@boostchicken feel free to add this to your list of utilities if others may be able to use it.
After successfully getting NGINX Proxy Manager running on the UDM-P following the instructions here I figured I would tackle Authelia to compliment NGINX since they go hand in hand. I opted for the Authelia-lite deployment since it uses a small sqlite db and yml files for user configuration.
Here's how I got it running.
/mnt/data/on_boot.d/10-authelia.sh
#!/bin/sh
## configuration variables:
VLAN=5
IPV4_IP_AUTHELIA="10.0.5.5"
# This is the IP address of the container. You may want to set it to match
# your own network structure such as 192.168.5.3 or similar.
IPV4_GW="10.0.5.1/24"
# As above, this should match the gateway of the VLAN for the container
# network as above which is usually the .1/24 range of the IPV4_IP
# container name; e.g. nextdns, pihole, adguardhome, etc.
CONTAINER_AUTHELIA=authelia
## network configuration and startup:
CNI_PATH=/mnt/data/podman/cni
if [ ! -f "$CNI_PATH"/macvlan ]; then
mkdir -p $CNI_PATH
curl -L https://github.com/containernetworking/plugins/releases/download/v1.0.0/cni-plugins-linux-arm64-v1.0.0.tgz | tar -xz -C $CNI_PATH
fi
mkdir -p /opt/cni
rm -f /opt/cni/bin
ln -s $CNI_PATH /opt/cni/bin
for file in "$CNI_PATH"/*.conflist
do
if [ -f "$file" ]; then
ln -fs "$file" "/etc/cni/net.d/$(basename "$file")"
fi
done
# set VLAN bridge promiscuous
ip link set br${VLAN} promisc on
# create macvlan bridge and add IPv4 IP
ip link add br${VLAN}.mac link br${VLAN} type macvlan mode bridge
ip addr add ${IPV4_GW} dev br${VLAN}.mac noprefixroute
# set macvlan bridge promiscuous and bring it up
ip link set br${VLAN}.mac promisc on
ip link set br${VLAN}.mac up
#######################################################################################
# add IPv4 route to DNS container
ip route add ${IPV4_IP_AUTHELIA}/32 dev br${VLAN}.mac
#######################################################################################
#######################################################################################
if podman container exists ${CONTAINER_AUTHELIA}; then
podman start ${CONTAINER_AUTHELIA}
else
logger -s -t podman-dns -p ERROR Container $CONTAINER_AUTHELIA not found, make sure you set the proper name, you can ignore this error if it is your first time setting it up
fi
#######################################################################################
In /mnt/data/authelia you'll need to create 2 yml files. configuration.yml and user_database.yml.
See authelia's documentation for how to configure these files.
This is where things got a little complicated. In NGINX proxy manager you'll need a minimum of 2 proxy hosts setup. 1 for your authelia instance, and 1 for any service you want behind a reverse proxy (ie: sonarr, radarr, etc...)
Authelia proxy host configuration (Be sure to change YOURDOMAIN):
Details tab:
domain name: auth.YOURDOMAIN.com
Scheme: http
Forward Hostname/IP: 10.0.5.5
Forward Port: 9091
Cache Assets: ON
Block Common Exploits: ON
SSL:
Request a new SSL certificate
Force SSL: ON
HTTP/2 Support: ON
Advanced:
location / {
set $upstream_authelia http://10.0.5.5:9091;
proxy_pass $upstream_authelia;
client_body_buffer_size 128k;
#Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 360;
proxy_send_timeout 360;
proxy_connect_timeout 360;
# Basic Proxy Config
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 64 256k;
# If behind reverse proxy, forwards the correct IP, assumes you're using Cloudflare. Adjust IP for your Docker network.
set_real_ip_from 192.168.0.0/24;
real_ip_header CF-Connecting-IP;
real_ip_recursive on;
}
All other proxy hosts configurations. Setup hosts like normal, but add the following to the advanced tab. Be sure to change YOURDOMAIN to whatever your proper domain is.
There you have it, a fully functional authelia deployment on the UDM-P giving 2FA capabilities to your proxy hosts through NGINX Proxy Manager also running on the UDM-P
@boostchicken feel free to add this to your list of utilities if others may be able to use it.
After successfully getting NGINX Proxy Manager running on the UDM-P following the instructions here I figured I would tackle Authelia to compliment NGINX since they go hand in hand. I opted for the Authelia-lite deployment since it uses a small sqlite db and yml files for user configuration.
Here's how I got it running.
/mnt/data/on_boot.d/10-authelia.sh
/mnt/data/podman/cni/20-authelia.conflist
podman command
In /mnt/data/authelia you'll need to create 2 yml files. configuration.yml and user_database.yml. See authelia's documentation for how to configure these files.
This is where things got a little complicated. In NGINX proxy manager you'll need a minimum of 2 proxy hosts setup. 1 for your authelia instance, and 1 for any service you want behind a reverse proxy (ie: sonarr, radarr, etc...)
Authelia proxy host configuration (Be sure to change YOURDOMAIN):
All other proxy hosts configurations. Setup hosts like normal, but add the following to the advanced tab. Be sure to change YOURDOMAIN to whatever your proper domain is.
There you have it, a fully functional authelia deployment on the UDM-P giving 2FA capabilities to your proxy hosts through NGINX Proxy Manager also running on the UDM-P