Anyone setup Authelia for TOTP and zoneminder? I haven't even tried yet but thought I would ask if anyone here has anything kind of like that setup? Im guessing it would mess with the API calls and trying to view streams/events via browser and zmNinja?
Almost all my services are secured with TOTP and i'm itching to figure out a way to get ZM behind that auth mechanism and not break functionality.
Anyone else?
TOTP? Authelia?
Re: TOTP? Authelia?
Got it working with a rough setup. I need to refine the 'resource' calls to only what zmNinja would need so it can bypass authelia. Basically authelia will put TOTP on top of your ZM auth and login page. Right now I can access my streams and events via zmNinja by bypassing authelia for that specifically and the /zm webgui is protected by TOTP and ZM auth.
Just an extra layer of security. I added some fail/success logging for my forked mlapi for logging in and created a fail2ban filter for it as well.
Just an extra layer of security. I added some fail/success logging for my forked mlapi for logging in and created a fail2ban filter for it as well.
Re: TOTP? Authelia?
Example scenario ->
*** You have to allow Insecure apps and create an app for authelia and then get the insecure app token to use as the password instead of your actual account password.
Install authelia and get it setup for NPM as a proxy host ->
Setup your zm.example.com proxy host in NPM ->
That should work
- Have a TLD example.com using cloudflare DNS and proxy.
- SSL cert for *.example.com from Lets Encrypt that NPM handles.
- The port for your event server is not proxied through cloudflare i.e. port 9000 is forwarded to your event server host so zmNinja can talk to it directly
- Using NPM (NGINX Proxy Manager) as a reverse proxy.
- Have auth.example.com setup in DNS and NPM.
- Have zm.example.com setup in DNS and NPM.
- Authelia host IP is 10.0.0.20 and port is 9091.
- ZM host is 10.0.0.21 .
*** You have to allow Insecure apps and create an app for authelia and then get the insecure app token to use as the password instead of your actual account password.
Install authelia and get it setup for NPM as a proxy host ->
- Example authelia configuration.yml to bypass apis and stuff zmNinja needs but will protect the webgui under /zm -> https://gist.github.com/baudneo/61b1d96 ... 8b4e715eba
- Have an entry for auth.example.com in NPM and forward it to your authelia host -> http://10.0.0.20:9091
- Have an SSL cert setup for this proxy host using the *.example.com cert.
Code: Select all
location / {
set $upstream_authelia http://10.0.0.20:9091; # SET YOUR AUTHELIA SCHEMA IP AND PORT HERE
proxy_pass $upstream_authelia;
client_body_buffer_size 128k;
#Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 360;
proxy_send_timeout 360;
proxy_connect_timeout 360;
# Basic Proxy Config
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 64 256k;
# If behind reverse proxy, forwards the correct IP
set_real_ip_from 10.0.0.0/8;
set_real_ip_from 172.0.0.0/8;
set_real_ip_from 192.168.0.0/16;
set_real_ip_from fc00::/7;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
}
Setup your zm.example.com proxy host in NPM ->
- Have an entry for zm.example.com in NPM and forward it to your ZM host -> https://10.0.0.21:443
- Set up SSL with *.example.com cert.
Code: Select all
location /authelia {
internal;
set $upstream_authelia http://10.0.0.20:9091/api/verify; #ADD YOUR IP AND PORT OF AUTHELIA
proxy_pass_request_body off;
proxy_pass $upstream_authelia;
proxy_set_header Content-Length "";
# Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
client_body_buffer_size 128k;
proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 4 32k;
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;
}
location / {
set $upstream_photoprism https://10.0.0.21:443; #ADD IP AND PORT OF SERVICE
proxy_pass $upstream_photoprism; #change name of the service
auth_request /authelia;
auth_request_set $target_url $scheme://$http_host$request_uri;
auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
proxy_set_header Remote-User $user;
proxy_set_header Remote-Groups $groups;
error_page 401 =302 https://auth.EXAMPLE.COM/?rd=$target_url; #change EXAMPLE.COM to your domain
client_body_buffer_size 128k;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
send_timeout 5m;
proxy_read_timeout 360;
proxy_send_timeout 360;
proxy_connect_timeout 360;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 64 256k;
# set_real_ip_from 192.168.1.0/16;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
}