Source && Doc#

https://github.com/steveiliop56/tinyauth?tab=readme-ov-file https://tinyauth.app/docs/about.html 强烈建议阅读，此文章只是个推荐，重复造轮子

介绍#

首先说一下需求，在Selfhost 缺少身份验证或者是类似PHP等这种很容易存在漏洞应用，需要多一层验证（当然最佳实践应该是直接使用VPN内部访问，不公开到公网，但是有些应用还是存在这种使用场景）。本身其实有大量的身份验证应用比如Authelia/Authentik/Keycloack之类。

原因1#

大部分这些工具为了企业级生产力需求会十分复杂。比如之前使用的Authentik，他的compose需要简简单单147行（

1
services:
2
  authentik-postgresql:
3
    image: docker.io/library/postgres:16-alpine
4
    restart: unless-stopped
5
    healthcheck:
6
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
7
      start_period: 20s
8
      interval: 30s
9
      retries: 5
10
      timeout: 5s
11
    volumes:
12
      - ./database:/var/lib/postgresql/data
13
    environment:
14
      POSTGRES_PASSWORD: ${PG_PASS:?database password required}
15
      POSTGRES_USER: ${PG_USER:-authentik}
16
      POSTGRES_DB: ${PG_DB:-authentik}
17
    env_file:
18
      - .env
19
    networks:
20
      - default
21

22
  authentik-redis:
23
    image: docker.io/library/redis:alpine
24
    command: --save 60 1 --loglevel warning
25
    restart: unless-stopped
26
    healthcheck:
27
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
28
      start_period: 20s
29
      interval: 30s
30
      retries: 5
31
      timeout: 3s
32
    volumes:
33
      - redis_authentik:/data
34
    networks:
35
      - default
36
  authentik-server:
37
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG}
38
    restart: unless-stopped
39
    command: server
40
    environment:
41
      AUTHENTIK_REDIS__HOST: authentik-redis
42
      AUTHENTIK_POSTGRESQL__HOST: authentik-postgresql
43
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
44
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
45
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
46
    volumes:
47
      - ./authentik/media:/media
48
      - ./authentik/custom-templates:/templates
49
      # - /var/run/docker.sock:/var/run/docker.sock
50
    env_file:
51
      - .env
52
    # ports:
53
    #   - "${COMPOSE_PORT_HTTP:-9000}:9000"
54
    #   - "${COMPOSE_PORT_HTTPS:-9443}:9443"
55
    networks:
56
      - public_web
57
      - default
58
    depends_on:
59
      authentik-postgresql:
60
        condition: service_healthy
61
      authentik-redis:
62
        condition: service_healthy
63
    labels:
64
      homepage.group: Networking
65
      homepage.name: Authentik
66
      homepage.icon: authentik
67
      homepage.href: "https://auth.CHANGEME.com"
68
      traefik.enable: true
69
      traefik.http.routers.authentik.rule: Host(`auth.CHANGEME.com`)
70
      traefik.http.services.authentik.loadbalancer.server.port: 9000
71
      traefik.docker.network: public_web
72
      traefik.public: true
73
  authentik-proxy:
74
    image: ghcr.io/goauthentik/proxy:${AUTHENTIK_TAG:-2024.10.5}
75
    # ports:
76
    #     - 9000:9000
77
    #     - 9443:9443
78
    networks:
79
      - public_web
80
      - default
81
    environment:
82
        AUTHENTIK_REDIS__HOST: authentik-redis
83
        AUTHENTIK_HOST: http://authentik-server:9000
84
        AUTHENTIK_INSECURE: "true"
85
        AUTHENTIK_TOKEN: ${AUTHENTIK_TRAEFIK_EXT_OUTPOST_TOKEN}
86
        # Starting with 2021.9, you can optionally set this too
87
        # when authentik_host for internal communication doesn't match the public URL
88
        AUTHENTIK_HOST_BROWSER: https://auth.CHANGEME.com
89
        # for logging edit log_level in outpost config from ui
90
    labels:
91
        traefik.enable: true
92
        traefik.port: 9000
93
        traefik.http.routers.authentik-proxy.rule: Host(`CHANGEME.com`) && PathPrefix(`/outpost.goauthentik.io/`)
94
        # `authentik-proxy` refers to the service name in the compose file.
95
        traefik.http.middlewares.authentik-proxy.forwardauth.address: http://authentik-proxy:9000/outpost.goauthentik.io/auth/traefik
96
        traefik.http.middlewares.authentik-proxy.forwardauth.trustForwardHeader: true
97
        traefik.http.middlewares.authentik-proxy.forwardauth.authResponseHeaders: X-authentik-username,X-authentik-groups,X-authentik-entitlements,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version
98
        traefik.public: true
99
        kop.namespace: none
100

