Scripts · Apr 15, 2026 · 3 min read

Authelia — Single Sign-On & 2FA for Your Homelab

OpenID Connect certified SSO portal that sits in front of your reverse proxy and adds TOTP, WebAuthn, or passkey login to any self-hosted app.

Introduction

Authelia is an open-source authentication and authorization server that turns any reverse proxy (Traefik, Nginx, HAProxy, Caddy, Envoy) into an SSO gateway. You define users, groups, and access policies in YAML; Authelia handles password checks, multi-factor, and session management.

What Authelia Does

  • Forward-auth endpoint that reverse proxies can call to gate every request.
  • Full OpenID Connect 1.0 OP, certified by the OpenID Foundation.
  • LDAP and file-based user backends with Argon2id password hashing.
  • WebAuthn (passkeys, YubiKey), TOTP, mobile push, and Duo for second factor.
  • Per-resource policies: bypass, one-factor, two-factor on URL patterns.

Architecture Overview

Authelia runs as a single Go binary. Sessions live in Redis (recommended) or in memory; persistent data (user prefs, WebAuthn keys, consents) is in SQLite, MySQL, or PostgreSQL. The auth portal is a small React app served by the same process. Reverse proxies make a ForwardAuth sub-request to /api/verify and honor the response headers.

Self-Hosting & Configuration

  • Put Authelia behind the same reverse proxy it protects, at auth.example.com.
  • Redis is mandatory when running multiple replicas, so that every replica sees the same session store.
  • Issue HTTPS certs via your proxy — Authelia does not terminate TLS itself.
  • Back up configuration.yml plus the database; they hold WebAuthn credentials.
  • Use notifier.smtp or filesystem notifier for password reset emails.

Key Features

  • OpenID Certified™ OP — plug real apps (Grafana, GitLab, Nextcloud) into it.
  • Passwordless with passkeys or WebAuthn second factor without vendor lock-in.
  • Regex-based access control with network, resource, and subject filters.
  • Geo-IP banning and brute-force regulation out of the box.
  • Exposes metrics, traces, and structured logs for observability.
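To make the per-resource policies and the regex-based network, resource and subject filters concrete, here is an added example (my own code, not Authelia's) of a simplified first-match rule evaluator. The rule shape, the `Evaluate` function and the `ExampleRules` sample are all assumptions modelled on the access_control concepts above, not Authelia's actual types.

```go
package main

import (
	"net"
	"regexp"
	"slices"
)

// Rule is a simplified access_control rule (assumed shape, not Authelia's own types).
type Rule struct {
	Domain    string   // exact request host
	Resources []string // path regexes; empty list matches any path
	Groups    []string // any one listed group suffices; empty matches anyone
	Networks  []string // client CIDRs; empty matches any address
	Policy    string   // "deny", "bypass", "one_factor" or "two_factor"
}

func (rule Rule) matches(host, path, clientIP string, groups []string) bool {
	resOK, grpOK, netOK := len(rule.Resources) == 0, len(rule.Groups) == 0, len(rule.Networks) == 0
	for _, p := range rule.Resources {
		ok, _ := regexp.MatchString(p, path) // an invalid regex never matches
		resOK = resOK || ok
	}
	for _, g := range rule.Groups {
		grpOK = grpOK || slices.Contains(groups, g)
	}
	for _, c := range rule.Networks {
		_, n, err := net.ParseCIDR(c)
		netOK = netOK || (err == nil && n.Contains(net.ParseIP(clientIP)))
	}
	return rule.Domain == host && resOK && grpOK && netOK
}

// Evaluate returns the policy of the FIRST matching rule, else defaultPolicy. Order
// decides: a broad bypass rule listed early shadows every stricter rule below it.
func Evaluate(rules []Rule, defaultPolicy, host, path, clientIP string, groups []string) string {
	for _, rule := range rules {
		if rule.matches(host, path, clientIP, groups) {
			return rule.Policy
		}
	}
	return defaultPolicy
}

// ExampleRules is a constructed sample: health checks bypass, LAN admins need one factor, all else two.
var ExampleRules = []Rule{
	{Domain: "grafana.example.com", Resources: []string{"^/api/health$"}, Policy: "bypass"},
	{Domain: "grafana.example.com", Groups: []string{"admins"}, Networks: []string{"10.0.0.0/8"}, Policy: "one_factor"},
	{Domain: "grafana.example.com", Policy: "two_factor"},
}
```

When reviewing a real configuration, keep `default_policy` at deny and place the narrowest bypass rules (health checks, webhooks) first with an anchored regex, since any rule without a resource filter matches every path on that host.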

Comparison with Similar Tools

  • Keycloak — larger feature set (federation, admin UI), heavier Java footprint.
  • Zitadel — modern OIDC provider with multi-tenant SaaS features.
  • Dex — OIDC federator without its own user DB.
  • Authentik — similar scope, richer UI, Python stack.
  • Cloudflare Access — managed, no self-hosting, ties you to Cloudflare.

FAQ

Q: Do I need Redis? A: Only for HA. A single instance runs happily with the in-memory store.

Q: Can I use my existing LDAP/AD? A: Yes — Authelia speaks both and supports group filters and custom attribute maps.

Q: Is Authelia an IdP or a proxy? A: Both — it can be a forward-auth gateway and an OpenID Connect OP at the same time.

Q: Mobile app? A: Use any TOTP app, Duo Mobile for push, or a passkey-capable browser on iOS/Android.
