Using Authelia as an authentication provider with Traefik 2 and docker-compose

Requirement

Provide authentication via LDAP to various services running behind Traefik 2 as a reverse proxy using docker-compose to run service containers.

Implementation

Setting up and running the service is straightforward, like running any other docker-compose service. If you are comfortable with tackling the LDAP configuration for Authelia, then this should be very straightforward for you.

Concept

The way this works with Traefik is that you set up a service for Authelia and, in addition to the regular Traefik labels you provide to make a service available at an endpoint, you add another label as follows to configure it as a middleware for Traefik.

traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/verify?rd=https://auth.domain.net/

auth.domain.net is whatever endpoint you have configured Traefik to serve Authelia at.

For any service (herewith referred to as the "protected container") that you wish to implement authentication for, you will:

  1. Add the traefik.http.routers.sap.middlewares=authelia label to that container's configuration.
  2. Ensure that the authelia middleware is running; otherwise that endpoint will return a 404 error.
  3. Configure the Authelia container to be on the same docker network as the protected container, usually the same docker network as Traefik.
  4. Ensure that Authelia's config.yml file has access control rules configured as required for the domain/endpoint the protected container is served at.
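
The four steps above, put together as one docker-compose file. This is an added example, not the author's own configuration: the proxy network, the websecure entrypoint, the traefik/whoami image, the sap.domain.net host and the ./authelia volume path are assumptions, and Traefik itself is expected to be defined elsewhere on the same network.

```yaml
# Constructed example; names marked "assumed" are not from the original post.
version: "3.7"

networks:
  proxy:
    external: true            # assumed name: the network Traefik is attached to (step 3)

services:
  authelia:
    image: authelia/authelia
    restart: unless-stopped
    volumes:
      - ./authelia:/config    # assumed path: directory holding Authelia's config file
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.authelia.rule=Host(`auth.domain.net`)"
      - "traefik.http.routers.authelia.entrypoints=websecure"   # assumed entrypoint name
      - "traefik.http.routers.authelia.tls=true"
      - "traefik.http.services.authelia.loadbalancer.server.port=9091"
      # Middleware definition from the post. If this container is down, the
      # middleware does not exist and routers that reference it return 404 (step 2).
      - "traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/verify?rd=https://auth.domain.net/"
      # Pass the authenticated identity on to the protected service.
      - "traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups"

  sap:                        # the protected container; "sap" is the router name used in the post
    image: traefik/whoami     # assumed stand-in for the real service
    networks:
      - proxy
    # No "ports:" section: a port published on the host would be reachable
    # without passing through Traefik, and therefore without Authelia.
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.sap.rule=Host(`sap.domain.net`)"  # assumed host
      - "traefik.http.routers.sap.entrypoints=websecure"
      - "traefik.http.routers.sap.tls=true"
      - "traefik.http.routers.sap.middlewares=authelia"         # step 1

# Matching access control rule in Authelia's config file (step 4):
#   access_control:
#     default_policy: deny
#     rules:
#       - domain: sap.domain.net
#         policy: one_factor
```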

These are some rough notes to get things started. I intend to update this post with more specific details when I get a chance. If you need help, let me know in the comments below and that will be a prompt for me to revisit this and provide more specific details. This is how I assess demand for content that I will expand on further.
