I like how this proxy setup is able to support differing policies for different URIs. Once you have authenticated without 2FA for a non-config URI, your config is still protected. This sort of behaviour from built in authentication would require much more work for the developers and consequently introduce risk. Very slick. Once again, thank you for sharing your experience!
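As an added illustration of the per-URI policy the comment above describes (this is not configuration from the video or from the Authelia project; the domain, the config path and the group name are assumed), an Authelia access_control block that demands a second factor only for the config endpoint while the rest of the app stays behind a single factor:

```yaml
# Added example, not the video's own config. Domain, paths and group are assumed.
access_control:
  # Anything not matched by a rule below is denied outright.
  default_policy: deny
  rules:
    # Rules are evaluated top to bottom and the first match wins, so the
    # narrow config rule must sit above the broad rule for the same domain.
    - domain: frigate.home.example.com
      resources:
        - '^/api/config(/.*)?$'   # assumed path of the config endpoint
      policy: two_factor          # password plus TOTP/WebAuthn
    - domain: frigate.home.example.com
      policy: one_factor          # password only for everything else
      subject:
        - 'group:homelab-users'   # assumed group name in the user backend
```

If the two rules were swapped, the one_factor rule would match first and the config path would never be promoted to two_factor.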
About Frigate not having authentication: the current beta (0.14) has authentication exposed on port 8080, with 5000 now being considered an "internal endpoint" that should be isolated from the "normal" network.
I've been running Authelia with Docker and Traefik and it's amazing. All the apps that have OIDC use OIDC; the rest use proxy auth. The nice thing about using it with services like Traefik is that once set up it's a single line in the YML to enable it for a service. God, I love Docker. I've even started adding OIDC auth to my own projects since it makes auth so much simpler to manage in the long run.
I use a different approach, none of my services are exposed to the internet except for v2ray.
I used v2ray when I lived in a country with censored internet and I keep using it to connect to my services securely. Because it can be set up to work over standard HTTPS, it works everywhere, even in places where WireGuard and OpenVPN are blocked (which is very common nowadays).
Because nothing is exposed, I use the DNS method of renewing the Let's Encrypt certificate instead of the HTTPS one.
Yep. I use pfsense's HAProxy and ACME to handle the certificates for Let's Encrypt. Real happy that it supports DNS to verify the domain.
Awesome to see someone that uses v2ray! I discovered that through the "hysteria toolkit". I found it fascinating and functional..🐯🙏
I've been able to get Authentik working for a simple setup and plan to expand. It can act as an LDAP (and other) user store for wide compatibility.
Is the setup as "simple" as the Authelia setup seems here? And how easy is it to integrate it with common applications like Nextcloud, Jellyfin, etc.?
I'm running Windows AD on my homelab and Keycloak for handling the SSO to OIDC apps (Portainer, Paperless-NGX, PGAdmin, XO-CE and Proxmox [as I'm experimenting with different hypervisors at the moment]). Nothing exposed publicly, remote access is all over Wireguard.
That's great. Do you know if one can set up Keycloak to handle SSO for non-OIDC apps?
Great stuff as always. I've been thinking about authentication for a while.
Thank you for the video!
As for my current setup I don't run any authentication server however I'm using client TLS certificates and Wireguard for remote access.
I think that's secure enough.
Client TLS certs are an extremely secure form of auth if the CA is properly hardened / offline.
I was using client TLS certs before I had this setup; it's just a pain to re-key clients every few months.
@apalrdsadventures Hello, can Authelia be used to add 2FA to WireGuard?
Authentik is great and works with duo push.
Pretty cool, definitely something I'll take a look at the next time I rework my home network :^)
Awesome video, thanks!
I know there are many solutions like this, but since you are already using Caddy... probably caddy-security would make sense here.
I intend to set up Authentik at some point. It's probably way too much for my needs. That said, I know there's documentation for the one application I actually host.
Heh.
7:00 For SMTP I run a local Mailpit. It's pretty good.
That looks super useful, especially in a test environment
I've been looking at Authelia, Authentik, and Zitadel for my own homelab. Is there anything in particular about one that makes it better than another? I can't seem to find too many videos about Zitadel
I work for a network security company that provides, among other things, a large enterprise grade authentication platform, and I get it for free for "testing" purposes, so I run that in my lab. Way overkill, but it does RADIUS, LDAP, SAML, etc. so I can make it work with just about anything I want to run. Definitely don't recommend it for home labbers though, since even the smallest VM license is 4 figures.
RADIUS, LDAP, SAML… Kerberos, NTLM, OIDC, OAuth 2… Fk me no wonder so many apps don’t implement SSO, it shouldn’t be this hard…
Part of the issue is that different industries have different historical standards which they follow. RADIUS came from dial-up authentication and became the standard in everything networking (like 802.1X), OIDC/OAuth run over HTTP(s) so they can be done by web apps without an installed client, and Kerberos is a great solution and could be universal but is really only possible on domain-joined computers (at least with current implementations), unfortunately.
@apalrdsadventures Yeah, it definitely makes sense how we got to this point, just sad we haven't seen a unified push to adopt or build a universal standard. And I don't think we're likely to see it happen in my lifetime...
Frigate has been on my list to mess around with. TIL that it didn't have auth yet (but I see another comment saying it does now in beta).
Currently I do not host any service that does not have its own authentication, but Authelia looks pretty good. Do you know if Authelia could in theory authenticate the user on the backend service, like some kind of SSO? Without using LDAP? That would help me get rid of one reverse proxy and really simplify my setup, but I would prefer to keep it simple instead of adding a behemoth like LDAP.
File and LDAP are the options with Authelia. LDAP is a bit of a lowest common denominator, it's so old that it's generally the core of most big networks. Some more complex options support other backends, for example Keycloak supports Kerberos.
Someday I would like to get far enough with my learning where I feel comfortable trying to implement a single sign on solution.
I'd like to run a single sign-on thing, but covering web apps; user accounts on LXCs, SMB shares, real hosts, and Windows computers; and managing SSH keys is just too much. None of my services (except WireGuard) are publicly accessible, so I basically have 0 authentication on services.
Great video, are there any GUIs available for managing Authelia? If so, could you create a video?
Authelia itself has a GUI for managing password reset and TOTP/WebAuthn configuration. The only thing 'missing' is the initial user creation.
If you connect to an LDAP service you can create users with a GUI. LLDAP is an easy, lightweight way to do this.
I'm expecting this to be used by people with OpenLDAP. Please, for user management... it will be perfect for next integrations, and some GUI also for OpenLDAP. Thank you.
I thought I was a homelab guy, but then I found myself not knowing what Frigate is. Taking my hat, eating it, and taking my leave.
It's more popular when there's overlap with Home Automation, but it's also an app I use that has no authentication and made a good demo
What's the app you use to create these diagrams?
draw.io
my homelab SSO solution is password reuse :P
Hello apalrds would you Zitadel SSO server?
Blog link -> 404 - Page not found...
fixed
Can I beg for a Keycloak video?
I'll consider it... it does Kerberos so maybe
@apalrdsadventures Thank you! I don't have much experience with Kerberos. I know there is some cool SSO stuff.
Kerberos is actually quite old (Developed in the 80s), so it's unrelated to 'modern' standards like TLS and doesn't even use public key cryptography at all (purely AES). So while it's extremely well designed from a security and usability standpoint, it's hard to integrate into web apps and requires a client program.
Microsoft Active Directory uses Kerberos auth for domain joined computers, so that's where it's most commonly used. The client requirement means it's really only usable on domain-joined or similarly managed devices.
Would also be very keen to see Keycloak. Initial research seems to indicate that it's the best of the three. Authentik is maintained by a single guy; nothing against that person, but it means that CVEs would be slower to fix (as demonstrated by main being left broken for several days while he was on holiday). Hopefully more people jump in to support him, but until then.
Meanwhile Keycloak has Red Hat behind it. Since we're talking about a critical security application, this is significant.
Cool, but the setup is way too convoluted.
First 😅