Secure authentication for EVERYTHING! // Authentik | Christian Lempa | YouTubeToText
Core Theme
This content demonstrates how to centralize and enhance home lab authentication using Authentik, an open-source identity provider, enabling single sign-on (SSO) and multi-factor authentication (MFA) for various services.
hey everybody this is Christian and
today I'm going to show you how I'm from
now on handling the authentication for
everything in my home lab let me
introduce you to Authentik an
open-source identity provider or shortly
called IdP that allows me to securely
log into all my administrative services
in my home lab like Portainer Proxmox and even
protect web applications with a login
prompt that don't have any form of user
management at all believe me this is so
incredibly useful with this setup I
never need to log in twice anymore I
just need to sign in once to Authentik
and then I'm automatically logged into
everything else and the best is because
I'm using a strong multi-factor
authentication in Authentik it is even
much more secure of course it's well
integrated into the entire rest of my
home lab setup like Traefik and Docker
so I'm pretty sure if you haven't looked
at secure authentication with an IDP
before this is going to change
everything for you so let me show you
how I've installed and set up Authentik
in my home lab and how you can do this
in your environment as well but wait
before we start I have another very cool
thing I want to show you that's going to
help making our home Labs much more
secure a big Thanks goes out to the
people at Wazuh for supporting this video
Wazuh is an open-source security platform
that unifies extended detection and
response with a security information and
event management system to protect your
endpoints and Cloud workloads I'm
currently testing this on my own home lab
Linux servers and it gives me an
in-depth analysis of any security events
that occur in my systems for example
when somebody tries to log in Via SSH
and many many more it has a huge set of
preconfigured rules and checks that
constantly collect any of those events
on my servers and in the central
dashboard I can drill into all of the
details set up alerts and get notified
when something bad happens on my systems
and what I personally like the most
right now is the security configuration
assessment that checks my server's
configuration against the CIS Benchmark
list which is a set of best practices
and security configuration guidelines
and this helps me so much to learn more
about secure server configuration and
how I can improve the overall security
of my home lab services so it is really
an amazing tool I definitely want to
make a dedicated video about it at some
point but if you'd like to have a look
or you want to use it within your own
environment to secure and protect your
devices then check out Wazuh I'll leave
you a link in the description of this
video now let's get back to topic and
talk about secure
authentication okay so first of all as
always let us take a closer look at the
official homepage go authentic. where we
can learn more about this application
and as you can see this is an open
source identity provider that focuses on
flexibility and
versatility it aims to replace existing
directory services like active directory
or Okta with a unified platform
that simplifies the login sign up and
recovery process for both your external
users and team members in One unified
identity management platform what
exactly that means we'll cover in a few
minutes so I know this can get quite
complex because Authentik is a real
Beast it has tons and tons of features
such as SAML2 OAuth2 OpenID Connect LDAP
and RADIUS so that means Authentik can
work as your RADIUS or LDAP server and
it has a lot of ping features like
multi-factor authentication conditional
access it is open source and has an
application proxy integrated the only
thing that it doesn't do is device
authentication support but as you can
see none of the other competitors do in
a good way either at least that's what
Authentik is going to tell us Authentik
has a rich documentation about all those
different provider settings the
configuration the installation and
architecture I could just recommend to
go through some of the pages such as
the architecture page which describes
more of the core components of this
platforms and also the terminology page
is really interesting because it
explains some of the technical Concepts
and terminologies that Authentik uses in
their platform and I have to be honest
with you guys so first once I had a look
at this platform I was a bit confused
about all those different terminologies
and this authentication specific jargon
yeah such as what is an application what
is a provider policy what the heck is an
Outpost and I just decided to just go
and set it up once and try it out so I
went through a lot of trial and error
process until it finally clicked and I
understood okay so this is how this
