wieerwill/self-hosted-cookbook
1
0
Fork 0
mirror of https://github.com/tborychowski/self-hosted-cookbook.git synced 2025-05-13 10:53:38 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

traefik & authelia

Browse Source
This commit is contained in:
Tomasz Borychowski 2020-10-31 16:45:17 +00:00
parent 3b2fe005a2
commit c00ded115d
3 changed files with 300 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
README.md
View File

@ -163,8 +163,10 @@ So, without further ado, here's the current list:
# Reverse proxy & SSO
- Authelia
- Traefik
- [Authelia](apps/reverse-proxy-sso/authelia.md)
- [Traefik](apps/reverse-proxy-sso/traefik.md)
- [Caddy](https://caddyserver.com/) [external] - very good web server with reverse-proxy & automatic https.
- [Nginx Proxy Manager](https://nginxproxymanager.com/) [external] - another nice solution based on the battle-tested & probably the most popular web-server - nginx. It has a pretty UI that allows to manage the services.
# RSS

111
apps/reverse-proxy-sso/authelia.md Normal file
View File

@ -0,0 +1,111 @@
# Authelia
This is a fantastic, feature rich and simple to set-up Single Sign-On solution.
The config files below, will use a file-storage for users, because it's simpler and quite sufficient for simple self-hosting server at home (as opposed to seting up full featured LDAP back-end).
<br>
- [Homepage](https://www.authelia.com/)
- [Github repo](https://github.com/authelia/authelia)
- [Docs](https://www.authelia.com/docs/)
## docker-compose.yml
```yml
version: '3.3'
networks:
net:
driver: bridge
services:
authelia:
image: authelia/authelia
container_name: authelia
restart: unless-stopped
expose:
- 9091
ports:
- "9091:9091"
networks:
- net
environment:
- TZ=Europe/Dublin
volumes:
- ./data:/var/lib/authelia
- ./config.yml:/etc/authelia/configuration.yml:ro
- ./users.yml:/etc/authelia/users.yml:ro
redis:
image: redis:alpine
container_name: redis
volumes:
- ./redis:/data
expose:
- 6379
networks:
- net
restart: unless-stopped
environment:
- TZ=Europe/Dublin
```
## config.yml
```yml
host: 0.0.0.0
port: 9091
# log_level: debug
jwt_secret: DphJJcoCO2aXK666tq3d2AgMQ8gaugukKsUjKzMciA
authentication_backend:
file:
path: /etc/authelia/users.yml
storage:
local:
path: /var/lib/authelia/db.sqlite3
notifier:
filesystem:
filename: /tmp/authelia/notification.txt
session:
name: authelia_session
secret: U8kmbel7WhP1YneQh2134DXhsiSHctE5Emtf
expiration: 3600 # 1 hour
inactivity: 300 # 5 minutes
# The domain to protect.
# Note: the login portal must also be a subdomain of that domain.
domain: example.com
redis:
host: redis
port: 6379
regulation:
max_retries: 3
find_time: 120
ban_time: 300
access_control:
default_policy: one_factor
rules:
- domain: "*.example.com"
subject: "group:admins"
policy: one_factor
```
## users.yml
```yml
users:
admin:
displayname: "admin"
password: "" # password hash - see below how to generate
email: admin@example.com
groups:
- admins
```
## Tips & Tricks
Generate password hash for the `users.yml`:
```sh
docker run authelia/authelia:latest authelia hash-password <PASS>
```

