FOSS Authentication


With Traefik up and running, I’ve locked down my server like a fortified town with a single gate. But right now, that gate’s wide open. Time to hire some guards.

Basic Rate Limiting and Secure Headers

Traefik lets me expose any Docker-hosted application as a service behind a router, and that router can be public if I choose. Going public, though, invites all sorts of malicious actors to take a swing. To keep things tight, I set up Traefik dynamic config files (loaded through the file provider) that define a few protective middlewares. Note that a middleware defined in these files is inert on its own: it has to be referenced by name from a router's middlewares list before it applies to any traffic.

Here’s a quick look at my rate-limiting setup:

rate-limit.yml
http:
  middlewares:
    middlewares-rate-limit:
      rateLimit:
        average: 100   # requests allowed per period (period defaults to 1s)
        burst: 50      # maximum requests accepted in a single spike

average is the sustained ceiling and burst is the size of the bucket a client may drain at once, so this config allows a steady 100 requests per second but never more than 50 at the same instant. By default Traefik keys the bucket on the client IP; if Traefik sits behind another proxy or CDN, set sourceCriterion.ipStrategy (depth or excludedIPs) so the real client address is used, otherwise every visitor shares the upstream proxy's single bucket.
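To make the two numbers concrete, here is a small token-bucket simulation, added here as an example rather than anything from the original post or from Traefik's source. It models what rateLimit does: `average` tokens refill the bucket per period (1s by default), the bucket holds at most `burst` tokens, each request spends one token, and an empty bucket means a 429. The client IPs and request timing are constructed, and buckets are keyed per client IP to match Traefik's default source criterion.

```python
"""Token-bucket model of Traefik's rateLimit middleware.

Added example, not code from the post or from Traefik. Assumptions: one
bucket per client IP (Traefik's default sourceCriterion), `average` tokens
refilled per `period` (default 1s), capacity `burst`, one token per request.
Timestamps are simulated and use Fraction so the results are exact.
"""
from collections import defaultdict
from fractions import Fraction

AVERAGE, BURST = 100, 50   # the values from rate-limit.yml above


class TokenBucket:
    def __init__(self, average, burst, period=1):
        self.rate = Fraction(average) / Fraction(period)  # tokens per second
        self.capacity = Fraction(burst)
        self.tokens = Fraction(burst)   # a fresh bucket is full, so a new client may burst
        self.last = Fraction(0)

    def allow(self, now):
        """Refill for the elapsed time (capped at capacity), then try to spend one token."""
        now = Fraction(now)
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True          # request is forwarded to the backend
        return False             # Traefik would answer 429 Too Many Requests


def simulate(average, burst, arrivals, period=1):
    """Return (accepted, rejected) for one client's sorted request timestamps."""
    bucket = TokenBucket(average, burst, period)
    accepted = sum(1 for t in arrivals if bucket.allow(t))
    return accepted, len(arrivals) - accepted


def simulate_by_ip(average, burst, events, period=1):
    """events: (client_ip, timestamp) pairs. One bucket per IP, like Traefik."""
    buckets = {}
    counts = defaultdict(lambda: [0, 0])
    for ip, t in sorted(events, key=lambda e: Fraction(e[1])):
        bucket = buckets.setdefault(ip, TokenBucket(average, burst, period))
        counts[ip][0 if bucket.allow(t) else 1] += 1
    return {ip: tuple(c) for ip, c in counts.items()}


def spike(n=80):
    """n requests from one client at the same instant: only `burst` get through."""
    return simulate(AVERAGE, BURST, [0] * n)


def steady(rps, seconds=1):
    """Evenly spaced requests at `rps` per second from one client."""
    arrivals = [Fraction(k, rps) for k in range(rps * seconds)]
    return simulate(AVERAGE, BURST, arrivals)


def two_clients():
    """A flooding client (constructed IPs) does not consume a polite client's budget."""
    events = [("203.0.113.5", 0)] * 80 + [("198.51.100.7", Fraction(k, 10)) for k in range(3)]
    return simulate_by_ip(AVERAGE, BURST, events)


if __name__ == "__main__":
    print("80 at once:", spike())        # (50, 30)
    print("100 req/s :", steady(100))    # (100, 0): average is the sustained ceiling
    print("200 req/s :", steady(200))    # (149, 51): burst drains, then every other request
    print("per client:", two_clients())
```

Two things the run makes visible. With burst below average, a client can never be granted more than 50 requests at one instant even though it could sustain 100 per second, which suits human-driven web apps but would throttle an API client that batches calls, so size burst for the clients you actually expect. And because buckets are per client IP, a limit placed behind a proxy without an ipStrategy lumps all real users into the proxy's one bucket and the first spike from anyone throttles everyone.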

I’ve got a separate config for secure headers, but I’m keeping that one close to the chest. Hit me up if you want to dive into the details.

Secrets Management

For keys, passwords, and sensitive data, I rely on randomly generated secrets stored in a folder readable only by the user the services run as. Authelia needs several of these (a JWT secret, a session secret, a storage encryption key, and the Duo integration keys), and they are critical for securing the authentication middleware we’ll set up next. With secrets locked down, it was time to tackle authentication.
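Here is one way to do the generation and the lock-down in a single script, added as an example and not the post's own tooling. The secret names are illustrative of what an Authelia deployment reads from files (its JWT secret, session secret and storage encryption key; Duo's integration and secret keys are issued by the Duo admin panel and are copied in rather than generated). The directory is whatever folder the service user owns; the demo uses a temporary one.

```python
"""Generate secrets and store them with least-privilege file modes.

Added example, not the post's own script. Names are illustrative of what
Authelia reads from files; Duo keys come from the Duo admin panel and are not
generated locally. The directory path is a placeholder chosen by the caller.
"""
import os
import secrets
import stat
from pathlib import Path

# name -> bytes of entropy; 32 random bytes gives a 43-character urlsafe token
GENERATED = {
    "authelia_jwt_secret": 32,
    "authelia_session_secret": 32,
    "authelia_storage_encryption_key": 32,
}


def write_secret(path, value):
    """Create the file 0600 and refuse (O_EXCL) to overwrite an existing secret."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(value)
    os.chmod(path, 0o600)   # explicit, so a permissive umask cannot widen it


def generate_secrets(directory, spec=GENERATED):
    """Create missing secrets and return their names; existing ones are left alone."""
    d = Path(directory)
    d.mkdir(parents=True, exist_ok=True)
    os.chmod(d, 0o700)     # owner only: nobody else can even list the names
    created = []
    for name, nbytes in spec.items():
        target = d / name
        if target.exists():
            continue       # rotation is a separate, deliberate step, never a side effect
        write_secret(target, secrets.token_urlsafe(nbytes))
        created.append(name)
    return created


def read_secret(directory, name):
    return (Path(directory) / name).read_text().strip()


def audit(directory):
    """Return the names of files that group or others can read, write or execute."""
    loose = []
    for p in Path(directory).iterdir():
        mode = stat.S_IMODE(p.stat().st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            loose.append(p.name)
    return sorted(loose)


def demo():
    """Constructed run in a temp dir: create, re-run (no-op), loosen one file, catch it."""
    import tempfile
    d = tempfile.mkdtemp()
    first = generate_secrets(d)
    second = generate_secrets(d)              # idempotent: nothing is regenerated
    clean = audit(d)
    os.chmod(Path(d) / "authelia_jwt_secret", 0o644)   # simulate a careless chmod
    return {
        "created": sorted(first),
        "created_again": second,
        "audit_before": clean,
        "audit_after": audit(d),
        "jwt_len": len(read_secret(d, "authelia_jwt_secret")),
        "dir_mode": stat.S_IMODE(os.stat(d).st_mode),
    }


if __name__ == "__main__":
    print(demo())
```

The audit function is worth running from cron or a pre-deploy hook: a secret that is correct but group-readable is the kind of drift that survives for years. Mount the folder into the container read-only and point Authelia at the files (it accepts a _FILE suffix on its secret environment variables) so the values never appear in the compose file or in `docker inspect` output.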

Authentication Setup

I debated between Authelia and Authentik. At first, I went with Authentik, thinking its robustness would be a win. A few hours in, I realized it was overkill for my needs. So, I switched to Authelia—and it was a game-changer. Setup was straightforward, and it does exactly what I need. Adding Duo push notifications gave it a polished, professional vibe.

The Traefik middleware for Authelia was a breeze to configure: it is a standard forwardAuth middleware that sends each request to Authelia’s verification endpoint and only lets it through to the backend when Authelia answers 200, passing the login redirect back to the browser otherwise. I’m keeping my exact config under wraps, but feel free to reach out if you have questions.

Setting up Duo takes some effort, but its free tier covers a small self-hosted deployment and gives you a real second factor. Spend the time configuring the necessary secrets (the integration key, secret key and API hostname from the Duo admin panel); it integrates seamlessly with Authelia, and the documentation is extensive.

Don’t skip setting up Fail2Ban for Authelia. Pointed at Authelia’s log file, it bans the source IP after repeated failed logins, which is what stops password guessing and credential stuffing against the login page (it is not a defence against a real DDoS; rate limiting and an upstream provider are the tools for that). It plays nicely with ufw as the ban action, with one Docker caveat: ports published by Docker bypass ufw’s rules, so make sure the ban actually lands in front of the container (for example via the DOCKER-USER chain) rather than assuming ufw sees that traffic.
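To see what the jail actually does, here is the detection logic re-implemented over constructed Authelia log lines, added as an example and not taken from the post, Fail2Ban or Authelia. The pattern follows the shape of the failregex Authelia’s documentation gives for Fail2Ban, with a named group standing in for Fail2Ban’s `<HOST>` tag, and should be treated as an approximation; the log lines are made up for the demo, as are the IPs and the assumed LAN allowlist.

```python
"""Fail2Ban-style detection of repeated Authelia login failures.

Added example, not from the post, Fail2Ban or Authelia. FAILREGEX follows the
shape of the failregex in Authelia's Fail2Ban docs (approximation, with a named
group instead of <HOST>). The jail logic is re-implemented: maxretry failures
from one IP within findtime earns a ban, ignoreip is never banned, and a
successful login is not a failure. SAMPLE_LOG is constructed, not a capture.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILREGEX = re.compile(
    r'Unsuccessful (?:1FA|TOTP|Duo|U2F|WebAuthn) authentication attempt by user .*?'
    r'remote_ip"?(?::|=)"?(?P<host>[0-9A-Fa-f.:]+)"?'
)
TIMESTAMP = re.compile(r'time="([^"]+)"')

# Constructed sample in Authelia's text log format (not a real capture).
SAMPLE_LOG = """\
time="2024-05-01T10:00:00Z" level=error msg="Unsuccessful 1FA authentication attempt by user alice" method=POST path=/api/firstfactor remote_ip=203.0.113.5
time="2024-05-01T10:00:05Z" level=error msg="Unsuccessful 1FA authentication attempt by user alice" method=POST path=/api/firstfactor remote_ip=203.0.113.5
time="2024-05-01T10:00:09Z" level=info msg="Successful 1FA authentication attempt by user bob" method=POST path=/api/firstfactor remote_ip=198.51.100.7
time="2024-05-01T10:00:12Z" level=error msg="Unsuccessful Duo authentication attempt by user alice" method=POST path=/api/secondfactor/duo remote_ip=203.0.113.5
time="2024-05-01T10:00:30Z" level=error msg="Unsuccessful 1FA authentication attempt by user carol" method=POST path=/api/firstfactor remote_ip=192.168.1.20
time="2024-05-01T10:01:00Z" level=error msg="Unsuccessful 1FA authentication attempt by user carol" method=POST path=/api/firstfactor remote_ip=192.168.1.20
time="2024-05-01T10:01:10Z" level=error msg="Unsuccessful 1FA authentication attempt by user carol" method=POST path=/api/firstfactor remote_ip=192.168.1.20
time="2024-05-01T10:05:00Z" level=error msg="Unsuccessful 1FA authentication attempt by user dave" method=POST path=/api/firstfactor remote_ip=198.51.100.9
time="2024-05-01T10:09:00Z" level=error msg="Unsuccessful 1FA authentication attempt by user dave" method=POST path=/api/firstfactor remote_ip=198.51.100.9
time="2024-05-01T10:13:00Z" level=error msg="Unsuccessful 1FA authentication attempt by user dave" method=POST path=/api/firstfactor remote_ip=198.51.100.9
"""


def parse_failure(line):
    """Return (timestamp, ip) if the line is a failed authentication, else None."""
    m = FAILREGEX.search(line)
    if not m:
        return None
    t = TIMESTAMP.search(line)
    if not t:
        return None
    ts = datetime.fromisoformat(t.group(1).replace("Z", "+00:00"))
    return ts, m.group("host")


def find_bans(lines, maxretry=3, findtime=timedelta(minutes=2), ignoreip=()):
    """Return {ip: time_of_ban}, mirroring a jail's maxretry/findtime/ignoreip."""
    recent = defaultdict(deque)     # per-IP sliding window of failure timestamps
    banned = {}
    for line in lines:
        hit = parse_failure(line)
        if hit is None:
            continue
        ts, ip = hit
        if ip in banned or ip in ignoreip:
            continue
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:   # drop failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


def demo(ignore_lan=True):
    """Run the jail over SAMPLE_LOG; 192.168.1.20 is the assumed LAN allowlist."""
    ignore = {"192.168.1.20"} if ignore_lan else ()
    return find_bans(SAMPLE_LOG.splitlines(), ignoreip=ignore)


if __name__ == "__main__":
    for ip, when in demo().items():
        print(f"ban {ip} at {when.isoformat()}")
```

The run bans 203.0.113.5 on its third failure within the window, never touches the allowlisted LAN address, and leaves 198.51.100.9 alone because its attempts are spaced four minutes apart; that last case is the argument for a findtime in hours and a longer bantime for a public login page, since slow-and-low guessing is exactly what an attacker who knows Fail2Ban exists will do. In the real jail the same knobs are maxretry, findtime, bantime and ignoreip, with logpath pointing at the file Authelia writes (set log.file_path and mount it where Fail2Ban can read it) and banaction = ufw if that is your firewall. One more check before enabling it: the remote_ip in those lines must be the real client, which means Traefik must trust X-Forwarded-For only from the proxy or CDN in front of it (entryPoints forwardedHeaders.trustedIPs), otherwise the first brute-force attempt bans your CDN and everyone behind it.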

Final Thoughts

Setting up domain-wide authentication with Authelia and Traefik was like locking the gates of my digital fortress while still letting the right people through. The combo of rate limiting, secure secrets, and 2FA with Duo creates a lean but powerful security layer. It’s not just about keeping the bad actors out—it’s about building a system you can trust to scale with your needs. Authelia’s simplicity won me over, and I’m glad I didn’t overcomplicate things with a heavier solution. If you’re self-hosting, take the time to get this right—it’s worth it.

Stay authenticated, stay secure.
