fairlane.systems


Authelia: lightweight SSO and 2FA authorization proxy for nginx and Traefik

Authelia is the Apache 2.0 open-source solution for SSO+2FA+authorization proxy. Go-based, below 30 MB footprint, very SME-friendly.

As of: 2026-05

What is Authelia?

Authelia is an open-source authentication server and authorization proxy under the Apache 2.0 license that ranks as the slimmest practical SSO solution for Swiss SMEs in May 2026. The project started in 2018 as a Python application, was completely rewritten in Go in 2020, and has shipped as a binary under 30 MB since. It runs as a single binary or Docker container, uses 50-100 MB RAM in production, and integrates with nginx, Traefik, HAProxy, Caddy, and Envoy as a reverse-proxy sidecar.

The operating principle is straightforward: Authelia sits between the publicly reachable reverse proxy and the internal services. When a user requests a protected URL (for example n8n.treuhand-müller.ch), the reverse proxy first forwards the request to Authelia. Authelia checks whether the user is logged in (session cookie), whether the session is still valid, and whether the configured authorization level for this URL is met (1-factor, 2-factor, particular group membership). If the conditions are fulfilled, Authelia lets the request pass to the backend; otherwise it redirects to the login page.

Configuration runs via a single YAML file (configuration.yml) plus an access rules file. Authentication backends: local file-based user list for mini setups, LDAP/Active Directory for mid-market setups, Authentik/Keycloak integration as OIDC provider for hybrid setups. Storage backends for sessions and 2FA factors: SQLite (default), PostgreSQL, MySQL. Cache backend: Redis for multi-instance setups.

Two-factor authentication supports four methods in May 2026: (1) TOTP via authenticator app (Google Authenticator, Authy, 1Password, Bitwarden), (2) WebAuthn/FIDO2 with hardware keys (YubiKey, SoloKeys, Titan Key), (3) mobile push via Duo integration, (4) email OTP as fallback. FIDO2 hardware keys are the most phishing-resistant method and should be standard for admin accounts in 2026.

Authorization rules are YAML lists that define the required level per URL pattern. Example: the main domain treuhand-müller.ch needs only a valid session (1-factor), the admin backend admin.treuhand-müller.ch demands 2-factor, and the Vault UI vault.treuhand-müller.ch demands 2-factor plus membership in the group "admins". Rules are evaluated in order; the first match wins.

Why it matters for Swiss SMEs and fiduciaries

Authelia solves three concrete problems for Swiss SMEs.

SSO instead of distributed logins: a typical fiduciary office runs 5-10 internal services (Nextcloud, n8n, Grafana, Vault UI, Wazuh Dashboard, client portal). Without SSO every employee has 5-10 separate logins, own passwords, own forgot-password workflows. Authelia puts a central login page in front, the employee logs in once, all services see them as authenticated. Employee onboarding and offboarding is reduced to one place.

Phishing-resistant 2FA via FIDO2: classic TOTP 2FA (authenticator app) is only partially robust against phishing -- a fake login form can forward TOTP codes in real time. FIDO2 hardware keys (YubiKey, SoloKeys) are structurally phishing-resistant: the key checks the domain cryptographically and releases the token only to the real URL. For law firms with professional secrecy under Art. 321 SCC, FIDO2 is standard for all admin accounts in May 2026 and should apply to all employee accounts.

Authorization proxy instead of app auth: many internal tools (Grafana, n8n, Loki, Qdrant UI) have own login mechanisms with different security levels. Some do not support 2FA out of the box. Authelia solves the problem structurally: tools need not implement auth themselves, Authelia takes that over in the proxy layer. That unifies the security level and reduces maintenance.

Regulatory link: Art. 8 revFADP demands state-of-the-art protective measures. 2FA for administrative accounts is state of the art in 2026 and is demanded by the FDPIC guideline, by ISO 27001 (Annex A.9.4.2), and by all Swiss cyber insurances. Authelia delivers that with minimal setup effort.

Especially SME-fit: Authelia needs no own database infrastructure (SQLite suffices for setups up to 100 users), no Postgres cluster, no own identity schema. Setup effort 2-4 hours for a productive fiduciary setup with 10-20 users. Compared to Authentik (Python-based, with Postgres requirement) Authelia is the significantly slim choice for small setups.

Setup with nginx and Docker Compose

We show a production Authelia setup with an nginx reverse proxy, as we deploy it at Fairlane for clients.

Docker Compose file (docker-compose.yml):

```yaml
version: "3.8"
services:
  authelia:
    image: authelia/authelia:4.39
    container_name: authelia
    restart: unless-stopped
    volumes:
      - ./authelia-config:/config
    environment:
      - TZ=Europe/Zurich
    ports:
      - "127.0.0.1:9091:9091"
  redis:
    image: redis:7-alpine
    container_name: authelia-redis
    restart: unless-stopped
    volumes:
      - ./redis-data:/data
```

Configuration file authelia-config/configuration.yml (abbreviated):

```yaml
server:
  address: tcp://0.0.0.0:9091
log:
  level: info
totp:
  issuer: treuhand-müller.ch
authentication_backend:
  file:
    path: /config/users_database.yml
access_control:
  default_policy: deny
  rules:
    - domain: portal.treuhand-müller.ch
      policy: one_factor
    - domain: ["n8n.treuhand-müller.ch", "grafana.treuhand-müller.ch"]
      policy: two_factor
    - domain: ["vault.treuhand-müller.ch", "admin.treuhand-müller.ch"]
      policy: two_factor
      subject: "group:admins"
session:
  name: authelia_session
  domain: treuhand-müller.ch
  expiration: 1h
  inactivity: 5m
  redis:
    host: authelia-redis
    port: 6379
storage:
  encryption_key: <random-64-char-key>
  local:
    path: /config/db.sqlite3
notifier:
  smtp:
    host: smtp-relay.brevo.com
    port: 587
    username: <brevo-user>
    password: <brevo-key>
    sender: "Authelia <auth@treuhand-müller.ch>"
identity_providers:
  oidc:
    hmac_secret: <random>
    issuer_private_key: |
      <pem-key>
```
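The rule semantics described above (ordered evaluation, first match wins, subject matching, default policy) as an added Python model; this is not Authelia's code or the page's own, RULES is a constructed copy of the access_control section, and the anonymous-user case and the regex and network criteria are left out.

```python
from fnmatch import fnmatchcase

# Constructed copy of the access_control section above (not Authelia code). Authelia semantics:
# rules are evaluated in order, the first match wins, default_policy applies when nothing matches.
DEFAULT_POLICY = "deny"
RULES = [
    {"domain": "portal.treuhand-müller.ch", "policy": "one_factor"},
    {"domain": ["n8n.treuhand-müller.ch", "grafana.treuhand-müller.ch"],
     "policy": "two_factor"},
    {"domain": ["vault.treuhand-müller.ch", "admin.treuhand-müller.ch"],
     "policy": "two_factor", "subject": "group:admins"},
]
LEVEL = {"bypass": 0, "one_factor": 1, "two_factor": 2}  # factor level each policy requires

def _one(entry, user, groups):
    """Match a single 'user:<name>' or 'group:<name>' entry."""
    kind, _, name = entry.partition(":")
    return name == user if kind == "user" else name in groups

def subject_matches(subject, user, groups):
    """Authelia subject list: top-level items are OR'd, an inner list is AND'd."""
    if not subject:
        return True
    items = [subject] if isinstance(subject, str) else subject
    for item in items:
        parts = item if isinstance(item, list) else [item]
        if all(_one(p, user, groups) for p in parts):
            return True
    return False

def resolve_policy(host, user, groups, rules=RULES, default=DEFAULT_POLICY):
    """Walk the rules top-down; a rule matches only when domain AND subject match."""
    for rule in rules:
        domains = rule["domain"] if isinstance(rule["domain"], list) else [rule["domain"]]
        # A leading wildcard such as *.treuhand-müller.ch is allowed.
        if not any(fnmatchcase(host, pattern) for pattern in domains):
            continue
        if not subject_matches(rule.get("subject"), user, groups):
            continue  # wrong user or group: keep walking, do not stop here
        return rule["policy"]
    return default

def decide(host, user, groups, auth_level, rules=RULES, default=DEFAULT_POLICY):
    """'allow', 'deny', or 'step_up' (session exists but needs a stronger factor)."""
    policy = resolve_policy(host, user, groups, rules, default)
    if policy == "deny":
        return "deny"
    return "allow" if auth_level >= LEVEL[policy] else "step_up"
```

Running `decide` with `default="bypass"` against an unlisted host shows why a permissive default is the first pitfall: anything without an explicit rule is let through.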

nginx snippet for a protected subdomain (the `set` for the Authelia upstream lives in the internal `/authelia` location so that every location using `auth_request` can rely on it):

```nginx
location / {
    auth_request /authelia;
    auth_request_set $target_url $scheme://$http_host$request_uri;
    auth_request_set $user $upstream_http_remote_user;
    proxy_set_header Remote-User $user;
    error_page 401 =302 https://auth.treuhand-mueller.ch/?rd=$target_url;
    proxy_pass http://n8n:5678;
}

location /authelia {
    internal;
    # A variable in proxy_pass makes nginx resolve the container name at request time;
    # this needs a resolver directive (or an upstream block) for "authelia".
    set $upstream_authelia http://authelia:9091/api/verify;
    proxy_pass $upstream_authelia;
    proxy_set_header Host $host;
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    proxy_set_header X-Forwarded-Method $request_method;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
}
```

User file users_database.yml with Argon2id hashes (PHC format: parameters, then salt, then hash):

```yaml
users:
  vitalij:
    displayname: "Vitalij Strigailo"
    password: "$argon2id$v=19$m=65536,t=3,p=4$<salt>$<hash>"
    email: vitalij@treuhand-müller.ch
    groups: ["admins", "developers"]
```

Generate the password hash with `authelia hash-password "MyPassword"`. Recommended Argon2id parameters: memory 65536 KiB, iterations 3, parallelism 4.
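Added example (not Authelia's own code): a small audit that parses the Argon2id PHC strings in a users_database.yml and flags hashes below the recommended parameters; the user file and its hashes are constructed placeholders, and the YAML is read with line regexes instead of a YAML library.

```python
import re
# Constructed users_database.yml excerpt; salts and hashes are dummy base64, not real secrets.
USERS_DB = '''
users:
  vitalij:
    password: "$argon2id$v=19$m=65536,t=3,p=4$c2FsdHNhbHRzYWx0$aGFzaGhhc2hoYXNo"
  praktikant:
    password: "$argon2id$v=19$m=8192,t=1,p=1$c2FsdHNhbHRzYWx0$aGFzaGhhc2hoYXNo"
  legacy:
    password: "$6$rounds=50000$c2FsdHNhbHQ$aGFzaGhhc2g"
'''
# Floor taken from the recommendation above: memory 65536 KiB, iterations 3, parallelism 4.
MIN_ARGON2 = {"m": 65536, "t": 3, "p": 4}
# PHC string layout: $<id>$v=<version>$<k=v,...>$<salt>$<hash>
PHC_RE = re.compile(r"^\$(?P<id>[a-z0-9-]+)\$v=(?P<v>\d+)\$(?P<params>[^$]+)\$[^$]+\$[^$]+$")

def parse_argon2(phc):
    """Return (variant, version, params) for an Argon2 PHC string, else None."""
    m = PHC_RE.match(phc)
    if not m or not m.group("id").startswith("argon2"):
        return None
    params = {k: int(v) for k, v in (kv.split("=") for kv in m.group("params").split(","))}
    return m.group("id"), int(m.group("v")), params

def audit_users(yaml_text, minimum=MIN_ARGON2):
    """Map username -> findings; users with a compliant argon2id hash are omitted."""
    findings, user = {}, None
    for line in yaml_text.splitlines():
        um = re.match(r"^  (\w+):\s*$", line)  # two-space indent = user entry
        if um:
            user = um.group(1)
            continue
        pm = re.match(r'^\s+password:\s*"?([^"\s]+)"?', line)
        if not pm or user is None:
            continue
        parsed, problems = parse_argon2(pm.group(1)), []
        if parsed is None:
            problems.append("not an argon2 hash")
        else:
            variant, _, params = parsed
            if variant != "argon2id":
                problems.append(f"variant {variant}, expected argon2id")
            for key, floor in minimum.items():
                if params.get(key, 0) < floor:
                    problems.append(f"{key}={params.get(key)} below minimum {floor}")
        if problems:
            findings[user] = problems
    return findings
```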

Register a FIDO2 hardware key: the user logs in for the first time via TOTP, goes to auth.treuhand-müller.ch/2fa, selects "Add Webauthn Device", and presses the button on the YubiKey. Authelia stores the credential's public key in the SQLite DB. On the next login the key is requested; plugging it in and pressing the button is enough.

Authelia setup in 5 steps

  1. Set up the reverse proxy (nginx, Traefik, or Caddy) with TLS via Let's Encrypt; provide the auth.treuhand-müller.ch subdomain.
  2. Deploy Authelia via Docker Compose with Redis as session cache; configuration.yml with access-control rules (default deny, explicit allow per domain).
  3. Create users: authelia hash-password for each user, users_database.yml with Argon2id hashes and group assignment; test the SMTP notifier via Brevo.
  4. Insert reverse-proxy snippets per protected subdomain: auth_request /authelia (nginx) or ForwardAuth (Traefik); error_page 401 redirect to the login subdomain.
  5. Enforce 2FA for all users: TOTP for everyone, FIDO2 hardware keys (YubiKey 5C) for admin accounts; print recovery codes and store them securely.

When to deploy Authelia

Authelia is the right choice in four constellations in May 2026.

Small to mid-size Swiss SMEs (3-50 users) without LDAP: solo fiduciary, law firm, small agency. File-based user backend is sufficient, no Active Directory needed. Setup effort 2-4 hours, maintenance 1-2 hours per month. Compared to Authentik (Postgres requirement, Python stack) Authelia is significantly more pragmatic.

Reverse-proxy focused stacks (nginx, Traefik, Caddy): Authelia integrates natively via auth_request on nginx, ForwardAuth on Traefik, forward_auth on Caddy. The entire auth layer runs in the proxy, apps need not know anything. That makes Authelia the choice when you have a unified proxy stack and need only an auth layer.

Phishing-resistant FIDO2 2FA for admin accounts: Authelia supports WebAuthn/FIDO2 with YubiKey natively. YubiKey 5C costs around CHF 80 per piece. For a law firm with 5 admin accounts that is CHF 400 one-time for phishing-resistant 2FA. Compared to pure TOTP this is a notable security increase.

Minimal footprint and simple audit: single binary, one YAML configuration, SQLite DB. Auditors can review the configuration completely in an hour. Compared to Authentik with over 20 database tables and Python stack, Authelia is significantly more transparent.

Authelia is also good in hybrid setups: as authorization proxy in front of all internal services, with Authentik or Keycloak as central OIDC IdP. Authelia then delegates the login to the IdP but handles URL-based authorization itself. That scales from SME to mid-market.

When Authentik or Keycloak are better

Three cases where Authelia is not the right choice in May 2026.

SAML duty or OIDC provider role as main use case: Authelia is primarily an authorization proxy, with OIDC provider functionality as add-on. Anyone needing SAML 2.0 provider role (classic enterprise apps like SAP, Oracle, Workday) or a full-fledged identity management system with user self-service, group management via UI, external identity provider federation, is better served with Authentik or Keycloak.

LDAP as main IdP use case: Authelia can authenticate against LDAP but cannot act as LDAP server itself. Anyone needing an LDAP server for mail (Postfix SMTP auth), file server (Samba), VPN auth backend cannot avoid Authentik (with own LDAP outpost) or Keycloak.

Highly complex authorization models: Authelia's access control is URL-based with group matching. More complex models (attribute-based authorization, dynamic roles based on client affiliation, multi-tenant setups with different authorization schemes) are tedious to model in Authelia. Here Keycloak or Authentik with policy engine is better.

General pitfalls in Authelia setups: (a) leaving the default policy permissive ("bypass") instead of "deny" -- every path without an explicit rule then passes through unintentionally. (b) Setting Argon2id parameters too weak -- memory under 65536 KiB makes leaked hashes cheap to crack offline. (c) Setting the session timeout too long -- 1h is standard for internal tools, shorter (15 minutes) for admin backends. (d) Hardcoding the encryption key in the YAML instead of fetching it from Vault -- the secret leaks via backups; Authelia also reads secrets from files named by environment variables with a `_FILE` suffix (for example AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE), which keeps them out of the configuration file. (e) Not testing the SMTP notifier -- 2FA recovery mails do not arrive and users are locked out.

Trade-offs

STRENGTHS

  • Apache 2.0 OSS, fully commercially usable, OSI-approved license
  • Single binary under 30 MB, 50-100 MB RAM in operation -- SME-pragmatic
  • Native FIDO2 hardware key support, phishing-resistant
  • One YAML configuration, audited in 1 hour

WEAKNESSES

  • No SAML provider, only OIDC -- enterprise apps with SAML duty excluded
  • Cannot act as LDAP server itself (only LDAP client)
  • Authorization model URL-based, complex ABAC models tedious
  • No full identity management stack -- user self-service missing

FAQ

Authelia or Authentik -- which to choose?

Authelia for small setups (under 50 users), file-based user backend, reverse-proxy focused architecture, minimal footprint. Authentik for mid/large (50+ users), LDAP duty, SAML need, complex authorization models, full identity management with self-service. Both are Apache 2.0 OSS. Authelia has under 30 MB footprint, Authentik needs Postgres and 2+ GB RAM.

Which FIDO2 key is recommended?

YubiKey 5C (CHF 80) or YubiKey 5C NFC (CHF 95) are the standard recommendation in May 2026 -- robust, USB-C plus NFC for mobile, FIDO2 plus TOTP plus PIV smartcard in one. Alternative SoloKey V2 (CHF 50, open-source firmware) for OSS purists. Titan Security Key (CHF 35, Google) as cheap variant. Recommendation: 2 keys per admin, one as backup.

Can Authelia do SSO to cloud services?

To a limited extent, yes. Authelia has OIDC provider functionality, so it can act as IdP for apps that support OIDC SSO (e.g. Nextcloud, Grafana, Outline). The SAML provider role is missing. For complete cloud SSO integration (Microsoft 365, Google Workspace, Salesforce) Authentik or Keycloak is needed.

How does recovery work on lost 2FA factor?

Authelia 4.39 has recovery codes (backup codes) plus email OTP as fallback. Recommendation: generate 10 recovery codes at setup, print them, and store them in a safe. If the TOTP factor is lost, access the account via email OTP and register a new 2FA factor there. An admin override via the Authelia CLI is possible (authelia storage user totp delete <username>).


