{"id":8761,"date":"2024-05-18T09:56:49","date_gmt":"2024-05-18T07:56:49","guid":{"rendered":"http:\/\/192.168.10.202\/?p=8761"},"modified":"2024-11-13T15:04:12","modified_gmt":"2024-11-13T14:04:12","slug":"how-i-use-authelia","status":"publish","type":"post","link":"https:\/\/www.cloudonfire.nl\/?p=8761","title":{"rendered":"How I use Authelia"},"content":{"rendered":"<h3 id=\"how-i-use-authelia\">How I use Authelia<\/h3>\n<p>I use Authelia as an Identity Provider in my network. That means that everyone who wants to use resources (such as Jellyfin or Gitea or Nextcloud) or who wants to \u201ctraverse\u201d VLANs (e.g. to manage an OpenWrt router or switch or my Proxmox VE) has to log in first. Authelia was my product of choice because<\/p>\n<ul>\n<li>It is free and Open Source Software (FOSS)<\/li>\n<li>It can act as an OpenID Connect (OIDC) Identity provider<\/li>\n<li>It can be integrated into an NGINX reverse proxy<\/li>\n<li>It supports Two Factor Authentication (2FA) with Time based One Time Passwords (TOTP) or FIDO2 compatible keys such as the YubiKey.<\/li>\n<\/ul>\n<h3 id=\"installing-authelia-on-proxmox\">Installing Authelia on Proxmox<\/h3>\n<p>I set up a small LXC container running Debian Bullseye (Debian 11) on Proxmox. 
It needs to be privileged because it needs to have access to <code>\/dev\/urandom<\/code> or <code>\/dev\/random<\/code> for the generation of random numbers.<br \/>\nThen we need to install some software, add the authelia repos and finally install authelia:<\/p>\n<pre class=\"highlight\"><span class=\"c\"><code># run as root<\/code><\/span>\u2029<code>apt update\u2029apt <span class=\"nb\">install<\/span> <span class=\"nt\">-y<\/span> curl gnupg apt-transport-https <span class=\"nb\">sudo<\/span>\u2029curl <span class=\"nt\">-s<\/span> https:\/\/apt.authelia.com\/organization\/signing.asc | <span class=\"nb\">sudo <\/span>apt-key add -\u2029<span class=\"nb\">echo<\/span> <span class=\"s2\">\"deb https:\/\/apt.authelia.com\/stable\/debian\/debian\/ all main\"<\/span> <span class=\"o\">&gt;&gt;<\/span>\/etc\/apt\/sources.list.d\/authelia.list\u2029apt-key <span class=\"nb\">export <\/span>C8E4D80D | <span class=\"nb\">sudo <\/span>gpg <span class=\"nt\">--dearmour<\/span> <span class=\"nt\">-o<\/span> \/usr\/share\/keyrings\/authelia.gpg\u2029apt update\u2029apt <span class=\"nb\">install<\/span> <span class=\"nt\">-y<\/span> authelia<\/code><\/pre>\n<h4 id=\"configuration-of-authelia\">Configuration of Authelia<\/h4>\n<p>I mostly followed <a href=\"https:\/\/florianmuller.com\/setup-authelia-bare-metal-with-openid-and-cloudflare-tunnel-on-a-hardened-proxmox-lxc-ubuntu-22-04-lts-container#configureauthelia\">this guide here by Florian Mueller<\/a><\/p>\n<p>for the configuration. Basically we create sub-directories for all secrets and auto-generate them, create keys and add the secrets to the environment of authelia (the below is a shortened version of Florian\u2019s scripts)<\/p>\n<p><strong>important note<\/strong> The scripts below use a single SQLITE file rather than mysql! Also, no OIDC provider is configured &#8211; just a dummy entry. 
