this post was submitted on 07 Jul 2026
56 points (93.8% liked)

Selfhosted

60589 readers
1413 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Detailed Rules Post

  1. Be civil.

  2. No spam.

  3. Posts are to be related to self-hosting.

  4. Don't duplicate the full text of your blog or readme if you're providing a link.

  5. Submission headline should match the article title.

  6. No trolling.

  7. Promotion posts require active participation, with an account that is at least 30 days old. F/LOSS without a paywall has exceptions, with requirements. See the rules link for details. Tags [CBH] or [AIP] are required, see the links in Rule 8 for details.

  8. AI-related discussions and AI-involved promotional posts have additional requirements for tagging, as noted in Rule 7 and the AI & Promotional Post Expanded Rules post, and find example disclosures here.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS
 

SbTEwwlrjN5y7jq.webp

How Authelia Performs Multi-Factor Authentication

Authelia sits between your reverse proxy and the apps behind it, intercepting requests and performing auth checks before forwarding traffic, giving you true MFA that can be integrated with something like Google Authenticator, or Yubikey/Titan key, etc...

Stop exposing unsecured apps. Learn how to deploy Authelia in Docker with a KeyDB backend and SWAG to enforce centralized Multi-Factor Authentication.

Setting up Authelia can be a bit intensive at first, but very worth the payoff / time and effort!

Disclaimers: I'm the author & run this exact setup, in production for myself. It's a "battle tested" setup, which has been in use for a few years now. Written & verified by a human! The header image is a composite of my Authelia MFA token page & AI generated infographic. NO ADS or affiliate marketing on page!

Happy to chat in the comments!

you are viewing a single comment's thread
view the rest of the comments
[โ€“] gajahmada@awful.systems 2 points 3 days ago* (last edited 3 days ago) (1 children)

Oh, you're actually that corelab. I use your Vaulwarden guide as reference when I rebuild a while ago. Thanks for the write up !

Though, I wish you have something for Traefik and I know you wrote about why you chose SWAG but mine's all docker anyway that's why I go with Traefik.

There's not many articles talking about TF with multiple host without going full Kubernetes. Looking up forward auth (for something without native OIDC) is confusing af.

[โ€“] CoreLabJoe@piefed.ca 2 points 3 days ago* (last edited 3 days ago)

Well hello there!

Yes, the one and only Core Lab Joe, in the digital flesh (packets, tcp-stream!). Thanks for reading and I'm glad it helped you!

I'm picky when writing tech guides and generally will only write (and recommend!) what I run, and what I have experience with, so that would not be traefik.

My entire system/setup is all dockerized as well. I run 50+ dockers, and anything publicly exposed goes through my SWAG instance. It doesn't matter what reverse proxy you use, or even if the apps are containers or not really, it's all networking.

That said I've got a good Traefik resource for you, FoxxMD Blog and his migrating from SWAG to Traefik post!

One of the things I need to tackle fully myself, understand, break, troubleshoot and then fix is OIDC for myself, so I can write a good guide on it. A lot of apps do natively do it now, but from what I understand for those that do not, you can use Authelia and the like to slap that authentication into (over top) of it.