Authelia
App in the BluixApps catalog
What it is
Authelia is an authentication and authorization server providing SSO and 2FA for self-hosted apps. Acts as a forward-auth provider in front of reverse proxies (nginx, Traefik, Caddy) — protect any app with SSO without modifying the app itself.
For self-hosters with 10+ apps who want one login covering everything (Authelia + reverse proxy = OAuth-style SSO for non-OAuth apps), Authelia is the lightweight answer.
What it's for
- Single sign-on — one login covering all your self-hosted apps
- Two-factor authentication — TOTP, WebAuthn, mobile push
- Authorization rules — per-app access control
- OAuth provider — provide OIDC for apps that support it
- Brute-force protection — failed-login throttling
Who it's for
- Self-hosters with 10+ apps wanting unified auth
- Privacy-bound orgs requiring central auth control
- Internal IT teams running employee self-service
- Tech enthusiasts building secure home infrastructure
- Compliance-focused orgs needing audit-able auth
Why teams pick Authelia over alternatives
- Apache 2.0 — fully open
- Forward-auth model — works with any app behind reverse proxy
- Lightweight — runs on minimal hardware
- 2FA support — TOTP, WebAuthn, mobile push, Duo
- OIDC provider — issue tokens for apps supporting OAuth
- Active development — strong community
Integrations
- Reverse proxies — Traefik, nginx, Caddy, HAProxy
- Identity backends — LDAP, file-based, OpenID Connect
- 2FA methods — TOTP, WebAuthn (FIDO2), Duo, mobile push
- Notification channels — email, SMTP
- Storage — SQLite, MySQL, Postgres
- Session backend — Redis for shared sessions
- OIDC clients — provide SSO to apps supporting OIDC
Notable users & community
- 23k+ GitHub stars
- Active community on Matrix + GitHub
- Long-running OSS project
- Featured in homelab SSO guides
- Frequent releases
Tips & operations
- Forward-auth setup is per-proxy — Traefik vs nginx config differs significantly
- Backup user DB — your auth state is critical
- Use LDAP for many users — file-based fine for small; LDAP scales
- Postgres + Redis for multi-instance — HA setup needs both
- 2FA enforcement — require 2FA for admin / sensitive apps
- Audit log review — failed logins indicate attack attempts
What we ship in BluixApps
- Docker compose: Authelia + Redis + Postgres
- Pinned
authelia/authelia:4.38(release-tagged) - HTTPS via Let's Encrypt
- Admin user via env config
- Persistent volumes for Postgres + Redis
- Reverse proxy integration documented for Traefik / nginx
- Backup hook covers Postgres (users + sessions)
Get this app — pick a BluixApps plan
Same catalog. Scaling tenant isolation, white-label and support tier.
| Tier | Tenants | Catalog | Support | White-label | Monthly | |
|---|---|---|---|---|---|---|
| Stacks | 1 | 19 curated stacks | Standard | — | $19/mo | DetailDeploy |
| Starter | 10 | Full catalog | Standard | +$15–25/mo | $49/mo | DetailDeploy |
| Pro | 25 | Full catalog | Priority bugfix | +$15–25/mo | $149/mo | DetailDeploy |
| Growth | 100 | Full catalog | Priority bugfix | +$15–25/mo | $349/mo | DetailDeploy |
| Scale | 500 | Full catalog | 7-day window | +$15–25/mo | $799/mo | DetailDeploy |
| Enterprise | Unlimited | Full catalog | Priority 7-day | Bundled | $1,499/mo | DetailDeploy |