Protecting Internal Web Resources

TL;DR: This blog post is a write-up of the process I went through to set up a set of internal web resources and apps for a small company I am running in my spare time (providing a Single-Sign-On / SSO experience for internal users, with web applications protected by flexible access policies including single and multi-factor authentication / two-factor authentication or 2FA).

Background

As I mentioned in the TL;DR above, I run a small software/technology company, and I needed a way to stand up a few internal resources and web applications for our growing needs.

These needed to be protected and secured from unauthorized access. In addition to this, since the company’s primary mission is all about “self hosting” software and services, it also had to be self-hosted or self-hostable.

There were numerous other options I explored but dismissed for various reasons including:

  • Setting up an internal VPN
  • Just exposing the web applications / resources directly without extra security.
  • Using Basic or Digest Auth and a Reverse Proxy
  • Using oauth2-proxy and some other solution based on oauth2-proxy that got spun into a commercial company.

Suffice to say, a lot of existing solutions were either “too complicated” to set up, proprietary or commercial in some way, or just didn’t quite fit the bill.

In the end I picked Authelia.

Why I picked Authelia?

I had my eye on Authelia for a while now, and today (based on needs and internal demands) I finally decided to take a serious look at it.

Immediately I noticed the Docker local bundle, which then led me to an example docker-compose setup. This is important to me as I’m quite a lazy sysadmin and I really hate being one; it's boring, and installing packages and writing tonnes of configuration is just, well, not enjoyable.

Do not worry, my Kubernetes friends: Deployments has you covered with a k8s deployment (because k8s is an operating system, right?! 🙄). There’s even a Bare-Metal installation, and I’m quite sure you could adapt Authelia to any environment.

The other reasons I picked Authelia are:

  • It provides a simple built-in Authentication layer using a simple YAML file for defining Users, Credentials and other metadata like Display Name, Groups, Email Address, etc.
  • It provides a really flexible way to define Access Control, so it was very easy for me to set up all the rules I needed for public access, internal access and everything in-between.
James Mills @prologic
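
As an added example (not from the original post and not the Authelia project's own sample), here is roughly what the two YAML pieces mentioned above can look like: a file-based user entry and access-control rules for public, internal and two-factor-protected apps. The domains, user, groups, file path and network range are constructed, and the password hash is a placeholder.

```yaml
# users_database.yml: the file-based authentication backend
users:
  alice:                          # constructed user
    displayname: "Alice Example"
    # Placeholder: this field holds a password hash (e.g. argon2id),
    # never the plaintext password.
    password: "<ARGON2ID_HASH_PLACEHOLDER>"
    email: alice@example.com
    groups:
      - staff
      - admins
---
# configuration.yml (excerpt)
authentication_backend:
  file:
    path: /config/users_database.yml   # assumed mount path

access_control:
  # Anything not matched by a rule below is refused, so a newly
  # published app stays closed until a rule is written for it.
  default_policy: deny
  # Rules are evaluated top to bottom; the first match wins.
  rules:
    # Public access: no authentication at all.
    - domain: www.example.com
      policy: bypass
    # Internal access: staff on the office network need one factor.
    - domain: wiki.example.com
      networks:
        - 10.0.0.0/8
      subject: "group:staff"
      policy: one_factor
    # Same app from any other network: require a second factor.
    - domain: wiki.example.com
      subject: "group:staff"
      policy: two_factor
    # Admin tooling: members of "admins" only, always two-factor.
    - domain: admin.example.com
      subject: "group:admins"
      policy: two_factor
```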