TOTP? Authelia?

Discussions related to the 1.36.x series of ZoneMinder
Post Reply
tsp84
Posts: 227
Joined: Thu Dec 24, 2020 4:04 am

TOTP? Authelia?

Post by tsp84 »

Anyone setup Authelia for TOTP and zoneminder? I haven't even tried yet but thought I would ask if anyone here has anything kind of like that setup? Im guessing it would mess with the API calls and trying to view streams/events via browser and zmNinja?

Almost all my services are secured with TOTP and i'm itching to figure out a way to get ZM behind that auth mechanism and not break functionality.

Anyone else?
tsp84
Posts: 227
Joined: Thu Dec 24, 2020 4:04 am

Re: TOTP? Authelia?

Post by tsp84 »

Got it working with a rough setup. I need to refine the 'resource' calls to only what zmNinja would need so it can bypass authelia. Basically authelia will put TOTP on top of your ZM auth and login page. Right now I can access my streams and events via zmNinja by bypassing authelia for that specifically and the /zm webgui is protected by TOTP and ZM auth.

Just an extra layer of security. I added some fail/success logging for my forked mlapi for logging in and created a fail2ban filter for it as well.
tsp84
Posts: 227
Joined: Thu Dec 24, 2020 4:04 am

Re: TOTP? Authelia?

Post by tsp84 »

Example scenario ->
  • Have a TLD example.com using cloudflare DNS and proxy.
  • SSL cert for *.example.com from Lets Encrypt that NPM handles.
  • The port for your event server is not proxied through cloudflare i.e. port 9000 is forwarded to your event server host so zmNinja can talk to it directly
  • Using NPM (NGINX Proxy Manager) as a reverse proxy.
  • Have auth.example.com setup in DNS and NPM.
  • Have zm.example.com setup in DNS and NPM.
  • Authelia host IP is 10.0.0.20 and port is 9091.
  • ZM host is 10.0.0.21 .
If using gmail as your email provider for example.com you can have authelia send emails from your @example.com account for the notifier
*** You have to allow Insecure apps and create an app for authelia and then get the insecure app token to use as the password instead of your actual account password.

Install authelia and get it setup for NPM as a proxy host ->
  • Have an SSL cert setup for this proxy host using the *.example.com cert.
This is what I have in advanced to make it forward correct IPs and such ->

Code: Select all

location / {
        set $upstream_authelia http://10.0.0.20:9091;  # SET YOUR AUTHELIA SCHEMA IP AND PORT HERE
        proxy_pass $upstream_authelia;
        client_body_buffer_size 128k;
 
        #Timeout if the real server is dead
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
 
        # Advanced Proxy Config
        send_timeout 5m;
        proxy_read_timeout 360;
        proxy_send_timeout 360;
        proxy_connect_timeout 360;
 
        # Basic Proxy Config
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Forwarded-Uri $request_uri;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_redirect  http://  $scheme://;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_cache_bypass $cookie_session;
        proxy_no_cache $cookie_session;
        proxy_buffers 64 256k;
 
        # If behind reverse proxy, forwards the correct IP
        set_real_ip_from 10.0.0.0/8;
        set_real_ip_from 172.0.0.0/8;
        set_real_ip_from 192.168.0.0/16;
        set_real_ip_from fc00::/7;
        real_ip_header X-Forwarded-For;
        real_ip_recursive on;
    }

Setup your zm.example.com proxy host in NPM ->
  • Set up SSL with *.example.com cert.
Setup your advanced tab like so ->

Code: Select all

location /authelia {
    internal;
    set $upstream_authelia http://10.0.0.20:9091/api/verify; #ADD YOUR IP AND PORT OF AUTHELIA
    proxy_pass_request_body off;
    proxy_pass $upstream_authelia;    
    proxy_set_header Content-Length "";

    # Timeout if the real server is dead
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
    client_body_buffer_size 128k;
    proxy_set_header Host $host;
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr; 
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header X-Forwarded-Uri $request_uri;
    proxy_set_header X-Forwarded-Ssl on;
    proxy_redirect  http://  $scheme://;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_cache_bypass $cookie_session;
    proxy_no_cache $cookie_session;
    proxy_buffers 4 32k;

    send_timeout 5m;
    proxy_read_timeout 240;
    proxy_send_timeout 240;
    proxy_connect_timeout 240;
}

    location / {
        set $upstream_photoprism https://10.0.0.21:443;  #ADD IP AND PORT OF SERVICE
        proxy_pass $upstream_photoprism;  #change name of the service
		
		auth_request /authelia;
		auth_request_set $target_url $scheme://$http_host$request_uri;
		auth_request_set $user $upstream_http_remote_user;
		auth_request_set $groups $upstream_http_remote_groups;
		proxy_set_header Remote-User $user;
		proxy_set_header Remote-Groups $groups;
		error_page 401 =302 https://auth.EXAMPLE.COM/?rd=$target_url; #change EXAMPLE.COM to your domain
		
		client_body_buffer_size 128k;

		proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

		send_timeout 5m;
		proxy_read_timeout 360;
		proxy_send_timeout 360;
		proxy_connect_timeout 360;

		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;
		proxy_set_header X-Forwarded-Host $http_host;
		proxy_set_header X-Forwarded-Uri $request_uri;
		proxy_set_header X-Forwarded-Ssl on;
		proxy_redirect  http://  $scheme://;
		proxy_http_version 1.1;
		proxy_set_header Connection "";
		proxy_cache_bypass $cookie_session;
		proxy_no_cache $cookie_session;
		proxy_buffers 64 256k;

#		set_real_ip_from 192.168.1.0/16;
		real_ip_header X-Forwarded-For;
		real_ip_recursive on;

    }
That should work
Post Reply