Add two-factor authentication (2FA) to paperless-ngx
Okko -
It is an uneasy feeling when your documents are finally digitized but access to them is still protected only by the old username-and-password method. This can be upgraded with the free, open-source application Authelia and an NGINX reverse proxy.
Before you start
This guide does not describe how to install paperless-ngx. I assume that paperless-ngx already runs behind NGINX as a reverse proxy. Authelia needs its own subdomain, e.g. authelia.example.org, and that subdomain must be served over HTTPS, e.g. with a Let's Encrypt certificate. Authelia also needs a mail account (SMTP) from which it can send the device-registration mail.
Install authelia
The installation of Authelia is not exactly straightforward. Authelia ships as a Docker application but, unusually for a container application, expects a fair amount of upfront work from the user before it can be used at all.
Overview and prerequisites: We run Authelia as a Docker Swarm service. For its configuration we create two folders, config and .secrets, next to each other in the authelia root folder. The .secrets directory holds the passwords and encryption keys. The config directory holds the SQLite database (authelia.db), the user database (users_database.yml) and the actual configuration (configuration.yml).
The createSecrets.sh file is a bash script I wrote to simplify the creation of the keys.
openssl is used as the source of randomness. Install it via:
Since we are only protecting a single application for now, SQLite is more than sufficient as the database. Install it with the following command:
Redis is installed via docker compose.
Docker
Create a folder authelia and change into it.
Now create the necessary folders and enter the config folder:
Create the SQLite database as follows:
Copy the user database template from the Authelia repo or create your own:
The structure of the YAML file is easy to understand. You can generate the password hash directly from the Authelia Docker container:
Create main configuration
Copy and paste the following configuration.yml and adjust the settings in angle brackets.
Create secrets
Just copy and paste the following script:
Run the script by:
chmod +x createSecrets.sh
./createSecrets.sh
To avoid running the script a second time by mistake (which would overwrite the secrets and, in the case of the storage encryption key, make the existing database unreadable), I recommend deleting it after it has run successfully.
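The steps above (folder layout, empty SQLite file, users database, secrets) can be done in one script. The following is an added example written for this page, not the author's createSecrets.sh: it uses openssl for randomness as the page does, refuses to overwrite existing secrets, and writes them with owner-only permissions. The secret file names (JWT_SECRET, SESSION_SECRET, STORAGE_ENCRYPTION_KEY) are my assumption and follow the AUTHELIA_*_FILE environment variables Authelia reads secrets from; the docker-compose.yml is assumed to map them. The user name, e-mail and password hash in the users template are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not the author's script): bootstraps the Authelia directory
# layout described above. Run as: ./bootstrap.sh /path/to/authelia
set -euo pipefail

# 32 random bytes as 64 hex characters. openssl as on the page, with a
# /dev/urandom fallback for hosts without it.
gen_secret() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 32
    else
        od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
    fi
}

# Write one secret file, mode 600, without a trailing newline so the value
# Authelia reads is exactly the one generated. Never overwrite: regenerating
# the storage encryption key would make the existing authelia.db unreadable.
write_secret() {
    local path="$1"
    if [ -e "$path" ]; then
        echo "refusing to overwrite existing secret $path" >&2
        return 1
    fi
    ( umask 077; printf '%s' "$(gen_secret)" > "$path" )
}

# Create config/ and .secrets/ below the authelia root folder ($1) and fill them.
bootstrap_authelia() {
    local root="$1"
    mkdir -p "$root/config" "$root/.secrets"
    chmod 700 "$root/.secrets"

    # Empty SQLite file; Authelia creates the schema itself on first start.
    [ -e "$root/config/authelia.db" ] || : > "$root/config/authelia.db"

    # Minimal users database (placeholder values). Produce the real hash with
    #   docker run --rm authelia/authelia:latest \
    #       authelia crypto hash generate argon2 --password 'your-password'
    # (older releases: authelia hash-password 'your-password').
    if [ ! -e "$root/config/users_database.yml" ]; then
        cat > "$root/config/users_database.yml" <<'EOF'
users:
  alice:
    displayname: "Alice Example"
    password: "<argon2id hash generated in the authelia container>"
    email: alice@example.org
    groups:
      - admins
EOF
    fi

    write_secret "$root/.secrets/JWT_SECRET"
    write_secret "$root/.secrets/SESSION_SECRET"
    write_secret "$root/.secrets/STORAGE_ENCRYPTION_KEY"
    # The SMTP password is not random: paste the real one into
    # .secrets/SMTP_PASSWORD yourself, with the same permissions.
}

# Sanity checks before starting the stack: every secret present, 64 hex
# characters long, readable by the owner only.
check_secrets() {
    local dir="$1" f
    for f in JWT_SECRET SESSION_SECRET STORAGE_ENCRYPTION_KEY; do
        [ -s "$dir/$f" ] || { echo "missing $f" >&2; return 1; }
        [ "$(wc -c < "$dir/$f")" -eq 64 ] || { echo "$f has wrong length" >&2; return 1; }
        [ "$(ls -l "$dir/$f" | cut -c1-10)" = "-rw-------" ] || { echo "$f is not mode 600" >&2; return 1; }
    done
}

if [ "${1:-}" != "" ]; then
    bootstrap_authelia "$1"
    check_secrets "$1/.secrets" && echo "authelia layout ready in $1"
fi
```

Run it once; a second run fails on the first existing secret instead of silently replacing it, which is the behaviour you want for keys that other data depends on.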
Docker compose file
Go back to your authelia root folder and create your docker-compose.yml. Just copy and paste the following configuration:
Start the stack with the following command:
NGINX reverse proxy
Send auth_request to Authelia
Go to your NGINX configuration directory /etc/nginx/ and create a directory authelia.
cd /etc/nginx/
mkdir authelia
cd authelia
Create the configuration file auth.conf and add the following lines via copy and paste:
You need to adjust the line with your own authelia subdomain:
Create another config file authelia.conf in the same directory and copy and paste the following lines:
Paperless-ngx NGINX modification
Add the following line to your paperless NGINX server config:
server {
    ...
    include authelia/authelia.conf;   # Authelia auth endpoint
    location / {
        ...
        include authelia/auth.conf;   # Protect this endpoint
    }
}
Restart NGINX:
systemctl restart nginx
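For readers who want to see what the two included files have to contain, here is an added example that writes them and checks the security-relevant directives. It is my reconstruction of the standard Authelia auth_request integration for NGINX, not the author's auth.conf and authelia.conf. It assumes Authelia is reachable from the host NGINX at http://127.0.0.1:9091 (i.e. the compose file publishes port 9091 on localhost) and that the portal is https://authelia.example.org; both can be overridden through the environment variables shown.

```bash
#!/usr/bin/env bash
# Added example (not the author's files): generate /etc/nginx/authelia/auth.conf
# and authelia.conf for Authelia forward authentication.
# Usage: ./write-authelia-nginx.sh /etc/nginx/authelia
set -euo pipefail

# Assumptions: adjust for your deployment.
AUTHELIA_PORTAL="${AUTHELIA_PORTAL:-https://authelia.example.org}"
AUTHELIA_BACKEND="${AUTHELIA_BACKEND:-http://127.0.0.1:9091}"

# authelia.conf: the location auth_request calls for every protected request.
# `internal` stops clients from reaching it directly; the request body is not
# forwarded and Content-Length is cleared, otherwise NGINX waits for a body.
write_authelia_conf() {
    cat > "$1/authelia.conf" <<EOF
location /authelia {
    internal;
    proxy_pass $AUTHELIA_BACKEND/api/verify;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";

    # Original request details, so Authelia's access rules and the redirect
    # back after login see the URL the client actually asked for.
    proxy_set_header X-Original-URL \$scheme://\$http_host\$request_uri;
    proxy_set_header X-Forwarded-Method \$request_method;
    proxy_set_header X-Forwarded-Proto \$scheme;
    proxy_set_header X-Forwarded-Host \$http_host;
    proxy_set_header X-Forwarded-Uri \$request_uri;
    proxy_set_header X-Forwarded-For \$remote_addr;
    proxy_set_header Host \$http_host;
}
EOF
}

# auth.conf: included in every location that must be protected. A 401 from
# Authelia becomes a redirect to the portal, carrying the target URL in rd=.
write_auth_conf() {
    cat > "$1/auth.conf" <<EOF
auth_request /authelia;

auth_request_set \$target_url \$scheme://\$http_host\$request_uri;
error_page 401 =302 $AUTHELIA_PORTAL/?rd=\$target_url;

# Hand the verified identity to the backend.
auth_request_set \$user \$upstream_http_remote_user;
auth_request_set \$groups \$upstream_http_remote_groups;
proxy_set_header Remote-User \$user;
proxy_set_header Remote-Groups \$groups;
EOF
}

write_nginx_snippets() {
    local dir="$1"
    mkdir -p "$dir"
    write_authelia_conf "$dir"
    write_auth_conf "$dir"
}

# The three things that must be true for the protection to hold: the
# protected location really calls auth_request, the verify location is
# internal, and an unauthenticated request is redirected, not served.
check_snippets() {
    local dir="$1"
    grep -q '^auth_request /authelia;' "$dir/auth.conf" || return 1
    grep -q '^    internal;' "$dir/authelia.conf" || return 1
    grep -q '^error_page 401 =302' "$dir/auth.conf" || return 1
}

# Load-test the full NGINX configuration before restarting (only when nginx
# is installed on this host).
test_nginx_config() {
    command -v nginx >/dev/null 2>&1 && nginx -t
}

if [ "${1:-}" != "" ]; then
    write_nginx_snippets "$1"
    check_snippets "$1" && echo "snippets written to $1"
fi
```

Two caveats worth checking once the files are in place: run nginx -t before systemctl restart nginx, and make sure paperless-ngx is not also reachable on a published port next to the proxy, because a request that goes straight to the container never passes auth_request and the second factor is bypassed.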
First Authelia setup
Open the subdomain you set up for Authelia and log in with the username and password you configured in the Authelia user database (users_database.yml).
Register your device
Authelia now sends an email to the address configured for that user in the user database. After you click the link in the email, the device registration is confirmed and you can scan the QR code with your TOTP app.