Configuring Authelia w/ nginx proxy manager
### Files to be installed on nginx proxy server
#### auth.conf

```nginx
## /nginx/auth.conf
# Basic Authelia Config
# Send a subsequent request to Authelia to verify if the user is authenticated
# and has the right permissions to access the resource.
auth_request /authelia;

# Set the `target_url` variable based on the request. It will be used to build the portal
# URL with the correct redirection parameter.
auth_request_set $target_url $scheme://$http_host$request_uri;

# Set the X-Forwarded-User and X-Forwarded-Groups with the headers
# returned by Authelia for the backends which can consume them.
# This is not safe, as the backend must make sure that they come from the
# proxy. In the future, it's gonna be safe to just use OAuth.
auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
auth_request_set $name $upstream_http_remote_name;
auth_request_set $email $upstream_http_remote_email;
proxy_set_header Remote-User $user;
proxy_set_header Remote-Groups $groups;
proxy_set_header Remote-Name $name;
proxy_set_header Remote-Email $email;

# If Authelia returns 401, then nginx redirects the user to the login portal.
# If it returns 200, then the request passes through to the backend.
# For other types of errors, nginx will handle them as usual.
error_page 401 =302 https://auth.EXAMPLE.COM/?rd=$target_url; # Change domain to match yours
```
#### auth_proxy.conf

```nginx
## /nginx/auth_proxy.conf
location /authelia {
    internal;
    set $upstream_authelia http://10.10.10.1:9091/api/verify; # Change IP & port to match Authelia server
    proxy_pass_request_body off;
    proxy_pass $upstream_authelia;
    proxy_set_header Content-Length "";

    # Timeout if the real server is dead
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
    client_body_buffer_size 128k;
    proxy_set_header Host $host;
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header X-Forwarded-Uri $request_uri;
    proxy_set_header X-Forwarded-Ssl on;
    proxy_redirect http:// $scheme://;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_cache_bypass $cookie_session;
    proxy_no_cache $cookie_session;
    proxy_buffers 4 32k;

    send_timeout 5m;
    proxy_read_timeout 240;
    proxy_send_timeout 240;
    proxy_connect_timeout 240;
}
```
### Advanced Configs for nginx hosts
#### For Authelia Proxy Host

```nginx
location / {
    set $upstream_authelia http://10.10.10.1:9091; # NEEDS TO MATCH YOUR AUTHELIA SERVER IP & PORT
    proxy_pass $upstream_authelia;
    client_body_buffer_size 128k;

    # Timeout if the real server is dead
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

    # Advanced Proxy Config
    send_timeout 5m;
    proxy_read_timeout 360;
    proxy_send_timeout 360;
    proxy_connect_timeout 360;

    # Basic Proxy Config
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header X-Forwarded-Uri $request_uri;
    proxy_set_header X-Forwarded-Ssl on;
    proxy_redirect http:// $scheme://;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_cache_bypass $cookie_session;
    proxy_no_cache $cookie_session;
    proxy_buffers 64 256k;

    # If behind reverse proxy, forwards the correct IP
    #set_real_ip_from 10.0.0.0/8;
    #set_real_ip_from 172.0.0.0/8;
    #set_real_ip_from 192.168.0.0/16;
    #set_real_ip_from fc00::/7;
    real_ip_header X-Forwarded-For;
    real_ip_recursive on;
}
```
#### For Protected Proxy Hosts

```nginx
include /data/nginx/snippets/auth_proxy.conf;
location / {
    proxy_pass http://10.10.10.20:80; # Match IP:port of destination content server
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    include /data/nginx/snippets/auth.conf; # Protect this endpoint
}
```
### Files to be installed on Authelia server
#### users_database.yml

```yaml
## /config/users_database.yml
users:
  USER:
    displayname: "USER"
    password: "$argon2id$v=19$m=65536,t=1,p=<INSERT ARGON HASHED PASSWORD>"
    email: USER@EXAMPLE.COM
    groups:
      - admins
```
#### configuration.yml

```yaml
## /config/configuration.yml
# yamllint disable rule:comments-indentation
---
###############################################################
#                   Authelia Configuration                    #
###############################################################

## Note: the container by default expects to find this file at /config/configuration.yml.

theme: dark

jwt_secret: <INSERT SUPER SECRET PASSWORD HERE>

default_redirection_url: https://LANDINGPAGE.EXAMPLE.COM

##
## Server Configuration
##
server:
  host: 0.0.0.0
  port: 9091
  path: ""
  asset_path: /config/assets/
  read_buffer_size: 4096
  write_buffer_size: 4096
  enable_pprof: false
  enable_expvars: false
  disable_healthcheck: false

##
## Log Configuration
##
log:
  level: debug
  file_path: /config/authelia.log
  keep_stdout: false

##
## TOTP Configuration
##
## Parameters used for TOTP generation.
totp:
  issuer: EXAMPLE.COM
  algorithm: sha1
  digits: 6
  period: 30
  skew: 1

##
## NTP Configuration
##
## This is used to validate the server's time is accurate enough to validate TOTP.
ntp:
  address: "pool.time.org:123"
  version: 4
  max_desync: 3s
  disable_startup_check: false
  disable_failure: false

##
## Authentication Backend Provider Configuration
##
## Used for verifying user passwords and retrieving information such as email address and
## groups users belong to.
##
## The available providers are: `file`, `ldap`. You must use only one of these providers.
authentication_backend:
  disable_reset_password: false
  refresh_interval: 5m
  file:
    path: /config/users_database.yml
    password:
      algorithm: argon2id
      iterations: 1
      key_length: 32
      salt_length: 16
      memory: 1024
      parallelism: 8

access_control:
  default_policy: deny
  # Rules are evaluated in order and the first match wins, so the more specific
  # *.priv.EXAMPLE.COM rule must come before the generic *.EXAMPLE.COM rules.
  rules:
    - domain:
        - "*.pub.EXAMPLE.COM"
        - "auth.EXAMPLE.COM"
      policy: bypass
    - domain: "*.priv.EXAMPLE.COM"
      policy: two_factor
    - domain: "*.EXAMPLE.COM"
      subject: "group:admin" # group name must match the one used in users_database.yml
      policy: one_factor
    - domain: "*.EXAMPLE.COM"
      policy: one_factor

##
## Session Provider Configuration
##
## The session cookies identify the user once logged in.
## The available providers are: `memory`, `redis`. Memory is the provider unless redis is defined.
session:
  name: authelia_session
  domain: EXAMPLE.COM
  same_site: lax
  secret: <INSERT AUTHELIA SECRET HERE>
  expiration: 1h
  inactivity: 5m
  remember_me_duration: 1M

##
## Regulation Configuration
##
## This mechanism prevents attackers from brute forcing the first factor.
## It bans the user if too many attempts are made in a short period of time.
regulation:
  max_retries: 3
  find_time: 2m
  ban_time: 5m

##
## Storage Provider Configuration
##
## The available providers are: `local`, `mysql`, `postgres`. You must use one and only one of these providers.
storage:
  encryption_key: <INSERT DATABASE KEY HERE>
  local:
    path: /config/db.sqlite3

##
## Notification Provider
##
## Notifications are sent to users when they require a password reset, a U2F registration or a TOTP registration.
## The available providers are: filesystem, smtp. You must use only one of these providers.
notifier:
  disable_startup_check: false
  filesystem:
    filename: /config/notification.txt
...
```
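The access_control rules above are first-match, so their order decides which policy a host gets. The following is an added example, not code from this page or from the Authelia project: a small model of Authelia's rule evaluation (assumed semantics: list order, first match wins, `*.X` matches any host ending in `.X`, `group:G` requires G in the user's groups, `default_policy` otherwise) that checks what policy `vault.priv.EXAMPLE.COM` receives when the generic `*.EXAMPLE.COM` one_factor rule is listed before the `*.priv.EXAMPLE.COM` two_factor rule, and when the specific rule is moved first.

```python
# Added example, not from the page or from Authelia. Minimal model of Authelia
# access_control evaluation. Assumed semantics (labelled assumptions): rules are
# tried in list order and the first match wins; a "*.X" domain matches any host
# ending in ".X"; "group:G" matches when G is in the user's groups; hostnames
# are compared case-insensitively; default_policy applies when nothing matches.
DEFAULT_POLICY = "deny"

# Rules with the generic *.EXAMPLE.COM one_factor rule ahead of the specific
# *.priv.EXAMPLE.COM two_factor rule.
RULES_GENERIC_FIRST = [
    {"domain": ["*.pub.EXAMPLE.COM", "auth.EXAMPLE.COM"], "policy": "bypass"},
    {"domain": "*.EXAMPLE.COM", "subject": "group:admin", "policy": "one_factor"},
    {"domain": "*.EXAMPLE.COM", "policy": "one_factor"},
    {"domain": "*.priv.EXAMPLE.COM", "policy": "two_factor"},
]

# Same rules with the specific two_factor rule moved ahead of the generic ones.
RULES_SPECIFIC_FIRST = [RULES_GENERIC_FIRST[0], RULES_GENERIC_FIRST[3],
                        RULES_GENERIC_FIRST[1], RULES_GENERIC_FIRST[2]]


def domain_matches(pattern: str, host: str) -> bool:
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # "*.x.com" -> suffix ".x.com"
    return host == pattern


def subject_matches(subject: str, groups: list) -> bool:
    kind, _, value = subject.partition(":")
    return kind == "group" and value in groups


def policy_for(rules: list, host: str, groups=()) -> str:
    """Return the policy of the first matching rule, else DEFAULT_POLICY."""
    for rule in rules:
        domains = rule["domain"]
        if isinstance(domains, str):
            domains = [domains]
        if not any(domain_matches(d, host) for d in domains):
            continue
        if "subject" in rule and not subject_matches(rule["subject"], list(groups)):
            continue
        return rule["policy"]
    return DEFAULT_POLICY


if __name__ == "__main__":
    for label, rules in (("generic first", RULES_GENERIC_FIRST),
                         ("specific first", RULES_SPECIFIC_FIRST)):
        print(f"{label}: vault.priv.EXAMPLE.COM -> {policy_for(rules, 'vault.priv.EXAMPLE.COM')}")
```

With the generic rule first, the priv host is shadowed and only gets one_factor; with the specific rule first it gets two_factor as intended.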