Authelia

App in the BluixApps catalog

What it is

Authelia is an authentication and authorization server providing SSO and 2FA for self-hosted apps. It acts as a forward-auth provider in front of reverse proxies (nginx, Traefik, Caddy), so you can protect any app with SSO without modifying the app itself.

For self-hosters with 10+ apps who want one login covering everything (Authelia + reverse proxy = OAuth-style SSO for non-OAuth apps), Authelia is the lightweight answer.

What it's for

  • Single sign-on — one login covering all your self-hosted apps
  • Two-factor authentication — TOTP, WebAuthn, mobile push
  • Authorization rules — per-app access control
  • OAuth provider — provide OIDC for apps that support it
  • Brute-force protection — failed-login throttling

Who it's for

  • Self-hosters with 10+ apps wanting unified auth
  • Privacy-bound orgs requiring central auth control
  • Internal IT teams running employee self-service
  • Tech enthusiasts building secure home infrastructure
  • Compliance-focused orgs needing auditable auth

Why teams pick Authelia over alternatives

  • Apache 2.0 — fully open
  • Forward-auth model — works with any app behind reverse proxy
  • Lightweight — runs on minimal hardware
  • 2FA support — TOTP, WebAuthn, mobile push, Duo
  • OIDC provider — issue tokens for apps supporting OAuth
  • Active development — strong community

Integrations

  • Reverse proxies — Traefik, nginx, Caddy, HAProxy
  • Identity backends — LDAP, file-based, OpenID Connect
  • 2FA methods — TOTP, WebAuthn (FIDO2), Duo, mobile push
  • Notification channels — email, SMTP
  • Storage — SQLite, MySQL, Postgres
  • Session backend — Redis for shared sessions
  • OIDC clients — provide SSO to apps supporting OIDC

Notable users & community

  • 23k+ GitHub stars
  • Active community on Matrix + GitHub
  • Long-running OSS project
  • Featured in homelab SSO guides
  • Frequent releases

Tips & operations

  • Forward-auth setup is per-proxy — Traefik vs nginx config differs significantly
  • Back up the user DB — your auth state is critical
  • Use LDAP for many users — file-based is fine for small setups; LDAP scales
  • Postgres + Redis for multi-instance — HA setup needs both
  • 2FA enforcement — require 2FA for admin / sensitive apps
  • Audit log review — failed logins indicate attack attempts

What we ship in BluixApps

  • Docker compose: Authelia + Redis + Postgres
  • Pinned authelia/authelia:4.38 (release-tagged)
  • HTTPS via Let's Encrypt
  • Admin user via env config
  • Persistent volumes for Postgres + Redis
  • Reverse proxy integration documented for Traefik / nginx
  • Backup hook covers Postgres (users + sessions)

Get this app — pick a BluixApps plan

Same catalog. Scaling tenant isolation, white-label and support tier.

Tier | Tenants | Catalog | Support | White-label | Monthly
Stacks | 1 | 19 curated stacks | Standard | | $19/mo
Starter | 10 | Full catalog | Standard | +$15–25/mo | $49/mo
Pro | 25 | Full catalog | Priority bugfix | +$15–25/mo | $149/mo
Growth | 100 | Full catalog | Priority bugfix | +$15–25/mo | $349/mo
Scale | 500 | Full catalog | 7-day window | +$15–25/mo | $799/mo
Enterprise | Unlimited | Full catalog | Priority 7-day | Bundled | $1,499/mo