platform functions so that's why I try
to keep it simple in this tutorial so
you don't have to worry about all of
this stuff yourself so let's go and
let's start installing Authentik on one
of my demo servers I'm just going to
open a connection to my server demo one
where I have already installed Docker
and Docker Compose by the way if
you're not familiar with Docker and you
haven't worked with this before you
definitely should check out my patreon
course about Docker it is still work in
progress but it is entirely free for you
to watch so I will link you that in the
description down below okay so I'm going
to create another directory which is
called authentik demo 1 and cd into this
directory and I'm just opening a remote
connection to this server in Visual
Studio code so this is how we can better
work with those uh configuration files
so let's open the folder in here as
well let's go back to the documentation
and go to the installation page as you
can see you can install it in many
different ways such as on kubernetes
clusters with automated install or
reverse proxy integration for me
personally I found it to be the most
useful way to install it in Docker
Compose and integrate it with my reverse
proxy Traefik so here we can just follow
these instructions Authentik already has
a Docker Compose file generated that you
can use as a template and customize it
to your needs that's exactly what we're
going to do so I will just download this
file here and upload it on my remote
server I'm just going to
rename the file type and remove the
version string at the beginning we
actually don't need that as I can see
there's a lot of preconfigured stuff in
here that I'm going to change and
customize it to my needs so you don't
have to follow all the same steps like I
do you basically can just go deploy it
and it will automatically install and deploy
Authentik with a self-signed certificate
and exposes on the ports 9000 and 9443
however because I've
already installed Traefik as a reverse
proxy on this Docker server I'm going to
integrate it and uh this is also pretty
useful because we later can then protect
other web services that are exposed via
the Traefik reverse proxy and protect it
with a login prompt in Authentik so
this is then in the end all well
integrated but just to know so you can
follow a different type of setup process
if you're not using Traefik or you're
using something else okay so the first
thing that I'm going to do is I'm going
to add uh this Docker Compose project to
my networks that I'm using so on this
Docker server I already have a frontend
network so I'm going
to add this to the file and a backend
Network so we can attach the docker
containers to those two networks here
the Docker Compose consists of four
different Services the server component
the worker component and two database
components the Redis database is a fast
cache database and the PostgreSQL
database is a database that actually
contains the data about the users the
configuration and so on and I'm also
adding the worker component to the back
end uh but the user facing application
so that actually exposes the dashboard
of Authentik I'm going to add to the
front end Network as
well okay so all of these containers
should be connected to the same network
backend and uh the front end Network
should be connected with the Traefik reverse
proxy and now I'm also going to add a
container name because I just like my
containers to have uh named in the same
style so I'm just going to give it the
name of the project PostgreSQL for
example and I'm going to copy this and
I'm going to do the same for
Redis for the
server and for the worker process as
well now that we have this um I want to
manage the environment variables in a
slightly different way because I I don't
I just don't like this formatting in
this style and I want to have all those
environment variables later in one .env
file that only contains the necessary
credentials and not too much other
information as you can see they use a
bunch of different uh environment
variables for the image name or the
image tagging so I'm going to remove all
of this
here um first of all I'm going to add a
different formatting to the environment
variables you can you can use any format
that you like so you you don't have to
use my um formatting style but I I just
feel much more comfortable with this one
here and I'm just going to rename the
environment variables exactly as the
same that is passed through in the
container so I think this is much more
readable and then we can start
formatting the server environment
variables as well note um those double
underscores here these are really
important just refer to the official
documentation so it is important that
you keep it this
way and um we also need to Define two
more variables here according to the
documentation you can enable the error
reporting by setting this environment
variable so we are also going to do that
