Anyone have Authelia working with HA to handle authentication?

I started playing around with Authelia in an attempt to create a standardized 2FA/SSO authentication scheme for my services. I’m trying to tackle the most important service first, Home Assistant. :smiley: I’ve got a reverse proxy enabled and working already so I’m just trying to augment that with this authentication package for HA.

I enabled it tonight and got everything working via Chrome browser on my PC but when I fired up the mobile app, it complained that it couldn’t connect at first and when I hit the “Wait” option it gave me to the login screen for Authelia. I thought I was golden. Then I logged in and Authelia gave me the green check mark (session success) but nothing happened after that.

I expected it to forward me back to the mobile app but it just sat at the green check mark screen. When I try to get back to the app it just complains that it cannot connect to the server.

I’m guessing I need to configure some kind of redirect/forward but I’m not sure how or where to do that. It’s probably on the Authelia side or maybe the reverse-proxy side but Google and Community.HA.io searches get pretty light when hunting for something so specific; I’ve come up empty handed. Anyone have this working and/or care to share their configuration?

Thanks!


I am also interested in this method. I have started trying but no luck yet; I just get the blue bar across the top and nothing else loads for me (in PC browser).

I think I got it all working correctly. I've been using swag as a reverse proxy for a while and it works really great; it has letsencrypt and Authelia support built in. Plus it has reverse proxy configs for a lot of services, both subdomain and subfolder.

You should check it out.

Oh, and your post reminded me I needed to inform the makers that the HA config needs a small addition; with this PR it should work perfectly.

Hi @golles, thanks for the info. I don’t suppose you could share some of your config for HA through swag with us? I searched for Home Assistant on the swag page you shared but there doesn’t seem to be any documentation for that. I found this post from Juan that talks about swag but he didn’t share any HA-specific config for swag. Does it just work out of the box?

The proxy config I’m using is: reverse-proxy-confs/homeassistant.subdomain.conf.sample at f9d6d9ca4f0d17be2e30b8a186746033b0ea8dc2 · linuxserver/reverse-proxy-confs · GitHub

I have the 2 lines for Authelia uncommented.

LinuxServer.io has a blog post, that's what I followed (I already had swag running for a long time, so I skipped that part): Setting Up Authelia With SWAG | LinuxServer.io

@SpikeyGG before you change too much of your setup: I think I have now got it going. I am using Cloudflare, NGINX, Authelia and it is working via web & app. It will just take me a little to write it all up…

@SpikeyGG I am using a few tutorials myself to have the Cloudflare setup with NGINX & Authelia running on my Unraid server. I am running home assistant on another machine (proxmox) however, one day I will switch it over to Unraid as well. For reference, my HA install is on 192.168.1.10 and Unraid/Authelia 192.168.1.100.

Before I start, I must give credit to Sycotix at IBRACORP as I wouldn’t have been here without the tutorial videos. I have forgotten which ones exactly contributed to this particular part of my setup, but, these 3 are worth watching:

In Cloudflare, I have set up the CNAME domain auth.YOURDOMAIN.com for Authelia and homeassistant.YOURDOMAIN.com for Home Assistant.

So that will point through to Nginx proxy manager and then that subsequently is set up for Authelia authentication.

Below is how I have configured NGINX:

[screenshot of the Nginx proxy manager host configuration, 2021-07-11]

Here is the code in the advanced tab:

# Internal forward-auth location: every request to Home Assistant is first
# checked here by a subrequest to Authelia's /api/verify endpoint.
location /authelia {
    internal;
    set $upstream_authelia http://192.168.1.100:9091/api/verify;
    proxy_pass_request_body off;
    proxy_pass $upstream_authelia;
    proxy_set_header Content-Length "";

    # Timeout if the real server is dead
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
    client_body_buffer_size 128k;
    proxy_set_header Host $host;
    # Authelia needs the original URL/host/proto to decide the policy and build the redirect
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header X-Forwarded-Uri $request_uri;
    proxy_set_header X-Forwarded-Ssl on;
    proxy_redirect  http://  $scheme://;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    # Never serve the verify result from cache; it depends on the session cookie
    proxy_cache_bypass $cookie_session;
    proxy_no_cache $cookie_session;
    proxy_buffers 4 32k;

    send_timeout 5m;
    proxy_read_timeout 240;
    proxy_send_timeout 240;
    proxy_connect_timeout 240;
}

# Home Assistant itself; auth_request gates every request through /authelia above.
location / {
    set $upstream_homeassistant http://192.168.1.10:8123;
    proxy_pass $upstream_homeassistant;

    auth_request /authelia;
    auth_request_set $target_url https://$http_host$request_uri;
    auth_request_set $user $upstream_http_remote_user;
    auth_request_set $groups $upstream_http_remote_groups;
    proxy_set_header Remote-User $user;
    proxy_set_header Remote-Groups $groups;
    # Unauthenticated requests (401 from Authelia) are sent to the portal with a return URL
    error_page 401 =302 https://auth.YOURDOMAIN.com/?rd=$target_url;

    client_body_buffer_size 128k;
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

    send_timeout 5m;
    proxy_read_timeout 360;
    proxy_send_timeout 360;
    proxy_connect_timeout 360;

    proxy_set_header Host $host;
    # WebSocket upgrade headers; the HA frontend and app need the websocket
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection upgrade;
    proxy_set_header Accept-Encoding gzip;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header X-Forwarded-Uri $request_uri;
    proxy_set_header X-Forwarded-Ssl on;
    proxy_redirect  http://  $scheme://;
    proxy_http_version 1.1;
    # The original config also had 'proxy_set_header Connection "";' here; it
    # conflicts with the "Connection upgrade" line above, so it is left out.
    proxy_cache_bypass $cookie_session;
    proxy_no_cache $cookie_session;
    proxy_buffers 64 256k;

    # Only trust CF-Connecting-IP when the request arrives from these proxy/container networks
    set_real_ip_from 172.17.0.0/16;
    set_real_ip_from 172.18.0.0/16;
    set_real_ip_from 172.19.0.0/16;
    set_real_ip_from 192.168.1.0/24;
    set_real_ip_from 192.168.122.0/24;
    real_ip_header CF-Connecting-IP;
    real_ip_recursive on;
}

Within Authelia yml config I have this rule for home assistant:

  rules:
    - domain: "homeassistant.YOURDOMAIN.com"
      subject:
        - "group:admins"
      policy: two_factor

Edit 21 July: since 2021.7 you do need some of the http settings within configuration.yaml in Home Assistant:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.1.0/24

That way nginx can reach Home Assistant without HTTPS, but it is still using HTTPS externally via Cloudflare. So far this is working for web internal & external and app internal & external.

This is pretty long and hopefully it mostly makes sense. Good luck :wink:


Does this work with multiple users in Home Assistant? Because that is what I am personally looking for. I know you can bypass login when you have only one user in HA and then use Authelia as the ‘frontdoor’, but if this works for multiple users then this is golden.

I have multiple users in both HA & Authelia. So far so good. I am not sure what will happen after an extended period of time, ie. how often they need to reauthenticate.

Sounds good, and also works with the HA apps on Android/iOS?

Yep, you just get the Authelia authentication prior to making it to HA. You just need to put in the info for your site, then press done; that makes the Authelia authentication screen come up.

Hm, it gives me unknown errors (btw it seemed the code I already used was pretty similar to yours, except I used the X-Forwarded-For header instead of the CF IP, though the result should be the same. I have also added some security headers, which you don’t need since they already come with the CF proxy).

Could you maybe tell me how you have setup your authentication providers in HA?
E.g. I have the following lines:

# Home Assistant
homeassistant:
  customize: !include customize.yaml
  packages: !include_dir_named packages/
  external_url: !secret base_url
  internal_url: !secret internal_url
  media_dirs:
    media: media/
  auth_providers:
    - type: trusted_networks
      trusted_networks:
        - 127.0.0.1
        - 10.0.0.0/24
    - type: homeassistant

But HA has to get the user info from authelia somehow no?

At the moment I still have normal user authentication on for HA. However, I am considering turning it off in some way once I am satisfied it is working. So it is a little annoying when you set up the device, as you need to log in twice… once in Authelia & once in HA.

Ah that is what I thought, hence why I have setup a bypass in Authelia since logging in twice (both 2FA) is a no go.

Thanks for the explanation.

For those updating to 2021.7… there is a breaking change that stopped my config from working. I had to make sure I had these lines in my configuration.yaml:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.1.0/24

I have managed to connect the app by changing the Authelia config for homeassistant to bypass. But how do I configure Authelia to use two_factor for normal login and bypass /api and /auth?

I tried:

    - domain: "homeassistant.mydomain.org"
      subject:
        - "group:admins"
      policy: two_factor

    - domain: "homeassistant.mydomain.org"
      resources:
        - "^/api.*$"
        - "^/auth/token/.*$"
      policy: bypass

But if I look in the Authelia log it still blocks requests to /api/verify and /auth/token.


I haven't set up HA through Authelia yet, but I do know your bypass rule must come BEFORE your two_factor rule. Swap the order and test it out to see if it works. I'd be interested if it does because I'd like to require two-factor from a browser but allow the app on my phone.

Hi,
Don’t know if this is the best way, but I managed to be able to use the app while protecting the web interface with Authelia.
In Authelia’s config I have this (I stripped other domains) :

- domain: "ha.MYDOMAIN.COM"
  policy: bypass
  resources:
    - "^/api.*"
    - "^/auth/token.*"
    - "^/.external_auth=."
    - "^/service_worker.js"
    - "^/static/.*"
- domain: # Proxies needing 2 factor below
    - "ha.MYDOMAIN.COM"
  policy: two_factor

It is indeed very important to put your “bypass” block before the two_factor one (as @MRobi said), otherwise it will be ignored.

I modified the given rules and added some others from what I saw in Authelia’s logs.
It seems to be working just fine right now.

And just a final note to say I don’t have Authelia only, but also a password with Double Authentication set at HA’s level.

[EDIT] Removed a “/” in one of the rules because the path is “/auth/token” and not “/auth/token/”

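As an added illustration of the rule-ordering point raised in the last few posts (the two_factor/bypass question and the replies saying bypass must come first), here is a small Python model of first-match rule evaluation using the domain and rule shapes from this thread. It is not Authelia's code and not from anyone in the thread; the subject handling for anonymous requests is a simplifying assumption, marked as such in the comments.

```python
import re
from dataclasses import dataclass, field
# Simplified model of Authelia's access-control evaluation: rules are checked
# top to bottom and the FIRST matching rule decides the policy; with no match
# the default policy (deny here) applies. Illustration only, not Authelia code.

@dataclass
class Rule:
    domains: list
    policy: str
    resources: list = field(default_factory=list)  # regexes over the request path
    subjects: list = field(default_factory=list)   # e.g. "group:admins"

def rule_matches(rule, domain, path, groups):
    if domain not in rule.domains:
        return False
    if rule.resources and not any(re.search(r, path) for r in rule.resources):
        return False
    # Simplification (assumption): an anonymous request (groups=None) may match
    # a subject rule so its policy can trigger the login prompt; an authenticated
    # user must actually be in one of the listed groups.
    if rule.subjects and groups is not None:
        wanted = {s.split(":", 1)[1] for s in rule.subjects if s.startswith("group:")}
        if not wanted.intersection(groups):
            return False
    return True

def required_policy(rules, domain, path, groups=None, default="deny"):
    for rule in rules:
        if rule_matches(rule, domain, path, groups):
            return rule.policy
    return default

HA = "homeassistant.mydomain.org"

# The order from the first attempt in the thread: two_factor listed first.
WRONG_ORDER = [
    Rule([HA], "two_factor", subjects=["group:admins"]),
    Rule([HA], "bypass", resources=[r"^/api.*$", r"^/auth/token.*$"]),
]
# Corrected order: the bypass rule must come BEFORE the two_factor rule.
RIGHT_ORDER = list(reversed(WRONG_ORDER))

def compare(path):
    # Policy an anonymous request to `path` gets under each ordering.
    return (required_policy(WRONG_ORDER, HA, path),
            required_policy(RIGHT_ORDER, HA, path))
```

Everything the bypass rule covers (the whole /api tree and the token endpoint) reaches Home Assistant with no Authelia check at all, so HA's own login and tokens remain the only protection on those paths.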