Please see the implications of this <a href=\"https:\/\/www.authelia.com\/configuration\/storage\/sqlite\/\">here<\/a><\/p>\n<p>&nbsp;<\/p>\n<pre class=\"highlight\"><code><span class=\"k\">for <\/span>i <span class=\"k\">in<\/span> .secrets .users .assets .db <span class=\"p\">;<\/span> <span class=\"k\">do <\/span><span class=\"nb\">mkdir<\/span> \/etc\/authelia\/<span class=\"nv\">$i<\/span> <span class=\"p\">;<\/span> <span class=\"k\">done<\/span>\u2029<span class=\"k\">for <\/span>i <span class=\"k\">in <\/span>jwtsecret session storage smtp oidcsecret redis <span class=\"p\">;<\/span> <span class=\"k\">do <\/span><span class=\"nb\">tr<\/span> <span class=\"nt\">-cd<\/span> <span class=\"s1\">'[:alnum:]'<\/span> &lt; \/dev\/urandom | <span class=\"nb\">fold<\/span> <span class=\"nt\">-w<\/span> <span class=\"s2\">\"64\"<\/span> | <span class=\"nb\">head<\/span> <span class=\"nt\">-n<\/span> 1 | <span class=\"nb\">tr<\/span> <span class=\"nt\">-d<\/span> <span class=\"s1\">'\\n'<\/span> <span class=\"o\">&gt;<\/span> \/etc\/authelia\/.secrets\/<span class=\"nv\">$i<\/span> <span class=\"p\">;<\/span> <span class=\"k\">done<\/span>\u2029openssl genrsa <span class=\"nt\">-out<\/span> \/etc\/authelia\/.secrets\/oicd.pem 4096\u2029openssl rsa <span class=\"nt\">-in<\/span> \/etc\/authelia\/.secrets\/oicd.pem <span class=\"nt\">-outform<\/span> PEM <span class=\"nt\">-pubout<\/span> <span class=\"nt\">-out<\/span> \/etc\/authelia\/.secrets\/oicd.pub.pem\u2029<span class=\"o\">(<\/span><span class=\"nb\">cat<\/span> <span class=\"o\">&gt;<\/span>\/etc\/authelia\/secrets<span class=\"o\">)<\/span> <span class=\"o\">&lt;&lt;<\/span><span class=\"no\">EOF<\/span><\/code>\u2029<span class=\"sh\"><code>AUTHELIA_JWT_SECRET_FILE=\/etc\/authelia\/.secrets\/jwtsecret<\/code><\/span>\u2029<span class=\"sh\"><code>AUTHELIA_SESSION_SECRET_FILE=\/etc\/authelia\/.secrets\/session<\/code><\/span>\u2029<span 
class=\"sh\"><code>AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=\/etc\/authelia\/.secrets\/storage<\/code><\/span>\u2029<span class=\"sh\"><code>AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=\/etc\/authelia\/.secrets\/smtp<\/code><\/span>\u2029<span class=\"sh\"><code>AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE=\/etc\/authelia\/.secrets\/oidcsecret<\/code><\/span>\u2029<span class=\"sh\"><code>AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE=\/etc\/authelia\/.secrets\/oicd.pem<\/code><\/span>\u2029<span class=\"no\"><code>EOF<\/code><\/span>\u2029<code><span class=\"nb\">chmod <\/span>600 <span class=\"nt\">-R<\/span> \/etc\/authelia\/.secrets\/\u2029<span class=\"nb\">chmod <\/span>600 \/etc\/authelia\/secrets\u2029<span class=\"o\">(<\/span><span class=\"nb\">cat<\/span> <span class=\"o\">&gt;<\/span>\/etc\/systemd\/system\/authelia.service<span class=\"o\">)<\/span> <span class=\"o\">&lt;&lt;<\/span><span class=\"no\">EOF<\/span><\/code>\u2029<span class=\"sh\"><code>[Unit]<\/code><\/span>\u2029<span class=\"sh\"><code>Description=Authelia