[{"data":1,"prerenderedAt":114},["ShallowReactive",2],{"seo-verification":3,"marketplace-app-fr-authelia":6},{"google":4,"bing":5},"EycwPY2XMyTkVzas3n1ygeNJFGAH513qrMjfDljzsMQ","",{"slug":7,"name":8,"description":9,"phase":10,"docsUrl":11,"logo":12,"github":13,"tagline":14,"longDescription":15,"features":16,"useCases":23,"steps":33,"faq":49,"specs":68,"compatibleOs":77,"relatedApps":79,"relatedPosts":107,"category":111},"authelia","Authelia","Open-source authentication and authorization gateway — add MFA, SSO and fine-grained access control in front of any app without touching its code.",1,"https:\u002F\u002Fservorbit.com\u002Fblog\u002Fself-host-authelia-vps","https:\u002F\u002Fcdn.simpleicons.org\u002Fauthelia","https:\u002F\u002Fgithub.com\u002Fauthelia\u002Fauthelia","Add MFA, SSO and fine-grained access control in front of any app — no code changes required.","Authelia is an open-source authentication and authorization server that acts as a reverse-proxy companion. It intercepts every request to your apps and enforces your policy: one-factor login, two-factor (TOTP, WebAuthn\u002FPasskeys), or bypass — based on domain, path, user group or network. Authelia itself handles the login portal; your app never needs to know it exists.\n\nDeployed on a ServOrbit VPS, Authelia runs as a lightweight Go binary (~25 MB RAM) alongside a Redis session store. It integrates with Nginx, Caddy, Traefik and HAProxy as a forward-auth endpoint, and doubles as a full OpenID Connect (OIDC) provider, letting you add Single Sign-On across your entire self-hosted stack from a single configuration file. Apache 2.0 licensed, ~28 k GitHub stars.",[17,18,19,20,21,22],"MFA out of the box: TOTP, WebAuthn\u002FPasskeys and Duo push — one config line per user or group","OpenID Connect (OIDC) certified provider: add SSO to any OIDC-compatible app in your stack","Fine-grained access control: allow, deny or require 2FA by domain, subdomain, path, IP network or user group","Reverse-proxy agnostic: native forward-auth support for Nginx, Caddy, Traefik, HAProxy and Envoy","Under 30 MB RAM at idle — runs comfortably alongside other services on a 1 GB VPS","File-based or LDAP user backend — start with a local users file, migrate to LDAP later without downtime",[24,27,30],{"title":25,"body":26},"Protect internal tools","Put Authelia in front of Grafana, Dockge, Gitea or any admin UI. Users authenticate once at your auth portal and are forwarded to any protected app without re-entering credentials.",{"title":28,"body":29},"Add MFA to apps that don't support it","Many self-hosted apps have basic password auth or none at all. Authelia adds TOTP or passkey authentication at the proxy layer — zero changes to the app, zero code to write.",{"title":31,"body":32},"Self-hosted SSO across your stack","Configure Authelia as an OIDC provider and connect Nextcloud, Gitea, Mattermost and more. One login session, all your apps — on infrastructure you own.",[34,37,40,43,46],{"title":35,"body":36},"Create the VPS","Order a ServOrbit VPS with at least 1 vCPU and 512 MB RAM (1 GB recommended). Ubuntu 22.04 LTS is the recommended OS. A domain name pointing to this VPS is required — Authelia's session cookies and OIDC callbacks require HTTPS with a valid FQDN.",{"title":38,"body":39},"Point your subdomain","Create an A record for your auth subdomain, for example `auth.yourdomain.com`, pointing to the VPS IP. SSL is handled automatically by the ServOrbit reverse proxy using Let's Encrypt.",{"title":41,"body":42},"Deploy Authelia","Select the Authelia template in the ServOrbit Marketplace. The provisioning job deploys the Compose stack (Authelia + Redis), generates all secrets, writes the initial configuration and creates the admin user. The portal is accessible at `https:\u002F\u002Fauth.yourdomain.com` within minutes.",{"title":44,"body":45},"Configure your reverse proxy","Add a `forward_auth` directive to the Nginx, Caddy or Traefik configuration of each app you want to protect. Authelia's documentation has copy-paste snippets for every major proxy. ServOrbit VPS instances