARGON HASHED PASSWORD>"
    email: USER@EXAMPLE.COM
    # Group names are what access_control rules reference as "group:<name>";
    # the names must match exactly on both sides.
    groups:
      - admins

#### configuration.yml
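###/config/configuration.yml
# yamllint disable rule:comments-indentation
---
###############################################################################
#                           Authelia Configuration                            #
###############################################################################

## Note: the container by default expects to find this file at /config/configuration.yml.
## Every <PLACEHOLDER> below must be replaced before use; do not commit the
## populated file, as it then contains the signing, session and storage secrets.

theme: dark
jwt_secret: <INSERT SUPER SECRET PASSWORD HERE>

default_redirection_url: https://LANDINGPAGE.EXAMPLE.COM

##
## Server Configuration
##
server:
  # Listens on all interfaces; only the nginx proxy should be able to reach
  # this port, so restrict it with a firewall or bind to the proxy-facing address.
  host: 0.0.0.0
  port: 9091
  path: ""
  # asset_path: /config/assets/
  read_buffer_size: 4096
  write_buffer_size: 4096
  enable_pprof: false
  enable_expvars: false
  disable_healthcheck: false

##
## Log Configuration
##
log:
  level: debug  # handy while setting up; lower to info once working, debug is verbose
  file_path: /config/authelia.log
  # keep_stdout: false

##
## TOTP Configuration
##
## Parameters used for TOTP generation.
totp:
  issuer: EXAMPLE.COM
  algorithm: sha1
  digits: 6
  period: 30
  skew: 1

##
## NTP Configuration
##
## This is used to validate the server's time is accurate enough to validate TOTP.
ntp:
  address: "pool.time.org:123"
  version: 4
  max_desync: 3s
  disable_startup_check: false
  disable_failure: false

##
## Authentication Backend Provider Configuration
##
## Used for verifying user passwords and retrieving information such as email
## address and the groups users belong to.
##
## The available providers are: `file`, `ldap`. You must use only one of these providers.
authentication_backend:

  disable_reset_password: false
  refresh_interval: 5m

  file:
    path: /config/users_database.yml
    # Hashing parameters applied when Authelia itself hashes a password
    # (presumably on reset/change); existing hashes in users_database.yml
    # carry their own parameters.
    password:
      algorithm: argon2id
      iterations: 1
      key_length: 32
      salt_length: 16
      memory: 1024
      parallelism: 8

##
## Access Control Configuration
##
## Rules are evaluated top to bottom and the first match wins, so the most
## specific domains come first: a broad "*.EXAMPLE.COM" rule placed before
## "*.priv.EXAMPLE.COM" would shadow it and the two_factor policy would never apply.
access_control:
  default_policy: deny
  rules:
    - domain:
        - "*.pub.EXAMPLE.COM"
        - "auth.EXAMPLE.COM"  # the portal itself must be reachable without a session
      policy: bypass
    - domain: "*.priv.EXAMPLE.COM"
      policy: two_factor
    - domain: "*.EXAMPLE.COM"
      subject: "group:admins"  # must match a group name listed in users_database.yml
      policy: one_factor
    - domain: "*.EXAMPLE.COM"
      policy: one_factor

##
## Session Provider Configuration
##
## The session cookies identify the user once logged in.
## The available providers are: `memory`, `redis`. Memory is the provider unless redis is defined.
session:
  name: authelia_session
  domain: EXAMPLE.COM  # cookie is valid for every subdomain of this domain
  same_site: lax
  secret: <INSERT AUTHELIA SECRET HERE>
  expiration: 1h
  inactivity: 5m
  remember_me_duration: 1M

##
## Regulation Configuration
##
## This mechanism prevents attackers from brute forcing the first factor. It bans
## the user if too many attempts are made in a short period of time.
regulation:
  max_retries: 3
  find_time: 2m
  ban_time: 5m

##
## Storage Provider Configuration
##
## The available providers are: `local`, `mysql`, `postgres`. You must use one and only one of these providers.
storage:
  encryption_key: <INSERT DATABASE KEY HERE>
  local:
    path: /config/db.sqlite3

##
## Notification Provider
##
## Notifications are sent to users when they require a password reset, a U2F
## registration or a TOTP registration.
## The available providers are: filesystem, smtp. You must use only one of these providers.
notifier:
  disable_startup_check: false
  # filesystem writes the notification (including reset links) to a local file
  # instead of e-mailing it; suitable for testing, switch to smtp for real users.
  filesystem:
    filename: /config/notification.txt
...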