Identity as a Perimeter
Being able to reach a service over the network should not mean being able to use it. Authelia acts as the gatekeeper, providing a central portal for Single Sign-On (SSO) and Multi-Factor Authentication (MFA) in front of every service.
Why Authelia?
While many services have their own login systems, managing 30+ separate usernames and passwords is a security risk. Authelia allows me to:
- Use a single, strong identity for everything.
- Enforce MFA (Duo or TOTP) for all users.
- Control access based on groups or subdomains.
Integration with Traefik
Authelia doesn't sit "in front" of individual services in the Docker sense. Instead, Traefik uses a ForwardAuth middleware to talk to Authelia.
- A user hits pw.home.websters.at.
- Traefik asks Authelia: "Is this user logged in?"
- If no, Authelia redirects the user to the login portal.
- If yes, Traefik passes the request to the internal Vaultwarden container.
The Configuration
Authelia is configured using a configuration.yml file. I've redacted the sensitive parts, but here is how the policies are structured:
access_control:
  default_policy: deny
  rules:
    # Authelia applies the first rule that matches, so the more specific rule is listed first;
    # placed after the wildcard rule below it would be shadowed for requests from the trusted LAN.
    - domain: "traefik.home.websters.at"
      policy: two_factor # Sensitive apps always need 2FA
      subject: "group:admins"
    - domain: "*.home.websters.at"
      policy: one_factor
      networks:
        - <INTERNAL_IP>/24 # Trusted local network needs only 1FA
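Because Authelia applies the first matching rule, the order of the two rules above decides which factor an admin on the trusted LAN needs for traefik.home.websters.at. The following is an added example (not Authelia's code, and not from the original post) that models that first-match evaluation for the page's rules with a simplified rule model (domain, networks and a single group subject; anonymous users are not modelled); the 192.168.1.0/24 network and the 203.0.113.5 client address are constructed placeholders for the redacted values.

```python
import ipaddress

# Constructed stand-in for the redacted <INTERNAL_IP>/24 trusted network.
LAN = "192.168.1.0/24"

WILDCARD_RULE = {"domain": "*.home.websters.at", "policy": "one_factor",
                 "networks": [LAN]}
TRAEFIK_RULE = {"domain": "traefik.home.websters.at", "policy": "two_factor",
                "subject": "group:admins"}

# The two possible orderings of the page's rules.
WILDCARD_FIRST = [WILDCARD_RULE, TRAEFIK_RULE]
SPECIFIC_FIRST = [TRAEFIK_RULE, WILDCARD_RULE]


def domain_matches(pattern: str, host: str) -> bool:
    # "*.example.com" matches any subdomain but not the apex "example.com".
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern


def rule_matches(rule: dict, host: str, client_ip: str, groups: list) -> bool:
    # Every criterion present on the rule must hold for the rule to match.
    if not domain_matches(rule["domain"], host):
        return False
    if "networks" in rule:
        # client_ip is what Authelia sees after Traefik forwards the real client address.
        ip = ipaddress.ip_address(client_ip)
        if not any(ip in ipaddress.ip_network(net) for net in rule["networks"]):
            return False
    if "subject" in rule:
        kind, _, value = rule["subject"].partition(":")
        if kind != "group" or value not in groups:
            return False
    return True


def effective_policy(rules: list, host: str, client_ip: str, groups: list,
                     default: str = "deny") -> str:
    # First match wins; otherwise the access_control default_policy applies.
    for rule in rules:
        if rule_matches(rule, host, client_ip, groups):
            return rule["policy"]
    return default


if __name__ == "__main__":
    for name, rules in (("wildcard first", WILDCARD_FIRST), ("specific first", SPECIFIC_FIRST)):
        print(name, "LAN admin on traefik ->",
              effective_policy(rules, "traefik.home.websters.at", "192.168.1.10", ["admins"]))
```

With the wildcard rule first, a LAN admin reaching the Traefik dashboard is only asked for one factor; with the specific rule first, the two-factor policy applies as the comment intends.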
Security & Hardware
I store the session data and user configurations in a dedicated Docker volume. For the best security, I've integrated Authelia with my local LDAP/Active Directory or a simple YAML-based user database for smaller setups.
Authelia ensures that even if a service has an exploitable vulnerability, an attacker still has to get past the identity layer first. This only holds as long as the service is reachable exclusively through Traefik, so the container must not publish its own ports to the host or the network.