Securing Your Homelab with Authelia: Advanced Techniques for Multi-Factor Authentication

Introduction

Welcome to the world of homelabs! As you transition from a local network self-hosted system to a publicly exposed one, securing your services becomes paramount. One of the most effective ways to enhance security is by implementing Multi-Factor Authentication (MFA) using Authelia. This guide will walk you through the advanced techniques for integrating Authelia with SWAG (Secure Web Application Gateway) reverse proxy to secure your services.

Authelia provides a robust authentication mechanism that includes Single Sign-On (SSO) and Multi-Factor Authentication (MFA). By pairing it with SWAG, you can ensure that each proxied service requires a login, adding a layer of security to your homelab. This tutorial is designed for both beginners and advanced users, covering everything from installation to advanced configuration and troubleshooting.

By the end of this guide, you’ll have a secure, MFA-enabled homelab that you can confidently expose to the public. Let’s get started!

Installation Instructions

Before diving into the installation, ensure you meet the following prerequisites:

  • Self-hosted hardware with sufficient resources (e.g., Raspberry Pi, home server)
  • Operating System: Linux distribution (e.g., Ubuntu, Debian)
  • SWAG reverse proxy already installed and configured
  • Basic knowledge of Docker and Docker Compose

Step 1: Install Docker and Docker Compose

  1. Update your package list:

     sudo apt update

  2. Install Docker:

     sudo apt install docker.io

  3. Start and enable the Docker service:

     sudo systemctl start docker
     sudo systemctl enable docker

  4. Install Docker Compose:

     sudo apt install docker-compose

Step 2: Set Up SWAG Reverse Proxy

If you haven’t already set up SWAG, follow these steps:

  1. Clone the SWAG repository:

     git clone https://github.com/linuxserver/docker-swag.git swag

  2. Navigate to the SWAG directory:

     cd swag

  3. Create a Docker Compose file for SWAG:

     nano docker-compose.yml

  4. Add the following content to the file:

     version: "3"
     services:
       swag:
         image: linuxserver/swag
         container_name: swag
         cap_add:
           - NET_ADMIN
         environment:
           - PUID=1000
           - PGID=1000
           - TZ=Europe/London
           - URL=yourdomain.com
           - SUBDOMAINS=www,
           - VALIDATION=http
           - EMAIL=your-email@domain.com
         volumes:
           - ./config:/config
         ports:
           - 443:443
           - 80:80
         restart: unless-stopped

  5. Save and exit the editor (Ctrl+O, Enter, Ctrl+X).
  6. Start SWAG:

     docker-compose up -d

  7. Verify SWAG is running:

     docker ps

Step 3: Install and Configure Authelia

Now let’s set up Authelia:

  1. Create directories for the Authelia configuration and data:

     mkdir -p ~/authelia/config ~/authelia/data

  2. Navigate to the Authelia directory:

     cd ~/authelia

  3. Create a Docker Compose file for Authelia:

     nano docker-compose.yml

  4. Add the following content to the file:

     version: "3"
     services:
       authelia:
         image: authelia/authelia
         container_name: authelia
         volumes:
           - ./config:/config
           - ./data:/var/lib/authelia
         environment:
           - TZ=Europe/London
         ports:
           - 9091:9091
         restart: unless-stopped

  5. Save and exit the editor (Ctrl+O, Enter, Ctrl+X).
  6. Create the Authelia configuration file:

     nano config/configuration.yml

  7. Add the following basic configuration (replace the two placeholder secrets with long random values before exposing the instance):

     host: 0.0.0.0
     port: 9091

     log:
       level: debug

     jwt_secret: a_very_secret_key

     default_redirection_url: https://yourdomain.com

     totp:
       issuer: authelia

     authentication_backend:
       file:
         path: /config/users_database.yml

     access_control:
       default_policy: deny
       rules:
         - domain: yourdomain.com
           policy: one_factor

     session:
       name: authelia_session
       secret: a_very_secret_session_key
       expiration: 3600
       inactivity: 300
       domain: yourdomain.com

     storage:
       local:
         path: /var/lib/authelia/db.sqlite3

  8. Save and exit the editor (Ctrl+O, Enter, Ctrl+X).
  9. Create the user database file:

     nano config/users_database.yml

  10. Add a user for testing (the password field holds an argon2id hash, never the plaintext password; the value below is a placeholder to be replaced with a real hash):

      users:
        user1:
          password: "$argon2id$v=19$m=65536,t=2,p=1$YXV0aGVsaWE$user_password_hash"
          email: user1@domain.com
          groups:
            - admin

  11. Save and exit the editor (Ctrl+O, Enter, Ctrl+X).
  12. Start Authelia:

      docker-compose up -d

  13. Verify Authelia is running:

      docker ps
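Before starting the container it is worth checking that the two files from Step 3 no longer carry the guide's sample values. The script below is an added example written for this guide, not Authelia's own tooling: it scans configuration.yml and users_database.yml as plain text (no PyYAML needed), flags the placeholder secrets, the debug log level and a password field that is not an argon2id hash, and can generate replacement secrets. The embedded sample texts are constructed copies of the guide's files; the key names and placeholder strings are the guide's own.

```python
"""Pre-flight lint for the Authelia files created in Step 3 (added example)."""
import re
import secrets

# Placeholder values used verbatim in the guide's sample configuration.yml.
PLACEHOLDER_SECRETS = {"a_very_secret_key", "a_very_secret_session_key"}

# Keys whose values must be long random strings (jwt_secret and session.secret).
SECRET_KEYS = {"jwt_secret", "secret"}

# PHC-style argon2id string, the only form Authelia's file backend should store.
ARGON2ID_RE = re.compile(
    r"^\$argon2id\$v=19\$m=\d+,t=\d+,p=\d+\$[A-Za-z0-9+/]+\$[A-Za-z0-9+/]+$"
)

# Constructed excerpt of the guide's configuration.yml.
SAMPLE_CONFIGURATION = """\
host: 0.0.0.0
port: 9091
log:
  level: debug
jwt_secret: a_very_secret_key
default_redirection_url: https://yourdomain.com
session:
  name: authelia_session
  secret: a_very_secret_session_key
  expiration: 3600
"""

# Constructed copy of the guide's users_database.yml (placeholder hash included).
SAMPLE_USERS = """\
users:
  user1:
    password: "$argon2id$v=19$m=65536,t=2,p=1$YXV0aGVsaWE$user_password_hash"
    email: user1@domain.com
"""


def generate_secret(nbytes: int = 32) -> str:
    """Random URL-safe string for jwt_secret / session.secret (43 chars for 32 bytes)."""
    return secrets.token_urlsafe(nbytes)


def _key_value(line: str):
    """Split a simple 'key: value' YAML line; (None, None) for anything else."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#") or ":" not in stripped:
        return None, None
    key, _, value = stripped.partition(":")
    return key.strip(), value.strip().strip("\"'")


def lint_configuration(text: str) -> list[str]:
    """Return findings for configuration.yml; an empty list means nothing to fix."""
    findings = []
    for line in text.splitlines():
        key, value = _key_value(line)
        if key in SECRET_KEYS:
            if value in PLACEHOLDER_SECRETS:
                findings.append(f"{key}: still the guide's placeholder value")
            elif len(value) < 32:
                findings.append(f"{key}: shorter than 32 characters")
        elif key == "level" and value == "debug":
            findings.append("log.level: debug; switch to info once the setup works")
    return findings


def lint_users_database(text: str) -> list[str]:
    """Flag password fields that are not argon2id hashes (such as the guide's placeholder)."""
    findings = []
    for line in text.splitlines():
        key, value = _key_value(line)
        if key == "password" and not ARGON2ID_RE.match(value or ""):
            findings.append(f"password is not an argon2id hash: {value[:24]}...")
    return findings


def harden_configuration(text: str) -> str:
    """Swap the placeholder secrets for fresh random ones and lower the log level."""
    for placeholder in PLACEHOLDER_SECRETS:
        text = text.replace(placeholder, generate_secret())
    return text.replace("level: debug", "level: info")


if __name__ == "__main__":
    for name, findings in (("configuration.yml", lint_configuration(SAMPLE_CONFIGURATION)),
                           ("users_database.yml", lint_users_database(SAMPLE_USERS))):
        print(f"{name}: {'clean' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
    hardened = harden_configuration(SAMPLE_CONFIGURATION)
    print("after harden_configuration:", lint_configuration(hardened) or "clean")
```

Run it against your real files by reading them into the two lint functions; the checks are deliberately line-based, so a key named `level` or `secret` elsewhere in a larger configuration would also be reported and should be reviewed by hand.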

Main Content Sections

Integrating Authelia with SWAG

To protect your services with Authelia, you’ll need to configure SWAG to use Authelia as a forward authentication provider: for every request, nginx makes an internal subrequest to Authelia’s verify endpoint and only proxies the request to the service when Authelia answers 200. The configuration below reaches Authelia as http://authelia:9091, so the SWAG and Authelia containers must share a Docker network (for example, by attaching both services to the same user-defined network in their compose files); otherwise nginx cannot resolve the name authelia.

  1. Edit your SWAG configuration file:

     nano ~/swag/config/nginx/site-confs/default

  2. Add the following configuration to enable Authelia. The URL handed to Authelia (in the X-Original-URL header and the rd redirect parameter) must be absolute, so it is built from the scheme, host and request URI rather than from the path alone:

     location / {
         proxy_pass http://your_service;
         include /config/nginx/proxy.conf;
         include /config/nginx/resolver.conf;

         set $upstream_authelia http://authelia:9091;
         proxy_set_header X-Forwarded-User $remote_user;

         # Every request is checked against Authelia first; 401 sends the
         # client to the login portal with the original URL in rd.
         auth_request /authelia;
         auth_request_set $target_url $scheme://$http_host$request_uri;
         error_page 401 = @error401;

         location = /authelia {
             internal;
             proxy_pass $upstream_authelia/api/verify;
             # The verify subrequest carries headers only, never the body.
             proxy_pass_request_body off;
             proxy_set_header Content-Length "";
             proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
             proxy_set_header X-Real-IP $remote_addr;
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_set_header X-Forwarded-Proto $scheme;
         }

         location @error401 {
             internal;
             proxy_pass $upstream_authelia/?rd=$target_url;
         }
     }

  3. Save and exit the editor (Ctrl+O, Enter, Ctrl+X).
  4. Restart SWAG to apply the changes:

     docker-compose restart swag

Configuring Multi-Factor Authentication (MFA)

To enable MFA in Authelia, you’ll need to configure TOTP (Time-based One-Time Password) or WebAuthn.

Configuring TOTP

  1. Edit the Authelia configuration file:

     nano ~/authelia/config/configuration.yml

  2. Ensure the following lines are present:

     totp:
       issuer: authelia

  3. Save and exit the editor (Ctrl+O, Enter, Ctrl+X).
  4. Restart Authelia:

     docker-compose restart authelia

Configuring WebAuthn

  1. Edit the Authelia configuration file:

     nano ~/authelia/config/configuration.yml

  2. Add the following lines:

     webauthn:
       display_name: "Authelia"
       attestation: "direct"
       user_verification: "discouraged"
       timeout: 60s

  3. Save and exit the editor (Ctrl+O, Enter, Ctrl+X).
  4. Restart Authelia:

     docker-compose restart authelia

Practical Examples or Case Studies

Let’s walk through a practical example of securing a Nextcloud instance with Authelia and SWAG.

  1. Ensure Nextcloud is running behind the SWAG reverse proxy.
  2. Edit your SWAG configuration file for Nextcloud:

     nano ~/swag/config/nginx/site-confs/nextcloud

  3. Add the following configuration to enable Authelia for Nextcloud (as in the generic configuration, the URL passed to Authelia is built as an absolute URL):

     location / {
         proxy_pass http://nextcloud;
         include /config/nginx/proxy.conf;
         include /config/nginx/resolver.conf;

         set $upstream_authelia http://authelia:9091;
         proxy_set_header X-Forwarded-User $remote_user;

         auth_request /authelia;
         auth_request_set $target_url $scheme://$http_host$request_uri;
         error_page 401 = @error401;

         location = /authelia {
             internal;
             proxy_pass $upstream_authelia/api/verify;
             proxy_pass_request_body off;
             proxy_set_header Content-Length "";
             proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
             proxy_set_header X-Real-IP $remote_addr;
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_set_header X-Forwarded-Proto $scheme;
         }

         location @error401 {
             internal;
             proxy_pass $upstream_authelia/?rd=$target_url;
         }
     }

  4. Save and exit the editor (Ctrl+O, Enter, Ctrl+X).
  5. Restart SWAG to apply the changes:

     docker-compose restart swag

  6. Access your Nextcloud instance and verify that Authelia prompts for authentication.

Tips, Warnings, and Best Practices

Here are some important considerations and best practices for securing your homelab with Authelia:

  • Regular Updates: Keep your software up to date to benefit from the latest security patches and features.
  • Back Up Configurations: Regularly back up your Authelia and SWAG configuration files.
  • Use Strong Passwords: Ensure that all passwords and secrets are strong and unique.
  • Monitor Logs: Regularly check Authelia and SWAG logs for any suspicious activity.
  • Test MFA: Periodically test your MFA setup to ensure it’s functioning correctly.

Conclusion

By following this guide, you’ve successfully secured your homelab with Authelia and SWAG, adding an essential layer of protection through Multi-Factor Authentication. This setup not only enhances security but also provides a seamless user experience with Single Sign-On (SSO) capabilities. As you expose more services to the public, continue to follow best practices and keep your environment secure.

If you have any questions or need further assistance, feel free to leave a comment. Happy hosting!

Additional Resources

Frequently Asked Questions (FAQs)

Q: Can I use Authelia with other reverse proxies?

A: Yes, Authelia can be integrated with other reverse proxies like Nginx and Traefik. The configuration steps will vary slightly.

Q: How do I reset my Authelia password?

A: You can reset your password by editing the users_database.yml file and updating the password hash.

Q: Can I use Authelia for multiple domains?

A: Yes, you can configure Authelia to handle authentication for multiple domains by adding rules for each domain under access_control in the configuration file. Rules are evaluated from top to bottom and the first matching rule wins, with default_policy applying when none matches, so list the most specific domains first.
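The ordering point matters in practice: a wildcard rule placed above a more specific one silently downgrades the policy for that host. The script below is an added example written for this guide, not Authelia's own rule engine. It models the fields the guide's access_control block uses (domain, including Authelia's `*.` wildcard, which matches subdomains but not the apex) plus an optional subject of `user:`/`group:` entries, and applies Authelia's first-match evaluation with default_policy as the fallback. Networks, resources, methods and the login-before-subject-evaluation behaviour for anonymous requests are left out. Both rule sets are constructed; the hostnames extend the guide's yourdomain.com placeholder.

```python
"""First-match resolver for Authelia-style access_control rules (added example)."""
from typing import Iterable, Optional

POLICIES = ("bypass", "one_factor", "two_factor", "deny")


def match_domain(pattern: str, host: str) -> bool:
    """Exact match, or '*.example.com' matching any subdomain but not example.com itself."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def match_subject(subjects: Iterable[str], user: Optional[str], groups: Iterable[str]) -> bool:
    """A rule with a subject list matches only a user who is named or belongs to a listed group."""
    subjects = list(subjects)
    if not subjects:
        return True
    if user is None:
        return False
    groups = set(groups)
    for subject in subjects:
        kind, _, name = subject.partition(":")
        if (kind == "user" and name == user) or (kind == "group" and name in groups):
            return True
    return False


def resolve_policy(access_control: dict, host: str,
                   user: Optional[str] = None, groups: Iterable[str] = ()) -> str:
    """Walk the rules top to bottom; the first match decides, else default_policy."""
    for rule in access_control.get("rules", []):
        domains = rule["domain"]
        if isinstance(domains, str):
            domains = [domains]
        subjects = rule.get("subject", [])
        if isinstance(subjects, str):
            subjects = [subjects]
        if any(match_domain(d, host) for d in domains) and match_subject(subjects, user, groups):
            policy = rule["policy"]
            assert policy in POLICIES, f"unknown policy {policy!r}"
            return policy
    return access_control.get("default_policy", "deny")


# Constructed rule set, most specific first: admin UI needs MFA, the monitoring
# host is limited to the admin group, everything else under the domain is one_factor.
ORDERED = {
    "default_policy": "deny",
    "rules": [
        {"domain": "admin.yourdomain.com", "policy": "two_factor"},
        {"domain": "grafana.yourdomain.com", "policy": "one_factor", "subject": ["group:admin"]},
        {"domain": "grafana.yourdomain.com", "policy": "deny"},
        {"domain": ["yourdomain.com", "*.yourdomain.com"], "policy": "one_factor"},
    ],
}

# The same intent with the wildcard moved to the top: it now shadows the admin rule.
SHADOWED = {
    "default_policy": "deny",
    "rules": [
        {"domain": ["yourdomain.com", "*.yourdomain.com"], "policy": "one_factor"},
        {"domain": "admin.yourdomain.com", "policy": "two_factor"},
    ],
}


if __name__ == "__main__":
    for host in ("admin.yourdomain.com", "cloud.yourdomain.com", "yourdomain.com", "other.example.com"):
        print(f"{host:24} ordered={resolve_policy(ORDERED, host):10} shadowed={resolve_policy(SHADOWED, host)}")
    print("grafana as admin:", resolve_policy(ORDERED, "grafana.yourdomain.com", "user1", ["admin"]))
    print("grafana as guest:", resolve_policy(ORDERED, "grafana.yourdomain.com", "guest", ["users"]))
```

Paste your own rules into the dictionary in the same order as configuration.yml and resolve the hosts you care about; any host that comes back with a weaker policy than intended is a rule-ordering problem, not an nginx problem.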

Troubleshooting Guide

Here are some common issues and solutions:

  • Authelia not prompting for authentication: Ensure that the SWAG configuration file correctly points to the Authelia authentication endpoint.
  • Session issues: Check the session configuration in configuration.yml and ensure that the session secret is correctly set.
  • MFA not working: Verify that TOTP or WebAuthn is correctly configured and that the time on your server is synchronized.

For more detailed troubleshooting, refer to the Authelia documentation.

Thank you for following this guide, and best of luck securing your homelab!
