init

.gitignore

@@ -0,0 +1,8 @@
+.env
+data/logs/*
+data/redis/*
+data/traefik/acme.json
+
+data/authelia/db.sqlite3
+data/authelia/users_database.yml
+data/authelia/secrets/smtp-pass.key

README.md

@@ -0,0 +1,31 @@
+# Authelia + Traefik Demo
+
+## Старт
+
+1. ./init.sh
+2. заполняем .env
+3. заполняем
+	* data/authelia/users_database.yml
+	* data/authelia/secrets/smtp-pass.key
+4. заполняем конфиг data/authelia/configuratuon.yml
+5. прописываем правила доменов в data/authelia/access_control.aml
+6. если не нужна почта и достаточно записи в файлике, правим конфиг в конце, где smtp
+
+## Генерация юзеров
+
+Для генерации пароля воспользуемся командой:
+
+```bash
+docker run --rm authelia/authelia:4.38.8 authelia crypto hash generate argon2 --random --random.length 12
+```
+
+## Видео к курсу
+[видео]()
+
+## Автор
+
+Vassiliy Yegorov
+
+- [школа](https://realmanual.ru)
+- [youtube](https://youtube.com/realmanual)
+- [телега](https://t.me/realmanual_group)

data/authelia/access_control.yml

@@ -0,0 +1,22 @@
+access_control:
+  default_policy: one_factor
+  # networks:
+  # - name: 'internal'
+  #   networks:
+  #   - '10.0.0.0/8'
+  #   - '172.16.0.0/12'
+  #   - '192.168.0.0/18'
+  rules:
+    - domain: traefik.lab.bildme.ru # TODO CHANGE ME!
+      policy: one_factor
+      subject:
+      - ['group:admins']
+    - domain: test1.lab.bildme.ru # TODO CHANGE ME!
+      policy: two_factor
+      subject:
+      - ['group:admins']
+      # networks:
+      # - 'internal'
+      # methods:
+      # - 'GET'
+      # - 'HEAD'

data/authelia/configuration.yml

@@ -0,0 +1,105 @@
+###############################################################################
+#                           Authelia Configuration                            #
+###############################################################################
+
+theme: dark
+
+identity_validation:
+  reset_password:
+    jwt_secret: LCnTJ5AxoB4tGvClpfhOSiLCnTJ5AxoB4tGvClpfhOSi # TODO CHANGE ME!
+
+default_2fa_method: "totp"
+
+## Server Configuration
+server:
+  address: tcp://0.0.0.0:9091/
+  endpoints:
+    enable_pprof: false
+    enable_expvars: false
+
+## Log Configuration
+log:
+  level: debug
+
+## TOTP Configuration
+totp:
+  issuer: auth.lab.bildme.ru # TODO CHANGE ME!
+
+## WebAuthn Configuration
+webauthn:
+  disable: false
+  timeout: 60s
+  display_name: Authelia
+  attestation_conveyance_preference: indirect
+  user_verification: preferred
+
+## NTP Configuration
+ntp:
+  address: "time.cloudflare.com:123"
+  version: 4
+  max_desync: 3s
+  disable_startup_check: false
+  disable_failure: false
+
+## Authentication Backend Provider Configuration
+authentication_backend:
+  ## File (Authentication Provider)
+  file:
+    path: /config/users_database.yml
+    watch: true
+    search:
+      email: false
+      case_insensitive: false
+    password:
+      algorithm: argon2
+      argon2:
+        variant: 'argon2id'
+        iterations: 3
+        memory: 65536
+        parallelism: 4
+        key_length: 32
+        salt_length: 16
+
+## Session Provider Configuration
+session:
+  secret: Y8W4HvSen0R4Y8W4HvSen0R4Y8W4HvSen0R4 # TODO CHANGE ME!
+  expiration: 8h
+  inactivity: 4h
+  cookies:
+    - name: 'Authelia Demo cookies'
+      domain: lab.bildme.ru # TODO CHANGE ME!
+      authelia_url: https://auth.lab.bildme.ru/ # TODO CHANGE ME!
+      expiration: '1 hour'
+      inactivity: '5 minutes'
+
+  ## Redis Provider
+  redis:
+    host: redis
+    port: 6379
+    database_index: 0
+    maximum_active_connections: 20
+    minimum_idle_connections: 0
+
+## Regulation Configuration
+regulation:
+  max_retries: 3
+  find_time: 2m
+  ban_time: 30m
+
+## Storage Provider Configuration
+storage:
+  encryption_key: 9JM1ZMf980gQ3enewZEoTq9JM1ZMf980gQ3enewZEoTq # TODO CHANGE ME!
+  local:
+    path: /config/db.sqlite3
+
+## Notification Provider
+notifier:
+  disable_startup_check: true
+  ## File System (Notification Provider)
+  # filesystem:
+  #   filename: /config/notification.txt
+  smtp: # TODO CHANGE ME!
+    subject: "[Authelia] {title}"
+    username: 'authelia@mg.bildme.ru'
+    sender: 'auth@mg.bildme.ru'
+    address: 'smtp://smtp.eu.mailgun.org:587'

data/authelia/secrets/smtp-pass.key-example

@@ -0,0 +1 @@
+smtp-pass

data/authelia/users_database.yml.example

@@ -0,0 +1,14 @@
+---
+###############################################################
+#                         DEMO Users Database                 #
+###############################################################
+
+users:
+  admin:
+    disabled: false
+    displayname: "Demo User"
+    password: ""
+    email: admin@gmail.com
+    groups:
+      - admins
+...