authentication and authorization server<\/code><\/span>\u2029<span class=\"sh\"><code>After=multi-user.target<\/code><\/span>\u2029\u2029<span class=\"sh\"><code>[Service]<\/code><\/span>\u2029<span class=\"sh\"><code>Environment=AUTHELIA_SERVER_DISABLE_HEALTHCHECK=true<\/code><\/span>\u2029<span class=\"sh\"><code>EnvironmentFile=\/etc\/authelia\/secrets<\/code><\/span>\u2029<span class=\"sh\"><code>ExecStart=\/usr\/bin\/authelia --config \/etc\/authelia\/configuration.yml<\/code><\/span>\u2029<span class=\"sh\"><code>SyslogIdentifier=authelia<\/code><\/span>\u2029\u2029<span class=\"sh\"><code>[Install]<\/code><\/span>\u2029<span class=\"sh\"><code>WantedBy=multi-user.target<\/code><\/span>\u2029<span class=\"no\"><code>EOF<\/code><\/span>\u2029<code>systemctl daemon-reload<\/code><\/pre>\n<h4 id=\"create-the-user-file\">create the user file<\/h4>\n<p>Next, we create a rudimentary User database yaml file with randomly generated 
passwords (the users can reset them with the \u201cforgot password\u201d link):<\/p>\n<pre class=\"highlight\"><code><span class=\"nb\">echo<\/span> <span class=\"s2\">\"users:\"<\/span> <span class=\"o\">&gt;<\/span> \/etc\/authelia\/.users\/users_database.yml\u2029<span class=\"k\">for <\/span>user <span class=\"k\">in <\/span>bob alice dave frank <span class=\"p\">;<\/span> <span class=\"k\">do<\/span>\u2029<span class=\"k\">  <\/span><span class=\"nv\">randompassword<\/span><span class=\"o\">=<\/span><span class=\"si\">$(<\/span><span class=\"nb\">tr<\/span> <span class=\"nt\">-cd<\/span> <span class=\"s1\">'[:alnum:]'<\/span> &lt; \/dev\/urandom | <span class=\"nb\">fold<\/span> <span class=\"nt\">-w<\/span> <span class=\"s2\">\"64\"<\/span> | <span class=\"nb\">head<\/span> <span class=\"nt\">-n<\/span> 1 | <span class=\"nb\">tr<\/span> <span class=\"nt\">-d<\/span> <span class=\"s1\">'\\n'<\/span><span class=\"si\">)<\/span>\u2029  <span class=\"nv\">encryptedpwd<\/span><span class=\"o\">=<\/span><span class=\"si\">$(<\/span>authelia hash-password <span class=\"nt\">--no-confirm<\/span>   <span class=\"nt\">--<\/span> <span class=\"nv\">$randompassword<\/span>  | <span class=\"nb\">cut<\/span> <span class=\"nt\">-d<\/span> <span class=\"s2\">\" \"<\/span> <span class=\"nt\">-f<\/span> 2<span class=\"si\">)<\/span>\u2029  <span class=\"o\">(<\/span> \u2029    <span class=\"nb\">echo<\/span> <span class=\"s2\">\"  <\/span><span class=\"k\">${<\/span><span class=\"nv\">user<\/span><span class=\"k\">}<\/span><span class=\"s2\">:\"<\/span> \u2029    <span class=\"nb\">echo<\/span> <span class=\"s1\">'    displayname: \"First Last\"'<\/span>\u2029    <span class=\"nb\">echo<\/span> <span class=\"s2\">\"    password: <\/span><span class=\"nv\">$encryptedpwd<\/span><span class=\"s2\">\"<\/span>\u2029    <span class=\"nb\">echo<\/span> <span class=\"s2\">\"    email: <\/span><span class=\"k\">${<\/span><span class=\"nv\">user<\/span><span class=\"k\">}<\/span><span 