101
    restart: unless-stopped
102
  worker:
103
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.5}
104
    restart: unless-stopped
105
    command: worker
106
    environment:
107
      AUTHENTIK_REDIS__HOST: authentik-redis
108
      AUTHENTIK_POSTGRESQL__HOST: authentik-postgresql
109
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
110
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
111
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
112
    # `user: root` and the docker socket volume are optional.
113
    # See more for the docker socket integration here:
114
    # https://goauthentik.io/docs/outposts/integrations/docker
115
    # Removing `user: root` also prevents the worker from fixing the permissions
116
    # on the mounted folders, so when removing this make sure the folders have the correct UID/GID
117
    # (1000:1000 by default)
118
    user: root
119
    volumes:
120
      - /var/run/docker.sock:/var/run/docker.sock
121
      - ./authentik/media:/media
122
      - ./authentik/certs:/certs
123
      - ./authentik/custom-templates:/templates
124
    env_file:
125
      - .env
126
    depends_on:
127
      authentik-postgresql:
128
        condition: service_healthy
129
      authentik-redis:
130
        condition: service_healthy
131
    networks:
132
      - default
133

134
networks:
135
  default:
136
    internal: true
137
  public_web:
138
    external: true
139

140
volumes:
141
  redis_authentik:
142
    driver: local

原因2#

最近把家里的架构由Nginx手动创建变成了Compose + Traefik，现在我创建一个服务的反向代理，只需要向下面这样，在docker compose，反向代理将自动化生成。所以支持通过labels描述，并且自动加载

1
    labels:
2
      traefik.enable: true
3
      traefik.public: true
4
      traefik.docker.network: traefik_external_public_web
5
      #-----
6
      traefik.http.routers.hlpj-alist.rule: Host(`alist.homelabproject.cc`)||Host(`file.homelabproject.cc`)
7
      traefik.http.routers.hlpj-alist.entrypoints: cf
8
      traefik.http.services.hlpj-alist.loadbalancer.server.port: 5244
9
      traefik.http.routers.hlpj-alist.service: hlpj-alist
10
      #---cloudflared---
11
      cloudflare.tunnel.enable: "true"
12
      cloudflare.tunnel.0.hostname: alist.homelabproject.cc
13
      cloudflare.tunnel.0.service: http://traefik:808
14
      cloudflare.tunnel.0.zonename: homelabproject.cc
15
      cloudflare.tunnel.1.hostname: file.homelabproject.cc
16
      cloudflare.tunnel.1.service: http://traefik:808
17
      cloudflare.tunnel.1.zonename: homelabproject.cc

配置#

基础容器#

首先你需要最基础3个条件

SECERT变量直接在命令行行随机生成一个32字节的随机密钥

1
openssl rand -base64 32 | tr -dc 'a-zA-Z0-9' | head -c 32

USERS 你的用户名密码，命令行输入下面，会进入交互，记得在问你是否使用docker的时候选择yes

1
docker run -i -t --rm ghcr.io/steveiliop56/tinyauth:v3 user create --interactive

你就会得到转换完用于登陆的账号密码的bcrypt 哈希。如果你有多个账号密码用,隔开

用于验证的域名 tinyauth的访问流程：当你访问需要身份验证的域名，他会转条到tinyauth.你的域名.com验证账号密码，然后你再回到你服务的域名就能正常访问了。 所以需要提前配置好你的域名

最后，配置你下面的环境变量，启动即可

1
tinyauth:
2
  image: ghcr.io/steveiliop56/tinyauth:v3
3
  container_name: tinyauth
4
  restart: unless-stopped
5
  environment:
6
    - SECRET=some-random-32-chars-string
7
    - APP_URL=https://tinyauth.你的域名.com
8
    - USERS=your-username-password-hash
9
  labels:
10
    traefik.enable: true
11
    traefik.http.routers.tinyauth.rule: Host(`tinyauth.你的域名.com`)
12
    traefik.http.middlewares.tinyauth.forwardauth.address: http://tinyauth:3000/api/auth/traefik

配置需要验证的应用#

你只需要附带Label，添加Router的中间件，即可访问

1
labels:
2
  traefik.http.routers.[你的服务].middlewares: tinyauth@docker

总结#

tinyauth的目的本身就不是为了生产力，对于Homelab来说就是简洁高效，个人觉得还是挺好用。