and we're also going to need one more
environment variable for the Authentik
secret key so this is a secret key that
is used to um encrypt the database you
need to make sure that this is not
exposed in any way so this is really
really important now we can basically
copy those variables here and set it for
the worker process as well we don't need
those comments here and the .env file
statement we can also remove so I'm
also going to modify or remove the
environment variables from the image tag
we will use a pinned tagged version which is
always uh the recommended way so don't
use just the latest tag use one specific
version and then I do those uh updates
manually uh the server and the worker
process is by the way using the same
Docker image so don't be confused by
this but it's actually started with a
different command so the command for
starting the worker process and another
command for starting the
server all okay perfect so I think we
can create the .env file so that contains
all the secrets remember we just had the
environment variables for the database
configuration such as the database name
the user and a secure password which
ideally should not be test test test but
I'm just doing a demo here so I I'll be
fine right and we also need the
Authentik secret key and to generate the
secret key we'll have to go back to the
documentation and as you can see you can
use uh this command here the
openssl command to generate a new random key
so that's what I'm going to do right now
copy this secret of course as I said
don't expose this
one and paste it in here as well okay
great so now we have the .env file that
contains the secrets and the Docker
Compose file uh one thing that uh might
be worth noting is if you want to have
an email configuration it is optional
but it is of course recommended you can
also set those environment variables and
set it to your server and worker process
to send error notifications or configure
email credentials and all those type of
things I'm not going to do it in this
demo here right now but yeah if you're
using this in a production environment
you definitely should configure this
okay great so now we could basically
just start and use it with the
integrated proxy service of Authentik
but as I said in the beginning I want to
integrate Authentik to my existing
reverse proxy setup with Traefik if
you're new to Traefik you don't know what
this is about and how to install and set
it up on docker or on kubernetes of
course I've made tutorials about this so
I'm going to link you that in the
description as well so go check out
Traefik it's really a great reverse
proxy that works perfectly together with
Docker and also kubernetes so it's
definitely my my favorite
application and because this is already
running here we want to expose the
Authentik services so the web service
via the Traefik labels and not directly
through the ports because if you're using
Traefik you can make sure that you're
protecting the Authentik services or web
services with a trusted SSL certificate
that is managed in the Traefik reverse
proxy and you don't have to use the
Authentik self-signed certificate okay so
we don't need to expose these ports
anymore instead we want to add the
labels for Traefik so I'm going to add
another uh section here that is called
labels and this first uh will enable
Traefik to look for this container and
try to expose it I'm going to copy some
of the labels that I've prepared uh but
basically what what this is about it it
will create a new router for this domain
here so this is the authentik U I'm
going to change the uh evaluation
of course
to demo right uh but uh then Authentik
will be exposed on this subdomain here
on my server demo
one it will use a trusted TLS connection
it will try to issue a new certificate
using my Cloudflare certificate
resolver and it is also important that
you have to configure the service Port
so the internal Service Port of the
Traefik web service remember this was
using port 9000 um so we have to
configure this as well so the Traefik
reverse proxy knows what servers it
should connect to that should be all so
now we can start running the
server and of course you can go into the
project directory here you can uh do a
docker compose up -d in the background
and so on but I'll do it in vs code I
think this is the most simple way to do
it on remote server so just fire up the
docker up command as you can see it's
now pulling down the latest image for
the Authentik pinned tagged version that we
have configured here so the version
2024.2.2 this currently running the
deployment process or the initial
deployment process of Authentik so it
starts creating some database entries
and so on of course that might take a
few minutes so it's tea
time okay perfect so server deployment
has been completed so let's check if
everything was successful so let's open
the subdomain that I've uh configured in
Traefik authentik demo one. server demo
1. home.
