diff --git a/authelia.conf b/authelia.conf
new file mode 100644
index 0000000..1ea9aa2
--- /dev/null
+++ b/authelia.conf
@@ -0,0 +1,33 @@
+location / {
+set $upstream_authelia http://192.168.1.30:9091; # This example assumes a Docker deployment. Change the IP and Port to your setup
+proxy_pass $upstream_authelia;
+client_body_buffer_size 128k;
+
+#Timeout if the real server is dead
+proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
+
+# Advanced Proxy Config
+send_timeout 5m;
+proxy_read_timeout 360;
+proxy_send_timeout 360;
+proxy_connect_timeout 360;
+
+# Basic Proxy Config
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Host $http_host;
+proxy_set_header X-Forwarded-Uri $request_uri;
+proxy_set_header X-Forwarded-Ssl on;
+proxy_redirect http:// $scheme://;
+proxy_http_version 1.1;
+proxy_set_header Connection "";
+proxy_cache_bypass $cookie_session;
+proxy_no_cache $cookie_session;
+proxy_buffers 64 256k;
+
+# If behind reverse proxy, forwards the correct IP, assumes you're using Cloudflare. Adjust IP for your Docker network.
+set_real_ip_from 192.168.1.0/24;
+real_ip_recursive on;
+}
\ No newline at end of file
diff --git a/configuration.yml b/configuration.yml
new file mode 100644
index 0000000..bdc2efa
--- /dev/null
+++ b/configuration.yml
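Review bot: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` on the portal location appends to whatever X-Forwarded-For the client already sent, so the first entry in the list — which Authelia uses as the client address for its regulation counters — is attacker-controlled, and a brute-forcer against the login form can rotate a spoofed header to sidestep the `max_retries`/`ban_time` limits set in configuration.yml. The `/authelia` subrequest in protected_domain.conf already does this correctly with `$remote_addr`; use the same here: `proxy_set_header X-Forwarded-For $remote_addr;`. The trailing `set_real_ip_from 192.168.1.0/24;` has no `real_ip_header`, so nginx trusts the default X-Real-IP header from every host in that LAN range rather than from the Cloudflare edge the comment refers to; limit it to the actual fronting proxy and add `real_ip_header CF-Connecting-IP;` if Cloudflare is really in front. Note also that the upstream is plain `http://`, so portal credentials cross that network segment unencrypted — acceptable only if 192.168.1.0/24 is fully trusted.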
@@ -0,0 +1,102 @@
+# yamllint disable rule:comments-indentation
+---
+###############################################################################
+# Authelia Configuration #
+###############################################################################
+
+theme: dark #light/dark
+jwt_secret: 9DGPzQy8SZQ7rV57V3DJnw #any text or number you want to add here to create jwt Token
+
+default_redirection_url: https://www.google.com/ #where to redirect for a non-existent URL
+
+server:
+ host: 0.0.0.0
+ port: 9091
+ path: ""
+ read_buffer_size: 4096
+ write_buffer_size: 4096
+ enable_pprof: false
+ enable_expvars: false
+ disable_healthcheck: false
+ tls:
+ key: ""
+ certificate: ""
+
+log:
+ level: debug
+
+totp:
+ issuer: akanealw.com #your authelia top-level domain
+ period: 30
+ skew: 0
+
+authentication_backend:
+ disable_reset_password: true
+ refresh_interval: 5m
+ file:
+ path: /config/users_database.yml #this is where your authorized users are stored
+ password:
+ algorithm: argon2id
+ iterations: 1
+ salt_length: 16
+ parallelism: 8
+ memory: 64
+
+
+access_control:
+ default_policy: deny
+ rules:
+ ## bypass rule
+ - domain: "auth.akanealw.com" #This should be your authentication URL
+ policy: bypass
+ - domain: "bitwarden.akanealw.com" #example domain to protect
+ policy: bypass
+ - domain: "webdav.akanealw.com" #example subdomain to protect
+ policy: bypass
+ - domain: "meshcentral.akanealw.com" #example subdomain to protect
+ policy: bypass
+
+ ## one_factor rule
+ - domain: "codeserver.akanealw.com"
+ policy: one_factor
+
+ ## two_factor rule
+ - domain: ""
+ policy: two_factor
+
+ #add or remove additional subdomains as necessary. 
currenlty only supports ONE top-level domain + #any time you add a new subdomain, you will need to restart the Authelia container to recognize the new settings/rules + +session: + name: authelia_session + secret: 9DGPzQy8SZQ7rV57V3DJnw #any text or number you want to add here to create jwt Token + expiration: 3600 # 1 hour + inactivity: 300 # 5 minutes + domain: akanealw.com # Should match whatever your root protected domain is + +regulation: + max_retries: 3 + find_time: 10m + ban_time: 12h + +storage: + local: + path: /config/db.sqlite3 #this is your databse. You could use a mysql database if you wanted, but we're going to use this one. + encryption_key: iiB7C8Bn4A2gAhzs2fWaggUug76PZ4LU #added Dec 5 2021 + +notifier: + disable_startup_check: true #true/false + smtp: + username: akanealw@gmail.com #your email address + password: qlvmffuzpscltdgz #your email password + host: smtp.gmail.com #email smtp server + port: 587 #email smtp port + sender: akanealw@gmail.com + identifier: proxyserver + subject: "[Authelia] {title}" #email subject + startup_check_address: akanealw@gmail.com + disable_require_tls: false + disable_html_emails: false + tls: + skip_verify: false + minimum_version: TLS1.2 diff --git a/docker-compose.yml b/docker-compose.yml index f3fc3b0..455fb73 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,6 +1,18 @@ version: '3' services: + authelia: + container_name: authelia + hostname: authelia + image: authelia/authelia + environment: + - TZ=America/Chicago + ports: + - 9091:9091 + restart: always + volumes: + - ./appdata/authelia/config:/config + dozzle: container_name: dozzle hostname: dozzle diff --git a/protected_domain.conf b/protected_domain.conf new file mode 100644 index 0000000..f477d90 --- /dev/null +++ b/protected_domain.conf 
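Review bot: Live secrets are committed in this hunk — `jwt_secret`, `session.secret` (which is the very same string as `jwt_secret`), `storage.local.encryption_key`, and what looks like a Gmail app password under `notifier.smtp.password` — and all of them must now be treated as compromised and rotated. Move them out of the file into Authelia's `*_FILE` environment variables or Docker secrets, generate distinct random values for the JWT and session secrets, and leave placeholders in the checked-in template. The `access_control` comments describe bitwarden/webdav/meshcentral as "domains to protect", yet `policy: bypass` turns authentication off for them entirely, and the intended catch-all `- domain: ""` will not match any real host (it should be `"*.akanealw.com"`), so everything not listed just falls to the default deny. `log.level: debug` and `disable_startup_check: true` read like setup leftovers and should not ship as the default.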
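Review bot: `image: authelia/authelia` is unpinned, so every `restart: always` recreate or `pull` can swap in a different build of the identity provider; pin a specific version tag (better, an `@sha256:` digest) and bump it deliberately. `ports: - 9091:9091` also publishes the portal on every host interface, and `server.tls` in configuration.yml is empty, so the plaintext login endpoint is reachable around nginx; bind it to the proxy's address only, e.g. `- "127.0.0.1:9091:9091"` if nginx runs on this host, or drop `ports:` and share a Docker network — the nginx configs target 192.168.1.30, so I cannot tell from here which applies. Quote the port mapping (`"9091:9091"`) per the usual compose convention.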
@@ -0,0 +1,75 @@
+location /authelia {
+internal;
+set $upstream_authelia http://192.168.1.30:9091/api/verify;
+proxy_pass_request_body off;
+proxy_pass $upstream_authelia;
+proxy_set_header Content-Length "";
+
+# Timeout if the real server is dead
+proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
+client_body_buffer_size 128k;
+proxy_set_header Host $host;
+proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $remote_addr;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Host $http_host;
+proxy_set_header X-Forwarded-Uri $request_uri;
+proxy_set_header X-Forwarded-Ssl on;
+proxy_redirect http:// $scheme://;
+proxy_http_version 1.1;
+proxy_set_header Connection "";
+proxy_cache_bypass $cookie_session;
+proxy_no_cache $cookie_session;
+proxy_buffers 4 32k;
+
+send_timeout 5m;
+proxy_read_timeout 240;
+proxy_send_timeout 240;
+proxy_connect_timeout 240;
+}
+
+location / {
+set $upstream_container_name $forward_scheme://$server:$port;
+proxy_pass $upstream_container_name;
+
+auth_request /authelia;
+auth_request_set $target_url https://$http_host$request_uri;
+auth_request_set $user $upstream_http_remote_user;
+auth_request_set $email $upstream_http_remote_email;
+auth_request_set $groups $upstream_http_remote_groups;
+proxy_set_header Remote-User $user;
+proxy_set_header Remote-Email $email;
+proxy_set_header Remote-Groups $groups;
+
+error_page 401 =302 https://auth.akanealw.com/?rd=$target_url;
+
+client_body_buffer_size 128k;
+
+proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
+
+send_timeout 5m;
+proxy_read_timeout 360;
+proxy_send_timeout 360;
+proxy_connect_timeout 360;
+
+proxy_set_header Host $host;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection upgrade;
+proxy_set_header Accept-Encoding gzip;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Host $http_host;
+proxy_set_header X-Forwarded-Uri $request_uri;
+proxy_set_header X-Forwarded-Ssl on;
+proxy_redirect http:// $scheme://;
+proxy_http_version 1.1;
+proxy_set_header Connection "";
+proxy_cache_bypass $cookie_session;
+proxy_no_cache $cookie_session;
+proxy_buffers 64 256k;
+
+set_real_ip_from 192.168.1.0/24;
+real_ip_recursive on;
+}
\ No newline at end of file
diff --git a/users_database.yml b/users_database.yml
new file mode 100644
index 0000000..9b91867
--- /dev/null
+++ b/users_database.yml
@@ -0,0 +1,8 @@
+users:
+ akanealw: #username for user 1. change to whatever you'd like
+ displayname: "akanealw" #whatever you want the display name to be
+ password: "$argon2i$v=19$m=1024,t=1,p=8$eTQ3MXdqOGFiaDZoMUtMVw$OeHWQSg9zGKslOepe5t4D1T9BZJjHA1Z+doxZrZYDgI" #generated at https://argon2.online/
+ email: akanealw@gmail.com #whatever your email address is
+ groups: #enter the groups you want the user to be part of below
+ - admins
+ 
\ No newline at end of file
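Review bot: `location /` sets the Connection header twice — `proxy_set_header Connection upgrade;` and, a few lines later, `proxy_set_header Connection "";` — so what the backend actually receives depends on how nginx orders duplicate `proxy_set_header` entries rather than on whether the request is a WebSocket upgrade, and an unconditional `Connection: upgrade` next to an empty `Upgrade` header is wrong for ordinary requests either way. Replace both lines with one `proxy_set_header Connection $connection_upgrade;` backed by a `map $http_upgrade $connection_upgrade { default upgrade; '' close; }` in the http context. `$forward_scheme`, `$server` and `$port` on the `proxy_pass` line are defined outside this file (presumably by the surrounding proxy-manager template), so the protection here only holds for requests that land in this `location /`; any other `location` the enclosing server block adds has no `auth_request` and would be served unauthenticated. The same `set_real_ip_from 192.168.1.0/24;` without `real_ip_header` appears here as in authelia.conf and has the same trust-scope problem.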
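Review bot: The committed hash is `$argon2i$v=19$m=1024,t=1,p=8$…` — argon2i with 1 MiB of memory and a single pass — which does not match the `argon2id` settings configured in configuration.yml and is far weaker than what Authelia itself would produce; per the comment it was also generated by pasting the password into a third-party site (argon2.online), so that password should be considered exposed. Regenerate it locally with Authelia's own CLI (`authelia hash-password`, or `authelia crypto hash generate argon2` on newer releases) so the parameters match the configured backend and the secret never leaves the host. The file also ships a real username, e-mail and credential hash; keep the real `users_database.yml` out of the repository (mount it from the `/config` volume) and check in only a dummy example user.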