🛡️ Setup Authelia — Lightweight SSO & 2FA Gateway

Deploy Authelia on Ubuntu to add single sign-on and two-factor authentication in front of any service running behind Nginx Proxy Manager or Traefik.

⚠️ This script is provided for demo and testing purposes only. Not intended for production use.

📦 Resources & Setup Scripts

Grab the automated bash script from GitHub to follow along with the video.

Automated install script — one command deploys Authelia with its default configuration.

Quick Install:

wget https://raw.githubusercontent.com/mhmdali94/Docker/main/security/authelia/authelia-ubuntu.sh
chmod +x authelia-ubuntu.sh
sudo bash authelia-ubuntu.sh

Tutorial Steps

1. Download the Script

wget https://raw.githubusercontent.com/mhmdali94/Docker/main/security/authelia/authelia-ubuntu.sh

2. Make it Executable

chmod +x authelia-ubuntu.sh

3. Run the Installer

The script installs Docker if needed, then deploys Authelia with its configuration file ready for customization.

sudo bash authelia-ubuntu.sh
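
The download URL tracks the `main` branch, so the file fetched can change between one run and the next, and this step executes it as root. The following is an added example, not part of the original script or repository: it runs the installer only when the download matches a SHA-256 digest you recorded after reading the script. The function names and the digest argument are assumptions of this example.

```sh
# Added example (not from the original repository).
SCRIPT_URL="https://raw.githubusercontent.com/mhmdali94/Docker/main/security/authelia/authelia-ubuntu.sh"

# Print only the hex SHA-256 digest of a file.
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# Succeed only if the file's digest equals the pinned digest (case-insensitive).
# An empty pin never matches, so a forgotten argument cannot pass the check.
matches_pin() {
    pin=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$pin" ] && [ "$(sha256_of "$1")" = "$pin" ]
}

# Download to a temp file and run it as root only when it matches the pin.
# $1 is the digest you recorded after reviewing the script (hypothetical input).
install_pinned() {
    tmp=$(mktemp) || return 1
    if ! wget -q -O "$tmp" "$SCRIPT_URL"; then
        rm -f "$tmp"; return 1
    fi
    if matches_pin "$tmp" "$1"; then
        sudo bash "$tmp"; rc=$?
    else
        echo "digest mismatch ($(sha256_of "$tmp")): re-review before running" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Usage: install_pinned "<sha256-you-recorded-after-review>"
```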

4. Access the Auth Portal

Open your browser and navigate to:

http://<your-server-ip>:9091

5. Protect Your First App

Add Authelia middleware to your Nginx Proxy Manager or Traefik configuration to gate access to any service behind the auth portal.
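
Once the middleware is attached, confirm that an unauthenticated request is actually stopped at the proxy. This is an added example, not part of the original tutorial: it classifies the headers printed by `curl -sI` and assumes the proxy answers unauthenticated requests with 401/403 or a redirect to the portal host. The function name and the `example.com` hosts are placeholders.

```sh
# Added example: classify an unauthenticated response as "gated" or "open".
# $1 is the hostname of the Authelia portal (placeholder: auth.example.com).
# stdin is a header dump as printed by `curl -sI <protected-url>`.
classify_unauthenticated() {
    awk -v portal="$1" '
        { sub(/\r$/, "") }                          # strip CR from CRLF lines
        NR == 1 { status = $2 }                     # "HTTP/1.1 302 Found" -> 302
        tolower($1) == "location:" { loc = $2 }
        END {
            # Reduce the Location URL to its bare hostname.
            host = tolower(loc)
            sub("^https?://", "", host)
            sub("[/?#:].*$", "", host)
            if (status == 401 || status == 403) print "gated"
            else if (status ~ /^30[1237]$/ && host == tolower(portal)) print "gated"
            # A 200, or a redirect to the app itself, means the request
            # reached the upstream without passing the auth portal.
            else print "open"
        }'
}

# Usage against a live host (placeholders):
#   curl -sI https://app.example.com/ | classify_unauthenticated auth.example.com
```

A redirect to the application's own login page is reported as `open`, because it shows the request reached the upstream service.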

Ports Used

Port    Purpose
9091    Authelia Auth Portal

Overview

Authelia is a lightweight, open-source authentication and authorization server that sits in front of your self-hosted applications. It enforces single sign-on, two-factor authentication (TOTP, WebAuthn, push notifications), and access policies without requiring a full identity provider. It is designed to work as middleware with Nginx Proxy Manager and Traefik.

Why Use It

Authelia solves the problem of publicly exposed self-hosted services with no authentication layer. Instead of relying on each app's individual login page, Authelia provides a unified SSO portal with 2FA enforcement that applies to all your services at once. It's the fastest way to add enterprise-grade access control to your homelab.

When You Need It

Who Should Use It

Real Use Cases

Main Features

How to Use After Installation

Security Best Practices

Ports and Firewall Notes

Authelia listens on port 9091 for its auth portal. This port should be accessible from your reverse proxy (Nginx or Traefik) but not directly from the internet. All external access should go through your reverse proxy with SSL termination.
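
One way to check the bind address after installation, as an added example that is not part of the install script: it reads `ss -ltn` style output and reports any wildcard listener on the portal port. The function names and the sample lines are constructed for illustration.

```sh
# Added example: find listeners on a port that are bound to every interface.
# stdin is `ss -ltnH` output; $1 is the port to check (9091 for the portal).
wildcard_listeners() {
    awk -v p="$1" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")               # port is the last ":" field
            if (parts[n] != p) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            # 0.0.0.0, [::] and * all mean "reachable on every interface".
            if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") print addr
        }'
}

# Constructed sample of `ss -ltnH` output, not captured from a real host.
sample_ss_output() {
    cat <<'EOF'
LISTEN 0      4096         0.0.0.0:9091      0.0.0.0:*
LISTEN 0      4096            [::]:9091         [::]:*
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      511                *:80              *:*
LISTEN 0      4096       127.0.0.1:5432      0.0.0.0:*
EOF
}

# Demo on the constructed sample; on a real host use:
#   ss -ltnH | wildcard_listeners 9091
sample_ss_output | wildcard_listeners 9091
```

Any output means the portal is listening on every interface. Ports published by Docker are not filtered by UFW rules, so restrict the bind address of the published port rather than relying on the host firewall alone.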

Backup and Maintenance

Common Mistakes

Troubleshooting

Alternatives

Authentik (full identity provider with user management UI, SAML/OIDC), Keycloak (enterprise Java IdP, heavy), Vouch-proxy (simpler, fewer features), Pomerium (identity-aware proxy). Authelia is the best choice when you want lightweight 2FA enforcement without full IdP complexity.

When Not to Use It

If you need OAuth2/OIDC/SAML for third-party app integrations, or a full user management UI with self-service registration, use Authentik instead. Authelia is a gateway enforcer — it doesn't act as an OAuth2 provider that other apps authenticate against.

Frequently Asked Questions

What is the difference between Authelia and Authentik?

Authelia is a lightweight forward-auth gateway — it sits in front of your apps and enforces login/2FA at the proxy level. Authentik is a full identity provider that apps integrate with via OAuth2/OIDC/SAML. If you want to protect services without modifying them, Authelia is simpler. If you need app-level OAuth2 flows, use Authentik.

Does Authelia work with Nginx Proxy Manager?

Yes. In NPM's advanced configuration for a proxy host, add an `auth_request` directive pointing to Authelia's `/api/verify` endpoint. NPM will send every request to Authelia for verification before forwarding it to the upstream service.

Can I use Authelia with Traefik?

Yes, Authelia has first-class Traefik support via the ForwardAuth middleware. Add the Authelia container as a Traefik middleware and apply it to any router. This is the most seamless integration — labels on each Docker container control which services require auth.

What 2FA methods does Authelia support?

Authelia supports TOTP (compatible with Google Authenticator, Aegis, and any RFC 6238 app), WebAuthn hardware security keys (YubiKey, passkeys), and Duo Push notifications. Users enroll their 2FA device on first login.

Can I allow some services without authentication?

Yes. Access control rules support `policy: bypass` for specific domains or paths. For example, you can require 2FA for your admin panel while bypassing auth for a public-facing blog, all through the same Authelia instance.

How do I add new users to Authelia?

Add users to users_database.yml with a hashed password. Generate the hash with `docker run --rm authelia/authelia:latest authelia crypto hash generate argon2`. Authelia will reload users automatically or after a container restart.

Does Authelia support LDAP for user management?

Yes. Authelia supports LDAP and Active Directory as authentication backends. Configure the LDAP connection in configuration.yml under the `authentication_backend.ldap` section. This lets you manage users centrally in your LDAP directory.

How do I update Authelia?

Run `docker compose pull && docker compose up -d`. Your configuration.yml and users_database.yml are mounted as volumes and are not affected by image updates. Check the Authelia changelog for breaking config changes before major version upgrades.