New Blog Post -- Authelia - Traefik Setup Guide #8316
Artifacts: These changes are published for testing on Buildkite, DockerHub and GitHub Container Registry.
Walkthrough
A new document, Changes
Sequence Diagram(s)
    sequenceDiagram
        participant User
        participant Traefik
        participant Authelia
        User->>Traefik: Request access
        Traefik->>Authelia: Validate user
        Authelia-->>Traefik: User validated
        Traefik-->>User: Access granted
Actionable comments posted: 2
🧹 Outside diff range and nitpick comments (3)
docs/content/blog/authelia-traefik-setup-guide/index.md (3)
19-19: Let's make this intro stronger, fool! Instead of "take a look", let's be more direct!
-This is not a demo. If you would like an all-in-one demo, please take a look at our [local bundle](https://www.authelia.com/integration/deployment/docker/#local). +This is not a demo. If you would like an all-in-one demo, check out our [local bundle](https://www.authelia.com/integration/deployment/docker/#local).
284-291: Listen up fool, your access control needs more explanation! Add comments explaining the security levels for each policy to help users understand the difference between one_factor and two_factor authentication.
access_control: default_policy: deny rules: + # Traefik dashboard requires single-factor authentication - domain: traefik.example.com policy: one_factor + # Secure whoami endpoint requires two-factor authentication for enhanced security - domain: whoami-secure.example.com policy: two_factor
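Review bot: the two added comments describe each rule, but the line that protects every host not listed is `default_policy: deny` above them, which the hunk leaves uncommented; add one comment at `rules:` stating that rules are evaluated in order and that a domain matching no rule falls through to deny, otherwise a reader may assume only the two named domains are handled at all.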
1-313: I pity the fool who deploys without security guidance! Consider adding a "Security Best Practices" section that covers:
- Proper secret management in production
- Regular security updates
- Network segmentation recommendations
- SSL/TLS best practices
- Monitoring and logging considerations
Would you like me to help draft this section?
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
📒 Files selected for processing (1)
docs/content/blog/authelia-traefik-setup-guide/index.md
(1 hunks)
🧰 Additional context used
🪛 LanguageTool
docs/content/blog/authelia-traefik-setup-guide/index.md
[style] ~19-~19: To make your writing clearer, consider a more direct alternative.
Context: ...u would like an all-in-one demo, please take a look at our [local bundle](https://www....
(TAKE_A_LOOK)
[style] ~21-~21: ‘prior to’ might be wordy. Consider a shorter alternative.
Context: ...these items have already been completed prior to starting this guide. - [Docker](https:/...
(EN_WORDINESS_PREMIUM_PRIOR_TO)
🪛 Markdownlint (0.35.0)
docs/content/blog/authelia-traefik-setup-guide/index.md
49-49: Expected: h3; Actual: h4
Heading levels should only increment by one level at a time
(MD001, heading-increment)
245-245: Expected: h3; Actual: h4
Heading levels should only increment by one level at a time
(MD001, heading-increment)
🔇 Additional comments (2)
docs/content/blog/authelia-traefik-setup-guide/index.md (2)
5-5: Hey fool, check that date! It's in the future!
The post date is set to November 2024, which might cause issues with blog visibility. Consider setting it to the current date.
-date: 2024-11-23T10:10:09+10:00
+date: 2023-11-23T10:10:09+10:00
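Review bot: `+date: 2023-11-23T10:10:09+10:00` moves the post back a full year rather than to "the current date" the comment asks for, so the hunk does not implement its own rationale; the front-matter date should be the intended publish date (a future date is how a scheduled post is held back), and this line should only change if the author wants the post live immediately.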
Likely invalid or redundant comment.
138-138: I ain't letting this security risk slide, fool!
The insecureSkipVerify: true setting disables SSL/TLS verification, which could expose your system to man-in-the-middle attacks! You better explain why this is needed or remove it!
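The access-control rule block the review above comments on (lines 284-291 of the guide) is evaluated first-match-wins, with `default_policy: deny` as the fallback for anything no rule names. The following Python is an added example, not code from the Authelia project or from this PR: it models that evaluation for domain-only rules so the effect of rule order and of the default policy can be checked offline. The wildcard handling (`*.example.com` matches subdomains, not the apex) and the shadowing check are a simplified model of Authelia's behaviour; subject, resource and method criteria are left out. The two named domains come from the guide's snippet, `other.example.com` and the wildcard-first configuration are constructed.

```python
"""Simplified model of Authelia access_control evaluation (added example, not
project code): rules are tried in order, the first whose domain matches wins,
and a request matching no rule receives default_policy.  Only the `domain`
criterion is modelled; subject, resource and method matching are omitted."""

POLICIES = ("bypass", "one_factor", "two_factor", "deny")


def domain_matches(pattern, domain):
    """`*.example.com` matches any subdomain of example.com but not the apex;
    anything else must match exactly (case-insensitive)."""
    pattern, domain = pattern.lower(), domain.lower()
    if pattern.startswith("*."):
        return domain.endswith(pattern[1:])  # pattern[1:] == ".example.com"
    return domain == pattern


def rule_domains(rule):
    """`domain` may be a single string or a list in Authelia's config."""
    domains = rule.get("domain", [])
    return [domains] if isinstance(domains, str) else list(domains)


def evaluate(access_control, domain):
    """Policy applied to a request for `domain`: first matching rule, else default."""
    for rule in access_control["rules"]:
        if any(domain_matches(p, domain) for p in rule_domains(rule)):
            policy = rule["policy"]
            if policy not in POLICIES:
                raise ValueError(f"unknown policy {policy!r}")
            return policy
    return access_control["default_policy"]


def pattern_covered_by(earlier, later):
    """True when every domain matched by `later` is also matched by `earlier`."""
    earlier, later = earlier.lower(), later.lower()
    if later.startswith("*."):
        return earlier.startswith("*.") and later.endswith(earlier[1:])
    return domain_matches(earlier, later)


def shadowed_rules(access_control):
    """Indexes of rules that can never match because earlier rules already cover
    every domain they list (first-match evaluation makes them dead config)."""
    rules = access_control["rules"]
    shadowed = []
    for i, rule in enumerate(rules):
        earlier = [p for r in rules[:i] for p in rule_domains(r)]
        later = rule_domains(rule)
        if later and all(any(pattern_covered_by(e, l) for e in earlier) for l in later):
            shadowed.append(i)
    return shadowed


# Constructed from the rule block quoted in the review comment above.
ACCESS_CONTROL = {
    "default_policy": "deny",
    "rules": [
        {"domain": "traefik.example.com", "policy": "one_factor"},
        {"domain": "whoami-secure.example.com", "policy": "two_factor"},
    ],
}

# Constructed counter-example: a broad wildcard placed first swallows the
# two_factor rule below it, silently downgrading whoami-secure to one_factor.
WILDCARD_FIRST = {
    "default_policy": "deny",
    "rules": [
        {"domain": "*.example.com", "policy": "one_factor"},
        {"domain": "whoami-secure.example.com", "policy": "two_factor"},
    ],
}


if __name__ == "__main__":
    for cfg_name, cfg in (("guide", ACCESS_CONTROL), ("wildcard_first", WILDCARD_FIRST)):
        for host in ("traefik.example.com", "whoami-secure.example.com", "other.example.com"):
            print(f"{cfg_name:15} {host:28} -> {evaluate(cfg, host)}")
        print(f"{cfg_name:15} shadowed rule indexes: {shadowed_rules(cfg)}")
```

Running it prints the policy each host receives under both configurations; `shadowed_rules` is the check worth keeping around, since a rule that can never match is exactly the kind of misconfiguration that looks fine on a read-through.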
Actionable comments posted: 1
🧹 Outside diff range and nitpick comments (3)
docs/content/blog/authelia-traefik-setup-guide/index.md (3)
19-38: I pity the fool who don't make prerequisites crystal clear! Let's make the prerequisites section more direct and structured, fool!
-This is not a demo. If you would like an all-in-one demo, please take a look at our [local bundle](https://www.authelia.com/integration/deployment/docker/#local). +# Prerequisites + +Before you start: +- This is a production setup guide. For a demo environment, check our [local bundle](https://www.authelia.com/integration/deployment/docker/#local) +- Ensure you have [Docker](https://docs.docker.com/engine/install/) installed and configured +- Have a domain name ready for use + ## Assumptions and Adaptation
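Review bot: `+# Prerequisites` is a level-1 heading placed directly above the existing `## Assumptions and Adaptation`; a level-1 heading inside the post body breaks the hierarchy that markdownlint is already flagging (MD001) in this file, so it should be `## Prerequisites` with the sub-section demoted to match. The hunk also replaces "This is not a demo" with "This is a production setup guide", a stronger claim than the guide makes about itself; keep the original sentence's scope.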
138-138: Hey fool, you got a typo in there! Fix that typo, sucka!
-Now we configure Traeifk. +Now we configure Traefik.
65-65: Listen up, fool! Your markdown headings ain't following the rules! Fix these heading levels to maintain proper hierarchy:
-#### Docker Compose +### Docker Compose -#### Authelia Configuration +### Authelia Configuration -###### Core Configuration +#### Core Configuration
Also applies to: 247-247, 319-319
🔇 Additional comments (1)
docs/content/blog/authelia-traefik-setup-guide/index.md (1)
149-149: Debug logging in production? I ain't getting on no plane with that, fool!
Few suggestions and nits, there's a couple questions just to gauge thoughts.
I'm not overly fussed with where we land with regards to the questions.
Actionable comments posted: 2
🧹 Outside diff range and nitpick comments (2)
docs/content/blog/authelia-traefik-setup-guide/index.md (2)
13-17: I pity the fool who don't optimize for search engines! The SEO fields are empty. Add relevant descriptions to improve visibility:
seo: - title: "" # custom title (optional) - description: "" # custom description (recommended) + title: "Complete Guide: Setting up Authelia with Traefik Reverse Proxy" + description: "Step-by-step tutorial for integrating Authelia authentication with Traefik proxy, including Docker Compose configurations and security best practices." canonical: "" # custom canonical URL (optional) noindex: false # false (default) or true
70-73: I ain't letting no container hog all the resources, fool! Add resource limits to prevent potential denial of service:
traefik: image: traefik:latest container_name: traefik restart: unless-stopped + deploy: + resources: + limits: + memory: 256M + reservations: + memory: 128M
🔇 Additional comments (3)
docs/content/blog/authelia-traefik-setup-guide/index.md (3)
253-253: Debug logging issue already addressed in previous review!
361-362: Default password warning already addressed in previous review!
76-81: 🛠️ Refactor suggestion
Listen up fool! Your network setup needs some muscle!
The current network configuration exposes services more than necessary. Consider using internal networks where possible and limit exposure:
networks:
- proxy: {}
+ proxy:
+ aliases: [] # Restrict unnecessary DNS aliases
authelia:
aliases:
- '{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}'
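Review bot: `+ aliases: []` under `proxy` is a no-op; an empty alias list changes nothing about which networks the Traefik container joins or which containers can reach it, so the hunk does not deliver the "limit exposure" its text promises. Limiting exposure means attaching each service only to the network it needs (the `authelia` network for the Traefik-to-Authelia hop) and marking a network that carries no published ports as `internal: true`; the comment should name the service lines it actually wants changed.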
Likely invalid or redundant comment.
Excited for this to come out! Once it's done, I'd like to copy this template to create a blog post using Podman instead of Docker, there's a few gotchas in Podman that have to deal with SELinux security in the docker-compose file. (following)
cb460f6 to ae7ed61
Actionable comments posted: 0
🧹 Nitpick comments (4)
docs/content/blog/authelia-traefik-setup-guide/index.md (4)
358-364: I ain't letting you use default passwords in production, fool! The warning about changing the default password is good, but let's make it even more prominent and add instructions for generating a secure password.
displayname: "Authelia User" - # WARNING: This is a default password for testing only! - # IMPORTANT: Change this password before deploying to production! - # Generate a new hash using the instructions at: - # https://www.authelia.com/reference/guides/passwords/#passwords + # ⚠️ DANGER ZONE! ⚠️ + # YOU MUST CHANGE THIS PASSWORD BEFORE DEPLOYING TO PRODUCTION! + # + # Generate a new secure password hash using: + # docker run authelia/authelia:latest authelia crypto hash generate argon2 --password 'your_secure_password' + # + # For more information visit: + # https://www.authelia.com/reference/guides/passwords/#passwords # Password is 'authelia' password: "$6$rounds=50000$BpLnfgDsc2WD8F2q$Zis.ixdg9s/UOJYrs56b5QEZFiZECu0qZVNsIYxBaNJ7ucIL.nlxVCT5tqh8KHG8X4tlwCFm5r6NTOZZ5qRFN/"
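Review bot: the suggested `docker run authelia/authelia:latest authelia crypto hash generate argon2 --password 'your_secure_password'` puts the plaintext password on the command line, where it lands in shell history and is visible to other local users in the process list while the command runs; drop `--password` so the CLI prompts for it interactively, and add `--rm` so the one-shot container is removed afterwards. The existing comment block already links the passwords guide, which is the better place to keep the invocation so the post does not go stale.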
303-307: Tighten up that security regulation, fool! The current regulation settings might be too lenient. Let's make it more secure by reducing retries and increasing ban time.
regulation: - max_retries: 4 - find_time: 120 - ban_time: 300 + max_retries: 3 + find_time: 60 + ban_time: 900
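Review bot: `+ max_retries: 3`, `+ find_time: 60` and `+ ban_time: 900` are presented as strictly safer, but the hunk omits the trade-off: as configured here regulation counts failures per username, not per client address, so fewer retries and a longer ban make it cheaper for a third party to lock a legitimate user out by submitting wrong passwords for that username. State the trade-off next to the values rather than silently swapping the guide's numbers.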
345-351: Listen up about them secrets, fool! Add more specific instructions about generating secure secrets and handling them properly.
-There are 3 required secrets that we need to create and put in `authelia/secrets/` directory: +There are 3 required secrets that we need to create and put in the `authelia/secrets/` directory: * jwt_secret.txt * storage_encryption_key.txt * session_secret.txt -It is *strongly recommended* that these 3 values are [Random Alphanumeric Strings](https://www.authelia.com/reference/guides/generating-secure-values/#generating-a-random-alphanumeric-string) with 64 or more characters. +It is *mandatory* to generate these secrets using secure random generators. Generate them using: + +```bash +# Generate each secret +openssl rand -base64 64 | tr -d '\n' > jwt_secret.txt +openssl rand -base64 64 | tr -d '\n' > storage_encryption_key.txt +openssl rand -base64 64 | tr -d '\n' > session_secret.txt + +# Set proper permissions +chmod 600 *.txt +```
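Review bot: `openssl rand -base64 64 | tr -d '\n'` emits base64, which contains `+`, `/` and `=` padding, while the sentence it replaces (and the linked generating-secure-values guide) asks for random alphanumeric strings of 64 or more characters, so the example contradicts the text it sits under; `authelia crypto rand --length 64 --charset alphanumeric`, which that guide documents, or `openssl rand -hex 64` both satisfy it. `+It is *mandatory*` also overstates the original "strongly recommended", and `chmod 600 *.txt` only does what is intended if run inside `authelia/secrets/`, which the snippet never changes into; add the `cd` or use the full path.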
372-373: Hold up fool! We need some verification steps! Add verification steps after starting the stack to ensure everything is working correctly.
### Starting the Stack Once all the configuration for [Traefik](https://doc.traefik.io/traefik/) and [Authelia](https://www.authelia.com/) are complete, from the `project/` directory run `docker compose up -d` to download and start the containers. + +### Verification Steps + +1. Check if all containers are running: + ```bash + docker compose ps + ``` + +2. Verify Traefik is accessible: + ```bash + curl -I https://traefik.example.com + ``` + +3. Test Authelia authentication: + ```bash + curl -I https://whoami-secure.example.com + ``` + +4. Check container logs for any errors: + ```bash + docker compose logs + ```
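Review bot: steps 2 and 3 run `curl -I` against hosts the guide protects with `one_factor` and `two_factor` policies, but the hunk never says what a healthy response looks like; an unauthenticated request to either is expected to be refused (redirected to the Authelia portal, or answered with 401 for a non-browser client) rather than return 200, so without that expectation a reader will take the correct outcome for a failure. State the expected status for each check, and note that `traefik.example.com` and `whoami-secure.example.com` are placeholders for the reader's own domain.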
🔇 Additional comments (3)
docs/content/blog/authelia-traefik-setup-guide/index.md (3)
253-253: I pity the fool who leaves debug logging enabled in production!
Change the log level from 'debug' to 'info' for production environments. Debug logging can expose sensitive information and impact performance!
- level: debug
+ level: info
Likely invalid or redundant comment.
183-194: 🛠️ Refactor suggestion
Listen up fool! Your TLS config needs some muscle!
Strengthen your security by upgrading to TLS 1.3 and modern cipher suites!
tls:
options:
default:
- minVersion: "VersionTLS12"
+ minVersion: "VersionTLS13"
cipherSuites:
- - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+ - TLS_AES_128_GCM_SHA256
+ - TLS_AES_256_GCM_SHA384
+ - TLS_CHACHA20_POLY1305_SHA256
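Review bot: `+ minVersion: "VersionTLS13"` together with `+ - TLS_AES_128_GCM_SHA256`, `+ - TLS_AES_256_GCM_SHA384` and `+ - TLS_CHACHA20_POLY1305_SHA256` is not a real hardening. Traefik is built on Go's crypto/tls, in which the TLS 1.3 cipher suites are fixed and not configurable, so `cipherSuites` only ever applies to TLS 1.2 handshakes and the three added entries are ignored; raising the floor to 1.3 meanwhile drops clients that negotiate only 1.2. The existing list of ECDHE AEAD suites over a TLS 1.2 floor is the usual recommendation and should stay; if the author does want a 1.3-only listener, remove `cipherSuites` entirely instead of listing 1.3 names under it.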
Likely invalid or redundant comment.
296-302: 🛠️ Refactor suggestion
Time to beef up that session security, fool!
Add security-related session configurations to protect against session hijacking and other attacks!
session:
name: authelia_session
secret: {{ secret "/secrets/session_secret.txt" | mindent 0 "|" | msquote}}
+ expiration: 1h
+ inactivity: 5m
+ remember_me_duration: 1M
cookies:
- domain: '{{< sitevar name="domain" nojs="example.com" >}}'
authelia_url: 'https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}'
+ same_site: strict
+ secure: true
+ http_only: true
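Review bot: half of the added keys do not exist in Authelia's session configuration. `+ same_site: strict` is real, but Authelia already sets the `Secure` and `HttpOnly` attributes on its session cookie unconditionally and exposes no `secure` or `http_only` keys, and `+ remember_me_duration: 1M` is the pre-4.38 spelling of the option (`remember_me` in the configuration format that introduced the `cookies:` list this hunk edits). Authelia rejects unexpected configuration keys at startup, so the suggestion as written would stop the stack; reduce it to `expiration`, `inactivity`, `remember_me` and `same_site`, and justify the values, since a `5m` inactivity timeout is a noticeable usability change for the audience of this guide.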
Likely invalid or redundant comment.
We appreciate the involvement from the community. In this instance I believe the intention is for this blog post to be a stop-gap solution to some feedback we've had. We're likely to integrate it with the get started guide long term where we can include podman elements too. It might be wise to start a discussion surrounding it so we can consider how this may look in the planning phase.
Some inconsistencies I noticed:
Actionable comments posted: 0
♻️ Duplicate comments (3)
docs/content/blog/authelia-traefik-setup-guide/index.md (3)
183-194: 🛠️ Refactor suggestion
Listen up fool, your TLS config needs some muscle!
The TLS configuration could be strengthened by using TLS 1.3 and modern cipher suites.
tls: options: default: - minVersion: "VersionTLS12" + minVersion: "VersionTLS13" cipherSuites: - - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 - - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256
254-254: ⚠️ Potential issue
Hey fool, you got debug logging in production!
Debug level logging can expose sensitive information and impact performance. Set it to 'info' for production environments!
- level: debug + level: info
297-303: 🛠️ Refactor suggestion
Beef up that session security, fool!
The session configuration is missing important security-related settings.
session: name: authelia_session secret: {{ secret "/secrets/session_secret.txt" | mindent 0 "|" | msquote}} + expiration: 1h + inactivity: 5m + remember_me_duration: 1M cookies: - domain: '{{< sitevar name="domain" nojs="example.com" >}}' authelia_url: 'https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}' + same_site: strict + secure: true + http_only: true
🧹 Nitpick comments (2)
docs/content/blog/authelia-traefik-setup-guide/index.md (2)
21-21: I pity the fool who can't spell 'reasonably'! There's a typo in the word "reasonablly" - it should be "reasonably".
-This guide makes a few assumptions. These assumptions may require adaptation in more advanced and complex scenarios. We can not reasonablly have examples for every advanced configuration option that exists. +This guide makes a few assumptions. These assumptions may require adaptation in more advanced and complex scenarios. We can not reasonably have examples for every advanced configuration option that exists.
373-374: Listen up fool, we need more startup instructions! The startup instructions could use more detail about verifying the setup and troubleshooting.
### Starting the Stack Once all the configuration for [Traefik](https://doc.traefik.io/traefik/) and [Authelia](https://www.authelia.com/) are complete, from the `project/` directory run `docker compose up -d` to download and start the containers. + +### Verifying the Setup +1. Check container status: `docker compose ps` +2. View logs for issues: `docker compose logs` +3. Access Traefik dashboard at `https://traefik.example.com` +4. Test authentication at `https://whoami-secure.example.com` + +### Troubleshooting +- Check container logs: `docker compose logs authelia` +- Verify network connectivity: `docker network inspect authelia` +- Ensure all secrets files exist and have correct permissions
🔇 Additional comments (2)
docs/content/blog/authelia-traefik-setup-guide/index.md (2)
142-142: LGTM! You got that logging level right, fool!
The log level is appropriately set to INFO for production use.
357-370: 🛠️ Refactor suggestion
I ain't letting you use that default password in production, fool!
While the warning comment is good, let's make it more prominent and add a note about generating secure passwords.
users:
authelia: # Username
displayname: "Authelia User"
+ # ⚠️ SECURITY WARNING ⚠️
# WARNING: This is a default password for testing only!
# IMPORTANT: Change this password before deploying to production!
# Generate a new hash using the instructions at:
# https://www.authelia.com/reference/guides/passwords/#passwords
+ # For production:
+ # 1. Generate a strong password (min 16 chars with mixed case, numbers, and symbols)
+ # 2. Generate a new hash using the link above
+ # 3. Replace the hash below
# Password is 'authelia'
password: "$6$rounds=50000$BpLnfgDsc2WD8F2q$Zis.ixdg9s/UOJYrs56b5QEZFiZECu0qZVNsIYxBaNJ7ucIL.nlxVCT5tqh8KHG8X4tlwCFm5r6NTOZZ5qRFN/"
Likely invalid or redundant comment.
it makes no difference either way, I'm happy to switch it to the other one.
docker-compose.yml and compose.yml are interchangeable, compose.yml is the "correct" one for the
It wasn't meant to indicate the start of a new yaml document, a continuation of the existing compose.yaml. If you have a better way of indicating that, I am all ears. Thanks for looking at it :)
Codecov Report
All modified and coverable lines are covered by tests ✅
Additional details and impacted files
@@ Coverage Diff @@
## master #8316 +/- ##
==========================================
+ Coverage 73.79% 73.89% +0.10%
==========================================
Files 349 349
Lines 30294 30294
Branches 864 864
==========================================
+ Hits 22354 22386 +32
+ Misses 7057 7023 -34
- Partials 883 885 +2
Maybe something like
@jay-elizaga-dev Triple dots have a special meaning in the yaml syntax, which most people don't know about.
From section 2.2 of the yaml specification. A solution has already been discussed.
Actionable comments posted: 0
🧹 Nitpick comments (2)
docs/content/blog/authelia-traefik-setup-guide/index.md (2)
346-351: Listen up fool, secrets ain't no joke! The secrets section needs more emphasis on secure generation and handling:
- Never store secrets in version control
- Use proper permissions (600) for secret files
- Consider using a secrets management service in production
🧰 Tools
🪛 LanguageTool
[uncategorized] ~346-~346: You might be missing the article “the” here.
Context: ...crets that we need to create and put in authelia/secrets/ directory: * jwt_secr... (AI_EN_LECTOR_MISSING_DETERMINER_THE)
🪛 Markdownlint (0.37.0)
347-347, 348-348, 349-349: Expected: dash; Actual: asterisk. Unordered list style (MD004, ul-style)
373-374: I pity the fool who can't verify their setup! Add verification steps after starting the stack:
- Check container logs for errors
- Verify services are accessible
- Test authentication flows
Would you like me to generate a troubleshooting section with common issues and solutions?
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (1)
docs/content/blog/authelia-traefik-setup-guide/index.md
(1 hunks)
🧰 Additional context used
🪛 LanguageTool
docs/content/blog/authelia-traefik-setup-guide/index.md
[style] ~19-~19: To make your writing clearer, consider a more direct alternative.
Context: ...u would like an all-in-one demo, please take a look at our [local bundle](https://www.... (TAKE_A_LOOK)
[style] ~40-~40: You have already used this phrasing in nearby sentences. Consider replacing it to add variety to your writing.
Context: ...n ## File Structure The first thing we want to do is set up the file structure. Which ... (REP_WANT_TO_VB)
[uncategorized] ~338-~338: If this is a compound adjective that modifies the following noun, use a hyphen.
Context: ... - Configure brute-force protection and rate limiting * [Notifier](https://www.authelia.com/c... (EN_COMPOUND_ADJECTIVE_INTERNAL)
[uncategorized] ~346-~346: You might be missing the article “the” here.
Context: ...crets that we need to create and put in authelia/secrets/ directory: * jwt_secr... (AI_EN_LECTOR_MISSING_DETERMINER_THE)
🪛 Markdownlint (0.37.0)
docs/content/blog/authelia-traefik-setup-guide/index.md
66-66, 248-248: Expected: h3; Actual: h4. Heading levels should only increment by one level at a time (MD001, heading-increment)
322-322: Expected: h5; Actual: h6. Heading levels should only increment by one level at a time (MD001, heading-increment)
323-325, 328-331, 334-335, 338-339, 347-349: Expected: dash; Actual: asterisk. Unordered list style (MD004, ul-style)
🔇 Additional comments (5)
docs/content/blog/authelia-traefik-setup-guide/index.md (5)
254-254: Hey fool, you still got debug logging in production!
Debug level logging can expose sensitive information and impact performance. Set it to 'info' for production environments!
183-194: Time to beef up that TLS security, fool!
Add modern cipher suites and strengthen the TLS configuration.
297-303: Strengthen that session security, fool!
Add security-related session configurations.
359-365: I pity the fool who deploys with default passwords!
The warning about changing the default password needs to be more prominent and visible.
Add this warning block at the top of the users.yaml file:
users:
authelia: # Username
displayname: "Authelia User"
+ # ⚠️ SECURITY RISK ⚠️
+ # DO NOT USE THIS DEFAULT PASSWORD IN PRODUCTION!
+ # THIS IS FOR TESTING PURPOSES ONLY!
+ # YOU MUST CHANGE THIS BEFORE DEPLOYMENT!
+ #
+ # Generate a new secure password hash using:
+ # https://www.authelia.com/reference/guides/passwords/#passwords
# Password is 'authelia'
Likely invalid or redundant comment.
3-4: I pity the fool who leaves TODOs in production documentation!
The description and summary look good, but that TODO comment needs to be handled before this goes live, fool!
-summary: "In this guide we will walk through setting up Authelia with Traefik as the reverse proxy. This guide aims to provide an opinionated way to setup Authelia that is fully supported by the Authelia team." #TODO: change this description
+summary: "In this guide we will walk through setting up Authelia with Traefik as the reverse proxy. This guide aims to provide an opinionated way to setup Authelia that is fully supported by the Authelia team."
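Review bot: the `-`/`+` pair only deletes the `#TODO: change this description` marker and leaves the summary text itself untouched; since the author flagged the description as provisional, removing the marker alone hides the open item rather than resolving it. Confirm the intended wording with the author before applying.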
Likely invalid or redundant comment.
Signed-off-by: Brynn Crowley <littlehill723@gmail.com>
Co-authored-by: Hendrik Sievers <89412959+hendrik1120@users.noreply.github.com>
Signed-off-by: Brynn Crowley <littlehill723@gmail.com>
Signed-off-by: Brynn Crowley <littlehill723@gmail.com>
806b471 to 5e7e5ef
Actionable comments posted: 1
♻️ Duplicate comments (4)
docs/content/blog/authelia-traefik-setup-guide/index.md (4)
185-196: 🛠️ Refactor suggestion: Time to beef up that TLS security, fool!
Upgrade to TLS 1.3 and modern cipher suites for better security.
tls: options: default: - minVersion: "VersionTLS12" + minVersion: "VersionTLS13" cipherSuites: - - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 - - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256
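Review bot: with `minVersion: "VersionTLS13"` the `cipherSuites` list becomes a no-op, because Traefik (through Go's crypto/tls) does not allow TLS 1.3 cipher suites to be configured, and the change also turns away clients that only speak TLS 1.2. Either keep `VersionTLS12` with the existing ECDHE suites, or raise the minimum and remove the suite list instead of replacing it with TLS 1.3 suite names.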
254-255: ⚠️ Potential issue: Hey fool, you got debug logging in production!
Debug level logging can expose sensitive information and impact performance.
- level: debug + level: info
298-304: 🛠️ Refactor suggestion: Strengthen that session security, fool!
Add security-related session configurations.
session: name: authelia_session secret: {{ secret "/secrets/session_secret.txt" | mindent 0 "|" | msquote}} + expiration: 1h + inactivity: 5m + remember_me_duration: 1M cookies: - domain: '{{< sitevar name="domain" nojs="example.com" >}}' authelia_url: 'https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}' + same_site: strict + secure: true + http_only: true
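Review bot: `secure: true` and `http_only: true` under `cookies` need checking against the session configuration reference before this is applied; Authelia rejects configuration keys it does not know at startup, and it already sets the Secure and HttpOnly attributes on its session cookie itself. `same_site: strict` should also be tested against the login redirect flow the guide sets up before it replaces the default.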
361-371: 🛠️ Refactor suggestion: I pity the fool who leaves default passwords in production!
The warning about changing the default password is good, but let's make it more prominent.
displayname: "Authelia User" - # WARNING: This is a default password for testing only! + # ⚠️ WARNING: This is a default password for testing only! + # ⚠️ IMPORTANT: Change this password before deploying to production! + # ⚠️ Generate a new hash using the instructions at: + # ⚠️ https://www.authelia.com/reference/guides/passwords/#passwords # Password is 'authelia'
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (1)
docs/content/blog/authelia-traefik-setup-guide/index.md
(1 hunks)
🧰 Additional context used
🪛 LanguageTool
docs/content/blog/authelia-traefik-setup-guide/index.md
[style] ~19-~19: To make your writing clearer, consider a more direct alternative.
Context: ...u would like an all-in-one demo, please take a look at our [local bundle](https://www.... (TAKE_A_LOOK)
[style] ~21-~21: Unless you want to emphasize “not”, use “cannot” which is more common.
Context: ...more advanced and complex scenarios. We can not reasonably have examples for every adva... (CAN_NOT_PREMIUM)
[style] ~40-~40: You have already used this phrasing in nearby sentences. Consider replacing it to add variety to your writing.
Context: ...n ## File Structure The first thing we want to do is set up the file structure. Which ... (REP_WANT_TO_VB)
[uncategorized] ~339-~339: If this is a compound adjective that modifies the following noun, use a hyphen.
Context: ... - Configure brute-force protection and rate limiting * [Notifier](https://www.authelia.com/c... (EN_COMPOUND_ADJECTIVE_INTERNAL)
🪛 Markdownlint (0.37.0)
docs/content/blog/authelia-traefik-setup-guide/index.md
66-66, 249-249: Expected: h3; Actual: h4. Heading levels should only increment by one level at a time (MD001, heading-increment)
323-323: Expected: h5; Actual: h6. Heading levels should only increment by one level at a time (MD001, heading-increment)
324-326, 329-332, 335-336, 339-340, 348-350: Expected: dash; Actual: asterisk. Unordered list style (MD004, ul-style)
🔇 Additional comments (1)
docs/content/blog/authelia-traefik-setup-guide/index.md (1)
140-140: I pity the fool who leaves debug mode on!
Debug mode should be disabled in production environments as it may expose sensitive information.
- debug: false
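Review bot: the quoted line already reads `debug: false`, so the comment asks for a change the file already has; and the hunk is a bare removal (`-`) with no replacement line, which would drop the explicit setting rather than disable anything.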
Likely invalid or redundant comment.
After executing docker-compose up -d the traefik logs will indicate an error:
2024-12-23T23:16:21+01:00 ERR error="middleware \"authelia@docker\" does not exist" entryPointName=https routerName=whoami-secure@docker
2024-12-23T23:16:21+01:00 ERR error="middleware \"authelia@docker\" does not exist" entryPointName=https routerName=dashboard@docker
It should be noted that this error is expected on startup and that everything is working.
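The two Traefik messages quoted in this thread (the `middleware ... does not exist` error that is expected at startup, and the `Defaulting to first available network` warning discussed further down) are easier to check for than to eyeball. As an added example, not code from the PR or from the Authelia project, here is a parser for Traefik's default text log format plus two checks over constructed sample lines: one flags the middleware error only when it keeps appearing after a startup grace period, the other lists containers Traefik reached by guessing a network.

```python
import re
from datetime import datetime, timedelta

# Traefik's default text log line: ISO timestamp, three-letter level, message, key=value fields.
LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<level>[A-Z]{3}) (?P<rest>.*)$')
KV_RE = re.compile(r'(?P<key>\w+)=(?P<val>"(?:[^"\\]|\\.)*"|\S+)')  # quoted (with \") or bare value
MISSING_MW_RE = re.compile(r'middleware "(?P<mw>[^"]+)" does not exist')
NET_WARN_RE = re.compile(r'Defaulting to first available network .* for container "(?P<c>[^"]+)"')

# Constructed sample in the shape of the lines quoted in the thread (ids are placeholders):
# two expected errors at startup, the network warning, and one error repeated well after startup.
SAMPLE_LOG = r"""
2024-12-23T23:16:21+01:00 ERR error="middleware \"authelia@docker\" does not exist" entryPointName=https routerName=whoami-secure@docker
2024-12-23T23:16:21+01:00 ERR error="middleware \"authelia@docker\" does not exist" entryPointName=https routerName=dashboard@docker
2024-12-23T23:16:22+01:00 WRN Defaulting to first available network (&{"project_authelia" "172.19.0.2" '\x00' "" "NETWORK_ID_PLACEHOLDER"}) for container "/authelia". container=authelia-project-CONTAINER_ID_PLACEHOLDER providerName=docker serviceName=authelia-project
2024-12-23T23:18:05+01:00 ERR error="middleware \"authelia@docker\" does not exist" entryPointName=https routerName=whoami-secure@docker
""".strip().splitlines()

def parse_line(line):
    """Split one Traefik log line into (timestamp, level, message, fields); None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest, fields, first_kv = m.group('rest'), {}, None
    for kv in KV_RE.finditer(rest):
        first_kv = kv.start() if first_kv is None else first_kv
        val = kv.group('val')
        if val.startswith('"'):
            val = val[1:-1].replace('\\"', '"')  # drop the quotes and unescape \"
        fields[kv.group('key')] = val
    message = rest[:first_kv].strip() if first_kv is not None else rest.strip()
    return datetime.fromisoformat(m.group('ts')), m.group('level'), message, fields

def persistent_missing_middleware(lines, grace=timedelta(seconds=60)):
    """(router, middleware) pairs still reported missing once the startup grace period is over."""
    parsed = [p for p in map(parse_line, lines) if p]
    if not parsed:
        return []
    started = min(p[0] for p in parsed)  # first log line approximates Traefik's start time
    late = []
    for ts, level, _message, fields in parsed:
        m = MISSING_MW_RE.search(fields.get('error', ''))
        if level == 'ERR' and m and ts - started > grace:
            late.append((fields.get('routerName', '?'), m.group('mw')))
    return late

def containers_on_guessed_network(lines):
    """Containers Traefik could only reach by 'defaulting to first available network'."""
    hits = []
    for p in filter(None, map(parse_line, lines)):
        m = NET_WARN_RE.search(p[2]) if p[1] == 'WRN' else None
        if m:
            hits.append(m.group('c'))
    return hits
```

On the sample, only the repeat at 23:18:05 is reported as persistent; the two errors logged at startup are treated as the expected ones.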
- cloudflare_email
- cloudflare_api_key
These secrets are not being mentioned in the secrets section
We should probably avoid using anything platform specific like this and instead use HTTP-01 ACME challenges.
proxy:
external: true
There is no mention of this network in the guide. If this should be the primary proxy net, authelia itself has no access to it, which will generate the following traefik warning:
2024-12-23T22:41:06+01:00 WRN Defaulting to first available network (&{"project_authelia" "172.19.0.2" '\x00' "" "7ce3d349ad84c0cb0be75dd9aacf8da0977850a380c134b887452243a9051186"}) for container "/authelia". container=authelia-project-6baa555da2ba674e94ebc96d0e11ed733645e77842ef03f87b1872c19029d962 providerName=docker serviceName=authelia-project
A solution would be to either remove the proxy network entirely or add authelia to the network as well.
While yes, it's not mentioned, which I will fix, Authelia does not need to be on/have access to the proxy network to work correctly. This is an ideal situation because it prevents malicious services on the proxy network from inspecting non-TLS traffic from Authelia.
Yeah, sorry. I didn't think of that. Setting the traefik.docker.network to project_authelia will resolve the warning, because compose will always prefix the network with the stack name.
- cloudflare_api_key
labels:
traefik.enable: 'true'
traefik.http.routers.dashboard.rule: 'Host(`traefik.{{< sitevar name="domain" nojs="example.com" >}})'
Missing `
traefik.http.routers.dashboard.rule: 'Host(`traefik.{{< sitevar name="domain" nojs="example.com" >}})'
traefik.http.routers.dashboard.rule: 'Host(`traefik.{{< sitevar name="domain" nojs="example.com" >}}`)'
address: ":443"
http:
tls:
certResolver: cloudflare@file
The file operator isn't working here as the provider is in the same file
certResolver: cloudflare@file
certResolver: cloudflare
log:
level: INFO
filePath: /logs/traefik.log
Since a log file is defined here, traefik won't log to stdout anymore.
Maybe a hint on how to view these logs would help?
I'm somewhat inclined to think it may be more beneficial to log the standard logs to the console and keep the access logs to a log file.
proxy: {}
authelia:
aliases:
- '{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}'
proxy: {}
authelia:
aliases:
- '{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}'
proxy:
aliases:
- '{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}'
authelia: {}
This PR adds a new blog post containing a guide to setting up Authelia with Traefik.