c.de and yep so it all worked whoa first
first try it did work so I'm a little
proud of myself
yeah and now we can start logging in so
Authentik by default does not have any
default password it only has a default
administrative user which is called the
akadmin to start the initial setup we
have to navigate to this URL here so we
have to use the server IP or host name
the port we don't need because we have
exposed it on the 443 port
using Traefik and now we have to set an
admin email address so this is always
required I'm just adding
my uh business uh address in here and
use a strong password for the default
administrator account there is no
configuration in here of course we
haven't configured any application or so
but if you would log in with a user to
Authentik you would see all the
different applications so later you will
see my Proxmox server my Portainer web
interface and so on in here and if you
want to switch to the admin interface
click here this will take you to the
administrator login account so uh there
you can see all the different uh
statistic like the synchronization
status if all services are online you
can also see the logins or
authorizations if there are any failed
logins or successful logins to one of
those Services here and on the left
side you will find the menu for
configuring the applications the
providers The Outpost again look at the
terminology page if you don't understand
one of those things here but anyway I
will walk you through the process after
doing the initial setup there are a few
things uh recommended by Authentik to
secure the platform and of course I
don't want to use the akadmin account
for my regular user account as you can
see it has this default username and you
cannot really change it what I want to
do is I want to keep it like the default
admin but I want to create a new user
for myself that I want to protect with a
multi-factor authentication and I'll make
this the new administrator account and
how you can do this how you can create
new users um you just go to the
directory uh tab here by the way you can
also set up the groups the roles um the
permissions and all of this stuff in
this menu here I'm not going through all
of the details here so I'm focusing more
on the uh initial setup that you that
you're going to need so I'm going to add
my username in here what is the
user type it is an internal user or
external user service account whatsoever
I'm also going to give it my business
email address in here of course the user
is active and it's in this default path
user so that should be fine let's create
it specify a password here so let's
click on this user set a password so I'm
going to click on this user here click
on group and now we can add it to an
existing Group which is the Authentik
administrator group so this will make
my new user account the administrator
for Authentik okay great now that we
have this we can set up a strong
multi-factor authentication for this user
so let's log out and log in with my new
username and password as you can see it
automatically catches my avatar icon
from Gravatar so it's also pretty cool
you have to set up the email address for
this and configure your avatar in the
Gravatar service and uh now in this user
interface in here when we go to this uh
settings menu there we can now set up
multi-factor authentication devices and
then you can uh enroll web
authentication devices so if you want to
use passwordless authentication with
passkeys or a hardware token or
anything like this or a TOTP or one-time
password device which is pretty useful
so you have to scan this QR code with an
authenticator device such as your phone
use Google Authenticator Microsoft
Authenticator or Authy just like what is
your favorite authentication Service and
then enter the one-time password code
from your phone click on continue and
then your multi-factor authentication
device is now configured let's log in
again with my username or my email
address and now it uh prompts us to use
one of our multi-factor authentication
device the hardware token or the
traditional authenticator so let's enter
this and now we are successfully logged
in so what is also recommended let's go
to the admin interface and go back into
the directory Service as you can see we
now have our new user and still the
default akadmin user which we actually
don't need anymore so it's definitely
recommended to deactivate this user so
that no one is able to log in with this
default admin user that might not have a
second Factor
anymore okay amazing so we now have set
up Authentik we have exposed it using
trusted TLS certificates in the Traefik
reverse proxy and we also created
another user with a strong multi-factor
authentication so now that we have this
Central user management platform we can
now start connecting all those different
services in my home lab to enable a
secure authentication against
Authentik what type of services you now
want to connect with Authentik is of
course very much depending on your own
personal setup and requirements so you
might have different systems and
platforms than I have if you want to
find out what exactly you can uh connect
with Authentik just go to integration so
here you will find a list of
applications that are known to work with
Authentik however of course because all
those Protocols are standardized like OAuth
OpenID Connect LDAP and so on you could
connect actually basically any service
and platform that supports one of those
providers you can configure in Authentik
so there are basically thousands of uh
applications that might work with it
however in this list you can very easily
find out so what type of support level
those applications might have for
example if you go to hypervisors and
orchestrators you can find Rancher in
here which is an Enterprise platform
for managing kubernetes environments and
