Help configuring Authelia and Docker apps

[zkvvoob]

Hello all,

I've just finished setting up Authelia following this guide. I've got Nginx Proxy Manager working properly for all my subdomains/apps; Authelia is on a subdomain of its own (auth.mydomain.com), LDAP seems to be functioning correctly (as in, I can log in, use TOTP code and am redirected to the selected page).

What I can't figure out is how exactly does the authentication to any given apps work. I've tried with Gogs (a git app) - put the Nginx config in NPM and when I try to open gogs.mydomain.com, I'm redirected to Authelia (so far, so good), I enter my credentials and then the browser goes to gogs.mydomain.com where I can see 403 Forbidden error message.

I'm new to Nginx and I don't understand if there's additional configuration that needs to be done at each individual app so as to recognize the credentials passed by Authelia.

Ideally, I'd like successful authentication to load my Heimdall dashboard with tiles/apps for each individual user and then the user could click on the tile and be automatically logged in the respective app.

Thank you in advance for helping me.

 

[Rusty]

How did you setup access policies?

 

[zkvvoob]

Thanks for the hint. I looked at the access policies and simplified them to these:

access_control:
  default_policy: deny
      
  networks:
    - name: internal
      networks:
        - 10.0.0.1/16
 
  rules:
    - domain: "*.mydomain.com"
      subject: "user:zkvvoob"
      policy: two_factor

As a result, I'm now redirected to Gog's login page. Now, what do I need to do in order to be logged in automatically without having to submit separate credentials?

 

[Rusty]

Thanks for the hint. I looked at the access policies and simplified them to these:

access_control:
  default_policy: deny
     
  networks:
    - name: internal
      networks:
        - 10.0.0.1/16
 
  rules:
    - domain: "*.mydomain.com"
      subject: "user:zkvvoob"
      policy: two_factor

As a result, I'm now redirected to Gog's login page. Now, what do I need to do in order to be logged in automatically without having to submit separate credentials?

That’s not work that way. You have reached your limit.

The ide sod Authelia is to protect your non protected sites. Unless that destination app support and it’s configured to work with your LDAP that Authelia uses, you can’t log in without using a separate account in your case Gog credentials.

So authelia was here to protect access mainly for apps that a) don’t have login options or b) can work with your ldap but you want 2fa on top of that.

So you have passed authelia and reached your site, that’s it. Next you log into it.

This would work fine with heimdall for example but not for any app that already has its own login mechanism.

 

[zkvvoob]

That's a pity, but I understand.
Let's assume that Gogs can work with LDAP (which it really can). Is there a way for Authelia to pass the log in information to Gogs and skip the login screen, then?

 

[Rusty]

Is there a way for Authelia to pass the log in information to Gogs and skip the login screen, then?

I can't answer that because I haven't tried it, but as long as Gogs can talk to your LDAP, I see no reason not for this to work. How to pass info further down after you have logged in is also something that needs to be looked in Authelia docs.

My setup for Authelia was to protect the unprotected sites, so as I said, I don't have the answer for this of the top of my head.