Wong Edan's
Cover
Coding & Algorithms

Authelia: Stop Leaving Your Homelab Front Door Wide Open!

March 15, 2026 • By Azzar Budiyanto

Welcome, you beautiful, disorganized digital hoarders. Look at you, sitting there with your rack of decommissioned enterprise servers, sucking up enough electricity to dim the streetlights in three neighboring zip codes. You’ve got Plex, you’ve got Jellyfin, you’ve got a dashboard for your smart toaster, and you’ve got exactly fifty-seven different usernames and passwords because you’re “organized.” Or, more likely, you use the same password for everything—including your self-hosted vault of “highly sensitive Linux ISOs”—and that password is probably your dog’s name followed by 123.

I’m here because I’m a professional, and by professional, I mean I’ve broken my Nginx config so many times that I see the “502 Bad Gateway” error in my sleep. Today, we are talking about Authelia. This isn’t just another “cool tool” to add to your Docker Compose file so you can feel superior on Reddit. This is the velvet rope, the bouncer with the clipboard, and the biometric scanner for your entire digital kingdom. It is a self-hosted Single Sign-On (SSO) and Identity and Access Management (IAM) solution that turns your chaotic collection of web services into a unified, secure fortress.

What is Authelia, and Why Does Your Identity Need Managing?

According to the facts—and my own caffeine-fueled research—Authelia is an open-source authentication and authorization server. It is essentially the “Identity Provider” (IdP) for your homelab. Imagine you arrive at a fancy club (your homelab). Instead of every individual bar inside the club asking for your ID, you show it once at the door. Authelia gives you a wristband. Now, you can go to the bar, the dance floor, and the VIP lounge without being harassed by the staff every five minutes. That’s Single Sign-On.

But Authelia isn’t just about convenience. It’s an OpenID Certified solution. For those of you who don’t speak “nerd,” that means it adheres to the industry standard for modern authentication. It provides a web portal where you can manage your session, and it acts as the gatekeeper for any application that sits behind your reverse proxy. Whether you’re using Traefik, Nginx Proxy Manager, HAProxy, or Caddy, Authelia intercepts the request, checks if you’re a legitimate human or a script-kiddie from across the ocean, and then either lets you in or sends you packing.

The Core Functionality: The “Three Pillars” of Authelia

  • Single Sign-On (SSO): Log in once to the Authelia portal, and boom—you’re authenticated for all your connected services. No more logging into Sonarr, then Radarr, then Portainer separately.
  • 2nd Factor Authentication (2FA): This is where the real security happens. Authelia supports TOTP (Google Authenticator, Authy), U2F/WebAuthn (YubiKeys, Windows Hello, FaceID), and Duo. If someone steals your dog-themed password, they still can’t get in without your physical key or your phone.
  • Access Control: You can define granular rules. Maybe your roommate can access Plex, but only you can access the server management console. Authelia lets you define these policies in a simple (well, simple-ish) configuration file.

The Architecture: How the Magic Happens

Authelia doesn’t just “run” on top of your apps; it integrates with your infrastructure. In a typical homelab setup (like the ones discussed on r/selfhosted or using Unraid and Docker), Authelia sits alongside your reverse proxy. When a user tries to access https://files.yourdomain.com, the reverse proxy sends a “Forward Auth” request to Authelia. Authelia checks the cookies. If the cookie is missing or invalid, it redirects the user to the Authelia portal for a login. Once authenticated, Authelia sends the user back with a gold-plated permission slip.

This “Forward Auth” mechanism is brilliant because the application you’re protecting doesn’t even need to know Authelia exists. You could be hosting a legacy web app from 2004 that has zero security, and Authelia will wrap it in a layer of modern 2FA protection like a warm, secure blanket.

“Authelia acts as an authentication and authorization server providing 2-factor authentication and single sign-on (SSO) for your applications via a web portal.” — This isn’t just marketing fluff; it’s the bedrock of a secure self-hosted stack.

The Setup: Getting Your Hands Dirty with YAML

If you hate YAML, you’re in the wrong hobby. Go buy a Mac and use iCloud. For the rest of us, Authelia’s configuration is handled via a configuration.yml file. This file defines everything from your domain name to your password hashing algorithm.

Step 1: The Docker Compose

Most of us are running this in Docker. Here is a skeletal example of what your service might look like. Don’t just copy-paste this blindly; you’re better than that.


services:
authelia:
image: authelia/authelia:latest
container_name: authelia
volumes:
- ./config:/config
networks:
- proxy_network
expose:
- 9091
restart: unless-stopped
environment:
- TZ=America/New_York

Step 2: The Configuration File

The configuration.yml is where the brain lives. You need to define your JWT Secret, your Session Secret, and your Storage backend. While Authelia supports SQLite for small setups, if you’re a “Wong Edan” level power user, you’ll probably want to hook it up to a MariaDB or PostgreSQL instance for better performance and backups.

