01 Why Every Self-Hoster Needs SSO
When you're running 15+ services, managing separate logins for each one becomes a nightmare. Some services have great built-in auth. Others have basic HTTP auth or none at all. And remembering which services are publicly accessible versus which ones assume they're behind a VPN is a recipe for accidentally exposing an admin panel.
Authelia solves this by acting as an authentication portal that sits in front of your reverse proxy. Any request to a protected service gets redirected to the Authelia login page first. After authentication (with optional 2FA), the user is redirected back to the original service. One login protects everything.
I added Authelia to my home lab after discovering that my Prometheus dashboard had been publicly accessible for three months. Nothing bad happened, but it was a wake-up call. Now every service is behind Authelia unless I explicitly exclude it.
02 How Authelia Works with Traefik
The flow is straightforward:
1. User requests service.yourdomain.com
2. Traefik intercepts the request and asks Authelia: "Is this user authenticated?"
3. If not, Authelia redirects the user to auth.yourdomain.com for login
4. User logs in (with optional 2FA via TOTP, WebAuthn, or push notification)
5. Authelia sets an encrypted session cookie and redirects back to the original service
6. Subsequent requests use the session cookie — no re-login needed
Authelia supports multiple authentication backends: a simple YAML file for small setups, LDAP for larger organizations, and various 2FA methods. For a home lab, the file-based backend is perfect.
03 Docker Compose Setup
Here's the core Authelia setup with Traefik integration:
[docker-compose.yml]
services:
  authelia:
    image: authelia/authelia:latest
    container_name: authelia
    restart: unless-stopped
    volumes:
      - ./config:/config
    environment:
      - TZ=America/New_York
    labels:
      - "traefik.enable=true"
      # The login portal itself, served over TLS at auth.yourdomain.com
      - "traefik.http.routers.authelia.rule=Host(`auth.yourdomain.com`)"
      - "traefik.http.routers.authelia.tls.certresolver=letsencrypt"
      # The forwardAuth middleware: Traefik asks Authelia about every request
      # to a protected service before proxying it
      - "traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/authz/forward-auth"
      - "traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true"
      - "traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups"
    networks:
      - proxy

  redis:
    image: redis:7-alpine
    container_name: authelia-redis
    restart: unless-stopped
    volumes:
      - redis_data:/data
    networks:
      - proxy

volumes:
  redis_data:

networks:
  proxy:
    external: true

04 Protecting Your Services
Once Authelia is running, protecting any service is a single Traefik label:
[docker-compose.yml]
services:
  grafana:
    image: grafana/grafana:latest
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.grafana.rule=Host(`grafana.yourdomain.com`)"
      - "traefik.http.routers.grafana.tls.certresolver=letsencrypt"
      # This one line adds Authelia protection:
      - "traefik.http.routers.grafana.middlewares=authelia@docker"
    # The service must be on the same external network as Traefik and Authelia
    networks:
      - proxy

networks:
  proxy:
    external: true

Authelia's access control policies let you set different protection levels per service. Public services get bypassed, internal tools require one-factor auth, and admin panels require two-factor auth.
05 Access Control Policies
Authelia's configuration file lets you define granular access policies. You can set different authentication requirements based on the domain, path, or user group.
For example, your public website bypasses authentication entirely. Your media server requires a simple password. Your admin panels and infrastructure dashboards require 2FA. And certain services are restricted to specific users only.
This tiered approach balances security with convenience. You don't want to enter a TOTP code every time you open Jellyfin, but you definitely want it for your Traefik dashboard.
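To make the tiers above concrete, here is an `access_control` section for Authelia's configuration.yml that implements them. This is an added example, not the article's own configuration; the hostnames other than grafana.yourdomain.com (www, jellyfin, prometheus, traefik, backup) and the group and user names are placeholders you would replace with your own.

```yaml
# Added example for Authelia's configuration.yml (not the article's own config).
# Rules are evaluated top to bottom and the first match wins, so more specific
# rules must come before broader ones, and the default catches everything else.
access_control:
  # Anything without an explicit rule is denied, so a service that gets a
  # Traefik label but no rule here fails loudly instead of being exposed.
  # Use two_factor instead if you prefer "protected by default" to "denied".
  default_policy: deny

  rules:
    # Public website: no authentication at all (placeholder host).
    - domain: www.yourdomain.com
      policy: bypass

    # Media server: a password is enough (placeholder host).
    - domain: jellyfin.yourdomain.com
      policy: one_factor

    # Infrastructure dashboards: second factor plus admins group membership
    # (placeholder hosts and group name).
    - domain:
        - traefik.yourdomain.com
        - prometheus.yourdomain.com
      policy: two_factor
      subject:
        - "group:admins"

    # Grafana: the admin area needs 2FA and the admins group; this path rule
    # sits above the broader one-factor rule for the same host.
    - domain: grafana.yourdomain.com
      resources:
        - "^/admin(/.*)?$"
      policy: two_factor
      subject:
        - "group:admins"
    - domain: grafana.yourdomain.com
      policy: one_factor

    # A service restricted to a single named user (placeholder host and user).
    - domain: backup.yourdomain.com
      policy: two_factor
      subject:
        - "user:alice"
```

Because the default is `deny`, a logged-in user visiting a host with no rule gets Authelia's forbidden page rather than the service, which makes a missing rule easy to notice.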
Check out our security category for Authelia configurations along with other authentication solutions like Keycloak and Authentik. Each includes complete Traefik integration examples.