Page 1 of 1
TOTP? Authelia?
Posted: Sat Jul 24, 2021 11:15 pm
by tsp84
Anyone setup Authelia for TOTP and zoneminder? I haven't even tried yet but thought I would ask if anyone here has anything kind of like that setup? Im guessing it would mess with the API calls and trying to view streams/events via browser and zmNinja?
Almost all my services are secured with TOTP and i'm itching to figure out a way to get ZM behind that auth mechanism and not break functionality.
Anyone else?
Re: TOTP? Authelia?
Posted: Sat Aug 28, 2021 9:06 am
by tsp84
Got it working with a rough setup. I need to refine the 'resource' calls to only what zmNinja would need so it can bypass authelia. Basically authelia will put TOTP on top of your ZM auth and login page. Right now I can access my streams and events via zmNinja by bypassing authelia for that specifically and the /zm webgui is protected by TOTP and ZM auth.
Just an extra layer of security. I added some fail/success logging for my forked mlapi for logging in and created a fail2ban filter for it as well.
Re: TOTP? Authelia?
Posted: Sun Sep 05, 2021 8:17 pm
by tsp84
Example scenario ->
- Have a TLD example.com using cloudflare DNS and proxy.
- SSL cert for *.example.com from Lets Encrypt that NPM handles.
- The port for your event server is not proxied through cloudflare i.e. port 9000 is forwarded to your event server host so zmNinja can talk to it directly
- Using NPM (NGINX Proxy Manager) as a reverse proxy.
- Have auth.example.com setup in DNS and NPM.
- Have zm.example.com setup in DNS and NPM.
- Authelia host IP is 10.0.0.20 and port is 9091.
If using gmail as your email provider for example.com you can have authelia send emails from your @example.com account for the notifier
*** You have to allow Insecure apps and create an app for authelia and then get the insecure app token to use as the password instead of your actual account password.
Install authelia and get it setup for NPM as a proxy host ->
- Have an SSL cert setup for this proxy host using the *.example.com cert.
This is what I have in advanced to make it forward correct IPs and such ->
Code: Select all
location / {
set $upstream_authelia http://10.0.0.20:9091; # SET YOUR AUTHELIA SCHEMA IP AND PORT HERE
proxy_pass $upstream_authelia;
client_body_buffer_size 128k;
#Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 360;
proxy_send_timeout 360;
proxy_connect_timeout 360;
# Basic Proxy Config
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 64 256k;
# If behind reverse proxy, forwards the correct IP
set_real_ip_from 10.0.0.0/8;
set_real_ip_from 172.0.0.0/8;
set_real_ip_from 192.168.0.0/16;
set_real_ip_from fc00::/7;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
}
Setup your zm.example.com proxy host in NPM ->
- Set up SSL with *.example.com cert.
Setup your advanced tab like so ->
Code: Select all
location /authelia {
internal;
set $upstream_authelia http://10.0.0.20:9091/api/verify; #ADD YOUR IP AND PORT OF AUTHELIA
proxy_pass_request_body off;
proxy_pass $upstream_authelia;
proxy_set_header Content-Length "";
# Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
client_body_buffer_size 128k;
proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 4 32k;
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;
}
location / {
set $upstream_photoprism https://10.0.0.21:443; #ADD IP AND PORT OF SERVICE
proxy_pass $upstream_photoprism; #change name of the service
auth_request /authelia;
auth_request_set $target_url $scheme://$http_host$request_uri;
auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
proxy_set_header Remote-User $user;
proxy_set_header Remote-Groups $groups;
error_page 401 =302 https://auth.EXAMPLE.COM/?rd=$target_url; #change EXAMPLE.COM to your domain
client_body_buffer_size 128k;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
send_timeout 5m;
proxy_read_timeout 360;
proxy_send_timeout 360;
proxy_connect_timeout 360;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 64 256k;
# set_real_ip_from 192.168.1.0/16;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
}
That should work