[Support] IBRACORP - All images and files



I have gone through the guide twice and I always come up with the same error. When I paste the config in the Advanced Box for the host, NPM shows the host as offline. If I remove it, it comes right back up and works fine. Has anyone seen this error?

 

 

Never mind... got it figured out.

For CONTAINERNAME, you cannot have a container name that has a "-" in it. In my case I was using a container that I didn't care if I exposed called "wifi-card". That will NOT work. "wifi" will work or "wificard" will work, but you can't have a dash in a container name. There may be other special characters that don't work. I didn't test any others.

Edited by TX_Pilot
Link to comment

A couple of ideas to keep things a bit cleaner.

 

1) I used environment variables available through NPM rather than hardcoding the ip and port into the Advanced Config.

 

So I made the following changes to the Protected Endpoint:


    set $upstream_CONTAINERNAME http://CONTAINERIP:CONTAINERPORT;

became:

    set $upstream_CONTAINERNAME $forward_scheme://$server:$port;
 

This will allow you to make the changes to IP/Port within NPM rather than both under the Details Tab and the Advanced Tab 

 

2) I also used the actual container name as well so that I don't have to worry about IP. All of the reverse proxy guides recommend you create a network and use the internal Docker network for your reverse proxy. If you do that then you can specify the container name instead of the IP.

 

So: 

    set $upstream_authelia http://SERVERIP:9091/api/verify;

became:

    set $upstream_authelia http://Authelia:9091/api/verify;

 

In this case Authelia is the name of my Authelia container.

 

I have found it is much easier to use container name and internal port references in your NPM config so that if your container IPs change you aren't stuck fixing your reverse proxy. Just make sure if you do this, you are using the container port, not the translated port for your UnRaid IP address.

 

With these changes you can almost use the same Protected Endpoint for each proxy host. The only thing that would be different is the CONTAINERNAME. I am not sure if it would be a problem for that to be the same between proxy hosts. I am going to do some testing and see if it matters.

 

--Scott

Link to comment
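As an added example (not part of the original guide or of TX_Pilot's post), here is the shape of a complete NPM "Advanced" tab snippet that ties the two ideas above together: the app upstream is built from NPM's own $forward_scheme/$server/$port variables, Authelia is reached by container name on the shared Docker network, and the app is gated with auth_request. It also explains the dash problem from the first post in this thread: the guide's `set $upstream_CONTAINERNAME` turns the container name into an nginx variable name, and nginx only reads letters, digits and underscores as part of a variable name, so `$upstream_wifi-card` is expanded as the undefined `$upstream_wifi` followed by the literal `-card`, the config fails to load and NPM shows the host as offline. Using a fixed variable name such as `$upstream_app` sidesteps that entirely. The portal hostname auth.example.com, the container name `authelia` and port 9091 are assumptions (9091 is the port the thread uses).

```nginx
# Added example: NPM "Advanced" tab contents for one protected proxy host.
# Assumes NPM and the Authelia container ("authelia") share a user-defined
# Docker network, Authelia listens on 9091, and the portal is auth.example.com.

# Sub-request target: Authelia's verify endpoint, reached by container name.
location /authelia {
    internal;
    # Fixed variable name: nginx variable names allow only [A-Za-z0-9_],
    # so never derive the name from a container name that may contain '-'.
    set $upstream_authelia http://authelia:9091/api/verify;
    proxy_pass $upstream_authelia;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";

    # Headers Authelia uses to work out which URL is being requested.
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header X-Forwarded-Uri $request_uri;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    # Never cache an authorization decision.
    proxy_cache_bypass $cookie_session;
    proxy_no_cache $cookie_session;
}

location / {
    # Upstream taken from the Details tab (scheme, host, port), so the app's
    # address lives in exactly one place. $server can be a container name.
    set $upstream_app $forward_scheme://$server:$port;
    proxy_pass $upstream_app;

    # Ask Authelia before every request; a 401 from it becomes a redirect.
    auth_request /authelia;
    auth_request_set $target_url $scheme://$http_host$request_uri;
    auth_request_set $user $upstream_http_remote_user;
    auth_request_set $groups $upstream_http_remote_groups;
    proxy_set_header Remote-User $user;
    proxy_set_header Remote-Groups $groups;

    # Send the browser to the portal with the original URL in ?rd=.
    # $scheme is the scheme of the request *this* nginx received: if TLS is
    # terminated in front of NPM (a CDN talking plain HTTP to the origin),
    # rd= comes out as http:// and Authelia only accepts https:// targets.
    # Fix the TLS mode in front rather than hard-coding https here.
    error_page 401 =302 https://auth.example.com/?rd=$target_url;

    # Usual proxy headers for the app itself.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
}
```

Two things to check when using this. First, because `proxy_pass` is given a variable, nginx resolves the container name at request time and needs a `resolver` directive; NPM generates one for its own nginx from the container's resolv.conf, but in a hand-written nginx config you must add `resolver 127.0.0.11 valid=30s;` (Docker's embedded DNS) yourself, and the name only resolves on a user-defined Docker network, not the default bridge. Second, Authelia protects only traffic that passes through this proxy host: if the application's port is also published on the Unraid IP, anyone on the LAN can still reach it at IP:port with no login, so either stop publishing that port or restrict it to the docker network. Run `nginx -t` inside the NPM container after saving; a malformed variable name shows up there as a config error instead of as a silently "offline" host.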

Hi,

 

I've followed this guide and Authelia is working for my Nextcloud container. The only issue I've not been able to figure out is getting the Nextcloud iOS app to work. If I'm setting up the app initially to connect to my server, I get a "connection error 200: Transfer stopped" message. The app has an option to revert to an older login method; after logging in through this method I get the Authelia login, which works. After verification with Authelia, the app is redirected to an error page saying "Access Forbidden invalid request". I'm not able to navigate anywhere else till I restart the app, which just throws a bunch of 405 errors.

 

I don't have the same issue on my laptop or PC, so I'm kind of stumped at this point. If I pull Authelia out of my reverse proxy configuration the app works normally. Does anyone have the Nextcloud iOS app working that might be able to offer some insight?

 

These are the last Authelia log messages I see when trying to connect through the iOS app:

 

time="2020-09-09T14:14:49-04:00" level=info msg="Access to https://nextcloud.example.com/ocs/v2.php/cloud/user?format=json is not authorized to user , sending 401 response" method=GET path=/api/verify remote_ip=172.18.0.173
time="2020-09-09T14:14:49-04:00" level=info msg="Access to https://nextcloud.example.com/status.php is not authorized to user , sending 401 response" method=GET path=/api/verify remote_ip=172.18.0.173

Thanks in advance for any help with this,

Link to comment
3 hours ago, jinx8503 said:

Thanks in advance for any help with this,

In the reverse proxy, have you added a bypass for the API? In the guide down the bottom you will see a section explaining this called: No/infinite native login screen on endpoint.

 

I believe it should help as the API needs to bypass the proxy check in order to work. This also goes for things like Tautulli or Ombi in order to use their mobile apps.

Link to comment
  • 2 weeks later...

I have been using authelia happily for a while now.

I have it setup with duo as well for 2fa, but I have noticed that I can NOT get it to keep me logged in.

 

in the config I set:
 

# The time in seconds before the cookie expires and session is reset.

expiration: 2w

 

# The inactivity time in seconds before the session is reset.

inactivity: 2w

 

Is there more I have to do so I am not relogging in every day

Link to comment
  • 2 weeks later...

I'm stuck on the first setup - mainly logging in via local network to setup 2FA. I can get to the authelia login page locally, but then when I try to login nothing happens. The docker log says "validation attempt made, credentials OK" but then nothing else.

 

Anyone seen this issue before?

 

Edit: all good, changed config to one factor, and it redirects properly after auth. now to work out how to get two factor to work...

Edited by mishmash-
problem solved
Link to comment
  • 2 weeks later...

I have Authelia set up and working, or it seems to be for a few apps. I'm seeing in the logs, though, a lot of "user not authorized" with the same IP (from work) after I've already logged in. Also in the docker logs I'm getting an error with "Bad connection" multiple times a day. Just wondering if that's something I should be concerned about; I'm using Redis.

Screen Shot 2020-10-14 at 8.31.30 AM.png

Link to comment

So everything works well with Authelia and password based redirection.

 

Only issue is when I try to login via webgui it just redirects me to my domain. I don't have the chance at all to setup other methods as per the tutorial. I have totp enabled in the config file and still nothing...I'm pulling my hair out trying to get totp to work! Any suggestions?

Link to comment
  • 4 weeks later...
On 9/21/2020 at 5:14 PM, Shalmi said:

I have it setup with duo as well for 2fa, but I have noticed that I can NOT get it to keep me logged in.

Has anyone else figured out how to get "remember me" to work?

Link to comment
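An added Authelia configuration.yml fragment (mine, not the guide's config; keys as in Authelia 4.x at the time of this thread) for the two questions that keep coming up above: the API bypass Sycotix suggests in reply to jinx8503, and the remember-me question from Shalmi. The session domain example.com, the Redis container name `redis`, the group `admins`, the LAN range and the Heimdall host are assumptions; the Nextcloud paths are taken from the two 401 log lines in jinx8503's post. Rules are evaluated top to bottom and the first match wins, so the bypass entries must sit above the two_factor entry for the same domain.

```yaml
# Added example: session and access_control sections of configuration.yml.
# Assumed: session domain example.com, Redis container "redis", Nextcloud at
# nextcloud.example.com, portal at auth.example.com, group "admins".

session:
  name: authelia_session
  secret: "CHANGE_ME_long_random_value"   # or supply via AUTHELIA_SESSION_SECRET_FILE
  domain: example.com        # cookie domain; must cover every protected host
  expiration: 1h             # hard lifetime of an ordinary session
  inactivity: 5m             # ordinary session ends after this much idle time
  remember_me_duration: 1M   # applied only when "Remember me" is ticked at login
  redis:
    host: redis
    port: 6379
    database_index: 0

access_control:
  default_policy: deny       # anything not matched below is refused
  rules:
    # The portal itself must be reachable without a session.
    - domain: auth.example.com
      policy: bypass

    # Endpoints the Nextcloud mobile app calls before it can show a browser
    # login: the two paths that returned 401 in the log lines above, plus
    # the WebDAV endpoint (assumption). Nextcloud authenticates these itself
    # with an app password, so Authelia steps aside here and nowhere else.
    - domain: nextcloud.example.com
      resources:
        - '^/status\.php$'
        - '^/ocs/.*$'
        - '^/remote\.php/.*$'
      policy: bypass

    # Everything else on Nextcloud: password plus second factor.
    - domain: nextcloud.example.com
      policy: two_factor

    # Admin-only app, restricted to one group and to the LAN.
    - domain: heimdall.example.com
      subject: "group:admins"
      networks:
        - 192.168.1.0/24
      policy: two_factor

    # Catch-all for the remaining subdomains.
    - domain: "*.example.com"
      policy: two_factor
```

On the remember-me question: expiration and inactivity bound an ordinary session, while remember_me_duration is only used when the "Remember me" box is ticked on the login form, so raising expiration alone does nothing for a login made without the box. The quickest way to see what lifetime actually got applied is the Expires attribute on the Set-Cookie header in the browser's developer tools right after logging in. On the bypass: a bypassed path is protected only by the application's own authentication, so keep the list to what the mobile app actually needs, and verify each entry from outside the LAN, for example `curl -I https://nextcloud.example.com/status.php` should now be answered by Nextcloud instead of redirecting to the portal.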

Anyone have any insight on this? I feel like I'm missing something stupid, or I've got the configuration all wrong. Here is the output when I 'successfully' authenticate to the portal.

[screenshot: portal log output]

 

After this nothing happens when the config is set as shown below:

[screenshot: access_control config]

 

If I set the policy to bypass I pass right through to the redirected site, but as soon as I set the policy to two_factor it just reloads the page and the log shows credential validation is okay. The page is waiting for something but just reloads. I can not seem to get it to pass over to Duo for MFA.

[screenshot: log after two_factor]

I'm pretty familiar with Duo so I don't believe it's a misconfig there; it's as if I am missing some redirect to a 'special MFA page.'

[screenshot: Duo config]

 

There is no interaction with NGINX or proxy configs yet, I'm strictly trying internally, the default_redirection_url is simply google.com. I just want to see how the MFA functions and get the push to allow me onto my next destination. I may be looking at this entirely wrong but the guide seemed sound; I just feel like I missed something.

I can hit the portal but can't set up 2FA etc.

[screenshot: portal login page]

 

Thanks for any help

Link to comment
On 11/11/2020 at 8:11 PM, TangTrapper said:

If I set the policy to bypass I pass right through to the redirected site, but as soon as I set the policy to two_factor it just reloads the page and the log shows Credential validation is okay.

I'm having the same issue running through the instructions: I can authenticate, but then it just sits there at the user/pass screen.

Link to comment
  • 2 weeks later...

 

 

Here's a few gotchas that I ran into that may help others. Caveat emptor, I'm using a hybrid of Sycotix's and the LSIO instructions (I'm using SWAG for SSL/nginx) so your mileage may vary, etc, etc.

 

> On Duo, you actually need TWO logins. The first is your admin account that sets up your hostname/integration_key/secret_key via Partner Auth API. Now with that, you need to go into the config for the Application->PartnerAuthAPI and add a user that is THE SAME NAME as the user you have in file/ldap and then EMAIL THEM, which will give you the ability to enroll the phone app to that user. Then you can enroll that in Authelia when you get to that point. This page sort of says this but it's a bit cryptic and doesn't fill in all the blanks.

 

> I wasn't able to get to the second page of the 2FA enrollment when following Sycotix's instructions as described.

On 11/19/2020 at 5:09 PM, Randy42 said:

I'm having the same issue running through the instructions, I can authenticate, but then it just sits there at the user/pass screen.

I was in the same position, but managed to get 2FA enrollment going by going one step further in the setup and setting up a quick Heimdall instance and going to heimdall.YOURDOMAIN.etc and trying to 'login properly' and get pointed back to the target page, and at that point I was able to get to the second factor page and set up OTP and Push.

Link to comment

I am fairly new to Unraid and want to put Authelia in front of my Nextcloud / Heimdall. What I understood so far is that the template https://github.com/ibracorp/authelia.xml/blob/master/authelia.xml is meant as a docker template. Please correct me if that's not the case.

 

My question is, how do I get an Authelia container set up which is based on this template? In the CA "Apps" I see only the official Authelia container for download.

 

Thanks for any advice :)

Link to comment
39 minutes ago, doesntaffect said:

My question is, how do I get a authelia container set up, which is based on this template? In the CA "Apps" I see only the official authelia container for download.

Hi there and welcome to the unraid community! 

So in the App Store you will see the Authelia container showing as official because I link the XML to the official repository and docker hub page. What I have done is simply provide the XML so that it shows up on the app store for everyone. 

 

In other words, I basically created the link. So the Authelia container you see is the same one referenced here. You can then follow the instructions provided in the link on page 1 here (https://github.com/ibracorp/authelia) plus everyone else's comments. 

 

To everyone else who has taken the time to provide valuable feedback, I would like to thank you very much. I've been really busy lately and so it's been hard to make updates, but I implore anyone who comes into this thread to read everything that's been posted, as a lot of the information here helps a lot!

 

I'm currently working on an LDAP implementation via FreeIPA and using Authelia as protection. It's nearly ready and is working, so I'll post my Authelia config, with any changes recommended by the users here, to my GitHub link on page 1 (https://github.com/ibracorp/authelia).

 

EDIT: I should also add that Authelia does have official documentation, as written on page 1. Please use it to help you if stuck. My instructions were meant to help those using it on unraid as well as Nginx Proxy Manager. https://www.authelia.com/docs/

Edited by Sycotix
Link to comment
8 hours ago, ThreeFN said:

I was in the same position, but managed to get 2FA enrollment going by going one step further in the setup and setting up a quick hiemdall instance and going to heimdall.YOURDOMAIN.etc and trying to 'login properly' and get pointed back to the target page, and at that point I was able to get to the second factor page and setup OTP and Push.

Have you tried going to directly to the sub domain you setup for Authelia? i.e. auth.example.com? After logging in and having a valid session this should work. In any case, I have added your instructions to the Git page (crediting you of course). Thank you for coming back with a solution!

Link to comment
On 9/6/2020 at 12:33 PM, TX_Pilot said:

A couple of ideas to keep things a bit cleaner.

I know I'm a little late but just wanted to say thank you for sharing this. Certainly makes sense to use the variables and I did not realise at the time. I have updated the Protected Endpoint conf to match now.

 

As for the using the container name, I haven't been able to test it yet so I will keep it as is but your comment will help those who want to change it. 

 

Thanks again

Link to comment
On 9/4/2020 at 10:29 PM, Nano said:

Hey, I actually got Authelia working with a much simpler guide; it did not require any other dockers. If you turn on SQLite in Authelia it can all be done within the docker itself. Much much easier for people to follow.

 

    # storage section of configuration.yml: SQLite file inside the container's /config
    storage:
      local:
        path: /config/db.sqlite3

 

I'm sure you're much smarter than me and can tell me why this is not as good as your guide but who knows.

I agree with you it is 'easier'. However the reason it's not wise is because it's not as reliable as having a dedicated database to store the information.

While I understand most small deployments would be fine using the built-in SQL, I would not recommend it (and Authelia also doesn't recommend it) outside of a test environment.

 

When you're happy with it, I suggest launching a MariaDB or MySQL database and following our instructions; it's really easy.

Link to comment
On 11/28/2020 at 7:11 PM, Sycotix said:

Have you tried going to directly to the sub domain you setup for Authelia? i.e. auth.example.com? After logging in and having a valid session this should work. In any case, I have added your instructions to the Git page (crediting you of course). Thank you for coming back with a solution!

I'll need to go back and check. Random tangent: if you change the WEBUI link in app/docker->ADVANCED, does that not work? Once you have RevProx/Authelia up and running, there isn't a need for (and you don't really want) the webui to go to the IP anymore (e.g. you have to sign in separately). Am I crazy that if I change the webui line in the docker/app, it still goes to the IP:port instead? Can you not update the template that way?

On 11/28/2020 at 8:14 PM, Sycotix said:

When you're happy with it, I suggest launching a mariadb or MySQL database and following our instructions, it's really easy.

You can also leave the Redis out of the config and it will work as well, but is probably also in the 'not recommended for deployment' category.

 

Am I understanding Redis (and its use by Authelia) correctly that it's 'transactional database storage', which to me seems like SQL for 'more raw level data'? So Authelia uses SQL/MariaDB for the familiarity and 'easy stuff' (users, etc) databases and Redis for the 'fast stuff' (tokens, in-flight, etc) databases?

 

Another Doc recommendation may be details on docker 'start order' and waits with Authelia being last (well, SWAG/LE truly last) after Redis and MariaDB.

 

Look forward to LDAP. I probably don't need it, but do any of us really need anything we implement on the server?

 

I need to deploy a few more things and I might have a few more lessons learned, been knee deep in Zoneminder setup/optimizations/issues since getting baseline Authelia stuff working.

Link to comment
2 hours ago, ThreeFN said:

I probably don't need it but do any of us really need anything we implement on the sever?

Probably the funniest and most accurate thing I've read hahah

 

And yes great recommendation, the startup order is critical and I've got almost 15-30 secs delay between each container depending what it is.

Link to comment

Can anyone shed some light on this? Otherwise I think I'll have to start again from scratch.

Here's what I've done/noticed so far:

 

1. Copied your config and pasted over the one created and continued to follow the instructions.

2. At this part I wasn't sure if I had to literally type in 'YOURPASSWORD' or replace it with one of the 128-bit keys or a normal text password, so I used a 128-bit key.

[screenshot: db passwords]

3. When trying to start up I keep getting these errors which seem to relate to SMTP, which I do not have set up yet:

[screenshot: errors]

4. Commented out the SMTP part of the config and set up a txt file for notifications; tried true and false for the notification check, made no difference.

5. Line 324 in my config doesn't reference a key so not sure what's going on?

[screenshot: line 324]

 

I'm sure it's just something stupid I've done, but any help is appreciated; otherwise I will delete it all and start over.

Link to comment
6 hours ago, DioxideC said:

Can anyone shed some light on this? Otherwise I think ill have to start again from scratch.

2. YOURPASSWORD is whatever you like. Obviously the more secure, the better. Just make sure it's the same in your Authelia config.

3-5. If you don't want Authelia to test for SMTP, you need to set "disable_startup_check: true". Source: https://www.authelia.com/docs/configuration/notifier/

 

I would recommend you actually just use SMTP such as Gmail (or your own). Because if you like it, you will need to set it up anyway.

Edited by Sycotix
Link to comment
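An added configuration.yml fragment (mine, not the guide's) that puts the test-only setup Nano described, SQLite plus the filesystem notifier, next to the external database and SMTP setup Sycotix recommends, and shows where disable_startup_check sits (directly under notifier, not under smtp). The container name mariadb, the database name and the mail settings are assumptions. Authelia accepts exactly one storage backend and one notifier at a time, so pick one half of each pair; the alternative is shown commented out rather than as a second key.

```yaml
# Added example: storage, notifier and authentication_backend sections.
# Keep ONE storage backend and ONE notifier: Authelia refuses to start if
# both variants of either section are present at the same time.

authentication_backend:
  file:
    path: /config/users_database.yml   # the login name is the key under users:,
                                       # displayname is only what the UI shows

# --- test only: everything lives inside the Authelia container -----------
storage:
  local:
    path: /config/db.sqlite3

notifier:
  # Authelia checks the notifier at startup; with SMTP unreachable it exits
  # unless this is true. The key lives here, one level under notifier.
  disable_startup_check: false
  # The enrolment "e-mail" for 2FA is written to this file instead of being
  # sent; open it and follow the link to finish registering TOTP/Duo.
  filesystem:
    filename: /config/notification.txt

# --- recommended: external database and real mail ------------------------
# storage:
#   mysql:
#     host: mariadb            # container name on the shared Docker network
#     port: 3306
#     database: authelia
#     username: authelia
#     password: YOURPASSWORD   # whatever MariaDB was created with; any long
#                              # random string, it does not need to be a key
#
# notifier:
#   disable_startup_check: false   # keep the check once mail really works
#   smtp:
#     host: smtp.gmail.com
#     port: 587
#     username: you@gmail.com
#     password: APP_PASSWORD   # an app password, never the account password
#     sender: "Authelia <you@gmail.com>"
#     subject: "[Authelia] {title}"
```

The password under storage.mysql only has to match the value the MariaDB user was created with; nothing requires it to be one of the generated keys, but it should be long and random. Authelia can also read it, and the other secrets, from files instead of the config, for example by setting the container environment variable AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE to a path only the container can read (the same pattern exists for the JWT and session secrets and the SMTP password), which keeps them out of the config file and out of the screenshots that get pasted into threads like this one. A quick check that the notifier half is wired correctly: request a 2FA registration from the portal and watch either the notification.txt file or the mail inbox for the link.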
On 12/9/2020 at 8:20 PM, Sycotix said:

3-5. If you don't want Authelia to test for SMTP, you need to set "disable_startup_check: true". Source: https://www.authelia.com/docs/configuration/notifier/

Thanks for the reply :)

I've tried "disable_startup_check: true" but it seems to come up with the same errors. I'll try a few more things, then I'll redo it all over from the start.

 

I have 1 more question.

How else are people editing their config files? Because of the permissions I can't edit it within appdata; all I can do is edit a file on my machine then copy over the file using the config edit app plugin, which is also most annoying.

 

Edit: 10/12/20 - 02:00am:

Managed to get it working by starting the config file from scratch; might have been a space somewhere it should have been, but not 100% either way. Started up the container, got to the UI, tried to log in using the display name and password I set in the users_database.yml and it states incorrect username and password, with this error in the log:

[screenshot: user not found]

 

Getting closer to having it working but I'm getting blocked at every turn lol. Any ideas?

 

Examples of my config and users database file for reference:

[screenshot: users location]

 

[screenshot: user database]

 

Edit: 10/12/20 10:16am

OK so after doing some more fine checking, changed the users yml to this:

[screenshot: user db updated]

 

also made sure that database_index: 0 was included.

[screenshot: redis]

 

Now when I try and log in it doesn't seem to throw any errors but doesn't redirect away from the login screen. I think I read others were having that issue in this thread so will go back and read up.

After doing some reading I went ahead to the next step with NPM, got my SSL for the domain with Let's Encrypt fine, added in the info, but when going to the domain I get an error: too many redirects?

[screenshot: redirects]

Firefox gives me this:

[screenshot: redirect error in Firefox]

Any ideas?

 

 

Update: 12:41pm

After much hair pulling, googling, reading, shooting scrubs on Arma 3, I found out that the SSL/TLS settings on Cloudflare were the cause of the indefinite redirect issues. I can now also log in but am unable to set up the second factor part; I now get this error:

[screenshot: 2nd factor error]

To overcome this error I continued on as mentioned in an earlier post. I also had to make sure that my container name was changed from binhex-jellyfin to just jellyfin in the protected endpoint config.

Now to set up SMTP as it tries to send the 2FA setup process via email.

 

Finally we are getting there xD

 

Edit: 11/12/20 13:07:

OK so all seems to be working well locally.

Now getting a 403 forbidden error when an external IP tries to access example.domain.co.uk.

The address bar changes to > https://example.domain.co.uk/?rd=http://example.domain.co.uk/ and gives the 403 error.

If you manually put an s in, making it now > https://example.domain.co.uk/?rd=https://example.domain.co.uk/

it works after that. I read a user a few posts back had this issue; couldn't find any fixes for this yet though?

 

My settings for NPM are http for my endpoint, and even changing to https doesn't make a difference; it still comes up as > https://example.domain.co.uk/?rd=http://example.domain.co.uk/ and gives the 403 error. That ?rd= needs to convert to https but not sure how or where it does that part yet. Any ideas?

Edited by DioxideC
Link to comment
