Introduction
Welcome to the world of homelabs! As you transition from a local network self-hosted system to a publicly exposed one, securing your services becomes paramount. One of the most effective ways to enhance security is by implementing Multi-Factor Authentication (MFA) using Authelia. This guide will walk you through the advanced techniques for integrating Authelia with SWAG (Secure Web Application Gateway) reverse proxy to secure your services.
Authelia provides a robust authentication mechanism that includes Single Sign-On (SSO) and Multi-Factor Authentication (MFA). By pairing it with SWAG, you can ensure that each proxied service requires a login, adding a layer of security to your homelab. This tutorial is designed for both beginners and advanced users, covering everything from installation to advanced configuration and troubleshooting.
By the end of this guide, you’ll have a secure, MFA-enabled homelab that you can confidently expose to the public. Let’s get started!
Installation Instructions
Before diving into the installation, ensure you meet the following prerequisites:
- Self-hosted hardware with sufficient resources (e.g., Raspberry Pi, home server)
- Operating System: Linux distribution (e.g., Ubuntu, Debian)
- SWAG reverse proxy already installed and configured
- Basic knowledge of Docker and Docker Compose
Step 1: Install Docker and Docker Compose
- Update your package list:

```shell
sudo apt update
```

- Install Docker:

```shell
sudo apt install docker.io
```

- Start and enable the Docker service:

```shell
sudo systemctl start docker
sudo systemctl enable docker
```

- Install Docker Compose:

```shell
sudo apt install docker-compose
```
Step 2: Set Up SWAG Reverse Proxy
If you haven’t already set up SWAG, follow these steps:
- Clone the SWAG repository:

```shell
git clone https://github.com/linuxserver/docker-swag.git swag
```

- Navigate to the SWAG directory:

```shell
cd swag
```

- Create a Docker Compose file for SWAG:

```shell
nano docker-compose.yml
```

- Add the following content to the file:

```yaml
version: "3"
services:
  swag:
    image: linuxserver/swag
    container_name: swag
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/London
      - URL=yourdomain.com
      - SUBDOMAINS=www,
      - VALIDATION=http
      - EMAIL=your-email@domain.com
    volumes:
      - ./config:/config
    ports:
      - 443:443
      - 80:80
    restart: unless-stopped
```

- Save and exit the editor (Ctrl+O, Enter, Ctrl+X).
- Start SWAG:

```shell
docker-compose up -d
```

- Verify SWAG is running:

```shell
docker ps
```
Step 3: Install and Configure Authelia
Now let’s set up Authelia:
- Create a directory for the Authelia configuration:

```shell
mkdir -p ~/authelia/config ~/authelia/data
```

- Navigate to the Authelia directory:

```shell
cd ~/authelia
```

- Create a Docker Compose file for Authelia:

```shell
nano docker-compose.yml
```

- Add the following content to the file:

```yaml
version: "3"
services:
  authelia:
    image: authelia/authelia
    container_name: authelia
    volumes:
      - ./config:/config
      - ./data:/var/lib/authelia
    environment:
      - TZ=Europe/London
    ports:
      - 9091:9091
    restart: unless-stopped
# Note: SWAG reaches this container as http://authelia:9091 by container name. SWAG and
# Authelia are separate Compose projects here, so that name only resolves if both
# containers are attached to a shared user-defined Docker network.
```

- Save and exit the editor (Ctrl+O, Enter, Ctrl+X).
- Create the Authelia configuration file:

```shell
nano config/configuration.yml
```

- Add the following basic configuration:

```yaml
host: 0.0.0.0
port: 9091
log:
  level: debug              # verbose; lower to info once the setup works
jwt_secret: a_very_secret_key                 # placeholder: replace with a long random value
default_redirection_url: https://yourdomain.com
totp:
  issuer: authelia
authentication_backend:
  file:
    path: /config/users_database.yml
access_control:
  default_policy: deny      # any request no rule matches is refused
  rules:
    - domain: yourdomain.com
      policy: one_factor    # password only; two_factor is the policy that enforces MFA
session:
  name: authelia_session
  secret: a_very_secret_session_key           # placeholder: replace with a long random value
  expiration: 3600
  inactivity: 300
  domain: yourdomain.com
storage:
  local:
    path: /var/lib/authelia/db.sqlite3
```

- Save and exit the editor (Ctrl+O, Enter, Ctrl+X).
- Create the user database file:

```shell
nano config/users_database.yml
```

- Add a user for testing:

```yaml
users:
  user1:
    displayname: "User One"   # name shown in the portal; placeholder value added here
    # The hash below is a placeholder, not a real digest: generate one with the Authelia
    # CLI (`authelia hash-password`, or `authelia crypto hash generate argon2` on newer releases)
    password: "$argon2id$v=19$m=65536,t=2,p=1$YXV0aGVsaWE$user_password_hash"
    email: user1@domain.com
    groups:
      - admin
```

- Save and exit the editor (Ctrl+O, Enter, Ctrl+X).
- Start Authelia:

```shell
docker-compose up -d
```

- Verify Authelia is running:

```shell
docker ps
```
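Because the file backend only accepts argon2 PHC strings, a placeholder left in users_database.yml silently breaks every login. The following checker is an added example (not code from this guide or from Authelia) that parses each `password:` value as a PHC string and reports what is wrong with it; the sample file is constructed for the example, and the second user's hash is a well-formed dummy, not a real digest. The YAML is scanned with a line regex so the script needs only the standard library.

```python
"""Check that the password hashes in an Authelia users_database.yml are well-formed
argon2id PHC strings. Added example; the sample data below is constructed."""
import base64
import re

# Constructed sample: the guide's placeholder entry plus a syntactically valid dummy entry
SAMPLE_USERS_DATABASE = """\
users:
  user1:
    password: "$argon2id$v=19$m=65536,t=2,p=1$YXV0aGVsaWE$user_password_hash"
    email: user1@domain.com
    groups:
      - admin
  user2:
    password: "$argon2id$v=19$m=65536,t=3,p=4$c2FsdHNhbHRzYWx0c2FsdA$3WEH5xUo9XoLk1jT3mSLx/iLdS6b0QSdCLDPGQtbSs8"
    email: user2@domain.com
    groups:
      - users
"""

# $argon2<variant>$v=<version>$<params>$<salt>$<hash>
PHC_RE = re.compile(
    r"^\$argon2(?P<variant>id|i|d)\$v=(?P<version>\d+)\$"
    r"(?P<params>[a-z]=\d+(?:,[a-z]=\d+)*)\$(?P<salt>[^$]+)\$(?P<hash>[^$]+)$"
)
B64_RE = re.compile(r"^[A-Za-z0-9+/]+$")          # PHC fields use unpadded standard base64
USER_RE = re.compile(r"^  (?P<user>[^\s:]+):\s*$")  # two-space indent: a user name
PASS_RE = re.compile(r'^\s+password:\s*"?(?P<hash>[^"\s]+)"?\s*$')


def _b64_decode_unpadded(raw):
    """Decode base64 that was stored without '=' padding."""
    return base64.b64decode(raw + "=" * (-len(raw) % 4))


def check_argon2_hash(value):
    """Return the list of problems with an argon2 PHC string (empty list means it is well-formed)."""
    m = PHC_RE.match(value)
    if not m:
        return ["not an argon2 PHC string"]
    problems = []
    if m.group("variant") != "id":
        problems.append("argon2%s variant; argon2id is the recommended one" % m.group("variant"))
    if m.group("version") != "19":
        problems.append("unexpected argon2 version v=%s" % m.group("version"))
    params = dict(p.split("=") for p in m.group("params").split(","))
    missing = [k for k in ("m", "t", "p") if k not in params]
    if missing:
        problems.append("missing parameters: %s" % ",".join(missing))
    for part, min_len in (("salt", 8), ("hash", 16)):
        raw = m.group(part)
        if not B64_RE.match(raw):
            problems.append("%s is not unpadded base64" % part)
            continue
        if len(_b64_decode_unpadded(raw)) < min_len:
            problems.append("%s is shorter than %d bytes" % (part, min_len))
    return problems


def audit_users_database(text):
    """Map each user in a users_database.yml text to the problems found in its password hash."""
    report = {}
    user = None
    for line in text.splitlines():
        um = USER_RE.match(line)
        if um:
            user = um.group("user")
            continue
        pm = PASS_RE.match(line)
        if pm and user:
            report[user] = check_argon2_hash(pm.group("hash"))
    return report


if __name__ == "__main__":
    for name, problems in audit_users_database(SAMPLE_USERS_DATABASE).items():
        print(name, "->", "OK" if not problems else "; ".join(problems))
```

Run it against your own file with `audit_users_database(open("config/users_database.yml").read())`; any user that reports a problem cannot log in until the hash is regenerated.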
Integrating Authelia with SWAG
To protect your services with Authelia, you’ll need to configure SWAG to use Authelia as a forward authentication provider.
- Edit your SWAG configuration file:

```shell
nano ~/swag/config/nginx/site-confs/default
```

- Add the following configuration to enable Authelia. The auth subrequest needs the absolute original URL, so $target_url is assigned with `set` before auth_request runs (auth_request_set only assigns after the subrequest completes), and the two helper locations sit at server level because nginx rejects a named location nested inside another location:

```nginx
# Address of the Authelia container as seen from SWAG
set $upstream_authelia http://authelia:9091;

location / {
    include /config/nginx/proxy.conf;
    include /config/nginx/resolver.conf;

    # Absolute URL of the original request; Authelia needs scheme and host to match its rules
    set $target_url $scheme://$http_host$request_uri;

    # Ask Authelia whether this request is allowed
    auth_request /authelia;
    # Identity Authelia returns on a 200 ($remote_user would only carry nginx basic-auth data)
    auth_request_set $user $upstream_http_remote_user;
    auth_request_set $groups $upstream_http_remote_groups;
    proxy_set_header Remote-User $user;
    proxy_set_header Remote-Groups $groups;
    error_page 401 = @error401;

    proxy_pass http://your_service;
}

location = /authelia {
    internal;
    include /config/nginx/resolver.conf;
    proxy_pass $upstream_authelia/api/verify;
    proxy_set_header Content-Length "";
    proxy_set_header X-Original-URL $target_url;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}

# Unauthenticated requests go to the Authelia portal with the original URL in rd=.
# Authelia's documented layout publishes the portal on its own subdomain and uses
# `return 302 https://auth.yourdomain.com/?rd=$target_url;` here instead.
location @error401 {
    include /config/nginx/resolver.conf;
    proxy_pass $upstream_authelia/?rd=$target_url;
}
```

- Save and exit the editor (Ctrl+O, Enter, Ctrl+X).
- Restart SWAG to apply changes:

```shell
docker-compose restart swag
```
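To make the forward-auth loop above concrete, here is an added example (not code from the guide, SWAG or Authelia) that models both sides of it in Python: the proxy sends X-Original-URL, Authelia matches the host against access_control rules (first match wins, default_policy otherwise), compares the required policy with the session's authentication level, and the proxy either forwards the request with Remote-User/Remote-Groups or redirects to the portal with rd=<original URL>. The rule set, sessions and URLs are constructed; the rule set extends the guide's with a two_factor rule for a subdomain so both policies are exercised.

```python
"""Model of the SWAG (nginx auth_request) <-> Authelia (/api/verify) decision loop.
Added example; rules, sessions and URLs below are constructed."""
from urllib.parse import quote, urlsplit

LEVELS = {"bypass": 0, "one_factor": 1, "two_factor": 2}

# Constructed access_control section: the guide's rule plus a two_factor rule for a subdomain
ACCESS_CONTROL = {
    "default_policy": "deny",
    "rules": [
        {"domain": "nextcloud.yourdomain.com", "policy": "two_factor"},
        {"domain": "yourdomain.com", "policy": "one_factor"},
    ],
}

# Constructed session store: cookie value -> (user, groups, authentication level)
SESSIONS = {
    "cookie-pw-only": ("user1", ["admin"], 1),   # password accepted, no second factor
    "cookie-pw-totp": ("user1", ["admin"], 2),   # password and TOTP accepted
}


def domain_matches(pattern, host):
    """Authelia-style domain rule: exact host, or '*.example.com' for any subdomain."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def required_policy(url):
    """First access_control rule whose domain matches the request host, else the default."""
    host = urlsplit(url).hostname or ""
    for rule in ACCESS_CONTROL["rules"]:
        if domain_matches(rule["domain"], host):
            return rule["policy"]
    return ACCESS_CONTROL["default_policy"]


def api_verify(headers):
    """Authelia side of the subrequest: returns (status, response headers)."""
    original = headers.get("X-Original-URL", "")
    parts = urlsplit(original)
    if not parts.scheme or not parts.hostname:
        return 400, {}            # rules cannot be evaluated without an absolute URL
    session = SESSIONS.get(headers.get("Cookie", ""))
    level = session[2] if session else 0
    policy = required_policy(original)
    if policy == "deny":
        # anonymous users are sent to log in first; authenticated users are refused
        return (401, {}) if session is None else (403, {})
    if level >= LEVELS[policy]:
        user, groups = (session[0], session[1]) if session else ("", [])
        return 200, {"Remote-User": user, "Remote-Groups": ",".join(groups)}
    return 401, {}                # anonymous, or authenticated below the required level


def proxy_request(url, cookie=""):
    """SWAG side: run the auth subrequest, then proxy_pass or redirect to the portal."""
    status, hdrs = api_verify({"X-Original-URL": url, "Cookie": cookie})
    if status == 200:
        return {"action": "proxy_pass",
                "Remote-User": hdrs["Remote-User"],
                "Remote-Groups": hdrs["Remote-Groups"]}
    if status == 401:
        # error_page 401 = @error401 -> portal with the absolute original URL in rd=
        return {"action": "redirect", "location": "/?rd=" + quote(url, safe="")}
    return {"action": "error", "status": status}


if __name__ == "__main__":
    for url, cookie in [("https://yourdomain.com/", ""),
                        ("https://yourdomain.com/", "cookie-pw-only"),
                        ("https://nextcloud.yourdomain.com/", "cookie-pw-only"),
                        ("https://nextcloud.yourdomain.com/", "cookie-pw-totp"),
                        ("https://other.yourdomain.com/", "cookie-pw-totp"),
                        ("/files", "cookie-pw-totp")]:
        print(url, cookie or "<no session>", "->", proxy_request(url, cookie))
```

Two of the runs show why the nginx details matter: a relative X-Original-URL (`/files`) cannot be evaluated at all, and a password-only session is bounced back to the portal on the two_factor host even though it passes on the one_factor host.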
Configuring Multi-Factor Authentication (MFA)
To enable MFA in Authelia, you’ll need to configure TOTP (Time-based One-Time Password) or WebAuthn.
Configuring TOTP
- Edit the Authelia configuration file:

```shell
nano ~/authelia/config/configuration.yml
```

- Ensure the following lines are present:

```yaml
totp:
  issuer: authelia
# Authelia only prompts for a second factor where the matching access_control rule uses
# policy: two_factor; a one_factor rule stops at the password
```

- Save and exit the editor (Ctrl+O, Enter, Ctrl+X).
- Restart Authelia:

```shell
docker-compose restart authelia
```

Configuring WebAuthn
- Edit the Authelia configuration file:

```shell
nano ~/authelia/config/configuration.yml
```

- Add the following lines:

```yaml
webauthn:
  display_name: "Authelia"
  attestation_conveyance_preference: "direct"   # Authelia's key for the attestation setting
  user_verification: "discouraged"              # skips PIN/biometric on the key; preferred or required is stronger
  timeout: 60s
```

- Save and exit the editor (Ctrl+O, Enter, Ctrl+X).
- Restart Authelia:

```shell
docker-compose restart authelia
```
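The TOTP section above is short because Authelia fills in the defaults (6 digits, a 30-second period, SHA-1, one step of skew). The following added example, which is not Authelia's own code, implements that scheme with the standard library: it builds the otpauth:// enrollment URI the portal shows as a QR code (using the issuer from `totp.issuer`), generates a code, and verifies a submitted code with a +/-1 step window. The window is also why the troubleshooting advice to keep the server clock synchronized matters: a clock more than about one period away from the phone's rejects every valid code. The seed and timestamps are the published RFC 6238 test values, not real secrets.

```python
"""RFC 6238 TOTP as configured by Authelia's totp section (6 digits, 30 s, SHA-1).
Added example; the seed below is the RFC 6238 test value, not a real secret."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

ISSUER = "authelia"   # matches totp.issuer in configuration.yml
DIGITS = 6
PERIOD = 30

RFC_SEED = b"12345678901234567890"   # RFC 6238 SHA-1 test seed (constructed test value)


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def totp(secret, at=None, period=PERIOD):
    """Code for the time step containing `at` (seconds since the epoch; now if omitted)."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // period))


def verify_totp(secret, code, at=None, period=PERIOD, skew=1):
    """Accept a code for the current step or up to `skew` steps on either side."""
    at = time.time() if at is None else at
    step = int(at // period)
    return any(hmac.compare_digest(hotp(secret, step + d), code)
               for d in range(-skew, skew + 1))


def enrollment_uri(secret, username, issuer=ISSUER):
    """otpauth:// URI an authenticator app scans; secret is base32 without padding."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return ("otpauth://totp/%s:%s?secret=%s&issuer=%s&algorithm=SHA1&digits=%d&period=%d"
            % (quote(issuer), quote(username), b32, quote(issuer), DIGITS, PERIOD))


if __name__ == "__main__":
    print(enrollment_uri(RFC_SEED, "user1"))
    print("code at T=59:", totp(RFC_SEED, at=59))
    # same code submitted 30 s later still passes (one step of skew), 61 s later it does not
    print(verify_totp(RFC_SEED, totp(RFC_SEED, at=59), at=89),
          verify_totp(RFC_SEED, totp(RFC_SEED, at=59), at=120))
```

Authelia stores the per-user secret in its database after enrollment; the server never sees the phone's clock, so the only tolerance it has is the skew window shown here.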
Practical Examples or Case Studies
Let’s walk through a practical example of securing a Nextcloud instance with Authelia and SWAG.
- Ensure Nextcloud is running behind the SWAG reverse proxy.
- Edit your SWAG configuration file for Nextcloud:

```shell
nano ~/swag/config/nginx/site-confs/nextcloud
```

- Add the following configuration to enable Authelia for Nextcloud (the same layout as the default site: $target_url set before the subrequest, helper locations at server level):

```nginx
set $upstream_authelia http://authelia:9091;

location / {
    include /config/nginx/proxy.conf;
    include /config/nginx/resolver.conf;

    # Absolute original URL for Authelia's rule matching
    set $target_url $scheme://$http_host$request_uri;

    auth_request /authelia;
    auth_request_set $user $upstream_http_remote_user;
    auth_request_set $groups $upstream_http_remote_groups;
    proxy_set_header Remote-User $user;
    proxy_set_header Remote-Groups $groups;
    error_page 401 = @error401;

    proxy_pass http://nextcloud;
}

location = /authelia {
    internal;
    include /config/nginx/resolver.conf;
    proxy_pass $upstream_authelia/api/verify;
    proxy_set_header Content-Length "";
    proxy_set_header X-Original-URL $target_url;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}

location @error401 {
    include /config/nginx/resolver.conf;
    proxy_pass $upstream_authelia/?rd=$target_url;
}
```

- Save and exit the editor (Ctrl+O, Enter, Ctrl+X).
- Restart SWAG to apply changes:

```shell
docker-compose restart swag
```

- Access your Nextcloud instance and verify that Authelia prompts for authentication.
Tips, Warnings, and Best Practices
Here are some important considerations and best practices for securing your homelab with Authelia:
- Regular Updates: Keep your software up to date to benefit from the latest security patches and features.
- Backup Configurations: Regularly backup your Authelia and SWAG configuration files.
- Use Strong Passwords: Ensure that all passwords and secrets are strong and unique.
- Monitor Logs: Regularly check Authelia and SWAG logs for any suspicious activity.
- Test MFA: Periodically test your MFA setup to ensure it’s functioning correctly.
Conclusion
By following this guide, you’ve successfully secured your homelab with Authelia and SWAG, adding an essential layer of protection through Multi-Factor Authentication. This setup not only enhances security but also provides a seamless user experience with Single Sign-On (SSO) capabilities. As you expose more services to the public, continue to follow best practices and keep your environment secure.
If you have any questions or need further assistance, feel free to leave a comment. Happy hosting!
Additional Resources
- Authelia Documentation – Official documentation for Authelia.
- SWAG Documentation – Official documentation for SWAG.
- SWAG Docker Hub – SWAG Docker image on Docker Hub.
- Authelia Docker Hub – Authelia Docker image on Docker Hub.
Frequently Asked Questions (FAQs)
Q: Can I use Authelia with other reverse proxies?
A: Yes, Authelia can be integrated with other reverse proxies like Nginx and Traefik. The configuration steps will vary slightly.
Q: How do I reset my Authelia password?
A: You can reset your password by editing the users_database.yml file and updating the password hash.
Q: Can I use Authelia for multiple domains?
A: Yes, you can configure Authelia to handle authentication for multiple domains by updating the access_control rules in the configuration file.
Troubleshooting Guide
Here are some common issues and solutions:
- Authelia not prompting for authentication: Ensure that the SWAG configuration file correctly points to the Authelia authentication endpoint.
- Session issues: Check the session configuration in configuration.yml and ensure that the session secret is correctly set.
- MFA not working: Verify that TOTP or WebAuthn is correctly configured and that the time on your server is synchronized.
For more detailed troubleshooting, refer to the Authelia documentation.
Thank you for following this guide, and best of luck securing your homelab!