One of the most critical sections is the access_control. This is where you play God. You can set a “default_policy” (usually deny, because we aren’t savages) and then create specific rules:


access_control:
default_policy: deny
rules:
- domain: "public.example.com"
policy: bypass
- domain: "secure.example.com"
policy: two_factor
subject: "group:admins"

In this example, anyone can see the “public” site, but you need 2FA and admin group membership to touch the “secure” site. It’s elegant, it’s clean, and it makes you feel like a systems architect even if you’re just a guy in his basement.

Storage and User Backends: Where do the souls go?

Authelia needs to know who your users are. You have two main choices here, as highlighted by the community debates between Authelia and Keycloak:

1. The File Backend

For most homelabbers, a local users_database.yml is enough. You define your users, their (hashed!) passwords, and their emails right there. It’s portable, easy to backup, and doesn’t require running another service. However, if you have fifty friends using your server (and why do you have that many friends?), this becomes a nightmare to manage.

2. The LDAP Backend

If you’re running OpenLDAP or FreeIPA, Authelia can hook right into that. This is the “Pro” move. You manage your users in one central directory, and Authelia just queries it. This is particularly useful if you’re using other services that also support LDAP, creating a truly unified identity system across your entire network.

Authelia vs. Keycloak vs. Authentik: The Great Debate

The r/selfhosted community is constantly warring over which SSO is king. Let’s break it down with the facts we have:

  • Keycloak: This is the enterprise heavy-hitter. It’s made by Red Hat, it’s Java-based, and it’s a resource hog. If you have a cluster of servers and need every enterprise feature under the sun, Keycloak is for you. But for a homelab? It’s often like using a sledgehammer to crack a nut.
  • Authentik: A newer contender that is very popular because it has a fancy UI and handles both the “provider” and “proxy” parts very well. It’s built on Python and Go.
  • Authelia: This is the lean, mean, Go-binary machine. It’s incredibly lightweight. It doesn’t have a massive web GUI for configuration (it’s all YAML), which some people (the “Edan” ones) actually prefer. It’s fast, it’s stable, and it’s OpenID Certified.

The choice usually comes down to complexity vs. resource usage. If you want something that just works and doesn’t eat 2GB of RAM just sitting idle, Authelia is usually the winner in the homelab space.

The Pain Points: What the Manual Doesn’t Tell You

Listen, nothing is perfect. Setting up Authelia can be a massive headache if you don’t understand DNS and Cookies. Because Authelia relies on cookies to keep you logged in, all your services *must* be on the same root domain (e.g., app1.example.com, app2.example.com). If you try to mix example.com with myotherdomain.net, the cookies won’t share, and you’ll be stuck in a redirect loop that will make you want to throw your server out the window.

You also need a solid reverse proxy configuration. Whether it’s the auth_request module in Nginx or the forwardAuth middleware in Traefik, you have to get the headers right. If you miss a header, Authelia won’t know where the user was trying to go, and it’ll just dump them at the portal home screen, staring at them like a confused puppy.

A Note on Notifications

Authelia needs to talk to you. When you sign up for 2FA or need to reset a password, it sends an email. You can configure this to use a standard SMTP server (like Gmail or SendGrid), or for the truly lazy/private, you can just have it write the “emails” to a local file. This is a great feature for testing, but please, for the love of all that is holy, use a real SMTP server for your production setup. You don’t want to be locked out of your own server because you can’t read a text file inside a Docker container.

Wong Edan’s Verdict

Is Authelia perfect? No. Is it better than having a wide-open Portainer instance that any script-kiddie in a hoodie can find via Shodan? Absolutely. It’s the bridge between “I have a hobby” and “I have a secure infrastructure.”

The Good:

  • Lightweight and written in Go (so it’s fast, unlike your old laptop).
  • OpenID Connect support is a game-changer for modern apps.
  • Supports high-security hardware keys (WebAuthn).
  • Granular access control that actually makes sense.

The Bad:

  • Configuration is done in YAML, which means one missing space will break your entire life.
  • The initial learning curve for reverse proxy integration can be steep for beginners.
  • No fancy “click-to-configure” UI for users who are afraid of the terminal.

Final Thought: If you are self-hosting more than three services and you aren’t using an SSO like Authelia, you aren’t a sysadmin; you’re a victim-in-waiting. Go get Authelia, spend a Saturday afternoon swearing at your Nginx config, and finally enjoy the sweet, sweet bliss of logging in once and having the keys to the kingdom. Stay crazy, stay secure, and for heaven’s sake, stop using password123.