informatica:software:aplicaciones_web:authelia
                Diferencias
Muestra las diferencias entre dos versiones de la página.
| Ambos lados, revisión anteriorRevisión previaPróxima revisión | Revisión previa | ||
| informatica:software:aplicaciones_web:authelia [2023/11/15 11:00] – [Docker] tempwin | informatica:software:aplicaciones_web:authelia [2023/11/21 10:24] (actual) – [Authelia] tempwin | ||
|---|---|---|---|
| Línea 5: | Línea 5: | ||
| * [[https:// | * [[https:// | ||
| + | {{ https:// | ||
| ===== Instalación ===== | ===== Instalación ===== | ||
| Línea 32: | Línea 33: | ||
| * '' | * '' | ||
| * '' | * '' | ||
| + | |||
| + | ===== Configuración ===== | ||
| + | |||
| + | * [[https:// | ||
| Ejemplo de fichero '' | Ejemplo de fichero '' | ||
| Línea 40: | Línea 45: | ||
| ############################################################################### | ############################################################################### | ||
| - | theme: | + | theme: | 
| jwt_secret: B0346B15DD27774E98C1E4E82562BFDB2081E8CB66C78751983380B0F1211F3C | jwt_secret: B0346B15DD27774E98C1E4E82562BFDB2081E8CB66C78751983380B0F1211F3C | ||
| - | default_redirection_url: | + | # Opcional: | 
| + | # default_redirection_url: | ||
| server: | server: | ||
| host: 0.0.0.0 | host: 0.0.0.0 | ||
| port: 9091 | port: 9091 | ||
| - | #  path: "" | ||
| - | # buffers: | ||
| - | # read: 4096 | ||
| - | # write: 4096 | ||
| - | #  enable_pprof: | ||
| - | #  enable_expvars: | ||
| - | #  disable_healthcheck: | ||
| - | # tls: | ||
| - | #    key: "" | ||
| - | #    certificate: | ||
| - | |||
| - | #ntp: | ||
| - | #  address: " | ||
| - | # version: 3 | ||
| - | # max_desync: 3s | ||
| - | #  disable_startup_check: | ||
| - | #  disable_failure: | ||
| log: | log: | ||
| Línea 71: | Línea 60: | ||
| file_path: / | file_path: / | ||
| + | # Uso de contraseña única basada en tiempo como segundo factor de autenticación (2FA) | ||
| totp: | totp: | ||
| + | disable: false | ||
| + | algorithm: sha1 | ||
| issuer: tempwin.net | issuer: tempwin.net | ||
| + | digits: 6 | ||
| period: 30 | period: 30 | ||
| skew: 1 | skew: 1 | ||
| + | secret_size: | ||
| + | |||
| + | # Uso de clave a través del navegador como segundo factor de autenticación (2FA) | ||
| + | webauthn: | ||
| + | disable: false | ||
| + | display_name: | ||
| + | attestation_conveyance_preference: | ||
| + | user_verification: | ||
| + | timeout: 60s | ||
| authentication_backend: | authentication_backend: | ||
| - | #  password_reset: | ||
| - | # disable: false | ||
| - | #  refresh_interval: | ||
| file: | file: | ||
| path: / | path: / | ||
| password: | password: | ||
| - | algorithm: | + | algorithm: | 
| - |  | + |  | 
| - |  | + |  | 
| - |  | + |  | 
| - | memory: | + | memory: | 
| - | parallelism: | + | parallelism: | 
| + | key_length: 32 | ||
| + | salt_length: | ||
| access_control: | access_control: | ||
| - | default_policy: | + | default_policy: | 
| rules: | rules: | ||
| - domain: authelia.midominio.com | - domain: authelia.midominio.com | ||
| Línea 97: | Línea 98: | ||
| - domain: sub1.midominio.com | - domain: sub1.midominio.com | ||
| policy: one_factor | policy: one_factor | ||
| - | - domain: | + | - domain: | 
| + | - sub3.midominio.com | ||
| + | - sub4.midominio.com | ||
| + | - sub5.midominio.com | ||
| policy: two_factor | policy: two_factor | ||
| + | # Cookies de sesión | ||
| session: | session: | ||
| name: authelia_session | name: authelia_session | ||
| - |  | + |  | 
| - | expiration: | + | secret: B0346B15DD27774E98C1E4E82562BFDB2081E8CB66C78751983380B0F1211F3C | 
| - | inactivity: | + | expiration: | 
| - |  | + | inactivity: | 
| + |  | ||
| + | |||
| + | # Authelia puede bloquear temporalmente cuentas cuando hay demasiados intentos | ||
| + | # de autenticación. Esto ayuda a prevenir ataques de fuerza bruta. | ||
| regulation: | regulation: | ||
| max_retries: | max_retries: | ||
| Línea 112: | Línea 121: | ||
| ban_time: 12h | ban_time: 12h | ||
| + | # Configuración del almacenamiento SQL | ||
| + | # (para guardar preferencias de usuario, logs, dispositivos 2FA...) | ||
| storage: | storage: | ||
| - | encryption_key: | + | encryption_key: | 
| local: | local: | ||
| path: / | path: / | ||
|  |  | ||
| notifier: | notifier: | ||
| - | disable_startup_check: | + | disable_startup_check: | 
