Authelia Authentication on Synology and Nginx Proxy Manager

Set up the Docker container

Save these three files to:

/volume1/docker/authelia/docker-compose.yml
/volume1/docker/authelia/config/users.yml
/volume1/docker/authelia/config/configuration.yml

docker-compose.yml

services:
  authelia:
    image: authelia/authelia
    container_name: authelia
    restart: unless-stopped
    volumes:
      - ./config:/config
    environment:
      - TZ=America/Denver
    ports:
      - "9091:9091"
    networks:
      - authelia_network

networks:
  authelia_network:
    driver: bridge

configuration.yml

Before using this file, change the following. The secret values shown below are examples only, so generate your own:

  • jwt_secret - random string above 20 characters
  • session --> secret - random string
  • storage --> encryption key - random string
  • change sub.foo.bar to your site you want to protect
  • change foo.bar to your top level domain

theme: auto

identity_validation:
  reset_password:
    jwt_secret: "3VHr43lmohyvIpdV3dew3sW7qAXXHJSdewd51kXK1v9q8d" 

server:
  address: "tcp://0.0.0.0:9091/"

log:
  level: info
  format: text

authentication_backend:
  file:
    path: /config/users.yml

access_control:
  default_policy: deny
  rules:
    - domain: "sub.foo.bar" 
      policy: one_factor  # Require login
      subject:
        - "group:admins"  # Allow only users in 'admins' group

session:
  name: authelia_session
  secret: "iYWvthAPHjbBwGfC9Komqu89njdkwjjiwdQU33gi3KeUl"
  expiration: 1h
  inactivity: 5m
  remember_me: 1M
  cookies:
    - name: authelia_session
      domain: foo.bar
      same_site: lax
      expiration: 12h
      authelia_url: "https://authhost.foo.bar"

storage:
  encryption_key: "zcVCx3Vt7Yz0d290mioe2h89QlKaYYUKecbHMGMRuSbA"
  local:
    path: /config/db.sqlite3  # Can switch to MySQL/PostgreSQL later if needed

notifier:
  filesystem:
    filename: /config/authelia-notification.log  # Path inside the container; ./config is mounted at /config
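
The three secrets in configuration.yml are the values most likely to be pasted unchanged from a guide like this one. The following check is an added example, not part of the original page or of Authelia: it scans a configuration for the three secret keys and reports values copied from this page, values that are too short, and values reused between keys. The function names and the sample configuration are constructed for illustration.

```python
import re
import secrets

# Example values printed in this guide; every reader of the page knows them.
PUBLISHED = {
    "3VHr43lmohyvIpdV3dew3sW7qAXXHJSdewd51kXK1v9q8d",
    "iYWvthAPHjbBwGfC9Komqu89njdkwjjiwdQU33gi3KeUl",
    "zcVCx3Vt7Yz0d290mioe2h89QlKaYYUKecbHMGMRuSbA",
}
# Secret-bearing keys in this guide's configuration.yml.
SECRET_LINE = re.compile(
    r'^\s*(jwt_secret|secret|encryption_key):\s*["\']?([^"\'#\s]*)')
MIN_LEN = 21  # guide: "above 20 characters"; applied to all keys (assumption)


def audit_secrets(config_text):
    """Return findings for the secret values found in config_text."""
    findings, seen = [], {}
    for line in config_text.splitlines():
        m = SECRET_LINE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if value in PUBLISHED:
            findings.append(f"{key}: copied from the guide")
        elif len(value) < MIN_LEN:
            findings.append(f"{key}: shorter than {MIN_LEN} characters")
        if value in seen:
            findings.append(f"{key}: same value as {seen[value]}")
        seen.setdefault(value, key)
    return findings


def new_secret():
    return secrets.token_hex(32)  # 64 hex characters from the OS CSPRNG


# Constructed sample: one value copied from the guide, one too short, one good.
SAMPLE = f'''
identity_validation:
  reset_password:
    jwt_secret: "3VHr43lmohyvIpdV3dew3sW7qAXXHJSdewd51kXK1v9q8d"
session:
  secret: "hunter2"
storage:
  encryption_key: "{new_secret()}"
'''

if __name__ == "__main__":
    print("\n".join(audit_secrets(SAMPLE)))
```
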

users.yml

You will need to generate a password hash. SSH to the Synology and run:

cd /volume1/docker/authelia
sudo docker run --rm authelia/authelia authelia crypto hash generate --password "Thisisthepasswordyouwant."

Another option is to use this site: argon2.online

Put in your password and click the gear button to generate a salt. Choose the options below.

[Image: Pasted image 20250208144248.png]

users:
  <yourusername>:
    displayname: "<yourdisplayname>"
    password: "<put the full argon string here>"
    email: <your email here>
    groups:
      - admins
      - dev

Configuring nginx (must be done for each app)

Update the nginx proxy for the app you want to protect

  • Open Nginx Proxy Manager in your browser.
  • Go to Proxy Hosts → Select the service you want to protect (e.g., sub.foo.bar).
  • Click on Advanced and add the following custom configuration, changing these key settings:
    • error_page 401
    • proxy_pass (both)

location / {
    auth_request /authelia;
    auth_request_set $target_url $scheme://$http_host$request_uri;
    auth_request_set $user $upstream_http_remote_user;
    auth_request_set $groups $upstream_http_remote_groups;
    error_page 401 =302 https://authhost.foo.bar?rd=$target_url; #Replace with your domain for Authelia

    proxy_pass http://<autheliahostIP>:9090; #Replace with the address and port of the service you are protecting
    client_body_buffer_size 128k;
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
    send_timeout 5m;
    proxy_read_timeout 360;
    proxy_send_timeout 360;
    proxy_connect_timeout 360;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header X-Forwarded-Uri $request_uri;
    proxy_set_header X-Forwarded-Ssl on;
    proxy_redirect http:// $scheme://;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_cache_bypass $cookie_session;
    proxy_no_cache $cookie_session;
    proxy_buffers 64 256k;

    # Only trust X-Forwarded-For from private address ranges
    set_real_ip_from 10.0.0.0/8;
    set_real_ip_from 172.16.0.0/12; # RFC 1918 range; a /8 here would also trust public addresses
    set_real_ip_from 192.168.0.0/16;
    set_real_ip_from fc00::/7;
    real_ip_header X-Forwarded-For;
    real_ip_recursive on;
}

location /authelia {
    internal;
    proxy_pass http://<autheliahostIP>:9091/api/verify; #Replace with your host's IP address for Authelia's API
    proxy_set_header Host $http_host;
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Content-Length "";
    proxy_pass_request_body off;
}

The proxy host should show online.
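
The set_real_ip_from directives in the location block decide which peers may supply the client address through X-Forwarded-For, so each range should cover only addresses a proxy of yours can actually have. The following check is an added example, not part of the original page: it parses those directives and flags any range that reaches beyond private address space. The allowed list, the function name and the sample configuration are assumptions made for illustration.

```python
import ipaddress
import re

# Ranges a reverse proxy on a home or lab network can legitimately sit in
# (assumption of this example): RFC 1918, loopback, IPv6 unique local.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "fc00::/7", "::1/128")]

DIRECTIVE = re.compile(r"^\s*set_real_ip_from\s+([^;\s]+)\s*;", re.MULTILINE)


def audit_trusted_ranges(nginx_conf):
    """Return (range, reason) for each set_real_ip_from that reaches
    beyond private address space or cannot be parsed as a network."""
    findings = []
    for raw in DIRECTIVE.findall(nginx_conf):
        try:
            net = ipaddress.ip_network(raw, strict=False)
        except ValueError:
            findings.append((raw, "not an IP address or CIDR range"))
            continue
        inside = any(net.version == p.version and net.subnet_of(p)
                     for p in PRIVATE_NETS)
        if not inside:
            findings.append((raw, "includes public addresses"))
    return findings


# Constructed sample: the second range is a /8 where a /12 was meant,
# and the fourth would trust every client on the internet.
SAMPLE_CONF = """
set_real_ip_from 10.0.0.0/8;
set_real_ip_from 172.0.0.0/8;
set_real_ip_from 192.168.0.0/16;
set_real_ip_from 0.0.0.0/0;
set_real_ip_from fc00::/7;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
"""

if __name__ == "__main__":
    for rng, reason in audit_trusted_ranges(SAMPLE_CONF):
        print(f"{rng}: {reason}")
```
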