Authelia
Information
Have you ever wondered how to secure your web applications with a simple, secure, and elegant solution? Do you want to offer your users a seamless login experience across multiple domains and services? If so, you might be interested in Authelia, an open-source authentication and authorization server that provides two-factor authentication (2FA) and single sign-on (SSO) for your applications via a web portal. In this document, KBVE introduces you and your dev team to the features and benefits of Authelia, and shows you how to set it up with common reverse proxies like Nginx, Traefik, or HAProxy. By the end of this reference, you will be able to protect your web applications with Authelia and enjoy a secure, hassle-free authentication process.
How It Works
Authelia does not modify your applications. Instead, it plugs into your reverse proxy using a pattern called forward auth (also called external auth or auth_request):
- A user requests a protected service, e.g. https://app.kbve.com.
- The reverse proxy pauses and asks Authelia: is this session authenticated and authorized?
- If yes, the proxy forwards the request to the backend as normal.
- If no, the user is redirected to Authelia’s login portal, completes 2FA, and is sent back — now with a valid session cookie.
Because the session cookie is scoped to your root domain, one login unlocks every protected subdomain — that is the single sign-on (SSO) experience.
| Concept | Meaning |
|---|---|
| Authentication | Proving who the user is (password + 2FA) |
| Authorization | Deciding what the user may access (access control rules) |
| Forward auth | Reverse proxy delegates the auth decision to Authelia |
| SSO | One authenticated session grants access across services |
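The flow above as a simplified model, added here as an example and not taken from Authelia, Traefik, or the original page. It shows the proxy short-circuiting unauthenticated requests and replacing client-supplied identity headers with the auth server's values. The `sid` cookie name, the `SESSIONS` and `RULES` data, and the redirect format are constructed for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import quote

PORTAL = "https://auth.kbve.com"  # portal URL taken from the rd= parameter on this page
ID_HEADERS = {"remote-user", "remote-groups", "remote-name", "remote-email"}
# Constructed sample data: one logged-in session and per-host group requirements.
SESSIONS = {"abc123": {"Remote-User": "alice", "Remote-Groups": "dev"}}
RULES = {"app.kbve.com": None, "admin.kbve.com": "admins"}  # host -> required group


def verify(host, session_id):
    """Auth-server side: return (status, headers) for one request."""
    if host not in RULES:
        return 403, {}  # no rule for this host: deny by default
    session = SESSIONS.get(session_id)
    if session is None:  # not authenticated: send the browser to the portal
        target = quote(f"https://{host}/", safe="")
        return 302, {"Location": f"{PORTAL}/?rd={target}"}
    required = RULES[host]
    if required and required not in session["Remote-Groups"].split(","):
        return 403, {}  # authenticated but not authorized
    return 200, dict(session)


def proxy(host, request_headers):
    """Proxy side: ask verify() first; only a 200 reaches the backend."""
    jar = SimpleCookie(request_headers.get("Cookie", ""))
    sid = jar["sid"].value if "sid" in jar else None  # "sid" is a hypothetical cookie name
    status, auth_headers = verify(host, sid)
    if status != 200:
        return status, auth_headers  # answered by the proxy, backend untouched
    # Drop identity headers the client sent, then set the auth server's values.
    forwarded = {k: v for k, v in request_headers.items() if k.lower() not in ID_HEADERS}
    forwarded.update(auth_headers)
    return 200, forwarded


if __name__ == "__main__":
    spoof = {"Cookie": "sid=abc123", "Remote-User": "root", "Remote-Groups": "admins"}
    print(proxy("app.kbve.com", {}))        # 302 to the portal
    print(proxy("app.kbve.com", spoof))     # 200, Remote-User is alice
    print(proxy("admin.kbve.com", spoof))   # 403, spoofed group ignored
```

The same check matters in a real deployment: the backend should only be reachable through the proxy, since anything that can reach it directly can set `Remote-User` itself.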
Install
There are a couple of ways to install Authelia. Here are the official deployment notes for each:
Prerequisites
A decent understanding of your operating system, networking, and containerization will be extremely helpful.
One fundamental requirement: Authelia has to operate under SSL/TLS.
The default port that Authelia runs on is 9091, but this can be changed.
Finally, if you have Cloudflare sitting in front of your domain, double-check your forwarded headers — Authelia provides a guide on that here.
Docker
This section covers deploying Authelia via Docker.
We use the DockerHub image authelia/authelia, but you can opt for their GitHub image as well.
Since our ecosystem uses Traefik, we recommend following the documentation for its integration.
A minimal docker-compose.yml service:
```yaml
services:
  authelia:
    image: authelia/authelia
    container_name: authelia
    volumes:
      - ./authelia:/config
    ports:
      - "9091:9091"
    environment:
      - TZ=America/New_York
    restart: unless-stopped
```
Traefik forwardAuth
Wire Authelia into Traefik with a forwardAuth middleware, then attach it to any protected router:
```yaml
labels:
  - "traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.kbve.com"
  - "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true"
  - "traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
```
What is Authelia?
Authelia is an open-source authentication and authorization server that provides 2FA and SSO for your web applications. It sits behind a reverse proxy like Nginx or Traefik and validates every request before it reaches the protected service — like an application-layer firewall.
How does Authelia integrate with a reverse proxy?
It uses forward auth. The reverse proxy intercepts each request and asks Authelia whether the user is authenticated and authorized. If yes, the request passes through; if not, the user is redirected to the login portal. Nginx uses auth_request; Traefik uses a forwardAuth middleware.
What port does Authelia run on?
Authelia listens on port 9091 by default, but it is configurable. It must operate under SSL/TLS, so you terminate HTTPS at your reverse proxy and forward authenticated traffic to Authelia and your backend services.
Does Authelia support single sign-on across multiple domains?
Yes. Once a user authenticates, a session cookie scoped to your root domain grants access to every protected subdomain and service without logging in again.
What do I need before deploying Authelia?
A working reverse proxy (Nginx, Traefik, or HAProxy), a domain with valid SSL certificates, and a session/storage backend. If Cloudflare sits in front of your domain, verify your forwarded headers configuration.
