Simple Self-Hosted Security with Authelia
“apalrd’s adventures”
In this video, I’m setting up Authelia. It’s a very lightweight authentication service, which can be used to provide authentication to services which don’t natively support any form of authentication. I think this is a great choice for small scale homelab environments, as it’s simple to run and…
my homelab SSO solution is password reuse 😛
What's the app you use to create these diagrams?
I'm using cloudflare tunnels to access my homelab services, as long as they provide authentication. With frigate I prefer not to expose it since it doesn't provide any auth.
Messing with proxies inside my network is something I would like to avoid, I feel like it complicates things a lot…
I would like to have a 2FA like the one I have in Home assistant in all services… Exposing HA with cloudflare is so easy and safe!
7:00 For SMTP I run local mailpit. It's pretty good.
Hello apalrds would you Zitadel SSO server?
Frigate has been on my list to mess around with. TIL that it didn't have auth yet. (but seeing in another comment saying it does now in beta)
Currently I do not host any service that does not have its own authentication, but Authelia looks pretty good. Do you know if Authelia could in theory authenticate the user on the backend service, like some kind of SSO, without using LDAP? That would help me get rid of one reverse proxy and really simplify my setup, but I would prefer to keep it simple instead of adding a behemoth like LDAP.
Cool, but the setup is way too convoluted.
Authentik is great and works with duo push.
I intend to setup authentik at some point. It's probably way too much for my needs. That said, I know there's documentation for the one application I actually host.
Heh.
I'm running Windows AD on my homelab and Keycloak for handling the SSO to OIDC apps (Portainer, Paperless-NGX, PGAdmin, XO-CE and Proxmox [as I'm experimenting with different hypervisors at the moment]). Nothing exposed publicly, remote access is all over Wireguard.
I use pfSense/HAProxy as the entrypoint. Sensitive services require a client certificate to connect, and are otherwise routed to dummy servers. HAProxy can also be set up with multiple CAs for differentiating admin/viewer user classes.
Cool thing is that client certificates reside in the phone, so any app that uses chrome internally works transparently.
I thought I was a homelab guy, but then I found myself not knowing what Frigate is. Taking my hat, eating it, and taking my leave.
I've been able to get Authentik working for a simple setup and plan to expand. It can act as an LDAP (and other) user store for wide compatibility.
I like how this proxy setup is able to support differing policies for different URIs. Once you have authenticated without 2FA for a non-config URI, your config is still protected. This sort of behaviour from built-in authentication would require much more work for the developers and consequently introduce risk. Very slick. Once again, thank you for sharing your experience!
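The per-URI policy split described in the comment above, written out as an added Authelia `access_control` fragment (this is an illustration, not the video's own config; the hostname `frigate.example.test` and the group name `admins` are placeholders). Authelia evaluates rules top to bottom and applies the first match, so the stricter config rule must come before the catch-all:

```yaml
# Added example: one-factor login for the app itself, two-factor for the
# configuration pages. Hostname and group name are placeholders.
access_control:
  # Anything not matched by a rule below is refused outright.
  default_policy: deny
  rules:
    # Config endpoints: require a second factor AND admin group membership.
    # Listed first, because Authelia stops at the first matching rule.
    - domain: frigate.example.test
      resources:
        - '^/config(/.*)?$'
        - '^/api/config(/.*)?$'
      subject:
        - 'group:admins'
      policy: two_factor

    # Everything else on the host: a single factor is enough.
    # A session that only completed one_factor still cannot reach /config.
    - domain: frigate.example.test
      policy: one_factor
```

Swapping the two rules would let the `one_factor` catch-all match `/config` first and silently remove the 2FA requirement, which is the ordering mistake to check for when adding rules.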
I use a different approach, none of my services are exposed to the internet except for v2ray.
I used v2ray when I lived in a country with censored internet and I keep using it to connect to my services securely. Because it can be set up to work over standard HTTPS, it works everywhere, even in places where WireGuard and OpenVPN are blocked (which is very common nowadays).
Because nothing is exposed, I use the DNS method of renewing the letsencrypt certificate instead of the https.
Thank you for the video!
As for my current setup I don't run any authentication server however I'm using client TLS certificates and Wireguard for remote access.
I think that's secure enough.
Great stuff as always. I've been thinking about authentication for a while.
Can I beg a keycloak video?
Pretty cool, definitely something I'll take a look at the next time I rework my home network :^)
Great video, are there any GUIs available for managing Authelia? If so, could you create a video?
Check out Keycloak and OpenLDAP
Someday I would like to get far enough with my learning where I feel comfortable trying to implement a single sign on solution.
I'd like to run a single sign-on thing, but covering web apps; user accounts on LXCs, SMB shares, real hosts, and Windows computers; and managing SSH keys is just too much. None of my services (except WireGuard) are publicly accessible, so I basically have 0 authentication on services.
I work for a network security company that provides, among other things, a large enterprise grade authentication platform, and I get it for free for "testing" purposes, so I run that in my lab. Way overkill, but it does RADIUS, LDAP, SAML, etc. so I can make it work with just about anything I want to run. Definitely don't recommend it for home labbers though, since even the smallest VM license is 4 figures.
Blog link -> 404 — Page not found…
About Frigate not having authentication – the current beta (0.14) has authentication exposed on port 8080, with 5000 now being considered an "internal endpoint" that should be isolated from the "normal" network.
First 😅