---
title:
description:
date: 2023-04-17
lang: zh-tw
tags:
- 樹莓派
- Linux
- docker
---

# Raspberry Pi Notes - Authelia: Basic Setup

I tried caddy security, Keycloak and authentik, and still find Authelia the easiest to set up and the lightest on system resources.

![image](https://camo.githubusercontent.com/6dcb546c18d2ff34f4f23e9b5bd60ee1e75e2c899bb46fb716c432a1f6d2db19/68747470733a2f2f7777772e61757468656c69612e636f6d2f696d616765732f61757468656c69612d7469746c652e706e67)

## docker-compose

`docker-compose.yml`

```yml=
version: '3.3'

networks:
  default:
    name: ${DOCKER_MY_NETWORK}
    external: true

services:
  authelia:
    container_name: authelia
    image: authelia/authelia:latest
    restart: unless-stopped
    expose:
      - 9091
    volumes:
      - ${HOME_PATH}/authelia/config:/config
      - ${HOME_PATH}/logs/authelia:/var/log/authelia
    env_file:
      - stack.env

  whoami:
    image: traefik/whoami:latest
    container_name: whoami
    restart: unless-stopped
    expose:
      - "80"
```

## Create the Authelia configuration file

In the mounted folder `./authelia/config`, find `configuration.yml`.

`configuration.yml`

```yml=
###############################################################
#                   Authelia configuration                    #
###############################################################

server:
  host: 0.0.0.0
  port: 9091

log:
  level: debug
  file_path: /var/log/authelia/authelia.log
  keep_stdout: true

# Ref: https://www.authelia.com/configuration/miscellaneous/introduction/#jwt_secret
# used this site to generate the secret: https://www.grc.com/passwords.htm
jwt_secret: <YOUR_KEY_1>

# Ref: https://www.authelia.com/configuration/miscellaneous/introduction/#theme
theme: auto

# Default redirection URL
default_redirection_url: https://auth.example.com

# Store user information (username, password) in a local YAML file
# Ref: https://www.authelia.com/configuration/first-factor/file/
authentication_backend:
  file:
    watch: true
    path: /config/users_database.yml
    password:
      algorithm: argon2id
      iterations: 1
      salt_length: 16
      parallelism: 8
      memory: 1024 # blocks this much of the RAM. Tune this.

# Domain access-control rules
# Ref: https://www.authelia.com/configuration/security/access-control/
access_control:
  default_policy: deny
  rules:
    - domain: "*.example.com"
      policy: one_factor

# Cookie settings
# Ref: https://www.authelia.com/configuration/session/introduction/
session:
  name: authelia_session
  # used this site to generate the secret: https://www.grc.com/passwords.htm
  secret: <YOUR_KEY_2>
  domain: example.com

# Temporarily ban accounts with too many failed password attempts
# Ref: https://www.authelia.com/configuration/security/regulation/
regulation:
  max_retries: 3
  find_time: 120
  ban_time: 300

# Local database
# Ref: https://www.authelia.com/configuration/storage/sqlite/
storage:
  # used this site to generate the secret: https://www.grc.com/passwords.htm
  encryption_key: <YOUR_KEY_3>
  local:
    path: /config/db.sqlite3

# Ref: https://www.authelia.com/configuration/notifications/introduction/
notifier:
  # smtp:
  #   username: SMTP_USERNAME
  #   # This secret can also be set using the env variable AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
  #   # password: # use docker secret file instead AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
  #   host: SMTP_HOST
  #   port: 587 #465
  #   sender: batman@example.com # customize for your setup
  # For testing purposes, notifications can be written to a file. Be sure to map the volume in docker-compose.
  filesystem:
    filename: /config/notification.txt
```

## Create the Authelia user account

In the mounted folder `./authelia/config`, find `users_database.yml`.

The password is a hashed password; generate it with the following command:

`docker run authelia/authelia:latest authelia hash-password YOUR_PASSWORD`

`users_database.yml`

```yml=
###############################################################
#                         Users Database                      #
###############################################################

# This file can be used if you do not have an LDAP set up.
# `docker run authelia/authelia:latest authelia hash-password YOUR_PASSWORD`

# List of users
users:
  <YOUR_USERNAME>: # new user account
    disabled: false
    displayname: <YOUR_DISPLAYNAME>
    password: <YOUR_PASSWORD> # the hash printed by hash-password, not the plain-text password
    email: <YOUR_E_Mail>
    groups:
      - admins
      - dev
```

## Update .env

`stack.env`

```env=
# common.env: Set development environment
DOCKER_MY_NETWORK=caddy_net
MY_DOMAIN=example.com
CLOUDFLARE_API_TOKEN=<cloudflare api token goes here>
```

## Update the Caddyfile

`Caddyfile`

```Caddyfile=
{
  acme_dns cloudflare {$CLOUDFLARE_API_TOKEN}
}

(trusted_proxy_list) {
  ## Uncomment & adjust the following line to configure specific ranges which should be considered as trustworthy.
  # trusted_proxies 10.0.0.0/8 172.16.0.0/16 192.168.0.0/16 fc00::/7
}

# Authelia Portal.
auth.{$MY_DOMAIN} {
  log {
    output file /var/log/caddy/access.log
  }
  reverse_proxy authelia:9091 {
    ## This import needs to be included if you're relying on a trusted proxies configuration.
    import trusted_proxy_list
  }
}

# Protected Endpoint.
whoami.{$MY_DOMAIN} {
  log {
    output file /var/log/caddy/access.log
  }
  forward_auth authelia:9091 {
    uri /api/verify?rd=https://auth.{$MY_DOMAIN}/
    copy_headers Remote-User Remote-Groups Remote-Name Remote-Email

    ## This import needs to be included if you're relying on a trusted proxies configuration.
    import trusted_proxy_list
  }
  reverse_proxy whoami:80 {
    ## This import needs to be included if you're relying on a trusted proxies configuration.
    import trusted_proxy_list
  }
}

# Note: this host has no forward_auth block, so it is reachable without the Authelia login.
# Add the same forward_auth block as whoami if Portainer should require it too.
portainer.{$MY_DOMAIN} {
  log {
    output file /var/log/caddy/access.log
  }
  reverse_proxy portainer:9000
}
```

## Usage

If the following screen appears when you visit `whoami.{$MY_DOMAIN}`

![image](https://camo.githubusercontent.com/b63202218c30092623547cb6934f60d8a7cdfe9a8dca89c32e263f002d780781/68747470733a2f2f7777772e61757468656c69612e636f6d2f696d616765732f3146412e706e67)

the setup succeeded. After entering the password, you see the normal `whoami` page.

## Ref

* https://github.com/authelia/authelia
* https://hub.docker.com/r/authelia/authelia
* https://www.authelia.com/integration/proxies/caddy/
* https://geek-cookbook.funkypenguin.co.nz/docker-swarm/authelia/
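The `<YOUR_KEY_n>` placeholders in `configuration.yml` above are the values this setup depends on most, so here is an added shell script, not part of the original post or of the Authelia project, that generates the three secrets locally from `/dev/urandom` and audits a `configuration.yml` for the slips the template invites: placeholders left in, short secrets, a `default_policy` other than `deny`, and debug logging. It assumes only POSIX sh, grep, awk and od; the sample file it writes is constructed from the template above.

```shell
#!/bin/sh
# Added example (not from the original post): generate Authelia secrets locally and
# audit configuration.yml for placeholder secrets, short secrets, a non-deny
# default_policy and debug logging. Assumes POSIX sh, grep, awk, od, /dev/urandom.
set -eu

# 32 random bytes as 64 hex characters; call once each for jwt_secret,
# session.secret and storage.encryption_key.
gen_secret() {
  od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# Audit one configuration.yml: findings go to stderr, the finding count to stdout.
audit_authelia_config() {
  f="$1"; n=0
  # 1. <YOUR_KEY_n> placeholders must be replaced before the container starts.
  if grep -Eq '^ *(jwt_secret|secret|encryption_key): *<' "$f"; then
    echo "FAIL: placeholder secret still present in $f" >&2; n=$((n + 1))
  fi
  # 2. Each secret should be reasonably long (32+ characters is the bar used here).
  short=$(awk '/^ *(jwt_secret|secret|encryption_key):/ && length($2) < 32 { c++ }
               END { print c + 0 }' "$f")
  if [ "$short" -gt 0 ]; then
    echo "FAIL: $short secret(s) shorter than 32 characters" >&2; n=$((n + 1))
  fi
  # 3. default_policy must stay deny so a host without a rule is never let through.
  if ! grep -Eq '^ *default_policy: *deny *$' "$f"; then
    echo "FAIL: access_control.default_policy is not deny" >&2; n=$((n + 1))
  fi
  # 4. The template logs at debug level; lower it once the login flow works.
  if grep -Eq '^ *level: *debug *$' "$f"; then
    echo "WARN: log level is debug" >&2; n=$((n + 1))
  fi
  echo "$n"
}

# Constructed sample: the guide's template with its secrets still unfilled.
write_template_config() {
  cat > "$1" <<'EOF'
log:
  level: debug
jwt_secret: <YOUR_KEY_1>
access_control:
  default_policy: deny
session:
  secret: <YOUR_KEY_2>
storage:
  encryption_key: <YOUR_KEY_3>
EOF
}
# Usage: sh audit.sh /path/to/configuration.yml
if [ "$#" -gt 0 ]; then audit_authelia_config "$1"; fi
```

Run it against the real `./authelia/config/configuration.yml` after filling in the secrets; a count of 0 means none of the four checks fired.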