Stephen O'Toole

freelance dubbing mixer

VoidAuth for authentication of services (SSO)

I’ve been using Authelia as a SSO (Single Sign On) service for my hosted services for a while. This allows me to not be too worried about the login of services, and in some cases, remove the login and rely solely on the SSO (which is the point of it).

Getting Authelia working on Unraid was OK. It took me an afternoon of tinkering with it, following a guide I found somewhere online, and that was it. It had a 60 day duration on the login, so once signed in, my devices would take me straight to the required service and Authelia became invisible in a way.

However as it took me a bit of work to get it going, and I wasn’t sure how easy it would be to replicate, I looked for an alternative and stumbled across a new solution in VoidAuth.

This wasn’t in the Community Apps on Unraid at the time of my install, so I went down the Docker Compose route.

Just following the Docker Compose sample on VoidAuth GitHub page got me up and running in about 2mins.

services:

  voidauth: 
    image: voidauth/voidauth:latest
    volumes:
      - /mnt/user/appdata/voidauth/config:/app/config
    ports:
      - "3000:3000"
    environment:
      APP_URL: https://auth.domain.com
      STORAGE_KEY: 12387hUYt&5rv&UYN78gygyB75r6vrt
      DB_PASSWORD: 12345buy&R&^CrvBUyGVdccv
      DB_HOST: voidauth-db
    depends_on:
      - voidauth-db

  voidauth-db:
    image: postgres:17
    environment:
      POSTGRES_PASSWORD: 12345buy&R&^CrvBUyGVdccv
    volumes:
      - /mnt/user/appdata/voidauth/db:/var/lib/postgresql/data

volumes:
  config:
  db:

Obviously those are random keys/passwords in the environment section, but make something up and off you go.

The log of the container will show you the auth_admin password which you should reset/change on first login.

To add users, it needs to be done by invite, which is best done via email. Set the SMTP parameters for your email in the compose file, and that’s all. I assume VoidAuth is querying the SMTP connection in the background; my settings were slightly off and I got a warning when trying to send an invite that the ’email settings couldn’t be verified’. This is a nice touch.

For my Caddy reverse proxy, it’s a case of adding a block at the top of the Caddyfile that you can then call for your required domains:

(voidauth) {
	forward_auth 192.168.100.4:3000 {
		uri /api/authz/forward-auth
		copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
	}
}

Then for the auth, and each domain you want the auth on:

auth.domain.com {
	reverse_proxy 192.168.100.4:3000
}

service.domain.com {
	import voidauth
	reverse_proxy 192.168.1.1:8080
}

And that’s all. Setting up an SSO and having it running in less than 5mins is very satisfying. Well done VoidAuth!

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *