@KeithHanlan (4 months ago)
I like how this proxy setup is able to support differing policies for different URIs. Once you have authenticated without 2FA for a non-config URI, your config is still protected. This sort of behaviour from built-in authentication would require much more work for the developers and consequently introduce risk. Very slick. Once again, thank you for sharing your experience!
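As an added illustration of the per-URI split that comment describes (this is not the video's, the commenter's, or the Authelia project's own configuration), here is how it is expressed in Authelia's access_control section; the domain and the config path are assumed placeholders:

```yaml
# Added example of an Authelia access_control block (not the commenter's or the
# project's own file). app.example.com and /config are assumed placeholders.
access_control:
  # Anything not matched by a rule below is denied, so a typo in a rule
  # fails closed instead of quietly exposing a path.
  default_policy: deny
  rules:
    # Rules are evaluated top to bottom and the first match wins, so the
    # stricter rule for the configuration path must come before the general one.
    - domain: app.example.com
      resources:
        - "^/config(/|\\?|$)"   # assumed path of the app's settings/config UI
      policy: two_factor        # password plus TOTP/WebAuthn required here
    - domain: app.example.com
      policy: one_factor        # everything else on the host: password only
```

A quick check after editing rules: request the config path with a session that only completed one factor and confirm the proxy redirects back to Authelia for the second factor rather than serving the page.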
@BartomiejSacharski (4 months ago)
About Frigate not having authentication: the current beta (0.14) has authentication exposed on port 8080, with 5000 now being considered an "internal endpoint" that should be isolated from the "normal" network.
@nezu_cc (3 months ago)
I've been running Authelia with Docker and Traefik and it's amazing. All the apps that have OIDC use OIDC; the rest use proxy auth. The nice thing about using it with services like Traefik is that once set up it's a single line in the YML to enable it for a service. God, I love Docker. I've even started adding OIDC auth to my own projects since it makes auth so much simpler to manage in the long run.
@georgH (4 months ago)
I use a different approach: none of my services are exposed to the internet except for v2ray. I used v2ray when I lived in a country with censored internet and I keep using it to connect to my services securely. Because it can be set up to work over standard HTTPS, it works everywhere, even in places where WireGuard and OpenVPN are blocked (which is very common nowadays). Because nothing is exposed, I use the DNS method of renewing the Let's Encrypt certificate instead of the HTTPS one.
@Darkk6969 (4 months ago)
Yep. I use pfSense's HAProxy and ACME to handle the certificates for Let's Encrypt. Really happy that it supports DNS to verify the domain.
@dvntaudio8106 (3 months ago)
Awesome to see someone that uses v2ray! I discovered that through the "hysteria toolkit". I found it fascinating and functional. 🐯🙏
@RyanParmeter (4 months ago)
I've been able to get Authentik working for a simple setup and plan to expand. It can act as an LDAP (and other) user store for wide compatibility.
@dirtybrokkoli (4 months ago)
Is the setup as "simple" as the Authelia setup seems here? And how easy is it to integrate it with common applications like Nextcloud, Jellyfin, etc.?
@LaurenceHartje (4 months ago)
I'm running Windows AD on my homelab and Keycloak for handling the SSO to OIDC apps (Portainer, Paperless-NGX, pgAdmin, XO-CE and Proxmox [as I'm experimenting with different hypervisors at the moment]). Nothing exposed publicly; remote access is all over WireGuard.
@kkoppa (3 months ago)
That's great. Do you know if one can set up Keycloak to handle SSO for non-OIDC apps?
@lightechoes (4 months ago)
Great stuff as always. I've been thinking about authentication for a while.
@olokelo (4 months ago)
Thank you for the video! As for my current setup, I don't run any authentication server; however, I'm using client TLS certificates and WireGuard for remote access. I think that's secure enough.
@apalrdsadventures (4 months ago)
Client TLS certs are an extremely secure form of auth if the CA is properly hardened / offline. I'd been using client TLS certs before I had this setup; it's just a pain to re-key clients every few months.
@kd7gp (4 months ago)
@apalrdsadventures Hello, can Authelia be used to add 2FA to WireGuard?
@hanley-development (4 months ago)
Authentik is great and works with Duo Push.
@Felix-ve9hs (4 months ago)
Pretty cool, definitely something I'll take a look at the next time I rework my home network :^)
@alex.prodigy (3 months ago)
Awesome video, thanks! I know there are many solutions like this, but since you are already using Caddy... probably caddy-security would make sense here.
@codeman99-dev (4 months ago)
I intend to set up Authentik at some point. It's probably way too much for my needs. That said, I know there's documentation for the one application I actually host. Heh.
@netroy (4 months ago)
7:00 For SMTP I run a local Mailpit. It's pretty good.
@apalrdsadventures (4 months ago)
That looks super useful, especially in a test environment.
@Unselfless (3 months ago)
I've been looking at Authelia, Authentik, and Zitadel for my own homelab. Is there anything in particular about one that makes it better than another? I can't seem to find too many videos about Zitadel.
@TheUkeloser (4 months ago)
I work for a network security company that provides, among other things, a large enterprise-grade authentication platform, and I get it for free for "testing" purposes, so I run that in my lab. Way overkill, but it does RADIUS, LDAP, SAML, etc., so I can make it work with just about anything I want to run. Definitely don't recommend it for home labbers though, since even the smallest VM license is four figures.
@almc8445 (4 months ago)
RADIUS, LDAP, SAML... Kerberos, NTLM, OIDC, OAuth 2... Fk me, no wonder so many apps don't implement SSO, it shouldn't be this hard...
@apalrdsadventures (4 months ago)
Part of the issue is that different industries have different historical standards which they follow. RADIUS came from dial-up authentication and became the standard in everything networking (like 802.1X), OIDC/OAuth run over HTTP(S) so they can be done by web apps without an installed client, and Kerberos is a great solution and could be universal but is really only possible on domain-joined computers (at least with current implementations), unfortunately.
@almc8445 (4 months ago)
@apalrdsadventures Yeah, it definitely makes sense how we got to this point; it's just sad we haven't seen a unified push to adopt or build a universal standard. And I don't think we're likely to see it happen in my lifetime...
@colinstu (4 months ago)
Frigate has been on my list to mess around with. TIL that it didn't have auth yet (but I see another comment saying it does now in beta).
@dirtybrokkoli (4 months ago)
Currently I do not host any service that does not have its own authentication, but Authelia looks pretty good. Do you know if Authelia could in theory authenticate the user on the backend service, like some kind of SSO, without using LDAP? That would help me get rid of one reverse proxy and really simplify my setup, but I would prefer to keep it simple instead of adding a behemoth like LDAP.
@apalrdsadventures (4 months ago)
File and LDAP are the options with Authelia. LDAP is a bit of a lowest common denominator; it's so old that it's generally the core of most big networks. Some more complex options support other backends; for example, Keycloak supports Kerberos.
@lifefromscratch2818 (4 months ago)
Someday I would like to get far enough with my learning that I feel comfortable trying to implement a single sign-on solution.
@Cynyr (4 months ago)
I'd like to run a single sign-on thing, but covering web apps; user accounts on LXCs, SMB shares, real hosts, and Windows computers; and managing SSH keys is just too much. None of my services (except WireGuard) are publicly accessible, so I basically have 0 authentication on services.
@derplattenbau (4 months ago)
Great video. Are there any GUIs available for managing Authelia? If so, could you create a video?
@apalrdsadventures (4 months ago)
Authelia itself has a GUI for managing password reset and TOTP/WebAuthn configuration. The only thing 'missing' is the initial user creation.
@darkpixel1128 (4 months ago)
If you connect to an LDAP service, you can create users with a GUI. LLDAP is an easy, lightweight way to do this.
@apalrdsadventures (4 months ago)
I'm expecting this to be used by people with
@random_name- (3 months ago)
OpenLDAP please, for user management. Will be perfect for next integrations, and some GUI also for OpenLDAP. Thank you.
@userou-ig1ze (4 months ago)
I thought I'm a homelab guy, but then I found myself not knowing what Frigate is. Taking my hat, eating it, and taking my leave.
@apalrdsadventures (4 months ago)
It's more popular when there's overlap with home automation, but it's also an app I use that has no authentication and made a good demo.
@kriansa (4 months ago)
What's the app you use to create these diagrams?
@apalrdsadventures (4 months ago)
draw.io
@TheSmiddy (4 months ago)
My homelab SSO solution is password reuse :P
@thaddeuscleo5920 (4 months ago)
Hello apalrds, would you Zitadel SSO server?
@Tntdruid (4 months ago)
Blog link -> 404 - Page not found...
@apalrdsadventures (4 months ago)
Fixed.
@DawidKellerman (4 months ago)
Can I beg for a Keycloak video?
@apalrdsadventures (4 months ago)
I'll consider it... it does Kerberos, so maybe.
@DawidKellerman (4 months ago)
@apalrdsadventures Thank you! I don't have much experience with Kerberos; I know there is some cool SSO stuff.
@apalrdsadventures (4 months ago)
Kerberos is actually quite old (developed in the 80s), so it's unrelated to 'modern' standards like TLS and doesn't even use public key cryptography at all (purely AES). So while it's extremely well designed from a security and usability standpoint, it's hard to integrate into web apps and requires a client program. Microsoft Active Directory uses Kerberos auth for domain-joined computers, so that's where it's most commonly used. The client requirement means it's really only usable on domain-joined or similarly managed devices.
@KaiStarkk (2 months ago)
Would also be very keen to see Keycloak. Initial research seems to indicate that it's the best of the three. Authentik is maintained by a single guy; nothing against that person, but it means that CVEs would be slower to fix (as demonstrated by main being left broken for several days while he was on holiday). Hopefully more people jump in to support him, but until then... Meanwhile Keycloak has Red Hat behind it. Since we're talking about a critical security application, this is significant.