| smtp: | smtp: | ||
| - | username: usuario | ||
| - | password: contraseña | ||
| host: smtp.servidor.com | host: smtp.servidor.com | ||
| port: 587 | port: 587 | ||
| + | username: usuario | ||
| + | password: contraseña | ||
| sender: noreply@authelia.midominio.com | sender: noreply@authelia.midominio.com | ||
| subject: " | subject: " | ||
| Línea 141: | Línea 152: | ||
| * '' | * '' | ||
| * '' | * '' | ||
| - | * '' | + | * '' | 
| * '' | * '' | ||
| Línea 147: | Línea 158: | ||
| Siempre que se modifique el fichero de configuración (para añadir nuevos dominios, por ejemplo) es necesario reiniciar el contenedor. Lo más fácil es '' | Siempre que se modifique el fichero de configuración (para añadir nuevos dominios, por ejemplo) es necesario reiniciar el contenedor. Lo más fácil es '' | ||
| </ | </ | ||
| + | |||
| + | La configuración se puede validar antes de aplicar mediante el binario: | ||
| + | |||
| + | < | ||
| + | authelia validate-config --config configuration.yml | ||
| + | </ | ||
| + | |||
| + | ===== Usuarios ===== | ||
| Ejemplo de fichero '' | Ejemplo de fichero '' | ||
| Línea 155: | Línea 174: | ||
| #                         Users Database | #                         Users Database | ||
| ############################################################### | ############################################################### | ||
| - | |||
| - | # This file can be used if you do not have an LDAP set up. | ||
| - | |||
| - | # List of users | ||
| users: | users: | ||
| pepito: | pepito: | ||
| Línea 181: | Línea 196: | ||
| < | < | ||
| - | $argon2id$v=19$m=65536, | + | Digest: | 
| </ | </ | ||
| - | Esto tendremos que ponerlo en el campo '' | + | Lo que va a continuación de //Digest:// es lo que tendremos que ponerlo en el campo '' | 
| Por último, el correo debe ser válido, ya que para activar el 2FA se enviará un mail de activación. Los grupos se pueden dejar como están, porque es para configuraciones más avanzadas. | Por último, el correo debe ser válido, ya que para activar el 2FA se enviará un mail de activación. Los grupos se pueden dejar como están, porque es para configuraciones más avanzadas. | ||
| + | |||
| + | ===== Integración con Nginx ===== | ||
| + | |||
| + | Para integrar Authelia con el proxy inverso Nginx, aplicaremos la siguiente configuración a nivel del //virtual host// que vamos a proteger con Authelia: | ||
| + | |||
| + | < | ||
| + | set $upstream_authelia http:// | ||
| + | |||
| + | ## Virtual endpoint created by nginx to forward auth requests. | ||
| + | location /authelia { | ||
| + | ## Essential Proxy Configuration | ||
| + | internal; | ||
| + | proxy_pass $upstream_authelia; | ||
| + | |||
| + | ## Headers | ||
| + | ## The headers starting with X-* are required. | ||
| + | proxy_set_header X-Original-URL $scheme:// | ||
| + | proxy_set_header X-Original-Method $request_method; | ||
| + | proxy_set_header X-Forwarded-Method $request_method; | ||
| + | proxy_set_header X-Forwarded-Proto $scheme; | ||
| + | proxy_set_header X-Forwarded-Host $http_host; | ||
| + | proxy_set_header X-Forwarded-Uri $request_uri; | ||
| + | proxy_set_header X-Forwarded-For $remote_addr; | ||
| + | proxy_set_header Content-Length ""; | ||
| + | proxy_set_header Connection ""; | ||
| + | |||
| + | ## Basic Proxy Configuration | ||
| + | proxy_pass_request_body off; | ||
| + | proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; # Timeout if the real server is dead | ||
| + | proxy_redirect http:// $scheme://; | ||
| + | proxy_http_version 1.1; | ||
| + | proxy_cache_bypass $cookie_session; | ||
| + | proxy_no_cache $cookie_session; | ||
| + | proxy_buffers 4 32k; | ||
| + | client_body_buffer_size 128k; | ||
| + | |||
| + | ## Advanced Proxy Configuration | ||
| + | send_timeout 5m; | ||
| + | proxy_read_timeout 240; | ||
| + | proxy_send_timeout 240; | ||
| + | proxy_connect_timeout 240; | ||
| + | } | ||
| + | |||
| + | ## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource. | ||
| + | auth_request /authelia; | ||
| + | |||
| + | ## Set the $target_url variable based on the original request. | ||
| + | |||
| + | ## Comment this line if you're using nginx without the http_set_misc module. | ||
| + | set_escape_uri $target_url $scheme:// | ||
| + | |||
| + | ## Uncomment this line if you're using NGINX without the http_set_misc module. | ||