class=\"s2\">@yourdomain.com\"<\/span>\u2029  <span class=\"o\">)<\/span> <span class=\"o\">&gt;&gt;<\/span> \/etc\/authelia\/.users\/users_database.yml<\/code>\u2029<span class=\"k\"><code>done<\/code><\/span>\u2029<code><span class=\"nb\">chmod <\/span>600 <span class=\"nt\">-R<\/span> \/etc\/authelia\/.users\/<\/code><\/pre>\n<h3 id=\"create-the-configurationyml\">create the configuration.yml<\/h3>\n<p>Now we need to create a configuration file for authelia in <code>\/etc\/authelia\/configuration.yml<\/code><\/p>\n<pre class=\"highlight\"><code><span class=\"nb\">cd<\/span> \/etc\/authelia<\/code>\u2029<span class=\"c\"><code># save the old version of the file<\/code><\/span>\u2029<code><span class=\"k\">if<\/span> <span class=\"o\">[<\/span> <span class=\"nt\">-e<\/span> configuration.yml <span class=\"o\">]<\/span> <span class=\"p\">;<\/span> <span class=\"k\">then<\/span>\u2029<span class=\"k\">  <\/span><span class=\"nb\">mv <\/span>configuration.yml configuration.yml.old<\/code>\u2029<span class=\"k\"><code>fi<\/code><\/span>\u2029<span class=\"c\"><code># Now let's use Marc's version of Florian's Template File for the new config:<\/code><\/span>\u2029<code>wget https:\/\/raw.githubusercontent.com\/onemarcfifty\/cheat-sheets\/main\/templates\/authelia\/configuration.yml\u2029<span class=\"nb\">chmod <\/span>600 configuration.yml<\/code><\/pre>\n<h3 id=\"starting-authelia-for-the-first-time\">Starting Authelia for the first time<\/h3>\n<p>There we go &#8211; authelia should be able to run already &#8211; if you do<\/p>\n<pre class=\"highlight\"><code>systemctl start authelia\u2029systemctl status authelia<\/code><\/pre>\n<p>you should see all green and be able to browse to <code>http:\/\/localhost:9091<\/code> and see the authelia login prompt. Even though this is an important checkpoint (in the sense that we can see if authelia will run at all), we can\u2019t really use it yet. 
We need to take care of the following things:<\/p>\n<ol>\n<li>All domain names still point to example.com<\/li>\n<li>The startup checks are disabled (especially the check for an e-mail server)<\/li>\n<\/ol>\n<p><strong>You will need a real e-mail account \/ server for Authelia to work correctly<\/strong> (users need this to reset their password and to register 2FA devices)<\/p>\n<ol start=\"3\">\n<li>We have no TLS enabled<\/li>\n<li>The policies need to be adapted<\/li>\n<li>We need to increase the security and hide Authelia behind an NGINX Server<\/li>\n<li>We need to harden the server<\/li>\n<li>The user accounts are not real<\/li>\n<\/ol>\n<h3 id=\"adapting-and-securing-authelia\">Adapting and securing authelia<\/h3>\n<p>To get a first idea of how much you need to change, run <code>grep example.com \/etc\/authelia\/configuration.yml<\/code> &#8211; that shows you all the lines where we specified the example.com domain.<\/p>\n<h3 id=\"enabling-the-startup-checks-and-change-the-domain-names\">Enabling the startup checks and changing the domain names<\/h3>\n<p>The first one is the mail server. We need to edit the configuration.yml and give it the login data of a real mail server. 
