### Verify Authelia Release Artifact Signatures and Checksums (Shell) Source: https://www.authelia.com/overview/security/artifact-signing-and-provenance This snippet demonstrates how to download release artifacts, their checksums, and signature files, and then use GPG and SHA256sum to verify their integrity and authenticity. It requires `curl`, `gpg`, and `sha256sum` to be installed. ```shell # Download checksums and signature curl -fsSL \ -O https://github.com/authelia/authelia/releases/download/v4.39.14/authelia-v4.39.14-linux-amd64-musl.tar.gz \ -O https://github.com/authelia/authelia/releases/download/v4.39.14/authelia-v4.39.14-linux-amd64.tar.gz \ -O https://github.com/authelia/authelia/releases/download/v4.39.14/checksums.sha256 \ -O https://github.com/authelia/authelia/releases/download/v4.39.14/checksums.sha256.sig # Verify signature and checksums gpg --verify checksums.sha256.sig checksums.sha256 && sha256sum --ignore-missing -c checksums.sha256 ``` -------------------------------- ### Set File Permissions for Non-Root User (Shell) Source: https://www.authelia.com/overview/security/measures These shell commands demonstrate how to set ownership and permissions for Authelia data files when running as a non-root user. It includes examples for read-only access and read-write access for a specific group. ```shell chown -r 8000:9000 .data/authelia find .data/authelia/ -type d -exec chmod 750 {} \; find .data/authelia/ -type f -exec chmod 640 {} \; ``` ```shell chown -r 8000:9000 .data/authelia find .data/authelia/ -type d -exec chmod 770 {} \; find .data/authelia/ -type f -exec chmod 660 {} \; ``` -------------------------------- ### Verify Authelia Release Tarballs with SLSA Provenance (Shell) Source: https://www.authelia.com/overview/security/artifact-signing-and-provenance This snippet demonstrates how to download Authelia release tarballs and their corresponding SLSA provenance file for a specific version, and then uses `slsa-verifier` to verify the integrity of these artifacts. It iterates through a list of tarball names, downloads them using `curl`, and then executes the verification command. ```shell V=v4.39.14 for F in authelia-${V}-{linux-{amd64,arm,arm64,amd64-musl,arm-musl,arm64-musl},freebsd-amd64,public_html}.tar.gz authelia.intoto.jsonl; do curl -fsSLO https://github.com/authelia/authelia/releases/download/${V}/${F} done slsa-verifier verify-artifact authelia-${V}-{linux-{amd64,arm,arm64,amd64-musl,arm-musl,arm64-musl},freebsd-amd64,public_html}.tar.gz --provenance-path authelia.intoto.jsonl --source-uri "github.com/authelia/authelia" ``` -------------------------------- ### Run Authelia Container with Docker CLI PUID/PGID (Shell) Source: https://www.authelia.com/overview/security/measures This command demonstrates running the Authelia Docker container using the PUID and PGID environment variables to specify the user and group (UID 8000, GID 9000). It also mounts a volume for configuration. ```shell docker run -e PUID=8000 -e PGID=9000 -v /authelia:/config authelia/authelia:latest ``` -------------------------------- ### Configure Authelia Service with Docker Compose PUID/PGID (YAML) Source: https://www.authelia.com/overview/security/measures This Docker Compose configuration defines an Authelia service that uses the PUID and PGID environment variables to set the user and group (UID 8000, GID 9000). It specifies the image, container name, environment variables, and volume mapping for configuration. ```yaml services: authelia: image: authelia/authelia container_name: 'authelia' environment: PUID: 8000 PGID: 9000 volumes: - ./authelia:/config ``` -------------------------------- ### Authelia Access Control Rule Configuration Source: https://www.authelia.com/overview/authorization/access-control Defines a sample access control rule for Authelia. This rule specifies conditions such as the domain, resource path regex, user subject (group), required authentication policy ('two_factor'), allowed HTTP methods, and permitted client network ranges. ```yaml access_control: rules: - domain: 'dev.example.com' resources: - '^/groups/dev/.*$' subject: 'group:dev' policy: 'two_factor' methods: - 'GET' - 'POST' networks: - '192.168.1.0/24' ``` -------------------------------- ### Run Authelia Container with Docker CLI User Directive (Shell) Source: https://www.authelia.com/overview/security/measures This command shows how to run the Authelia Docker container as a specific user and group (UID 8000, GID 9000) using the Docker CLI's --user argument. It also mounts a volume for configuration. ```shell docker run --user 8000:9000 -v /authelia:/config authelia/authelia:latest ``` -------------------------------- ### Fail2ban Jail Configuration for Authelia Source: https://www.authelia.com/overview/security/measures This configuration snippet adds Authelia to your Fail2ban jail.local file, enabling IP blocking for repeated failed logins. It specifies the ports to monitor, the filter to use, the log file path, retry thresholds, ban duration, and the action to take (iptables-allports). Adjust 'logpath' to your Authelia log file location. ```ini [authelia] enabled = true port = http,https,9091 filter = authelia logpath = /path-to-your-authelia.log maxretry = 3 bantime = 1d findtime = 1d chain = DOCKER-USER action = iptables-allports[name=authelia] ``` -------------------------------- ### Configure Authelia Service with Docker Compose User Directive (YAML) Source: https://www.authelia.com/overview/security/measures This Docker Compose configuration defines an Authelia service that runs as a specific user and group (UID 8000, GID 9000). It specifies the image, container name, user directive, and volume mapping for configuration. ```yaml services: authelia: image: authelia/authelia container_name: 'authelia' user: 8000:9000 volumes: - ./authelia:/config ``` -------------------------------- ### Fail2ban Filter for Authelia Source: https://www.authelia.com/overview/security/measures This Fail2ban filter configuration helps detect and block repeated failed authentication attempts for Authelia. It includes rules for 1FA, 2FA, and password reset attempts, while ignoring informational and warning messages. Ensure your Authelia logs are accessible to Fail2ban. ```autocomp # Fail2Ban filter for Authelia # Make sure that the HTTP header "X-Forwarded-For" received by Authelia's backend # only contains a single IP address (the one from the end-user), and not the proxy chain # (it is misleading: usually, this is the purpose of this header). # the failregex rule counts every failed 1FA attempt (first line, wrong username or password) and failed 2FA attempt # second line) as a failure. # the ignoreregex rule ignores info and warning messages as all authentication failures are flagged as errors # the third line catches incorrect usernames entered at the password reset form # the fourth line catches attempts to spam via the password reset form or 2fa device reset form. This requires debug logging to be enabled [Definition] failregex = ^.*Unsuccessful (1FA|TOTP|Duo|U2F) authentication attempt by user .*remote_ip"?(:|=)"?"?.* ^.*user not found.*path=/api/reset-password/identity/start remote_ip"?(:|=)"?"?.* ^.*Sending an email to user.*path=/api/.*/start remote_ip"?(:|=)"?"?.* ignoreregex = ^.*level"?(:|=)"?info.* ^.*level"?(:|=)"?warning.* ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.