Nginx Setup with Authelia
Samuel Dowling’s Nginx Reverse Proxy Guide [1] is a very good resource on how to set up and configure nginx as a reverse proxy. Based on his recommendations, I’m using his structure as the model for the nginx configuration in this guide.
The basic layout for nginx for this guide is the following:
/etc/nginx
|-- vdomains
| |-- authelia.<domain.com>
| `-- <domain.com>
|-- snippets
| |-- authelia.location.conf
| |-- authelia.<domain.com>.cert.conf
| |-- authelia.<domain.com>.conf
| |-- authelia_auth.conf
| |-- authelia_proxy.conf
| |-- ssl-modern-params.conf
| |-- ssl-params.conf
| |-- <domain.com>.cert.conf
| |-- <domain.com>.conf
| |-- proxy-ssl-params.conf
| `-- internal-access-rules.conf
`-- nginx.conf
At least two virtual domains need to be configured:
- authelia.<domain.com> = the authelia registration and authentication portal
- <domain.com> = the domain/web application that utilizes authelia as an authentication frontend.
Multiple domains/sites can utilize authelia for frontend authentication, depending on the reverse proxy configuration. Examples of the types of locations which can utilize authelia as a frontend:
- Top Level Domains: domain.com, yourdomain.org, happiness.biz
- SubDomains: subdomain1.domain.com, whereis.yourdomain.org
- Folders: domain.com/admin, yourdomain.org/lost/img
Example Configuration
Please adapt to your setup, particularly if you have a pre-existing configured nginx reverse proxy.
My main /etc/nginx/nginx.conf file is very basic. All the virtual domains are included from the /etc/nginx/vdomains folder, and the shared include files are located within the /etc/nginx/includes folder.
nginx.conf
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    # Note the trailing space inside each quoted segment: without it the
    # "$http_referer" and "$http_user_agent" fields run together in the log line
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    types_hash_max_size 4096;
    # Redirect all HTTP traffic to HTTPS
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        return 301 https://$host$request_uri;
    }
    # Import server blocks for all subdomains
    include "vdomains/*.conf";
}
authelia.<domain.com> virtual domain file
Located at: /etc/nginx/vdomains/authelia.<domain.com>.conf
The full example file is found here: authelia.domain.com.conf
server {
    listen 80;
    server_name authelia.<domain.com>;
    return 301 https://$server_name$request_uri;
}
server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name authelia.<domain.com>;
    access_log /var/log/nginx/authelia.<domain.com>.access.log main buffer=32k;
    error_log /var/log/nginx/authelia.<domain.com>.error.log warn;
    include snippets/authelia.<domain.com>.cert.conf;
    include snippets/ssl-params.conf;
    location / {
        # If nginx is run within a docker container, the following line would be
        # set $upstream_authelia http://authelia:8080; -> Please adjust the port number to
        # the port number which is specified for the authelia service within docker-config.yml
        set $upstream_authelia http://authelia.<domain.com>:8080;
        proxy_pass $upstream_authelia;
        include snippets/authelia_proxy.conf;
    }
}
Example domain which utilizes authelia as an authentication frontend - <domain.com>
Below are two types of locations that authelia could provide authentication services for:
- Top Level Domain
- Subfolder of the Top Level Domain
...
...
# Top Level Domain Example
location / {
    #auth_basic "Private";
    #auth_basic_user_file /etc/nginx/private/admin.scr;
    include snippets/proxy-ssl-params.conf;
    #include snippets/internal-access-rules.conf;
    set $upstream_bw https://<domain.com>:443;
    proxy_pass $upstream_bw;
    include snippets/authelia_auth.conf;
    include snippets/authelia_proxy.conf;
    #proxy_redirect off;
}
...
...
# Protected Subfolder Location of the Top Level Domain
location /admin {
    #auth_basic "Private";
    #auth_basic_user_file /etc/nginx/private/admin.scr;
    include snippets/proxy-ssl-params.conf;
    #include snippets/internal-access-rules.conf;
    set $upstream_bw https://<domain.com>:443;
    proxy_pass $upstream_bw;
    include snippets/authelia_auth.conf;
    include snippets/authelia_proxy.conf;
    #proxy_redirect off;
}
...
...
In the setup above, the protected domain/subfolder is https://<domain.com>/admin. No auth_basic or auth_basic_user_file directives are needed, since authelia performs the authentication for the site. The included snippets and variables are:
- proxy-ssl-params.conf - parameters used because this reverse proxy re-encrypts the connection to the backend; they control the re-encryption. This file is not needed if the reverse proxy terminates the SSL encryption and passes the request unencrypted to the backend.
- internal-access-rules.conf - include this if you want to control access to the site from various IP addresses.
- $upstream_bw - this variable sets the location of the encrypted backend domain. An http or https transport may be used, depending on whether there are SSL certificates for the backend. With no certificates this variable would be: http://backend.<domain.com>:80
- authelia_auth.conf, authelia_proxy.conf - parameters needed by the authelia authentication portal.
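The page includes authelia_auth.conf and authelia_proxy.conf in every protected location but does not show their contents, and the snippets directory also lists an authelia.location.conf. The following is an added example of one way those three snippets can be written with nginx's auth_request module; it is not the page's own configuration and not the Authelia project's reference snippets. It assumes the portal listens on http://authelia.<domain.com>:8080 as in the server block above, that the Authelia 4.x release in use exposes the /api/verify endpoint and honours the ?rd= redirect parameter, and that it returns Remote-User and Remote-Groups response headers on success; all three are assumptions about the Authelia version and should be checked against its documentation.

```nginx
# snippets/authelia.location.conf
# Include this once at server level (next to the location blocks), never inside
# a protected location. nginx sends a subrequest here for every protected
# request; "internal" means a client cannot call /authelia directly.
location /authelia {
    internal;
    # Assumption: Authelia 4.x verification endpoint, portal on port 8080 as above
    set $upstream_authelia http://authelia.<domain.com>:8080/api/verify;
    proxy_pass $upstream_authelia;
    # The auth subrequest only needs the headers, never the request body
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    # Tell Authelia which URL is being accessed so it can apply its access rules
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_http_version 1.1;
}

# snippets/authelia_auth.conf
# Include inside each location that authelia should protect (as in the
# "location /" and "location /admin" examples above).
auth_request /authelia;
# Identity returned by Authelia on a successful check (assumed header names).
# Because nginx sets these after the subrequest, a Remote-User header sent by
# the client is replaced rather than forwarded to the backend.
auth_request_set $user   $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
proxy_set_header Remote-User   $user;
proxy_set_header Remote-Groups $groups;
# Remember the originally requested URL and send unauthenticated clients
# (401 from the subrequest) to the portal, which returns them afterwards.
auth_request_set $target_url $scheme://$http_host$request_uri;
error_page 401 =302 https://authelia.<domain.com>/?rd=$target_url;

# snippets/authelia_proxy.conf
# Forwarding headers for the proxied request itself; shared by the portal's
# own server block and by every protected location.
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
```

Two practical checks before relying on this: auth_request needs ngx_http_auth_request_module (built with --with-http_auth_request_module, present in most distribution packages), and because proxy_pass takes its target from a variable, nginx resolves the hostname at run time and requires a resolver directive in the http or server context unless an IP address is used. After nginx -t passes, an unauthenticated request to https://<domain.com>/admin should answer with a 302 to the authelia.<domain.com> portal carrying the original URL in rd=, and a direct request to https://<domain.com>/authelia should be refused with 404 because the location is internal.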