This is done in the <code>notifier<\/code> section of the config:<\/p>\n<pre class=\"highlight\"><code><span class=\"na\">notifier<\/span><span class=\"pi\">:<\/span> \u2029  <span class=\"na\">disable_startup_check<\/span><span class=\"pi\">:<\/span> <span class=\"no\">true<\/span>\u2029  <span class=\"na\">smtp<\/span><span class=\"pi\">:<\/span>\u2029    <span class=\"na\">host<\/span><span class=\"pi\">:<\/span> <span class=\"s\">smtp.domain.com<\/span>\u2029    <span class=\"na\">port<\/span><span class=\"pi\">:<\/span> <span class=\"m\">465<\/span>\u2029    <span class=\"na\">timeout<\/span><span class=\"pi\">:<\/span> <span class=\"s\">5s<\/span>\u2029    <span class=\"na\">username<\/span><span class=\"pi\">:<\/span> <span class=\"s\">noreply@auth.example.com<\/span>\u2029    <span class=\"na\">sender<\/span><span class=\"pi\">:<\/span> <span class=\"s2\">\"<\/span><span class=\"s\">Authentication<\/span> <span class=\"s\">Service<\/span> <span class=\"s\">&lt;noreply@auth.example.com&gt;\"<\/span>\u2029    <span class=\"na\">subject<\/span><span class=\"pi\">:<\/span> <span class=\"s2\">\"<\/span><span class=\"s\">{title}\"<\/span>\u2029    <span class=\"na\">startup_check_address<\/span><span class=\"pi\">:<\/span> <span class=\"s\">noreply@auth.example.com<\/span><\/code><\/pre>\n<p>Change all the settings to reflect a real mailbox that you control. Once you have done that, change the <code>disable_startup_check: true<\/code> to <code>disable_startup_check: false<\/code> and restart authelia:<\/p>\n<div class=\"language-bash highlighter-rouge\">\n<div class=\"highlight\">\n<pre class=\"highlight\"><code>systemctl restart authelia\u2029systemctl status authelia\u2029<\/code><\/pre>\n<\/div>\n<\/div>\n<p>If you see errors, i.e. Authelia didn\u2019t start, then that\u2019s because it now checks at startup whether it can log into the mailbox. 
Reminder: The password it uses for the mail server is read from <code>\/etc\/authelia\/.secrets\/smtp<\/code>. The file generated earlier only holds a random string, so put the real mailbox password in there.<\/p>\n<p>Once Authelia starts, move on to the next step.<\/p>\n<h3 id=\"tls\">TLS<\/h3>\n<p>Before we can <em>really<\/em> use Authelia, we need to provide it with <em>real<\/em> SSL certificates. Use your own or get them from Let\u2019s Encrypt.<\/p>\n<p>Once you have copied the certificate and key to the server, adapt the configuration.yml file:<\/p>\n<div class=\"language-yml highlighter-rouge\">\n<div class=\"highlight\">\n<pre class=\"highlight\"><code><span class=\"na\">server<\/span><span class=\"pi\">:<\/span>\u2029  <span class=\"na\">host<\/span><span class=\"pi\">:<\/span> <span class=\"s\">0.0.0.0<\/span>\u2029  <span class=\"na\">port<\/span><span class=\"pi\">:<\/span> <span class=\"m\">9091<\/span>\u2029  <span class=\"na\">asset_path<\/span><span class=\"pi\">:<\/span> <span class=\"s\">\/etc\/authelia\/.assets\/<\/span>\u2029  <span class=\"na\">tls<\/span><span class=\"pi\">:<\/span>\u2029    <span class=\"na\">key<\/span><span class=\"pi\">:<\/span> <span class=\"s\">\/etc\/authelia\/certs\/server.key<\/span>\u2029    <span class=\"na\">certificate<\/span><span class=\"pi\">:<\/span> <span class=\"s\">\/etc\/authelia\/certs\/server.crt<\/span>\u2029<\/code><\/pre>\n<\/div>\n<\/div>\n<p>Basically I\u2019ve just added the tls section and pointed it to the certificates. Again &#8211; restart Authelia, check the status. If it starts and if you can browse to <code>https:\/\/...:9091<\/code> rather than <code>http...<\/code> then you can move to the next step.<\/p>\n<h3 id=\"bind-port\" class=\"\">bind port<\/h3>\n<p>For the moment Authelia listens on <em>any<\/em> interface, i.e. we can browse to port 9091 from the outside. We will however hide it behind an NGINX server. For this, Authelia should only listen on the localhost interface. 