ship with Caddy by default.",{"title":47,"body":48},"Add users and enable MFA","Log in to the Authelia portal with the default admin credentials, register your TOTP app (Google Authenticator, Ente Auth, Aegis…) or a passkey, then create additional users. Update access control rules in `configuration.yml` to enforce 2FA for sensitive apps and one-factor for others.",[50,53,56,59,62,65],{"q":51,"a":52},"What is Authelia?","Authelia is an open-source (Apache 2.0) authentication and authorization gateway. It sits in front of your apps as a forward-auth endpoint, enforcing MFA and fine-grained access control without any changes to the apps themselves.",{"q":54,"a":55},"Does Authelia replace each app's own login?","It depends on the app. For apps without authentication (internal dashboards, admin UIs), Authelia adds a login wall at the proxy layer. For OIDC-compatible apps like Gitea or Nextcloud, Authelia can become the identity provider and replace the app's own login entirely, giving you true SSO.",{"q":57,"a":58},"How much RAM does Authelia need?","Very little. Authelia itself idles under 30 MB RAM. Add ~20 MB for the Redis session store. A 512 MB VPS is sufficient for personal use; 1 GB is comfortable for a team of 10-20 users.",{"q":60,"a":61},"Does Authelia require a domain name?","Yes. Session cookies require a proper domain (`Domain=.yourdomain.com`), and OIDC callbacks and Let's Encrypt certificates require a publicly resolvable FQDN with HTTPS. Authelia cannot work correctly behind a plain IP address.",{"q":63,"a":64},"Which reverse proxies does Authelia support?","Authelia has first-class support for Nginx, Caddy, Traefik, HAProxy, Envoy and Skipper via its `forward_auth` \u002F `ext_authz` endpoint. The documentation provides copy-paste configuration snippets for each proxy.",{"q":66,"a":67},"Is Authelia compatible with passkeys and hardware security keys?","Yes. Authelia v4.38+ supports WebAuthn (FIDO2), which covers passkeys, Touch ID, Face ID, YubiKeys and any FIDO2-compliant hardware key. Users can register multiple second-factor methods and choose at login time.",{"ram":69,"cpu":70,"stack":71,"port":76},"512 Mo (1 Go recommandé)","1 vCPU",[72,73,74,75],"Docker","Go","SQLite","Redis 7","9091",[78],"ubuntu-24.04",[80,89,98],{"name":81,"slug":82,"categorySlug":83,"categoryName":84,"categoryColor":85,"logo":86,"tagline":87,"description":88},"Vaultwarden","vaultwarden","cybersecurity","Cybersecurity & Bastion","text-red-400 bg-red-500\u002F10","https:\u002F\u002Fcdn.simpleicons.org\u002Fbitwarden","Self-hosted Bitwarden in one Rust container — unlimited passwords, zero subscription, your data stays on your VPS.","Self-hosted Bitwarden-compatible password manager written in Rust. All Bitwarden clients work out of the box — browser extensions, mobile apps, desktop — under 50 MB RAM.",{"name":90,"slug":91,"categorySlug":92,"categoryName":93,"categoryColor":94,"logo":95,"tagline":96,"description":97},"WireGuard Server","wireguard-server","reseau","Réseau & VPN","text-sky-400 bg-sky-500\u002F10","https:\u002F\u002Fcdn.simpleicons.org\u002Fwireguard","VPN moderne et ultra-rapide — connexions sécurisées pour vos équipes avec latence minimale.","VPN moderne, performant et minimal. Connexions sécurisées pour vos équipes et vos infrastructures avec une latence proche de zéro.",{"name":99,"slug":100,"categorySlug":101,"categoryName":102,"categoryColor":103,"logo":104,"tagline":105,"description":106},"Caddy","caddy","deploiement","Déploiement Applicatif & DevOps","text-success bg-success\u002F10","https:\u002F\u002Fcdn.simpleicons.org\u002Fcaddy","SSL automatique pour vos applications — HTTPS sans effort, certificats auto-renouvelés.","Serveur web et reverse proxy moderne avec HTTPS automatique. Certificats SSL Let's Encrypt obtenus et renouvelés tout seuls, configuration minimale via Caddyfile.",[108,109,110],"self-host-authelia-vps","deploy-vaultwarden-vps","securiser-vps-crowdsec",{"key":112,"slug":83,"name":84,"objective":113,"icon":112,"color":85},"security","Renforcer la sécurité des infrastructures.",1784126256830]