data/traefik/traefik.yaml

@@ -0,0 +1,45 @@
+global:
+  checkNewVersion: true
+
+log:
+  level: debug
+  filePath: /data/stdout.log
+  format: common
+
+accessLog:
+  filePath: "/data/access.log"
+  filters:
+    statusCodes:
+      - "500-505"
+    retryAttempts: true
+    minDuration: "10ms"
+
+serversTransport:
+  insecureSkipVerify: true
+
+api:
+  dashboard: true
+
+entryPoints:
+  http:
+    address: ":80"
+    forwardedHeaders:
+      insecure: true
+  https:
+    address: ":443"
+
+providers:
+  docker:
+    endpoint: "unix:///var/run/docker.sock"
+    exposedByDefault: false
+  # file:
+  #   directory: /custom
+  #   watch: true
+
+certificatesResolvers:
+  letsEncrypt:
+    acme:
+      email: admin@gmail.com
+      storage: acme.json
+      httpChallenge:
+        entryPoint: http

docker-compose.yml

@@ -0,0 +1,99 @@
+services:
+  traefik:
+    image: traefik:v3.0.2
+    container_name: traefik
+    restart: unless-stopped
+    cap_add:
+      - NET_BIND_SERVICE
+    security_opt:
+      - no-new-privileges:true
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.traefik.entrypoints=https"
+      - "traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN}`)"
+      - "traefik.http.routers.traefik.tls=true"
+      - "traefik.http.routers.traefik.tls.options=default"
+      - "traefik.http.routers.traefik.tls.certresolver=letsEncrypt"
+      - "traefik.http.routers.traefik.service=api@internal"
+      - "traefik.http.routers.traefik.middlewares=authelia@docker"
+      - "traefik.http.services.traefik-traefik.loadbalancer.server.port=888"
+      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
+      # global redirect to https
+      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
+      - "traefik.http.routers.http-catchall.entrypoints=http"
+      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - ./data/traefik/traefik.yaml:/traefik.yml:ro
+      - ./data/traefik/acme.json:/acme.json
+      - ./data/logs/stdout.log:/data/stdout.log:rw
+      - ./data/logs/access.log:/data/access.log:rw
+    ports:
+      - 80:80
+      - 443:443
+    networks:
+      - webproxy
+      - authelia
+
+  authelia:
+    container_name: authelia
+    image: authelia/authelia:4.38.8
+    restart: unless-stopped
+    healthcheck:
+      disable: true
+    command:
+      - 'authelia'
+      - '--config=/config/configuration.yml'
+      - '--config=/config/access_control.yml'
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=webproxy"
+      - "traefik.http.routers.authelia.rule=Host(`auth.${DOMAIN}`)"
+      - "traefik.http.routers.authelia.entrypoints=https"
+      - "traefik.http.routers.authelia.tls=true"
+      - "traefik.http.routers.authelia.tls.certresolver=letsEncrypt"
+      - 'traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/authz/forward-auth?authelia_url=https%3A%2F%2Fauth.${DOMAIN}%2F'
+      - "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true"
+      - "traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User, Remote-Groups, Remote-Name, Remote-Email"
+      - "traefik.http.routers.authelia.middlewares=redirect-to-https"
+    environment:
+      TZ: "Asia/Novosibirsk"
+      AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE: /secrets/smtp-pass.key
+    volumes:
+      - ./data/authelia:/config
+      - ./data/authelia/secrets:/secrets
+    networks:
+      - webproxy
+      - authelia
+
+  redis:
+    image: redis:alpine
+    restart: unless-stopped
+    container_name: redis
+    volumes:
+      - ./data/redis:/data
+    networks:
+      - authelia
+
+  nginx1:
+    image: nginx
+    restart: unless-stopped
+    container_name: nginx1
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=webproxy"
+      - "traefik.http.routers.nginx.rule=Host(`test1.${DOMAIN}`)"
+      - "traefik.http.routers.nginx.entrypoints=https"
+      - "traefik.http.routers.nginx.tls=true"
+      - "traefik.http.routers.nginx.tls.certresolver=letsEncrypt"
+      - "traefik.http.routers.nginx.middlewares=authelia@docker"
+    networks:
+      - authelia
+      - webproxy
+
+networks:
+  authelia:
+    name: authelia-net
+  webproxy:
+    name: webproxy

init.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+#!/bin/bash
+
+touch data/traefik/acme.json
+chmod 600 data/traefik/acme.json
+
+touch data/logs/stdout.log
+touch data/logs/access.log
+
+[[ ! -f .env ]] && cp .env.example .env
+[[ ! -f data/authelia/secrets/smtp-pass.key ]] && cp data/authelia/secrets/smtp-pass.key-example data/authelia/secrets/smtp-pass.key