---
title: "Authelia: a unified SSO system"
author: Frederic AOUSTIN
version: 1.0
---

# Authelia: a unified SSO system

![category](developpement)
![tag](docker)

While setting up a **Searxng** server I needed to add an access-control layer in front of it.
That layer must let me decide which users are allowed to log in to the server and which are not.

The idea was also to reuse this authentication for other self-hosted applications.

My architecture is the following:

```mermaid
flowchart LR
    traefik["Traefik"]
    nginx2["Nginx2"]
    authelia["Authelia"]
    users[(users)]
    searxng["Searxng"]
    nginx1["Nginx1 (secured)"]
    authelia --> users
    traefik --> authelia
    authelia --> searxng
    traefik -.-> searxng
    authelia --> nginx1
    traefik -.-> nginx1
    traefik --> nginx2
```

We will use *docker compose* to assemble these components.

Our docker-compose.yml file looks like this:

```yaml
version: '2'
services:
    reverse-proxy:
        image: traefik:v2.11.34
        command:
            # The dashboard is served without authentication on port 8080
            # (published below as 8090): keep that port firewalled.
            - --api.insecure=true
            - --providers.docker
            - --providers.docker.exposedbydefault=false
            - --providers.file.directory=/etc/traefik/dynamic
            - --entryPoints.web.address=:80
            - --entryPoints.websecure.address=:443
            - --entrypoints.web.http.redirections.entrypoint.to=websecure
            - --entrypoints.web.http.redirections.entrypoint.scheme=https
        ports:
            - "80:80"
            - "443:443"
            - "8090:8080"
        volumes:
            - /var/run/docker.sock:/var/run/docker.sock
            - /root/docker/data/traefik/certs-traefik.yaml:/etc/traefik/dynamic/certs-traefik.yaml
            - /root/docker/data/traefik/certs/:/etc/certs/
            - /root/docker/data/traefik/supervision.yaml:/etc/traefik/dynamic/supervision.yaml
            - /root/docker/data/traefik/authelia.yaml:/etc/traefik/dynamic/authelia.yaml

    authelia:
        image: authelia/authelia:latest
        container_name: authelia
        restart: unless-stopped
        volumes:
            - /root/docker/data/authelia:/config
        labels:
            - "traefik.enable=true"
            - "traefik.http.routers.authelia.rule=Host(`auth.fraoustin.fr`)"
            - "traefik.http.routers.authelia.entrypoints=websecure"
            - "traefik.http.routers.authelia.tls=true"
            - "traefik.http.services.authelia.loadbalancer.server.port=9091"

    nginxone:
        image: nginx
        volumes:
            - /root/docker/data/nginxone:/usr/share/nginx/html
        restart: always
        labels:
            - "traefik.enable=true"
            # The https-redirect middleware used by every *-insecure router is
            # defined once here; docker-provider middlewares are global.
            - "traefik.http.middlewares.https-redirect.redirectscheme.scheme=https"
            - "traefik.http.routers.nginxone.entrypoints=websecure"
            - "traefik.http.routers.nginxone.tls=true"
            - "traefik.http.routers.nginxone.rule=Host(`nginxone.fraoustin.fr`)"
            - "traefik.http.services.nginxone-service.loadbalancer.server.port=80"
            - "traefik.http.routers.nginxone-insecure.entrypoints=web"
            - "traefik.http.routers.nginxone-insecure.rule=Host(`nginxone.fraoustin.fr`)"
            - "traefik.http.routers.nginxone-insecure.middlewares=https-redirect"
            # The middleware must be attached to this service's own router
            # (nginxone), not to the search router of the searxng service.
            - "traefik.http.routers.nginxone.middlewares=authelia@file"

    nginxtwo:
        image: nginx
        volumes:
            - /root/docker/data/nginxtwo:/usr/share/nginx/html
        restart: always
        labels:
            - "traefik.enable=true"
            - "traefik.http.routers.nginxtwo.entrypoints=websecure"
            - "traefik.http.routers.nginxtwo.tls=true"
            - "traefik.http.routers.nginxtwo.rule=Host(`nginxtwo.fraoustin.fr`)"
            - "traefik.http.services.nginxtwo-service.loadbalancer.server.port=80"
            - "traefik.http.routers.nginxtwo-insecure.entrypoints=web"
            - "traefik.http.routers.nginxtwo-insecure.rule=Host(`nginxtwo.fraoustin.fr`)"
            - "traefik.http.routers.nginxtwo-insecure.middlewares=https-redirect"

    searxng:
        image: searxng/searxng:latest
        container_name: searxng
        volumes:
            - ./data/sam/searxng:/etc/searxng:rw
        environment:
            - SEARXNG_SECRET_KEY=ZOPFRZIGfdsfdgokgfdgs0OCqCKe
        labels:
            - "traefik.enable=true"
            - "traefik.http.routers.search.entrypoints=websecure"
            - "traefik.http.routers.search.tls=true"
            - "traefik.http.routers.search.rule=Host(`search.fraoustin.fr`)"
            - "traefik.http.services.search-service.loadbalancer.server.port=8080"
            - "traefik.http.routers.search-insecure.entrypoints=web"
            - "traefik.http.routers.search-insecure.rule=Host(`search.fraoustin.fr`)"
            - "traefik.http.routers.search-insecure.middlewares=https-redirect"
            - "traefik.http.routers.search.middlewares=authelia@file"
        extra_hosts:
            - host.docker.internal:host-gateway
        restart: always
```
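A quick way to catch the kind of slip the compose file is prone to (a middleware label attached to the wrong router name, leaving a router on websecure without Authelia) is to lint the labels the same way the Traefik docker provider reads them. This is an added example, not code from the post or from Traefik/Authelia; `SAMPLE` is a constructed copy of the labels above, with the misdirected `search` label under nginxone kept on purpose.

```python
"""Lint Traefik docker labels: every websecure router must carry the Authelia
forwardAuth middleware, and no router may be configured from two services.
Added example, not from the post; SAMPLE is a constructed copy of the labels."""
import re
from collections import defaultdict

ROUTER_RE = re.compile(r"^traefik\.http\.routers\.([^.]+)\.(.+)$")


def parse_routers(labels):
    """Group 'traefik.http.routers.<name>.<key>=<value>' labels by router name."""
    routers = defaultdict(dict)
    for label in labels:
        key, _, value = label.partition("=")
        m = ROUTER_RE.match(key)
        if m:
            routers[m.group(1)][m.group(2)] = value
    return routers


def lint(service_labels, middleware="authelia@file", public=()):
    """service_labels: compose service -> label strings. Returns (unprotected,
    shared): websecure routers without the middleware (unless in public) and
    router names fed by several services, which Traefik merges and may reject."""
    routers, contributors = defaultdict(dict), defaultdict(set)
    for service, labels in service_labels.items():
        for name, cfg in parse_routers(labels).items():
            routers[name].update(cfg)
            contributors[name].add(service)
    unprotected = set()
    for name, cfg in routers.items():
        if cfg.get("entrypoints") != "websecure" or name in public:
            continue  # HTTP routers only redirect; public routers are an opt-out
        if middleware not in {m.strip() for m in cfg.get("middlewares", "").split(",")}:
            unprotected.add(name)
    shared = {name for name, who in contributors.items() if len(who) > 1}
    return unprotected, shared


# Constructed sample mirroring the compose file, including the slip where a label
# under nginxone targets the "search" router instead of nginxone's own router.
SAMPLE = {
    "nginxone": ["traefik.http.routers.nginxone.entrypoints=websecure",
                 "traefik.http.routers.nginxone.rule=Host(`nginxone.fraoustin.fr`)",
                 "traefik.http.routers.nginxone-insecure.entrypoints=web",
                 "traefik.http.routers.search.middlewares=authelia@file"],
    "nginxtwo": ["traefik.http.routers.nginxtwo.entrypoints=websecure",
                 "traefik.http.routers.nginxtwo.rule=Host(`nginxtwo.fraoustin.fr`)"],
    "searxng": ["traefik.http.routers.search.entrypoints=websecure",
                "traefik.http.routers.search.rule=Host(`search.fraoustin.fr`)",
                "traefik.http.routers.search.middlewares=authelia@file"],
}
```

Running `lint(SAMPLE, public={"nginxtwo"})` reports `nginxone` as unprotected and `search` as configured from two services; once the last nginxone label names its own router, both sets are empty.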

The file *data/traefik/authelia.yaml* contains:

```yaml
http:
  middlewares:
    authelia:
      forwardAuth:
        address: http://authelia:9091/api/authz/forward-auth
        trustForwardHeader: true
        authResponseHeaders:
          - Remote-User
          - Remote-Groups
          - Remote-Name
          - Remote-Email
```

Next we move on to the **Authelia** configuration.

In the file *data/authelia/configuration.yml*:

```yaml
server:
  address: tcp://0.0.0.0:9091

log:
  level: info

# Required by Authelia while password reset is enabled (the default).
identity_validation:
  reset_password:
    jwt_secret: CHANGE_ME

authentication_backend:
  file:
    path: /config/users_database.yml

access_control:
  default_policy: deny

  rules:
    - domain: nginxone.fraoustin.fr
      policy: one_factor
    - domain: search.fraoustin.fr
      policy: one_factor

session:
  secret: CHANGE_ME
  cookies:
    - domain: fraoustin.fr
      authelia_url: https://auth.fraoustin.fr

storage:
  # Required: Authelia refuses to start without an encryption key.
  encryption_key: CHANGE_ME_TO_A_LONG_RANDOM_STRING
  local:
    path: /config/db.sqlite3

notifier:
  filesystem:
    filename: /config/notification.txt
```

You also need to create the file *users_database.yml*:

```yaml
users:
  sam:
    disabled: false
    displayname: Sam
    password: "$argon2id$v=19$m=65536,t=3,p=4$..."
    email: sam@fraoustin.fr
    groups:
      - admins
```

To generate a password hash:

```bash
# Prints the $argon2id$... hash to paste into the user's password field
docker run --rm authelia/authelia:latest authelia crypto hash generate argon2 --password mypassword
```

If you want authorization rules such as "user group A may use nginx, while user groups A and B may use Searxng", you need to modify the user database (only the group membership is shown here):

```yaml
users:
  alice:
    groups:
      - A

  bob:
    groups:
      - A
      - B

  charlie:
    groups:
      - B
```

and in *configuration.yml*:

```yaml
access_control:
  default_policy: deny

  # Rules are evaluated in order; the first match wins. Several subjects in
  # one list are alternatives (any of them grants access).
  rules:
    - domain: "nginxone.fraoustin.fr"
      policy: one_factor
      subject:
        - "group:A"

    - domain: "search.fraoustin.fr"
      policy: one_factor
      subject:
        - "group:A"
        - "group:B"
```
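To review the effective allowlist before deploying (who ends up on `one_factor` and who on `deny`), the rule evaluation can be replayed offline. This is an added example, not Authelia's own code; `USERS` and `ACCESS_CONTROL` are constructed copies of the two YAML fragments above, and it goes slightly beyond them by also handling `*.` domain wildcards and the nested-list (AND) form of `subject`.

```python
"""Evaluate Authelia-style access_control rules offline for an authenticated user:
the first rule whose domain and subject match wins, else default_policy applies.
Added example, not Authelia's code; USERS and ACCESS_CONTROL are constructed
copies of the YAML above (subject lists of lists, the AND form, are also handled)."""
import fnmatch

USERS = {"alice": {"groups": ["A"]}, "bob": {"groups": ["A", "B"]},
         "charlie": {"groups": ["B"]}}

ACCESS_CONTROL = {
    "default_policy": "deny",
    "rules": [
        {"domain": "nginxone.fraoustin.fr", "policy": "one_factor",
         "subject": ["group:A"]},
        {"domain": "search.fraoustin.fr", "policy": "one_factor",
         "subject": ["group:A", "group:B"]},
    ],
}

def subject_matches(subject, username, groups):
    """'user:<name>' or 'group:<name>'; an inner list means every entry must match."""
    if isinstance(subject, list):
        return all(subject_matches(s, username, groups) for s in subject)
    kind, _, value = subject.partition(":")
    if kind == "user":
        return value == username
    if kind == "group":
        return value in groups
    raise ValueError(f"unknown subject type: {subject!r}")

def policy_for(access_control, domain, username, users=USERS):
    """Policy Authelia applies to `username` on `domain`; unknown users have no
    groups, so they only match subject-less rules. Domains may use a '*.' prefix."""
    groups = users.get(username, {}).get("groups", [])
    for rule in access_control["rules"]:
        domains = rule["domain"]
        domains = domains if isinstance(domains, list) else [domains]
        if not any(fnmatch.fnmatchcase(domain, d) for d in domains):
            continue
        subjects = rule.get("subject", [])
        if subjects and not any(subject_matches(s, username, groups) for s in subjects):
            continue  # domain matched but this user is not in the allowed subjects
        return rule["policy"]
    return access_control["default_policy"]

def who_can_reach(access_control, domain, users=USERS):
    """Effective allowlist for a domain: every known user not ending up on 'deny'."""
    return sorted(u for u in users if policy_for(access_control, domain, u, users) != "deny")
```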