this has a support level of Authentik so
it's officially supported by
Authentik uh others might have a
community level support such as Portainer
and Proxmox and I want to show you those
two examples because they use two
different types of protocols you have to
configure in Authentik and I also found
it to be the most simple and useful for
me personally in my home lab as you
might know I'm using Proxmox to run
all my virtual machines and Portainer to
manage my Docker containers but just go
through this list here you will find
many many more just like Grafana we have
covered it in a video before Uptime
Kuma I also made a video about
Zabbix I know this is still on my list I
have to do a video about it at someday
I'll probably do this it's not in the
near future but at some point I'll
probably take a look at this as well so
yeah just go through it you will find so
many many cool services that are
supported in
here so for example I'm running a Portainer
web server on the exact same server
where I can manage my containers but of
course I always have to log in with a
separate username and password to get
access to the Portainer web interface so
let's start connecting Portainer to my
Authentik platform basically you just
have to follow this documentation here
for any service that you want to connect
but let us run through this together
right so let's first of all go to
Authentik and open the applications Tab
and go to providers we always need one
provider and one application to connect
a separate service with the Authentik
platform and we'll start with creating
another one in here so now we can select
what type of Provider we want to connect
that is now very much depending on the
other application that you want to
connect if it's using LDAP authentication
if it's using OAuth or OpenID proxy RADIUS
whatever um as you can see in the
documentation so Portainer is using the
OAuth2/OpenID provider so we're going to
select this one here and click on
next so now we need to give it a name
such as Portainer demo one I'll just call it
the same like the subdomain so I can uh
always better remember so what type of
servers uh so what is the actual application
interface and in the authorization flow
we now can select two separate options
here we can use the explicit consent or
the implicit consent so the consent
means that when you are successfully
logged in uh using Authentik uh to the
Portainer platform that you have to click on
consent so that it redirects you to the
actual application if you're choosing
implicit this consent is automatically
done you don't need to do that all the
time explicit you always have to uh give
your consent to open to authorize the
other application so I'm using explicit
to show you the consent prompt that
shows up now it's important that uh you
have these protocol settings here like
the client type the client ID the client
secret uh which signing key of
course it's using the self-signed
certificate you can also configure uh
Advanced protocol settings like for how
long is the access token valid and so on
so usually you don't need to change
those type of things here following this
documentation you have to copy the
client ID and save it for later and the
client secret as well and the
redirection URIs you have to
specify in here so let's do that
I'm just copying this here by the way
this is not like a one-time password you
can always look it up later if you like
and here in the redirection URLs we have
to use this one here so the
URL where it should redirect us to and
let's click on finish so now that we
have the provider we now would need to
create an application but according to
the documentation we first need to log
in to
Portainer and go to settings authentication
and now we can choose an authentication
method other than internal so that means
like internal user Management in Portainer and
select OAuth and also use single sign
on uh what you can also or what you
should also enable is automatic user
provisioning so when you enable this
here um that means that a user in Portainer
is automatically created when you logged
in successfully to Authentik if you
don't want this so if you still want to
create the users manually in Portainer you
need to disable this but it is actually
one of the whole reasons why I'm using
this system so I definitely don't want
to uh provision the users myself so
let's enable this and now because those
other features are all business features
we have a custom provider of course
which is Authentik and here are the
settings where you have to put in the
client ID and secret so that I just
copied so this is the client ID this is
the secret and now we need to go back to
the documentation it actually tells us
exactly what we need to fill in of
course you need to replace authentik.company
with the fully qualified domain
name of Authentik so for example let's
do that once together for the
authorization URL and we have to replace
this here with authentik demo one server
demo 1 .c
grave. and basically do the same for all
the other entries so here we need to pay
attention actually because uh this URL
uh if you go to the documentation uses
the name portainer so this is the name of
the application so that has to match um
the name that we give to this
application later so you can use portainer if
you're using a different name you need
to make sure that you're using this
different name in the URL in here so in
my case for example
Portainer uh demo one yeah and also the user
identifier now can be the username or the
email address so depending on what
you want you can select username I'm
preferring the username in here and not
the email address okay let's just add
the scope you should not forget those
and then let's click on save settings
all right perfect so these are all the
settings required in Portainer we now need
to follow step three which is create an
