@userdocs
Last active August 23, 2025 10:21
A simplified Authelia nginx reverse proxy configuration

Nginx baseurl with authelia

nginx is a reverse proxy supported by Authelia

https://www.authelia.com/integration/proxies/nginx/

Update info

Note

Updated 22/08/2025 using nginx docs

Please check the documentation for help. This setup should be almost 1:1 with the current guide, with minor tweaks to use a baseurl instead of a subdomain.

Authelia config

Caution

You must have this configuration in your Authelia config.yml. You can change the port and the baseurl, but if you change them here they must also be changed in the nginx authelia.conf to match.

server:
  endpoints:
    authz:
      auth-request:
        implementation: "AuthRequest"
  address: "tcp://127.0.0.1:9091/login"
  buffers:
    read: 4096
    write: 4096

Configuration

We will be working with these files.

/etc/nginx/conf.d/authelia.conf # include this file in the server block of your enabled nginx site
/etc/nginx/snippets/authelia_auth.conf # included by protected locations; on an auth failure it redirects to /login
/etc/nginx/snippets/authelia_proxy.conf # included only in the /login location of authelia.conf

Warning

The default configuration below uses the baseurl of /login but this can be changed according to the notes of each conf.

authelia.conf /etc/nginx/conf.d/authelia.conf

Note

baseurl-specific lines for /etc/nginx/conf.d/authelia.conf

set $authz "/login/api/authz/auth-request"; # prefix sub directory - here it is /login

location /login {

Create this file /etc/nginx/conf.d/authelia.conf and populate it with this:

set $upstream_authelia http://127.0.0.1:9091; # set the reused upstream proxypass url
set $authz "/login/api/authz/auth-request"; # prefix baseurl - here it is /login

location /login {
    include /etc/nginx/snippets/authelia_proxy.conf;
    proxy_pass $upstream_authelia;
}

location /internal/authelia/authz {
    internal;
    proxy_pass $upstream_authelia$authz; # $authz is suffixed here only

    ## Headers
    ## The headers starting with X-* are required.
    proxy_set_header X-Original-Method $request_method;
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header Content-Length "";
    proxy_set_header Connection "";

    ## Basic Proxy Configuration
    proxy_pass_request_body off;
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; # Timeout if the real server is dead
    proxy_redirect http:// $scheme://;
    proxy_http_version 1.1;
    proxy_cache_bypass $cookie_session;
    proxy_no_cache $cookie_session;
    proxy_buffers 4 32k;
    client_body_buffer_size 128k;

    ## Advanced Proxy Configuration
    send_timeout 5m;
    proxy_read_timeout 240;
    proxy_send_timeout 240;
    proxy_connect_timeout 240;
}
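As an added sanity check (not part of the gist), this Python snippet parses the `server.address` base path from the Authelia config and the `$upstream_authelia`, `$authz` and `location` lines from authelia.conf, and reports any mismatch between them, which is exactly the condition the Caution above asks you to keep true. The inline samples are constructed copies of the two files on this page.

```python
import re
from urllib.parse import urlsplit

# Constructed samples mirroring the gist's two files (not read from disk).
AUTHELIA_CONFIG = """
server:
  address: "tcp://127.0.0.1:9091/login"
"""
NGINX_AUTHELIA_CONF = """
set $upstream_authelia http://127.0.0.1:9091;
set $authz "/login/api/authz/auth-request";
location /login {
    include /etc/nginx/snippets/authelia_proxy.conf;
    proxy_pass $upstream_authelia;
}
"""
AUTHZ_SUFFIX = "/api/authz/auth-request"  # fixed endpoint path under the base path

def parse_authelia_address(text):
    """Return (host, port, base_path) from server.address, e.g. tcp://127.0.0.1:9091/login."""
    m = re.search(r'^\s*address:\s*"?([^"\n]+)"?', text, re.M)
    if not m:
        raise ValueError("server.address not found")
    u = urlsplit(m.group(1).strip())
    return u.hostname, u.port, u.path.rstrip("/")

def parse_nginx(text):
    """Return (upstream host, upstream port, $authz value, location prefix) from authelia.conf."""
    up = re.search(r'set\s+\$upstream_authelia\s+"?([^";\s]+)"?\s*;', text)
    authz = re.search(r'set\s+\$authz\s+"?([^";\s]+)"?\s*;', text)
    loc = re.search(r'location\s+(\S+)\s*\{', text)
    if not (up and authz and loc):
        raise ValueError("missing set $upstream_authelia, set $authz or location")
    u = urlsplit(up.group(1))
    return u.hostname, u.port, authz.group(1), loc.group(1).rstrip("/")

def check_consistency(authelia_cfg, nginx_cfg):
    """Return a list of mismatches between the two files; an empty list means they agree."""
    a_host, a_port, base = parse_authelia_address(authelia_cfg)
    n_host, n_port, authz, loc = parse_nginx(nginx_cfg)
    problems = []
    if (a_host, a_port) != (n_host, n_port):
        problems.append(f"upstream {n_host}:{n_port} does not match address {a_host}:{a_port}")
    if authz != base + AUTHZ_SUFFIX:  # $authz must carry the same base path prefix
        problems.append(f"$authz {authz!r} should be {base + AUTHZ_SUFFIX!r}")
    if loc != base:  # the portal location must equal the base path
        problems.append(f"location {loc!r} should be {base or '/'!r}")
    return problems
```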

authelia_auth.conf /etc/nginx/snippets/authelia_auth.conf

Note

baseurl-specific lines for /etc/nginx/snippets/authelia_auth.conf

error_page 401 =302 https://$http_host/login/?rd=$target_url;

Create this file /etc/nginx/snippets/authelia_auth.conf and populate it with this:

## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource.
auth_request /internal/authelia/authz;

## Save the upstream metadata response headers from Authelia to variables.
auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
auth_request_set $name $upstream_http_remote_name;
auth_request_set $email $upstream_http_remote_email;

## Inject the metadata response headers from the variables into the request made to the backend.
proxy_set_header Remote-User $user;
proxy_set_header Remote-Groups $groups;
proxy_set_header Remote-Email $email;
proxy_set_header Remote-Name $name;

## Configure the redirection when the authz failure occurs. Lines starting with 'Modern Method' and 'Legacy Method'
## should be commented / uncommented as pairs. The modern method uses the session cookies configuration's authelia_url
## value to determine the redirection URL here. It's much simpler and compatible with the multi-cookie domain easily.

## Modern Method: Set the $redirection_url to the Location header of the response to the Authz endpoint.
# auth_request_set $redirection_url $upstream_http_location;

## Modern Method: When there is a 401 response code from the authz endpoint redirect to the $redirection_url.
# error_page 401 =302 $redirection_url;

## Legacy Method: Set $target_url to the original requested URL.
## The upstream docs use 'set_escape_uri' (set-misc module) so the value is percent-encoded; plain 'set' works
## without the module but leaves any '?' and '&' in the original URL unencoded inside the 'rd' parameter.
set $target_url $scheme://$http_host$request_uri;

## Legacy Method: When there is a 401 response code from the authz endpoint redirect to the portal with the 'rd'
## URL parameter set to $target_url. The portal URL is built from $http_host plus the /login baseurl; change it
## if your Authelia portal is served elsewhere.
error_page 401 =302 https://$http_host/login/?rd=$target_url;
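As an added illustration (not from the gist or from Authelia) of what the set_escape_uri note in the Legacy Method comment is about: with a plain set, a request URI that carries its own query string is spliced into rd unencoded, so the portal's query-string parser splits it and part of the original URL is lost. Host and paths below are constructed.

```python
from urllib.parse import quote, urlsplit, parse_qs

def build_login_redirect(scheme, host, request_uri, escape):
    """Location header produced by 'error_page 401 =302 https://$http_host/login/?rd=$target_url'.
    escape=False mirrors 'set $target_url ...' (this gist); escape=True mirrors 'set_escape_uri'."""
    target_url = f"{scheme}://{host}{request_uri}"
    rd = quote(target_url, safe="") if escape else target_url
    return f"https://{host}/login/?rd={rd}"

def recover_rd(location):
    """The rd value a portal sees when it parses the query string of that Location header."""
    return parse_qs(urlsplit(location).query).get("rd", [None])[0]

# Constructed request: a protected page whose URL has two query parameters of its own.
ORIGINAL = "https://app.example.com/files?x=1&y=2"
UNESCAPED = recover_rd(build_login_redirect("https", "app.example.com", "/files?x=1&y=2", False))
ESCAPED = recover_rd(build_login_redirect("https", "app.example.com", "/files?x=1&y=2", True))
```

With plain set the portal only sees rd=https://app.example.com/files?x=1 and y=2 becomes a stray parameter; with set_escape_uri the full URL round-trips.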

authelia_proxy.conf /etc/nginx/snippets/authelia_proxy.conf

Note

There are no baseurl-specific lines in /etc/nginx/snippets/authelia_proxy.conf

Create this file /etc/nginx/snippets/authelia_proxy.conf and populate it with this:

## Headers
proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-URI $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Real-IP $remote_addr;

## Basic Proxy Configuration
client_body_buffer_size 128k;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; ## Timeout if the real server is dead.
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 64 256k;

## Trusted Proxies Configuration
## Please read the following documentation before configuring this:
##     https://www.authelia.com/integration/proxies/nginx/#trusted-proxies
# set_real_ip_from 10.0.0.0/8;
# set_real_ip_from 172.16.0.0/12;
# set_real_ip_from 192.168.0.0/16;
# set_real_ip_from fc00::/7;
real_ip_header X-Forwarded-For;
real_ip_recursive on;

## Advanced Proxy Configuration
send_timeout 5m;
proxy_read_timeout 360;
proxy_send_timeout 360;
proxy_connect_timeout 360;

Protected Endpoint

This is how you protect an endpoint, which is an app or webpage being served by nginx.

Tip

location / will protect the whole site, but you only need to include authelia_auth.conf in the locations you want protected by Authelia, for example location /nextcloud

location / {
    set $upstream_nextcloud https://nextcloud;
    proxy_pass $upstream_nextcloud;
    include /etc/nginx/snippets/authelia_auth.conf; # Activates Authelia for specified route/location, please ensure you have setup the domain in your config.yml
}
@RensOliemans

Thanks for the gist! How did you install Authelia? I've been struggling this entire day to set it up with my existing nginx configuration. I have the default docker-compose.yml, their lite version, but that doesn't seem to work properly.

@userdocs
Author

I don't use docker for this. My nginx is the system debian stable version and I use a binary version of authelia for the host x64_86.

So I cannot say how it applies to docker but guess that things like set $upstream_authelia http://127.0.0.1:9091; will probably need to be docker specific and use their internal IP for communication, whereas this method is configured for the host machine.

The rest should be fine to apply in the sense of a template based off their docs (in case anything has been updated).

@RensOliemans

Alright makes sense, thanks! I'll figure it out, sometime

@wvxx

wvxx commented Dec 4, 2021

@RensOliemans Have you managed to get it running? ;) I have nginx already set up and been thinking about adding authelia without having to set up everything from scratch.

Thanks in advance!

EDIT: Finally got it working, just need to figure out how to integrate my services into it. Thanks for the config @userdocs.

@MrJake222

MrJake222 commented Nov 1, 2023

Can't get authelia to work behind /login. It's trying to load some CSS/JS from /. Any suggestions?

FIXED IT
The baseurl bit is important. For any newcomers like me: It means you need to put login into server.path config option in authelia.

@zeusraman

Hello All,
I am almost there with my config .. got auth.domain.com working
but npm.domain.com and speedtest.domain.com are still giving issues

  1. npm.domain.com takes me to npm.domain.com/login but will not log in
  2. speedtest.domain.com takes me to speedtest.domain.com without user/pass

Anyone willing to take a look at the config?

Thanks all

@userdocs
Author

userdocs commented Nov 4, 2023

This is probably an Authelia configuration problem. Make sure your config and domains are configured correctly.

https://www.authelia.com/configuration/security/access-control/#domain

Disclaimer: This was not tested with a multi sub domain setup, but I don't think there is much difference. You can always check here https://www.authelia.com/integration/proxies/nginx/ and ask in their support channels.

@afm-mike

afm-mike commented Aug 21, 2025

My nginx config is working just fine with Authelia. However, if I set a network ip address to bypass in Authelia access, it is not bypassing the Authelia login screen. What needs to be done in the nginx config to make sure these defined ip's bypass the Authelia login screen?

@MrJake222

@afm-mike I have sth like this:

access_control:
  ## Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'. It is the policy applied to any
  ## resource if there is no policy to be applied to the user.
  default_policy: deny

  networks:
    - name: internal
      networks:
        - x.y.0.0/12
        - x.y.z.z

  rules:
    # public sites, bypass
    - domain:
      - abc.eu
      - mail.abc.eu
      policy: 'bypass'

    # INTERNAL ACCESS
    # no security, bypass
    - domain:
      - xxx.abc.eu
      - yyy.abc.eu
      - zzz.abc.eu
      networks:
        - internal
      policy: 'bypass'

@userdocs
Author

It does sound more like an Authelia config issue than an nginx one. The notification made me wonder if the config needed updating.

I was just looking at the doc to see what changed. https://www.authelia.com/integration/proxies/nginx/

Not a lot changed tbh but they do use the auth_request /internal/authelia/authz;

I could update this to be in line with the current docs but it's not a major overhaul, just a few line changes.

@userdocs
Author

I updated to current docs.

/api/verify is deprecated in favour of /api/authz/auth-request

It's even less to customise now, mostly copy and pasted from docs.
