Simple Self-Hosted Security with Authelia

Views: 17,641

apalrd's adventures

1 day ago

Comments: 56
@apalrdsadventures 4 months ago
Now is the best time to buy FlexiSpot Ergonomic Chair. 30 days free return, try it with confidence! Use code "C730" for $30 off! US: bit.ly/4c8Tq2z CA: bit.ly/4aWkpNQ
@KeithHanlan 4 months ago
I like how this proxy setup is able to support differing policies for different URIs. Once you have authenticated without 2FA for a non-config URI, your config is still protected. This sort of behaviour from built-in authentication would require much more work for the developers and consequently introduce risk. Very slick. Once again, thank you for sharing your experience!
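The per-URI policy the comment describes is expressed in Authelia's `access_control` section. The fragment below is an added example, not configuration from the video or from the Authelia project; the hostname `frigate.example.com`, the `/config` path and the `admins` group are assumptions. Authelia evaluates rules top to bottom and the first match wins, and a rule whose `subject` does not match is skipped rather than denied, which is why an explicit `deny` sits between the admin rule and the catch-all.

```yaml
# Added example (not from the video or the Authelia project).
# Authelia configuration.yml, access_control section only.
access_control:
  default_policy: deny                 # anything not matched below is refused

  rules:
    # Assumed: the app's configuration UI/API lives under /config.
    # Admins who have completed both factors may reach it.
    - domain: frigate.example.com      # assumed hostname
      resources:
        - '^/config(/.*)?$'            # anchored regex on the request path
      subject:
        - 'group:admins'               # assumed group name
      policy: two_factor

    # A rule whose subject does not match is skipped, not denied. Without this
    # explicit deny, a non-admin would fall through to the one_factor rule
    # below and reach /config with a password alone.
    - domain: frigate.example.com
      resources:
        - '^/config(/.*)?$'
      policy: deny

    # Everything else on the same host: a password is enough. A session that
    # only completed one_factor is sent back to the portal for the second
    # factor when it later requests a two_factor resource.
    - domain: frigate.example.com
      policy: one_factor
```

Keep the regexes anchored (`^...$`); an unanchored `/config` would also match `/api/something/config`. Use `policy: bypass` only for paths that genuinely need no identity (for example a health check the proxy itself polls), since it disables the check entirely.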
@BartomiejSacharski 4 months ago
About Frigate not having authentication: the current beta (0.14) has authentication exposed on port 8080, with 5000 now being considered an "internal endpoint" that should be isolated from the "normal" network.
@nezu_cc 3 months ago
I've been running authelia with docker and traefik and it's amazing. All the apps that have OIDC use OIDC the rest use proxy auth. The nice thing about using it with services like traefik is that once set up it's a single line in the YML to enable it for a service. God, I love Docker. I've even started adding OIDC auth to my own projects since it makes auth so much simpler to manage in the long run.
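The "single line in the YML" the comment refers to is Traefik's forwardAuth middleware attached to a router. The compose fragment below is an added example, not the commenter's or the Authelia project's configuration; it assumes Authelia 4.38 or newer (which serves `/api/authz/forward-auth`) reachable as the container `authelia` on the same compose network, and a router named `frigate` on the `websecure` entrypoint.

```yaml
# Added example (not from the comment or the project).
# docker compose fragment: one service put behind Authelia via Traefik.
services:
  frigate:
    image: ghcr.io/blakeblackshear/frigate:stable
    # No "ports:" entry on purpose: the container is reachable only through
    # Traefik on the shared network, so the proxy cannot be bypassed by
    # connecting to the app's own port directly.
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.frigate.rule=Host(`frigate.example.com`)"   # assumed hostname
      - "traefik.http.routers.frigate.entrypoints=websecure"
      - "traefik.http.routers.frigate.tls=true"

      # Middleware definition. Assumes Authelia >= 4.38 listening on 9091 as
      # container "authelia"; it may equally live on the authelia service.
      - "traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/authz/forward-auth"
      # Let Authelia see the original Host/URI via X-Forwarded-* headers.
      # Safe only because Traefik sets them and nothing else can reach Authelia.
      - "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true"
      # Identity headers Authelia returns that Traefik passes on to the app.
      - "traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"

      # The single line that actually turns auth on for this router.
      - "traefik.http.routers.frigate.middlewares=authelia@docker"
```

Two checks worth doing after enabling it: `curl -I https://frigate.example.com/` from outside should return a redirect to the Authelia portal rather than the app, and the app container should not be reachable on its own port from the Docker host's published ports (`docker port frigate` should list nothing).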
@georgH 4 months ago
I use a different approach: none of my services are exposed to the internet except for v2ray. I used v2ray when I lived in a country with censored internet and I keep using it to connect to my services securely. Because it can be set up to work over standard HTTPS, it works everywhere, even in places where WireGuard and OpenVPN are blocked (which is very common nowadays). Because nothing is exposed, I use the DNS method of renewing the Let's Encrypt certificate instead of the HTTPS one.
@Darkk6969 4 months ago
Yep. I use pfsense's HAProxy and ACME to handle the certificates for Let's Encrypt. Real happy that it supports DNS to verify the domain.
@dvntaudio8106 3 months ago
Awesome to see someone that uses v2ray! I discovered that through the "hysteria toolkit". I found it fascinating and functional..🐯🙏
@RyanParmeter 4 months ago
I've been able to get Authentik working for a simple setup and plan to expand. It can act as an LDAP (and other) user store for wide compatibility.
@dirtybrokkoli 4 months ago
Is the setup as "simple" as the authelia setup seems here? And how easy is it to integrate it with common applications like nextcloud, jellyfin, etc?
@LaurenceHartje 4 months ago
I'm running Windows AD on my homelab and Keycloak for handling the SSO to OIDC apps (Portainer, Paperless-NGX, PGAdmin, XO-CE and Proxmox [as I'm experimenting with different hypervisors at the moment]). Nothing exposed publicly, remote access is all over Wireguard.
@kkoppa 3 months ago
That's great. Do you know if one can set up Keycloak to handle SSO for non-OIDC apps?
@lightechoes 4 months ago
Great stuff as always. I've been thinking about authentication for a while.
@olokelo 4 months ago
Thank you for the video! As for my current setup I don't run any authentication server however I'm using client TLS certificates and Wireguard for remote access. I think that's secure enough.
@apalrdsadventures 4 months ago
Client TLS certs are an extremely secure form of auth if the CA is properly hardened / offline. I was using client TLS certs before I had this setup; it's just a pain to re-key clients every few months.
@kd7gp 4 months ago
@apalrdsadventures hello, can Authelia be used to add 2FA to WireGuard?
@hanley-development 4 months ago
Authentik is great and works with duo push.
@Felix-ve9hs 4 months ago
Pretty cool, definitely something I'll take a look at the next time I rework my home network :^)
@alex.prodigy 3 months ago
Awesome video, thanks! I know there are many solutions like this, but since you are already using Caddy... caddy-security would probably make sense here.
@codeman99-dev 4 months ago
I intend to setup authentik at some point. It's probably way too much for my needs. That said, I know there's documentation for the one application I actually host. Heh.
@netroy 4 months ago
7:00 For SMTP I run a local Mailpit. It's pretty good.
@apalrdsadventures 4 months ago
That looks super useful, especially in a test environment
@Unselfless 3 months ago
I've been looking at Authelia, Authentik, and Zitadel for my own homelab. Is there anything in particular about one that makes it better than another? I can't seem to find too many videos about Zitadel
@TheUkeloser 4 months ago
I work for a network security company that provides, among other things, a large enterprise grade authentication platform, and I get it for free for "testing" purposes, so I run that in my lab. Way overkill, but it does RADIUS, LDAP, SAML, etc. so I can make it work with just about anything I want to run. Definitely don't recommend it for home labbers though, since even the smallest VM license is 4 figures.
@almc8445 4 months ago
RADIUS, LDAP, SAML… Kerberos, NTLM, OIDC, OAuth 2… Fk me no wonder so many apps don’t implement SSO, it shouldn’t be this hard…
@apalrdsadventures 4 months ago
Part of the issue is that different industries have different historical standards which they follow. RADIUS came from dial-up authentication and became the standard in everything networking (like 802.1X), OIDC/OAuth run over HTTP(s) so they can be done by web apps without an installed client, and Kerberos is a great solution and could be universal but is really only possible on domain-joined computers (at least with current implementations), unfortunately.
@almc8445 4 months ago
@apalrdsadventures Yeah, it definitely makes sense how we got to this point, just sad we haven't seen a unified push to adopt or build a universal standard. And I don't think we're likely to see it happen in my lifetime...
@colinstu 4 months ago
Frigate has been on my list to mess around with. TIL that it didn't have auth yet. (but seeing in another comment saying it does now in beta)
@dirtybrokkoli 4 months ago
Currently I do not host any service that does not have its own authentication, but Authelia looks pretty good. Do you know if Authelia could in theory authenticate the user on the backend service, like some kind of SSO, without using LDAP? That would help me get rid of one reverse proxy and really simplify my setup, but I would prefer to keep it simple instead of adding a behemoth like LDAP.
@apalrdsadventures 4 months ago
File and LDAP are the options with Authelia. LDAP is a bit of a lowest common denominator, it's so old that it's generally the core of most big networks. Some more complex options support other backends, for example Keycloak supports Kerberos.
@lifefromscratch2818 4 months ago
Someday I would like to get far enough with my learning where I feel comfortable trying to implement a single sign on solution.
@Cynyr 4 months ago
I'd like to run a single sign-on thing, but covering web apps; user accounts on LXCs, SMB shares, real hosts, and Windows computers; and managing SSH keys is just too much. None of my services (except WireGuard) are publicly accessible, so I basically have 0 authentication on services.
@derplattenbau 4 months ago
Great video. Are there any GUIs available for managing Authelia? If so, could you create a video?
@apalrdsadventures 4 months ago
Authelia itself has a GUI for managing password reset and TOTP/WebAuthn configuration. The only thing 'missing' is the initial user creation.
@darkpixel1128 4 months ago
if you connect to an LDAP service you can create users with a GUI. LLDAP is an easy, lightweight way to do this
@apalrdsadventures 4 months ago
I'm expecting this to be used by people with
@random_name- 3 months ago
OpenLDAP please, for user management. It will be perfect for the next integrations, and some GUI for OpenLDAP too. Thank you.
@userou-ig1ze 4 months ago
I thought I was a homelab guy, but then I found myself not knowing what Frigate is. Taking my hat, eating it, and taking my leave.
@apalrdsadventures 4 months ago
It's more popular when there's overlap with Home Automation, but it's also an app I use that has no authentication and made a good demo
@kriansa 4 months ago
What's the app you use to create these diagrams?
@apalrdsadventures 4 months ago
draw.io
@TheSmiddy 4 months ago
my homelab SSO solution is password reuse :P
@thaddeuscleo5920 4 months ago
Hello apalrds would you Zitadel SSO server?
@Tntdruid 4 months ago
Blog link -> 404 - Page not found...
@apalrdsadventures 4 months ago
fixed
@DawidKellerman 4 months ago
Can I beg a keycloak video?
@apalrdsadventures 4 months ago
I'll consider it... it does Kerberos so maybe
@DawidKellerman 4 months ago
@apalrdsadventures Thank you! I don't have much experience with Kerberos. I know there is some cool SSO stuff.
@apalrdsadventures 4 months ago
Kerberos is actually quite old (Developed in the 80s), so it's unrelated to 'modern' standards like TLS and doesn't even use public key cryptography at all (purely AES). So while it's extremely well designed from a security and usability standpoint, it's hard to integrate into web apps and requires a client program. Microsoft Active Directory uses Kerberos auth for domain joined computers, so that's where it's most commonly used. The client requirement means it's really only usable on domain-joined or similarly managed devices.
@KaiStarkk 2 months ago
Would also be very keen to see Keycloak. Initial research seems to indicate that it's the best of the three. Authentik is maintained by a single guy; nothing against that person, but it means that CVEs would be slower to fix (as demonstrated by main being left broken for several days while he was on holiday). Hopefully more people jump in to support him, but until then. Meanwhile Keycloak has Red Hat behind it. Since we're talking about a critical security application, this is significant.
@АлексейМиллер-щ7ч 4 months ago
Cool, but the setup is too convoluted.
@lavishjaat 4 months ago
First 😅