application which uses this provider so
again every provider in Authentik needs
to have an application as well so let's
go to application click on create uh
remember I've used the name Portainer demo1
and I'm using the same slug in here now
we need to select a provider which is
our OAuth provider Portainer demo one and
that's basically everything we need so
let's click on
create okay so now that we have the
application and the provider if we now
go to the user interface you should see
a new application in here which is
called Portainer one so in the settings of the
application you could also change the
icon the name and those uh type of
things but if we click on that it will
take us to the Portainer page and now we have
a new button which is called login with
OAuth so we still could use the
internal authentication with admin user
and password but of course we want to
use our user configured in Authentik so
let's click on login with OAuth and as
you can see this is the consent that I
meant with explicit consent we have
configured if you've used implicit
consent it should automatically redirect
you to this application so let's click on
continue and now it's logging in us to
Portainer awesome so that's everything as you
can see we don't see anything here in
Portainer right now because we are not logged
in with the admin user anymore we are
logged in now with my Authentik user
and this Authentik user of course
doesn't have any administrative
privileges in Portainer automatically so
this is what you always have to do on
the separate system of course you have
to configure the permissions or the
privileges on the separate system to
those users that Authentik has
automatically created so we need to log
out once more log back into Portainer demo1 and
use the internal authentication
again log in and if we now go to users
you can see that there is a new user
created so it's using the user
identifier if you have configured the uh
email address in here you should see
your new user with your email address
instead of the username by the way you
also see the authentication is not
internal uh instead it's OAuth and now
we can click on the user and make it an
administrator as well so now let's log
out and log in again with OAuth by the
way I just want to show you what happens
when you log out from Authentik yeah so
now we are not logged into Authentik
anymore and if I now would go and open
the Portainer web interface log in with
OAuth it would first prompt us to securely
authenticate to Authentik first before
it redirects us to the Portainer admin
interface so let's do that I also need
to authenticate with my multi-factor
authentication of course and only then
I'm automatically logged in and
redirected to Portainer okay so let's do
another example I want to show you how
to connect Proxmox to Authentik because
again in Proxmox I have to log in with
a separate user with a separate password
so let's also connect those two
platforms just follow the same
documentation again just like with Portainer
we need to go to Authentik and create
another provider in the applications
provider tab so let's create this one we
select the same provider just like with
Portainer OAuth2/OpenID
and here is all of the uh
confidential information like client ID
secret and so on I just need to add the
redirection URL so in this case it is um
this URL here note the absence of the
trailing slash here and that you need to
include the port number as well because
Proxmox interface is using a different
port than any web interface here so now
we need to go to Proxmox and set up
those type of things here you can do
it in the UI you could also execute this
command here in the CLI of Proxmox but
of course uh I'm using the UI it's it's
simpler so you have to go to Data Center
and then go to Realms under the
permissions Tab and add a new realm
choosing the OpenID Connect server so
I'm just going to use the same fully
qualified domain name and again the
application Proxmox here in my case I
will name PRX production 2 so the realm
you can set any name I'll just set it
to authentik and paste in the client ID
from the provider settings and the same
for the client secret now the username
claim you can set to the username or to
the email address again same just like
with Portainer you can also make it the
default so that it automatically uh
selects this in the login screen of uh
Proxmox ah I forgot to add this here
the autocreate user of course we need to
enable this otherwise the new user which
is authenticated in Authentik is not
created on Proxmox and again we need an
application so let's go PX production 2
the slug is the same and now we want to
select our Proxmox provider and that's
it okay so let's uh hope this will work
go to the user interface and go to
proxmox can now select the real to
authentic log in with open ID connect
again same thing as with POA we don't
have any permissions in uh Pro MOX so we
need to lck out and log in again with
our administrative user and go to Data
Center again and now click on
permissions tab now we can add um
permissions for the user so you should
find it in here so let's just click uh
the root path
and now you should have the uh username
at and then the name of the realm in our
case authentik and we just give it the
role administrator propagate click on
Add and now when we log out again log in
using OpenID Connect and now you can
see I'm logged in with my Authentik user
but I now have access to any
administrative privileges on my Proxmox
server honestly I think this is really
amazing I can now simplify the login
procedure on basically any
administrative web service in my home lab
I'm just going to show you one more
thing because I promised you in the
beginning to show you how to protect any
web application that you expose using a
reverse proxy like Traefik with an
