this post was submitted on 29 Jul 2023
17 points (94.7% liked)

Selfhosted

40329 readers
446 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

Hey guys, I'm running a simple docker compose server on an old laptop, hosting calibre(web), nextcloud and navidrome exposed on a cloudflare domain. Nextcloud allows 2fa, however navidrome and calibre web don't, so I thought I'd better get onto setting up Authelia..

Been having issues setting it up, and now I'm starting to wonder if its worth the trouble after all. I'm sure NC is fine sercrity wise but will I be fine leaving the other two exposed to the internet? I know having Authelia is definitely better.. but is it really worth it if I haven't pissed off any hackers, and am just a normal dude?

Thanks!

top 16 comments
sorted by: hot top controversial new old
[–] [email protected] 12 points 1 year ago

I'll be the dissenting voice to say, no you don't need it. If you keep things updated and follow best practices you should be fine. Unless you piss off a state actor.

That being said, it would be wise to have 2fa on everything if you can.

[–] [email protected] 6 points 1 year ago (2 children)

As am alternative for Authelia you can take a look at Authentik. I didn't use it by myself, but read a lot of it. Configuration is done via GUI and not text based like Authelia.

IMHO a much more straight and easier approach would be to use a reverse proxy (like Nginx Proxy Manager and use basic auth.

[–] beppi 2 points 1 year ago (1 children)

Ah yeah forgot to say I'm using nginx proxy manager already, screw chucking all that stuff on the internet without a reverse proxy

Will look into authentik though!!

[–] [email protected] 4 points 1 year ago

Can vouch for Authentik. Easily to setup and Maintain. I switched from Authelia to Authentik

[–] beppi 1 points 1 year ago

Trying out Authentik now, and having some more issues... Following various guides I can get to a stage where I access the Authentik UI locally, but when I go into NPM Advanced tab and add the stuff to forward auth requests to Authentic (proxy pass and whatnot), this causes NPM to have that proxy host set to Offline...

I think I might just take a break and get onto this stuff later. I don't know if I'm smart enough for this yet (I'm a data scientist not a computer scientist!!) Still got a lot to learn

[–] karlthemailman 4 points 1 year ago (2 children)

Do you need to expose the services to the entire Internet or can you use something like tailscale or zerotier (these require installing an app on each remote device, but don't open up ports to the internet).

[–] beppi 3 points 1 year ago

I could, I do find it very convenient having my services exposed though. Makes it easy to connect to the calibre opds from my e-reader, don't have to have wireguard fight with mullvad etc...

But maybe I will just switch to vpn rather than exposed, the security would take a load off my shoulders

[–] [email protected] -3 points 1 year ago

That''s a good recommendation!

[–] [email protected] 2 points 1 year ago

I started up setting up authelia this week so I could have 2fa on immich, then stopped when I learned it doesn't have built in ldap. So I set up authentik and it's been solid enough so far

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago)

Since you're already using cloudflare, you might want to consider using Cloudflare Zero Trust, which is free for the first 50 users.

Here is an example on how to gate a gitlab instance behind Cloudflare Zero Trust login wall. You should be able to substitute it with any web applications easily enough. https://developers.cloudflare.com/cloudflare-one/tutorials/gitlab/

Personally I'm using Keycloak and OAuth2-Proxy though, but they can be quite an ordeal to setup.

[–] [email protected] 1 points 1 year ago (1 children)

I used to think Authelia will allow you to consume external SSO… turns out I was wrong, maybe? So now I think I’m the odd ball here and think it might not be a good idea to deploy Authelia.

Here’s my thought process:

I have some apps I want to secure — they may or may not have already got a bake in authentication where they’ve got my password (ideally, just for that one app managed via password manager, but I’ll be the first to admit that’s not always the case). Passwords are icky, and even though they’re hashed, ideally hundreds of thousands of times, a leak / compromise is not unheard of.

Now, in order to secure these apps, the last thing I want is now to also worry about another app storing the password becoming the single point of failure.

In my mind, if it is literally just for me, I’d look at getting my reverse proxy to handle forward auth via OAuth to some much larger and trusted provider with MFA — Google, Microsoft, GitHub, etc. — and trust that their entire department responsible for auth will be smarter than some open source deployment I try to maintain/keep up.

In my mind, if it is more than just me, I’d look at getting something to consume multiple external providers, such that allows for the users to choose their desired provider, as well as allow me to slap an unified branding. So in this case I’d be looking at something like Authentik, Keycloak, or FusionAuth.

I just really don’t want to deal with handling/storing passwords.

But hey what kind of issues are you running into with Authelia? Is it just deploying/setting up? Or is it integrating with their supported identity provider (ie ldap)? Or something else all together?

[–] beppi 2 points 1 year ago (1 children)

Thanks for the advice! I'd personally like to stay away from big companies, I made the server in the first place to escape from them, so it'd be weird for me to still use them. Maybe if I had a password manager or something sensetive I'd go with external so though

Problems I was having were just with the setup, problems with redis and mariadb, and getting them all linked together. I can attach some relevant logs if you're willing to help, thanks!!!

[–] [email protected] 1 points 1 year ago

I haven’t deployed Authelia specifically before so I probably won’t be the best when it comes to debugging. But i’d be happy to take a look if you think an extra fresh pair of eyes might help :)

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

I did it for remote access to my ARR services. I then found another use where you can set it for matrix server authentication. I also plan to integrate it with forgejo when I get the chance. I keep finding more uses as time goes.

[–] [email protected] 0 points 1 year ago

Why does it sound like Mike Tyson answering the question “what is the smallest continent?”

[–] [email protected] -1 points 1 year ago

It is worth but think about:

Must you open ports for the complete internet? Maybe one ip (your company) is enough? Also ..

I use with Authelia a tls cert in caddy so only browser (mobiles also) with this cert can reach my site.. and my services behind Authelia ..

load more comments
view more: next ›