Authelia: Self-Hosted Two-Factor Authentication Proxy for Web Apps

Why Authelia?

Adding login pages and 2FA to every self-hosted app is tedious. Authelia centralizes it:

Single login portal for all your apps behind a reverse proxy.
TOTP, WebAuthn, and Duo Push 2FA methods.
Per-app policies — bypass, one-factor, or two-factor per domain/path.
Lightweight — ~30 MB Docker image, minimal RAM usage.

Prerequisites

Docker and docker-compose.
A reverse proxy (Nginx, Traefik, Caddy, or HAProxy).
A domain with wildcard DNS (e.g., *.home.example.com).
SMTP credentials for email-based password resets.

Step 1: Docker Compose Setup

# docker-compose.yml
version: "3"
services:
  authelia:
    image: authelia/authelia:latest
    container_name: authelia
    volumes:
      - ./authelia:/config
    ports:
      - "9091:9091"
    environment:
      TZ: America/Mexico_City
    restart: always

Step 2: Configuration (configuration.yml)

# authelia/configuration.yml
server:
  address: "tcp://0.0.0.0:9091"

session:
  name: authelia_session
  secret: a-very-long-random-secret
  cookies:
    - domain: home.example.com
      authelia_url: https://auth.home.example.com

storage:
  local:
    path: /config/db.sqlite3

notifier:
  smtp:
    host: smtp.gmail.com
    port: 587
    username: your@gmail.com
    password: app-password

authentication_backend:
  file:
    path: /config/users_database.yml

access_control:
  default_policy: deny
  rules:
    # Public services — no auth needed
    - domain: public.home.example.com
      policy: bypass

    # Internal tools — password only
    - domain: "*.home.example.com"
      policy: one_factor

    # Sensitive services — require 2FA
    - domain:
        - vault.home.example.com
        - admin.home.example.com
      policy: two_factor

Step 3: Nginx Integration

server {
    server_name app.home.example.com;

    location /authelia {
        internal;
        proxy_pass http://authelia:9091/api/authz/auth-request;
        proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    }

    location / {
        auth_request /authelia;
        auth_request_set $user $upstream_http_remote_user;
        proxy_set_header Remote-User $user;
        proxy_pass http://your-app:8080;
    }
}

Step 4: User Database

# authelia/users_database.yml
users:
  admin:
    displayname: "Admin User"
    password: "$argon2id$v=19$m=65536,t=3,p=4$..."  # Use authelia hash-password
    email: admin@example.com
    groups:
      - admins

Generate password hashes: docker run authelia/authelia:latest authelia crypto hash generate argon2

Access Control Policy Reference

Policy	Description
`bypass`	No authentication needed (public)
`one_factor`	Username + password only
`two_factor`	Username + password + TOTP/WebAuthn/Duo
`deny`	Block access entirely

Troubleshooting

Problem	Solution
Redirect loop after login	Verify the `authelia_url` in session cookies matches your Authelia domain exactly
2FA setup page not loading	Ensure SMTP notifier is configured — Authelia sends a registration link via email
”401 Unauthorized” on bypass rules	Check rule order — rules are evaluated top to bottom, first match wins
Session lost between subdomains	Set the cookie `domain` to the parent domain (e.g., `home.example.com`, not `app.home.example.com`)
Password hash rejected	Use `authelia crypto hash generate argon2` to create compatible hashes

Summary

Authelia provides centralized SSO + 2FA for all reverse-proxied apps.
Access control rules let you customize security per domain (bypass, 1FA, 2FA).
Integrates with Nginx, Traefik, Caddy, and HAProxy via auth subrequests.
Store users in a local file or connect to LDAP/Active Directory.

Frequently Asked Questions

What is Authelia and why use it?

Authelia is an open-source authentication server that adds Single Sign-On (SSO) and Two-Factor Authentication (2FA) to any web application sitting behind a reverse proxy like Nginx or Traefik. Instead of each app managing its own login, Authelia acts as a centralized gatekeeper — users authenticate once and gain access to all protected services.

How does Authelia work with a reverse proxy?

Your reverse proxy (Nginx/Traefik) sends an authentication subrequest to Authelia for every incoming request. If the user is already authenticated and authorized, Authelia returns 200 and the proxy forwards the request to the app. If not, Authelia returns 401 and redirects the user to its login portal for credentials and 2FA.

What 2FA methods does Authelia support?

Authelia supports TOTP (Time-Based One-Time Passwords, compatible with Google Authenticator, Authy, etc.), WebAuthn/FIDO2 (hardware security keys like YubiKey), and Duo Push (mobile push notifications via Duo Security).

Can I set different authentication levels for different apps?

Yes. Authelia's access control rules let you require one_factor (password only) for low-risk apps, two_factor for sensitive apps, and bypass for public services. Rules are defined per domain, subdomain, or path pattern.