185
apps/reverse-proxy-sso/traefik.md Normal file
View File

@ -0,0 +1,185 @@
# Traefik
This is one of the best reverse-proxy solutions for self-hosting.
Very easy to run & maintain (once you pass the setup).<br>
Traefik can detect docker services and use docker labels to automatically create routes.
However, I prefer to keep my docker-compose files clean and explicitly set routers & services myself, so this solution does that exactly.<br>
Traefik can also be set-up to automatically provide Let's Encrypt certs for your services.
However, there are some services that need cert files (AdGuard Home, Mailcow), and because I want to have a single wildcard certificate for my whole domain (and all subdomains) I prefer to generate it manually (i.e. scripts in cron) and just reference it whenever it's required - so this setup reflects that.
## General overview
Traefik has 2 types of config: static (requires restart of the container) and dynamic (refreshes live).
Dynamic config can be provided as a folder, where all `yml` files are parsed and configuration from them is applied to the running server.
You can create multiple files and split the dynamic config to your preference. I prefer to keep the 2 main layers (routers & services) separate, as it's easy for me to structure the files and it's clear to see what services are defined and the ports that they use. The down-side is that adding/removing a service requires editing 2 files.<br>
Another approach would be to use 1 yaml file per service (with route & service definition). It would be clearer from the Filesystem (ls -al) to see what services are configured, but e.g. checking all ports would require viewing all config files.<br>
For that reason it's also good to keep a note somewhere with a table of service-port mapping.
<br>
- [Homepage](https://traefik.io/)
- [Github repo](https://github.com/traefik)
- [Docs](https://doc.traefik.io/traefik/)
## docker-compose.yml
```yml
version: '3'
services:
traefik:
image: traefik:v2.3
container_name: traefik
restart: unless-stopped
security_opt: ["no-new-privileges"]
ports:
- "80:80"
- "443:443"
- "3080:8080"
volumes:
- /etc/localtime:/etc/localtime:ro
- /path/to/certs:/certs:ro
- ./config:/config:ro
- ./traefik.yml:/traefik.yml:ro
```
## Static config
### traefik.yml
```yml
global:
checkNewVersion: true
sendAnonymousUsage: false
api:
dashboard: true
insecure: true
entryPoints:
http:
address: ":80"
https:
address: ":443"
serversTransport:
insecureSkipVerify: true
providers:
file:
directory: /config
watch: true
```
## Dynamic config
### config/middlewares.yml
```yml
http:
middlewares:
authelia:
forwardAuth:
address: http://<SERVER IP>:9091/api/verify?rd=https://login.example.com/
trustForwardHeader: true
redirect-to-https:
redirectScheme:
scheme: https
permanent: true
security-headers:
headers:
referrerPolicy: "same-origin"
contentTypeNosniff: true
frameDeny: false
forceSTSHeader: true
stsIncludeSubdomains: true
stsPreload: true
stsSeconds: 15552000
nextcloud-redirectregex:
redirectRegex:
permanent: true
regex: 'https://(.*)/.well-known/(card|cal)dav'
replacement: 'https://${1}/remote.php/dav/'
some-redirect:
redirectRegex:
regex: "https://subdomain1.example.com/"
replacement: "https://subdomain2.example.com?query=123"
permanent: true
```
### config/tls.yml
```yml
tls:
certificates:
- certFile: /example1-com/fullchain.cer
keyFile: /example1-com/example1.com.key
stores:
- default
- certFile: /example2-com/fullchain.cer
keyFile: /example2-com/example2.com.key
stores:
- default
stores:
default:
defaultCertificate:
certFile: /example1-com/fullchain.cer
keyFile: /example1-com/example1.com.key
```
### config/routers.yml
```yml
http:
routers:
authelia:
rule: "Host(`login.example.com`)"
service: authelia
tls: {}
middlewares:
- security-headers
nextcloud:
rule: "Host(`cloud.example.com`)"
service: nextcloud
tls: {}
middlewares:
- security-headers
- nextcloud-redirectregex
sonarr:
rule: "Host(`sonarr.example.com`)"
service: sonarr
tls: {}
middlewares:
- security-headers
- authelia
```
### config/services.yml
```yml
http:
services:
authelia:
loadBalancer:
servers:
- url: "http://<SERVER IP>:9091"
nextcloud:
loadBalancer:
servers:
- url: "http://<SERVER IP>:3100"
sonarr:
loadBalancer:
servers:
- url: "http://<SERVER IP>:8989/"
```
## Useful links
- [Traefik 2 + Docker — a Simple Step by Step Guide](https://medium.com/@containeroo/traefik-2-0-docker-a-simple-step-by-step-guide-e0be0c17cfa5#37d9)
- [Traefik 2 + Docker — an Advanced Guide](https://medium.com/@containeroo/traefik-2-0-docker-an-advanced-guide-d098b9e9be96)
- [Traefik 2 & TLS 101](https://containo.us/blog/traefik-2-tls-101-23b4fbee81f1/)
- [check security headers](https://securityheaders.com)