| + | # set $target_url $scheme:// | ||
| + | |||
| + | ## Save the upstream response headers from Authelia to variables. | ||
| + | auth_request_set $user $upstream_http_remote_user; | ||
| + | auth_request_set $groups $upstream_http_remote_groups; | ||
| + | auth_request_set $name $upstream_http_remote_name; | ||
| + | auth_request_set $email $upstream_http_remote_email; | ||
| + | |||
| + | ## Inject the response headers from the variables into the request made to the backend. | ||
| + | proxy_set_header Remote-User $user; | ||
| + | proxy_set_header Remote-Groups $groups; | ||
| + | proxy_set_header Remote-Name $name; | ||
| + | proxy_set_header Remote-Email $email; | ||
| + | |||
| + | ## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal. | ||
| + | error_page 401 =302 https:// | ||
| + | </ | ||
| + | |||
| + | Se da por hecho que: | ||
| + | |||
| + | * Authelia está accesible por el proceso de Nginx con el nombre de host '' | ||
| + | * La URL a la que quieres acceder a través de Authelia es https:// | ||
| + | |||
| + | ==== Usando la imagen de docker nginx-proxy ==== | ||
| + | |||
| + | Si el servicio que queremos proteger con Authelia es https:// | ||
| + | |||
| + | < | ||
| + | ## Start of configuration add by letsencrypt container | ||
| + | location ^~ / | ||
| + | auth_basic off; | ||
| + | auth_request off; | ||
| + | allow all; | ||
| + | root / | ||
| + | try_files $uri =404; | ||
| + | break; | ||
| + | } | ||
| + | ## End of configuration add by letsencrypt container | ||
| + | ## Virtual endpoint created by nginx to forward auth requests. | ||
| + | location /authelia { | ||
| + | ## Essential Proxy Configuration | ||
| + | internal; | ||
| + | proxy_pass http:// | ||
| + | |||
| + | ## Headers | ||
| + | ## The headers starting with X-* are required. | ||
| + | proxy_set_header X-Original-URL $scheme:// | ||
| + | proxy_set_header X-Forwarded-Method $request_method; | ||
| + | proxy_set_header X-Forwarded-Proto $scheme; | ||
| + | proxy_set_header X-Forwarded-Host $http_host; | ||
| + | proxy_set_header X-Forwarded-Uri $request_uri; | ||
| + | proxy_set_header X-Forwarded-For $remote_addr; | ||
| + | proxy_set_header Content-Length ""; | ||
| + | proxy_set_header Connection ""; | ||
| + | |||
| + | ## Basic Proxy Configuration | ||
| + | proxy_pass_request_body off; | ||
| + | proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; # Timeout if the real server is dead | ||
| + | proxy_redirect http:// $scheme://; | ||
| + | proxy_http_version 1.1; | ||
| + | proxy_cache_bypass $cookie_session; | ||
| + | proxy_no_cache $cookie_session; | ||
| + | proxy_buffers 4 32k; | ||
| + | client_body_buffer_size 128k; | ||
| + | |||
| + | ## Advanced Proxy Configuration | ||
| + | send_timeout 5m; | ||
| + | proxy_read_timeout 240; | ||
| + | proxy_send_timeout 240; | ||
| + | proxy_connect_timeout 240; | ||
| + | } | ||
| + | |||
| + | ## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource. | ||
| + | auth_request /authelia; | ||
| + | |||
| + | ## Set the $target_url variable based on the original request. | ||
| + | |||
| + | ## Comment this line if you're using nginx without the http_set_misc module. | ||
| + | # | ||
| + | |||
| + | ## Uncomment this line if you're using NGINX without the http_set_misc module. | ||
| + | set $target_url $scheme:// | ||
| + | |||
| + | ## Save the upstream response headers from Authelia to variables. | ||
| + | auth_request_set $user $upstream_http_remote_user; | ||
| + | auth_request_set $groups $upstream_http_remote_groups; | ||
| + | auth_request_set $name $upstream_http_remote_name; | ||
| + | auth_request_set $email $upstream_http_remote_email; | ||
| + | |||
| + | ## Inject the response headers from the variables into the request made to the backend. | ||
| + | proxy_set_header Remote-User $user; | ||
| + | proxy_set_header Remote-Groups $groups; | ||
| + | proxy_set_header Remote-Name $name; | ||
| + | proxy_set_header Remote-Email $email; | ||
| + | |||
| + | ## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal. | ||
| + | error_page 401 =302 https:// | ||
| + | </ | ||
| + | |||
| + | Donde: | ||
| + | |||
| + | * '' | ||
| + | * '' | ||
informatica/software/aplicaciones_web/authelia.1700042408.txt.gz · Última modificación:  por tempwin
                
                