[Support] IBRACORP - All images and files



Welcome to IBRACORP Support

 

= Support Us =

Membership

 

Help support my work by subscribing to our site and our YouTube channel. It's free, with paid options. There are no fees involved and it really helps me give back to you.

 

Become a free subscriber of our site to:

  • Receive the latest YouTube videos first, before going public on YouTube.
  • Read our articles which go with our videos and other work we do.
  • Emails directly to your inbox with the latest content. No spam, no bs.
  • More

Become a paid subscriber of our site to:

  • Get exclusive videos only for supporters.
  • Ask for direct support with helping install or provide consultancy to you.
  • Receive advanced tutorials and articles for your IT needs.
  • Help support indie creators (and a father of two) to bring you the best content possible!

 

= PayPal =

Prefer to donate via PayPal? You can donate to us right HERE.

 

We really appreciate your support in any shape or form.

 

= IBRACORP =

IBRACORP - https://ibracorp.io/
YouTube: https://youtube.com/c/IBRACORP
GitHub - https://github.com/ibracorp
Discord - https://discord.gg/VWAG7rZ

Twitter - https://twitter.com/IBRACORP_IO

 

== Contact Us ==

If you require support or have any questions you can contact us at support@ibracorp.io.

 

All questions/issues related to getting any of my images running on Unraid can be asked here.

If you think a template needs improvement, feel free to post that here too.

 

<------------------------------------------------------------------------------------------------------------------------------------------------------->

Authelia

Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for your applications via a web portal. It acts as a companion to reverse proxies like nginx, Traefik or HAProxy to let them know whether requests should pass through. Unauthenticated users are redirected to the Authelia sign-in portal instead.

 

IBRACORP Links:

Guide: 

 

unRAID Template: https://github.com/ibracorp/authelia.xml/blob/master/authelia.xml

unRAID Installation instructions: https://github.com/ibracorp/authelia

This documentation will help users who have NGINX Proxy Manager and want to use Authelia to secure their endpoints, e.g. Radarr.

 

Official Links:

Authelia: https://www.authelia.com/

Docs: https://www.authelia.com/docs

GitHub: https://github.com/authelia/authelia

Docker Hub: https://hub.docker.com/r/authelia/authelia

Edited by Sycotix
Added new links for IBRACORP

**CHANGELOG**

 

17/04/2021

Hi all! I have now updated the configuration.yml file for Authelia on Git.

The new file is a replica of the latest official one with a lot of new changes, and is also customized and ready for use with FreeIPA.

 

Enjoy :)

 

02/03/2021

- Added Cachet template to CA store. As well as the URL plugin. Video will be coming out soon on our site first so check it out. 

 

26/01/2021

- Created template for Serviio as requested. Should be up in next two hours. 

 

14/01/2021

- Modified Protected Endpoint Conf file to hardcode https redirection

 

10/01/2021

- Added to link our YouTube: https://bit.ly/3q39SJO

 

29/11/2020

- Updated Git page for IBRACORP/Authelia with new and updated information as provided by the community.

- Formatting and clean-up to make it easier to follow.

- Added LDAP instructions and DUO 2FA tips

A big thank you to all those who have helped develop the documentation!

 

16/11/2020

- Submitted XML template for Jira Service Desk for review to Community Applications.

 

04/07/2020

- Updated documentation to reflect the CONTAINERIP instead of SERVERIP where appropriate. Also updated the Protected Endpoint.conf to suit. (thanks to @Korshakov)

 

02/07/2020

- Under NPM config, added the YOURDOMAIN placeholder to Protected Endpoint.conf to be updated by the user.

 

30/06/2020

- Updated documentation with some advice for Let's Encrypt (thanks to @kaiguy).
- Fixed missing semicolon on database instructions.

 

29/06/2020 

- Updated documentation to assist with issue: No/infinite native login screen on endpoint

 

28/06/2020

- Updated documentation for Authelia to reflect that the XML is now published in Community Apps and no longer requires manual pull.

- Updated logo in XML for Authelia to show in CA.

- Updated Categories in XML for Authelia to be Security.

- Updated support thread with official Authelia links.

- Updated documentation for Authelia with instructions on bypassing authentication for APIs (i.e. Sonarr/Ombi)

Edited by Sycotix
44 minutes ago, Squid said:

Template issues resulted in that

Very sorry everyone, got a little too finicky with it. Issue was caused by changing the <overview> tags to null. 

I have replaced it again and waiting to see if that fixes it.

Edited by Sycotix

Hi Sycotix! 

Really cool container thank you for building it.  This is my first forum post.

 

I pulled down the container from CA and configured it following the directions as best I could.  I have proper DNS resolution on the container, https://auth.mydomain.com resolves and I am able to get the Google Authenticator to function.  On my mobile I receive the Google Auth code, input the code and the container accepts the key and completes the request, forwarding me to the default_redirection_url: https://mydomain.com/.  I am on a Let's Encrypt container, not NPM, and I have been struggling to enable Authelia to work with my forward-facing subdomain https://sonarr.mydomain.com.

 

In the configuration.yml file on the Access Control List this is what I have.

  rules:
    # Rules applied to 'admins' group
    - domain: "*.mydomain.com"
      subject:
        - "group:admins"
      policy: two_factor

In the letsencrypt container there are 3 files I believe I need.

/config/nginx/authelia-location.conf

/config/nginx/authelia-server.conf

/config/nginx/authelia.subdomain.conf (this is currently working as i have defined "auth" as the subdomain)

 

I am sure there is something important that I am missing, it feels like i'm so close!

 

 

 


Hi nojutsu42,

 

Thanks for the kind words. The container is the official one from Authelia, I just helped collect it all and get it up for everyone to use after weeks of trying to get it going. 

With regards to your issue can you confirm:

- After authenticating, are you able to hit (either manually or with the redirect): sonarr.domain.com?

 

Your rules look good. Going forward you will want to set specific subdomain rules but here's mine atm while I'm testing each subdomain:

access_control:
  # Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'.
  # It is the policy applied to any resource if there is no policy to be applied
  # to the user.
  default_policy: deny

  rules:
    # Rules applied to 'admins' group
    - domain: "*.domain.com"
      subject:
        - "group:admins"
      policy: one_factor

 

The instructions I wrote for NPM utilize snippets from those letsencrypt files to get it to work. So in theory, you should not really need to change much for Let's Encrypt.

In the letsencrypt\nginx\proxy-confs you can find the sample conf for Sonarr with the lines referencing Authelia. Do you have those?

And do you also have: authelia-location.conf, authelia-server.conf

Located here: \appdata\letsencrypt\nginx


Thanks for the reply and your suggestions.

 

With regards to your issue can you confirm:

- After authenticating, are you able to hit (either manually or with the redirect): sonarr.domain.com?

Currently - before making any conf adjustments.

 

From outside of my LAN I am able to resolve 'auth.mydomain.com' when I complete the TOTP it forwards me to a wordpress I have setup as the mydomain.com. That is the expected route as 'mydomain.com' is set as default_redirection_url: in my configuration.conf.  When I resolve https://sonarr.mydomain.com it only prompts me with the sonarr browser popup login window.  

 

On some further research, the current Letsencrypt 'authelia-server.conf' has the location set for a subfolder. 

location ^~ /authelia {
    include /config/nginx/proxy.conf;
    resolver 127.0.0.11 valid=30s;
    set $upstream_authelia authelia;
    proxy_pass http://$upstream_authelia:9091;
}

 

On another note - did DUO recently change  from "free" to "free trial" for less than X amount of licenses? I have not been able to successfully register for the '"Free Trial" - Do you have that authentication method working?

7 minutes ago, nojutsu42 said:

 

On some further research the current Letsencrypt 'authelia-server.conf' and has the location set for a subfolder. 

Oh good pickup. So if you modify it similar to the ones in my doco does it work now?

 

As for duo I'm not sure actually. I haven't configured that section as of yet.


Thanks, Sycotix, for setting up this template and providing your writeup. This was super helpful to get me up and running behind the LSIO Letsencrypt container.

 

Just FYI, the section where you provide the MariaDB command to add a user requires a semicolon at the end. It should be:

CREATE USER 'authelia' IDENTIFIED by 'YOURPASSWORD';

After a bunch of issues likely related to my own misconfig, I took the configuration.yml down to its basics then added in the items I knew I'd need from the Authelia docs. That seemed to help get me going. DUO integration is working great, with totp as a backup.

 

Since LSIO doesn't have much instruction on how to configure, it did take a while to figure out I needed to add this under the server block for its out-of-the-box Authelia support to work:

server:
  path: authelia

If others are going with the LSIO LE container, there's no need to utilize Authelia as its own subdomain reverse proxy.


This was super helpful.  I have it functioning now!  I had to edit the letsencrypt /config/nginx/authelia-server.conf and the authelia-location.conf to recognize the subdomain and not the folder.


I setup DUO as well - on the "Free Trial" account, was able to get setup on the DUO dashboard, and send the 2FA.  (No idea what occurs when the 30 days are up on the trial)

 

 

 


@nojutsu42 great to hear you got it working! And super happy to hear my doco helped. Thanks for sharing the outcome. 

 

It can be tricky getting to match your own setup but once you have it down pat it's worth it for the extra protection. 

 

I will check out this DUO right now and see what the go is. 

2 hours ago, nojutsu42 said:

I setup DUO as well - on the "Free Trial" account, was able to get setup on the DUO dashboard, and send the 2fA.  (No idea what occurs when the 30 days are up on the trial)

Their wording of the free trial is odd since they have DUO Free (see their pricing comparison). I have been on DUO Free for Bitwarden for over a year now. Works great.


Hi all.

 

A user has raised a question via PM regarding rules. If you are getting a 401 on a particular subdomain, it's important you don't simply change the default rule behaviour to 'allow'. 

Why? Well, we're all about security, right? The hierarchy should be as follows:

Default = Deny. If there is no rule set to explicitly allow a subdomain, or group, or both etc. then deny.

Then, create a rule to allow access to that particular subdomain(s).

 

Even if it is a public page, you can still protect it with Authelia by setting the rule to 'bypass', for example.

 

For the official docs see here: https://www.authelia.com/docs/configuration/access-control.html

 

Thanks 

Edited by Sycotix
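To make the default-deny rule above something you can check rather than eyeball, here is an added example (my own code, not from the IBRACORP repository or from Authelia) that lints the access_control section before you restart the container. It takes the dict that yaml.safe_load returns for configuration.yml, so it needs nothing outside the standard library. It assumes, and this is not verified against Authelia's source, that rules are tried top to bottom with the first match winning, that a rule with no subject, resources, methods or networks applies to every request for its domains, that "*.example.com" matches any host ending in ".example.com", and that the only valid policies are the four named in the configuration comment earlier in this thread. The WEAK and HARDENED configs are constructed for the example.

```python
"""Lint an Authelia ``access_control`` block before it goes live.

Added example for this thread; it is not code from the IBRACORP repository
or from the Authelia project.  It works on the dict that ``yaml.safe_load``
returns for configuration.yml.  Assumptions (not verified against Authelia's
source): rules are checked top to bottom and the first match wins; a rule
with no subject, resources, methods or networks matches every request to
its domain; "*.example.com" matches any host that ends in ".example.com";
and the only valid policies are bypass, one_factor, two_factor and deny.
"""

VALID_POLICIES = ("bypass", "one_factor", "two_factor", "deny")
CONDITIONS = ("subject", "resources", "methods", "networks")


def domain_covers(pattern: str, host: str) -> bool:
    """True when a rule's domain pattern matches the concrete host name."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # "*.x.com" -> ends with ".x.com"
    return pattern == host


def _domains(rule: dict) -> list:
    """Authelia accepts a single domain string or a list; normalise to a list."""
    d = rule.get("domain", [])
    return [d] if isinstance(d, str) else list(d)


def _unconditional(rule: dict) -> bool:
    """A rule with none of the narrowing keys applies to every request to its domains."""
    return not any(rule.get(k) for k in CONDITIONS)


def _shadowed_by(pattern: str, earlier: dict) -> bool:
    """Does an earlier unconditional rule already decide every request for `pattern`?"""
    if not _unconditional(earlier):
        return False
    for p in _domains(earlier):
        if p.lower() == pattern.lower():
            return True
        if not pattern.startswith("*.") and domain_covers(p, pattern):
            return True
    return False


def lint_access_control(access_control: dict) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    default = access_control.get("default_policy")
    if default != "deny":
        findings.append(f"default_policy is {default!r}; use 'deny' so any host without a rule is refused")

    rules = access_control.get("rules") or []
    for i, rule in enumerate(rules):
        policy = rule.get("policy")
        domains = _domains(rule)
        if policy not in VALID_POLICIES:
            findings.append(f"rule {i}: invalid policy {policy!r}; valid values are {', '.join(VALID_POLICIES)}")
        if not domains:
            findings.append(f"rule {i}: no domain, so it can never match")
        if policy == "bypass" and any(d.startswith("*.") for d in domains):
            findings.append(f"rule {i}: 'bypass' on a wildcard domain leaves every matching subdomain unauthenticated")
        # First match wins: a broad unconditional rule above this one makes it dead.
        for j in range(i):
            if any(_shadowed_by(d, rules[j]) for d in domains):
                findings.append(f"rule {i} ({domains}) is unreachable: rule {j} ({_domains(rules[j])}, {rules[j].get('policy')}) matches first")
                break
    return findings


# Constructed sample: the shape this thread warns against. Rule 0 swallows every
# later rule, and 'allow' is not a policy Authelia knows.
WEAK = {
    "default_policy": "bypass",
    "rules": [
        {"domain": "*.mydomain.com", "policy": "one_factor"},
        {"domain": "sonarr.mydomain.com", "subject": ["group:admins"], "policy": "two_factor"},
        {"domain": "status.mydomain.com", "policy": "allow"},
    ],
}

# Constructed sample: default deny, the public page explicitly bypassed, the
# most specific rules first, and the wildcard still restricted to a group.
HARDENED = {
    "default_policy": "deny",
    "rules": [
        {"domain": "status.mydomain.com", "policy": "bypass"},
        {"domain": "sonarr.mydomain.com", "subject": ["group:admins"], "policy": "two_factor"},
        {"domain": "*.mydomain.com", "subject": ["group:admins"], "policy": "one_factor"},
    ],
}

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, lint_access_control(cfg) or "no findings")
```

Run it against your own file with `lint_access_control(yaml.safe_load(open("configuration.yml"))["access_control"])`. The unreachable-rule check is the one worth keeping: a wildcard rule placed first silently turns the two_factor rule for a sensitive host into dead configuration, which the logs will never tell you.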

Hello and thank you for your fantastic work.

 

Everything is working as it should, but as soon as I try to set the default access control to deny and set custom rules I am getting a 401 error. Here is the rule:

 

  default_policy: deny

  rules:
    # Rules applied to 'admins' group
    - domain: "office.lssolutions.ie"
      subject: "group:admins"
      policy: one_factor

 

I've looked at the documentation and I can't really see the difference from this rule below:

 

    - domain: "*.example.com"
      subject:
        - "group:admins"
      policy: two_factor


Hi @Korshakov thanks for getting in touch. 

 

The rule looks good. To help troubleshoot, I would set the rule to :

access_control:
  default_policy: deny
  rules:
    - domain: "*.lssolutions.ie"
      policy: one_factor

Then test again. This will make sure the subdomain and group requirement is removed temporarily. 

How about your user config? Can you check the group is set correctly? 

 

Be mindful of the formatting in the conf files because it is VERY temperamental. One wrong space could throw it off, but it should tell you in the logs if this happens anyway.

 

Update me.

 

EDIT: I just noticed in the official docs that anywhere there is a full URL in the rule, there isn't any quotation marks. (i.e. office.lssolutions.ie). But where there is a wildcard there is (i.e. "*.lssolutions.ie"). I'm at work and can't test right now, can you see if this makes a difference?

Edited by Sycotix
1 minute ago, Sycotix said:

Have you tried following my setup guide?

Yes, but I'm a beginner, and I don’t understand much there.

For example, I did not find in the configuration file, the lines that need to be replaced, this:
CONTAINERPORT 
CONTAINERNAME


@muwahhid those lines can be found in the Protected Endpoint and Authelia conf files in the repository for you to download and customise. 

Please read the document one step at a time and it will make sense. 

 

The references section is just a list of stuff to look out for later.


I think I am having an issue somewhere else too. When I try to just simply bypass all rules I get a 502 error on the subdomain office, but when I try to set a rule I get redirected to auth.domain, but in the logs it says error 401 user **** not authorised. When I try to add a user to the policy I get a 502 error.

My conclusion, which I believe to be the truth: the office domain sends to the auth domain, but the auth domain sends back incorrectly. I will send you my files in PM.


@Korshakov I read your file data and found this:

 error_page 401 =302 https://auth.YOURDOMAIN.com/?rd=$target_url;

You need to update YOURDOMAIN. If you haven't yet, then yes, this would confirm your theory of a redirection issue.

I will add this in the documentation which seems I missed. 

Edited by Sycotix
