别再手动改hosts了!用Docker Compose一键部署Authelia SSO,顺便搞定Traefik反向代理
一键部署Authelia SSO与Traefik反向代理的Docker Compose实战指南
在当今复杂的网络环境中,管理多个Web应用的认证流程往往成为开发者的痛点。手动配置hosts文件、逐个设置访问权限不仅耗时耗力,还容易出错。本文将介绍如何利用Docker Compose快速搭建Authelia单点登录系统,并集成Traefik作为反向代理,实现开箱即用的安全访问控制方案。
1. 技术栈概述与准备工作
Authelia是一款开源的单点登录(SSO)和双因素认证(2FA)系统,专为自托管应用设计。它支持多种认证方式,能与反向代理无缝集成,为内部应用提供统一的认证入口。Traefik则是现代化的反向代理和负载均衡工具,支持自动服务发现和Let's Encrypt证书管理。
部署前准备:
- 已安装Docker和Docker Compose的Linux服务器(推荐Ubuntu 20.04+)
- 有效的域名(用于SSL证书申请)
- 基础命令行操作知识
提示:虽然本文使用
.example.com作为演示域名,实际部署时请替换为您自己的域名。
2. Docker Compose编排文件解析
以下是经过优化的docker-compose.yml文件,集成了Authelia、Redis、Traefik和演示站点:
version: '3.8' networks: sso-network: driver: bridge services: authelia: image: authelia/authelia:latest container_name: authelia volumes: - ./authelia/config:/config networks: - sso-network environment: - TZ=Asia/Shanghai labels: - "traefik.enable=true" - "traefik.http.routers.authelia.rule=Host(`auth.yourdomain.com`)" - "traefik.http.routers.authelia.entrypoints=websecure" - "traefik.http.routers.authelia.tls.certresolver=letsencrypt" - "traefik.http.services.authelia.loadbalancer.server.port=9091" redis: image: redis:alpine container_name: redis volumes: - ./redis/data:/data networks: - sso-network restart: unless-stopped traefik: image: traefik:v2.6 container_name: traefik ports: - "80:80" - "443:443" volumes: - ./traefik/config:/etc/traefik - /var/run/docker.sock:/var/run/docker.sock networks: - sso-network command: - "--api.insecure=true" - "--providers.docker=true" - "--providers.docker.exposedbydefault=false" - "--entrypoints.web.address=:80" - "--entrypoints.websecure.address=:443" - "--certificatesresolvers.letsencrypt.acme.email=your@email.com" - "--certificatesresolvers.letsencrypt.acme.storage=/etc/traefik/acme.json" - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web" whoami: image: containous/whoami container_name: whoami networks: - sso-network labels: - "traefik.enable=true" - "traefik.http.routers.whoami.rule=Host(`app.yourdomain.com`)" - "traefik.http.routers.whoami.entrypoints=websecure" - "traefik.http.routers.whoami.tls.certresolver=letsencrypt" - "traefik.http.routers.whoami.middlewares=authelia@docker"关键配置说明:
- 使用独立的Docker网络
sso-network确保服务间隔离 - Authelia配置挂载到本地
./authelia/config目录 - Traefik配置自动SSL证书申请
- Whoami服务作为演示应用,受Authelia保护
3. Authelia详细配置
在./authelia/config目录下创建两个关键配置文件:
configuration.yml
theme: light jwt_secret: your_secure_jwt_secret_here default_redirection_url: https://app.yourdomain.com server: host: 0.0.0.0 port: 9091 authentication_backend: file: path: /config/users_database.yml password: algorithm: argon2id iterations: 3 memory: 65536 parallelism: 4 access_control: default_policy: deny rules: - domain: "auth.yourdomain.com" policy: bypass - domain: "app.yourdomain.com" policy: two_factor session: name: authelia_session secret: your_session_secret_here expiration: 1h inactivity: 5m domain: yourdomain.com storage: encryption_key: your_encryption_key_here local: path: /config/db.sqlite3 notifier: filesystem: filename: /config/notifications.txtusers_database.yml
users: admin: displayname: "Admin User" password: "$argon2id$v=19$m=65536,t=3,p=4$dGhlc2FsdHlzdHJpbmc$thehashedpassword" email: admin@yourdomain.com groups: - admins developer: displayname: "Developer" password: "$argon2id$v=19$m=65536,t=3,p=4$YW5vdGhlcnNhbHQ$anotherhashedpassword" email: dev@yourdomain.com生成密码哈希的命令:
docker run --rm authelia/authelia:latest authelia hash-password 'yourpassword'4. Traefik配置优化
在./traefik/config目录下创建traefik.yml:
api: dashboard: true insecure: true entryPoints: web: address: ":80" http: redirections: entryPoint: to: websecure scheme: https websecure: address: ":443" providers: docker: endpoint: "unix:///var/run/docker.sock" exposedByDefault: false certificatesResolvers: letsencrypt: acme: email: "your@email.com" storage: "/etc/traefik/acme.json" httpChallenge: entryPoint: "web"性能优化参数:
serversTransport: maxIdleConnsPerHost: 200 forwardingTimeouts: dialTimeout: 30s responseHeaderTimeout: 0s log: level: INFO format: json5. 部署与测试流程
- 启动服务栈
docker-compose up -d- 验证服务状态
docker-compose ps- 测试访问流程
- 直接访问
https://app.yourdomain.com应跳转到Authelia登录页 - 使用
users_database.yml中的凭证登录 - 成功认证后应返回Whoami服务页面
- 管理界面
- Traefik仪表板:
https://traefik.yourdomain.com - Authelia管理API:
https://auth.yourdomain.com/api/
常见问题排查:
# 查看Authelia日志 docker logs authelia # 检查Redis连接 docker exec -it redis redis-cli ping # 验证Traefik配置 docker exec traefik traefik check-config6. 生产环境增强建议
安全加固措施:
- 替换所有示例中的密钥和密码
- 启用数据库存储替代SQLite
- 配置SMTP通知服务
- 设置适当的备份策略
性能扩展方案:
# 在docker-compose.yml中添加 authelia: deploy: resources: limits: cpus: '1' memory: 512M reservations: memory: 256M healthcheck: test: ["CMD", "authelia", "healthcheck"] interval: 30s timeout: 5s retries: 3监控集成:
- Prometheus指标端点
- 日志收集到ELK或Loki
- 健康检查报警
实际部署中发现,合理配置会话超时和密码策略能显著提升安全性。对于团队协作场景,建议结合LDAP或Active Directory进行用户管理,而非文件存储方式。