Change the configuration.yml from<\/p>\n<div class=\"language-yml highlighter-rouge\">\n<div class=\"highlight\">\n<pre class=\"highlight\"><code><span class=\"na\">server<\/span><span class=\"pi\">:<\/span>\u2029  <span class=\"na\">host<\/span><span class=\"pi\">:<\/span> <span class=\"s\">0.0.0.0<\/span>\u2029  <span class=\"na\">port<\/span><span class=\"pi\">:<\/span> <span class=\"m\">9091<\/span>\u2029<\/code><\/pre>\n<\/div>\n<\/div>\n<p>to<\/p>\n<div class=\"language-yml highlighter-rouge\">\n<div class=\"highlight\">\n<pre class=\"highlight\"><code><span class=\"na\">server<\/span><span class=\"pi\">:<\/span>\u2029  <span class=\"na\">host<\/span><span class=\"pi\">:<\/span> <span class=\"s\">127.0.0.1<\/span>\u2029  <span class=\"na\">port<\/span><span class=\"pi\">:<\/span> <span class=\"m\">9091<\/span>\u2029<\/code><\/pre>\n<\/div>\n<\/div>\n<p>Restart and check &#8211; you should not be able to browse to it from the outside.<\/p>\n<h3 id=\"hiding-authelia-behind-nginx\">Hiding Authelia behind NGINX<\/h3>\n<p>In this step we install NGINX, let it listen to the outside world on port 443 and forward all requests to Authelia on the local host. 
You can use the templates from <a href=\"https:\/\/github.com\/onemarcfifty\/cheat-sheets\/tree\/main\/templates\/nginx\/authelia\">My cheat sheet repo on Github<\/a><\/p>\n<div class=\"language-bash highlighter-rouge\">\n<div class=\"highlight\">\n<pre class=\"highlight\"><span class=\"c\"><code># install nginx<\/code><\/span>\u2029<code>apt <span class=\"nb\">install<\/span> <span class=\"nt\">-y<\/span> nginx<\/code>\u2029<span class=\"c\"><code># stop NGINX<\/code><\/span>\u2029<code>systemctl stop nginx<\/code>\u2029<span class=\"c\"><code># remove the default site<\/code><\/span>\u2029<code><span class=\"nb\">rm<\/span> \/etc\/nginx\/sites-enabled\/<span class=\"k\">*<\/span><\/code>\u2029<span class=\"c\"><code># download the templates from Marc's cheat sheets<\/code><\/span>\u2029<code>wget https:\/\/raw.githubusercontent.com\/onemarcfifty\/cheat-sheets\/main\/templates\/nginx\/authelia\/siteconf <span class=\"nt\">-O<\/span> \/etc\/nginx\/sites-available\/authelia.conf\u2029wget https:\/\/raw.githubusercontent.com\/onemarcfifty\/cheat-sheets\/main\/templates\/nginx\/authelia\/proxy-snippet <span class=\"nt\">-O<\/span> \/etc\/nginx\/snippets\/proxy.conf\u2029wget https:\/\/raw.githubusercontent.com\/onemarcfifty\/cheat-sheets\/main\/templates\/nginx\/authelia\/ssl-snippet <span class=\"nt\">-O<\/span> \/etc\/nginx\/snippets\/ssl.conf<\/code>\u2029<span class=\"c\"><code># link back the authelia site as enabled to NGINX <\/code><\/span>\u2029<code><span class=\"nb\">ln<\/span> <span class=\"nt\">-s<\/span> \/etc\/nginx\/sites-available\/authelia.conf \/etc\/nginx\/sites-enabled\/authelia.conf<\/code>\u2029<span class=\"c\"><code># restart NGINX<\/code><\/span>\u2029<code>systemctl start nginx\u2029<\/code><\/pre>\n<\/div>\n<\/div>\n<h3 id=\"adapting-the-policies\">adapting the policies<\/h3>\n<p>The template file contains three sample policies for bypass, one factor and two factor. You will want to adapt these to your needs. 
