Video tutorial coming soon.
Deploy Authelia on Ubuntu to add single sign-on and two-factor authentication in front of any service running behind Nginx Proxy Manager or Traefik.
Grab the automated bash script from GitHub to follow along with the video.
```bash
wget https://raw.githubusercontent.com/mhmdali94/Docker/main/security/authelia/authelia-ubuntu.sh
chmod +x authelia-ubuntu.sh
sudo bash authelia-ubuntu.sh
```
The script installs Docker if needed, then deploys Authelia with its configuration file ready for customization.
Open your browser and navigate to:
http://<your-server-ip>:9091
Add Authelia middleware to your Nginx Proxy Manager or Traefik configuration to gate access to any service behind the auth portal.
| Port | Purpose |
|---|---|
| 9091 | Authelia Auth Portal |
Authelia is a lightweight, open-source authentication and authorization server that sits in front of your self-hosted applications. It enforces single sign-on, two-factor authentication (TOTP, WebAuthn, push notifications), and access policies without requiring a full identity provider, and it is designed to work seamlessly as middleware with Nginx Proxy Manager and Traefik.
Authelia solves the problem of publicly exposed self-hosted services with no authentication layer. Instead of relying on each app's individual login page, Authelia provides a unified SSO portal with 2FA enforcement that applies to all your services at once. It's the fastest way to add enterprise-grade access control to your homelab.
Authelia listens on port 9091 for its auth portal. This port should be accessible from your reverse proxy (Nginx or Traefik) but not directly from the internet. All external access should go through your reverse proxy with SSL termination.
Alternatives include Authentik (full identity provider with user management UI, SAML/OIDC), Keycloak (enterprise Java IdP, heavy), Vouch-proxy (simpler, fewer features), and Pomerium (identity-aware proxy). Authelia is the best choice when you want lightweight 2FA enforcement without full IdP complexity.
If you need OAuth2/OIDC/SAML for third-party app integrations, or a full user management UI with self-service registration, use Authentik instead. Authelia is a gateway enforcer — it doesn't act as an OAuth2 provider that other apps authenticate against.
PrismaTechWork provides end-to-end infrastructure services — from initial deployment and security hardening to ongoing monitoring, automated backups, and dedicated support. Whether you need a single-server setup or a multi-site network, our team ensures your infrastructure is built right, secured properly, and maintained reliably.
Authelia is a lightweight forward-auth gateway — it sits in front of your apps and enforces login/2FA at the proxy level. Authentik is a full identity provider that apps integrate with via OAuth2/OIDC/SAML. If you want to protect services without modifying them, Authelia is simpler. If you need app-level OAuth2 flows, use Authentik.
Yes. In NPM's advanced configuration for a proxy host, add an `auth_request` directive pointing to Authelia's `/api/verify` endpoint. NPM will send every request to Authelia for verification before forwarding it to the upstream service.
Yes, Authelia has first-class Traefik support via the ForwardAuth middleware. Add the Authelia container as a Traefik middleware and apply it to any router. This is the most seamless integration — labels on each Docker container control which services require auth.
Authelia supports TOTP (compatible with Google Authenticator, Aegis, and any RFC 6238 app), WebAuthn hardware security keys (YubiKey, passkeys), and Duo Push notifications. Users enroll their 2FA device on first login.
Yes. Access control rules support `policy: bypass` for specific domains or paths. For example, you can require 2FA for your admin panel while bypassing auth for a public-facing blog, all through the same Authelia instance.
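As an added example that is not part of the original page or the script, here is an `access_control` section for configuration.yml implementing the split described above (a public blog bypassed, an admin panel behind 2FA). The hostnames and the `admins` group are placeholders for your own values.

```yaml
# Added example, not from the original page or the deployment script.
# example.com and the group "admins" are placeholders.
access_control:
  # Anything not matched by a rule below is refused outright.
  default_policy: deny
  rules:
    # Rules are evaluated top to bottom and the first match wins, so the
    # narrow /admin exception must come before the broad bypass rule below.
    - domain: 'blog.example.com'
      resources:
        - '^/admin(/.*)?$'
      policy: two_factor
      subject:
        - 'group:admins'

    # Public-facing blog: no login required for the rest of the site.
    # (bypass rules cannot carry a subject restriction.)
    - domain: 'blog.example.com'
      policy: bypass

    # Admin panel: 2FA plus membership in the admins group.
    - domain: 'portainer.example.com'
      policy: two_factor
      subject:
        - 'group:admins'

    # Every other protected hostname: a single factor is enough.
    - domain: '*.example.com'
      policy: one_factor
```

A hostname that matches none of these rules (for example one outside `*.example.com`) falls through to `default_policy: deny`, so new services are protected until you explicitly add a rule for them.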
Add users to users_database.yml with a hashed password. Generate the hash with `docker run --rm authelia/authelia:latest authelia crypto hash generate argon2`. Authelia will reload users automatically or after a container restart.
Yes. Authelia supports LDAP and Active Directory as authentication backends. Configure the LDAP connection in configuration.yml under the `authentication_backend.ldap` section. This lets you manage users centrally in your LDAP directory.
Run `docker compose pull && docker compose up -d`. Your configuration.yml and users_database.yml are mounted as volumes and are not affected by image updates. Check the Authelia changelog for breaking config changes before major version upgrades.