Authentik login even though the
application doesn't have any form of
user management at all and I know the
video is already pretty long as you can
see I'm really exhausted my tea is
already empty but I'm going to show you
that as well because I think this is
really cool so let's uh let's do one
more example let's assume I want to
check a simple web application just like
this NGINX web server with a login
prompt using my Authentik provider of
course this static web page doesn't have
any form of user management at all so it
doesn't support OAuth or OpenID but I
still can protect it when it's using the
same reverse proxy on the same server
where Authentik is running note this has
to be the same server now as you can see
Authentik comes with its own proxy
provider but you can also integrate
other ones using the forward
authentication so the way how this works
is
when the user does the initial request
to the reverse proxy the reverse proxy
first checks if the user is
authenticated if it is not it will
redirect it to the Authentik login page
and only if the user is successfully
authenticated it will forward the
initial request to the actual service
and sends the response back to the
user's device you can use the forward
authentication with yeah all types of
reverse proxies that support forward auth
such as the NGINX web server so this
will also work with NGINX and also
NGINX Proxy Manager by the way
Traefik which is my favorite reverse
proxy I probably told you a couple of
times there but I can't tell you
enough and also Caddy I know many many uh
people in our community love Caddy for
whatever reason yeah maybe one day
you'll convince me but for now I'm still
in the Traefik fan team so I'm going to
use this there are a couple of steps
involved that you have to do you have to
configure a middleware and you have to
configure your web app that you are
exposing using Traefik to use this
middleware so that it's actually
redirected to the Authentik
platform so let's go back to my visual
studio code instance so I'm not going to
need this here anymore so here I'm
running the Docker Compose file for this
NGINX web server you can see this is
exposed using the NGINX evaluation one
uh subdomain on the server demo one so
these are the Traefik labels and there's
also the Traefik reverse proxy running
this is uh this here in the Traefik
configuration file I have added a new
file provider to watch the directory Etc
traffic slon which is located on the
host in this directory so any YAML
configuration file for Traefik such as
this heads. yaml will automatically be
loaded into the dynamic config of
Traefik and this is exactly where we can
put the example configuration for the
middleware in so let's just paste it we
just need to change one thing
and it is the address for the outpost
and this has to match the internal uh
container name of the Authentik server
so that's also the reason why in the
Authentik Docker Compose file I've
configured the server with the container
name authentic demo one server because
we can now just copy this name and paste
it as the server address so that's also
important you have to put the Traefik
reverse proxy in the same Docker network
now we can just go to the uh reverse
proxy and add a new label in here which
is Traefik router middleware and set it
to authentik so this name needs to match
the name of the middleware you have
configured here of course we need to
take the NGINX web server down and
restart it so that the new label is
attached to the container but we also
have to go into Authentik because if we
refresh the page you can see this is not
working so we have to go into Authentik
once more go to the admin page and first
create a new provider for it so let's
click on Create and now we are not using
the OAuth/OpenID provider we are using the
proxy provider so we're giving it a name
NGINX evaluation one the
authentication flow is explicit and
we're using the forward authentication for
a single application the external host
is the URL of the web server of course
and that's it for the provider settings
so now we need to go into the
application create an application for it
just like with all of the other
providers select the provider in our
case proxy provider and let's click on
create one more thing to do we have to
go to Outposts and go to the Authentik
embedded outpost click on edit and
select our NGINX evaluation
application to be picked up by the
embedded outpost click on update okay so
now let us open a new private window
where I'm not logged into Authentik and
do another web request to the NGINX
web server as you can see this
automatically redirects us to the login
page of Authentik so we first of all
need to successfully authenticate to
Authentik and log in with our one-time
password to get access to the actual
website of NGINX so this is so
amazing and with this way you can really
protect any form of website or web page
with a secure login prompt no matter if
it has a user authentication service or
not I really like this so much okay guys
so this is everything I wanted to show
you today this is how you can simplify
and centralize the authentication
process in your entire home lab of
course there are so many other open
questions I have for example what about
LDAP and how can I authenticate other
LDAP services like tress or my Sophos XG
firewall using Authentik or how do I
deploy Authentik to Kubernetes and
connect my other Traefik deployments all
these questions I'm currently trying to
figure out and of course you can be
sure I'm making a follow-up video on
this and please don't forget to hit the
like button and subscribe if you're up
for future episodes about Authentik or
about HB or any other tech topics for IT
professionals a big thanks goes out to
all my supporters on Patreon you guys
are really amazing and thanks everyone
for watching I'll catch you in the next