My server only has one policy:<\/p>\n<div class=\"language-yml highlighter-rouge\">\n<div class=\"highlight\">\n<pre class=\"highlight\"><code><span class=\"na\">access_control<\/span><span class=\"pi\">:<\/span>\u2029  <span class=\"na\">default_policy<\/span><span class=\"pi\">:<\/span> <span class=\"s\">deny<\/span>\u2029  <span class=\"na\">rules<\/span><span class=\"pi\">:<\/span>\u2029    <span class=\"pi\">-<\/span> <span class=\"na\">domain<\/span><span class=\"pi\">:<\/span> <span class=\"s1\">'<\/span><span class=\"s\">*.mydomain.com'<\/span>\u2029      <span class=\"na\">policy<\/span><span class=\"pi\">:<\/span> <span class=\"s\">two_factor<\/span>\u2029<\/code><\/pre>\n<\/div>\n<\/div>\n<h3 id=\"last-but-not-least\">Last but not least<\/h3>\n<p>The last steps are<\/p>\n<ul>\n<li>harden the server<\/li>\n<li>make the user accounts real<\/li>\n<\/ul>\n<p>Server hardening is not in the scope of this article. At a minimum you should do the following:<\/p>\n<ol>\n<li>Lock down the firewall so that only incoming port 443 TCP is let through (optionally port 67 UDP if you use DHCP and port 22 TCP if you want to access the server via SSH)<\/li>\n<li>Disable \/ expire the password of the root account<\/li>\n<li>Create a non-root user for login who has sudo capabilities with a loooong password<\/li>\n<li>Switch off password authentication and root login for sshd<\/li>\n<\/ol>\n<p>Now just review the settings in the <code>\/etc\/authelia\/.users\/users_database.yml<\/code> and make sure that the user accounts are real accounts with real mail addresses.<\/p>\n<p>That\u2019s it &#8211; you\u2019re all set and can now use Authelia in front of your servers with NGINX\/Traefik\/Caddy or the like and\/or add OIDC providers for Proxmox, Gitea, Portainer, Nextcloud and so on\u2026<\/p>\n","protected":false},"excerpt":{"rendered":"<p>How I use Authelia I use Authelia as an Identity Provider in my network. 
That means that everyone who wants to use resources (such as Jellyfin or Gitea or Nextcloud) or who wants to \u201ctraverse\u201d VLANs (e.g. to manage an OpenWrt router or switch or my Proxmox VE) has to login first. Authelia was my&#8230;<\/p>\n","protected":false},"author":1,"featured_media":8768,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30],"tags":[],"class_list":["post-8761","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hacks"],"_links":{"self":[{"href":"https:\/\/www.cloudonfire.nl\/index.php?rest_route=\/wp\/v2\/posts\/8761","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cloudonfire.nl\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cloudonfire.nl\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cloudonfire.nl\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cloudonfire.nl\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8761"}],"version-history":[{"count":7,"href":"https:\/\/www.cloudonfire.nl\/index.php?rest_route=\/wp\/v2\/posts\/8761\/revisions"}],"predecessor-version":[{"id":8775,"href":"https:\/\/www.cloudonfire.nl\/index.php?rest_route=\/wp\/v2\/posts\/8761\/revisions\/8775"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.cloudonfire.nl\/index.php?rest_route=\/wp\/v2\/media\/8768"}],"wp:attachment":[{"href":"https:\/\/www.cloudonfire.nl\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8761"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cloudonfire.nl\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8761"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cloudonfire.nl\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8761"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}