
Authelia on Ubuntu 24.04 on Azure User Guide

Product: Authelia on Ubuntu 24.04 LTS on Azure

Overview

Authelia is the open-source authentication and authorization server that provides single sign-on and multi-factor authentication through a beautiful login portal. Used as a forward-auth provider in front of nginx or Traefik, it protects your web applications with first-factor (password) and second-factor (TOTP, WebAuthn, Duo) authentication, access-control rules, and brute-force regulation. The cloudimg image installs Authelia 4.39.20, runs it as a systemd service bound to loopback behind an nginx reverse proxy on port 80, persists its database on a dedicated Azure data disk, and generates unique secrets and an admin user on the first boot of every VM. Backed by 24/7 cloudimg support.

What is included:

  • Authelia 4.39.20 (binary /usr/bin/authelia) with a file user backend and SQLite storage
  • nginx on :80 as a reverse proxy to the loopback Authelia portal (nginx adds no authentication of its own; Authelia is the authentication layer)
  • Per-VM secrets (JWT, session, storage encryption) and an argon2id-hashed admin user generated on first boot
  • A dedicated Azure data disk at /var/lib/authelia for the database and notifications
  • authelia.service + nginx.service as systemd units, enabled and active
  • 24/7 cloudimg support

Prerequisites

An active Azure subscription, an SSH key pair, and a VNet + subnet in the target region. Standard_B2ms (2 vCPU / 8 GiB RAM) is a good starting point. NSG inbound: allow 22/tcp from your management network and 80/tcp. Authelia is domain-based - you will need a DNS name and (for production) TLS termination in front of it.

Step 1 - Deploy from the Azure Marketplace

Sign in to the Azure Portal, choose Create a resource, search the Marketplace for Authelia by cloudimg, and select Create. On Basics pick your subscription, resource group, region and size; under Administrator account choose SSH public key and paste your key; under Inbound port rules allow SSH (22) and HTTP (80). Review the dedicated data disk on the Disks tab, then Review + create -> Create.

Step 2 - Deploy from the Azure CLI

az vm create \
  --resource-group <your-rg> \
  --name authelia \
  --image <marketplace-image-urn> \
  --size Standard_B2ms \
  --admin-username azureuser \
  --ssh-key-values ~/.ssh/id_ed25519.pub \
  --vnet-name <your-vnet> --subnet <your-subnet> \
  --public-ip-sku Standard

az vm open-port --resource-group <your-rg> --name authelia --port 80 --priority 1010

Step 3 - Connect to your VM

ssh azureuser@<vm-public-ip>

Step 4 - Confirm the services are running

systemctl is-active authelia.service nginx.service

Both report active. On first boot Authelia generates its secrets and an admin user.

Step 5 - Retrieve your admin password

The admin password is generated uniquely on the first boot of your VM and written to a root-only file:

sudo cat /root/authelia-credentials.txt

This file contains AUTHELIA_ADMIN_USER (admin) and AUTHELIA_ADMIN_PASSWORD. Store the password somewhere safe.

Step 6 - Set your domain (required)

Authelia is domain-based. The image ships with a placeholder domain (example.com). Edit /etc/authelia/configuration.yml and set your domain in session.cookies[].domain and session.cookies[].authelia_url (the public HTTPS URL of the portal, e.g. https://auth.yourdomain.com), then restart:

sudo nano /etc/authelia/configuration.yml
sudo systemctl restart authelia

For production, terminate TLS in front of Authelia (the cookies require HTTPS) - see Protecting your apps.

Step 7 - Open the login portal

Browse to your Authelia URL and sign in as admin with the password from Step 5. The portal also offers a password reset flow and, once you enable it, second-factor registration (TOTP, WebAuthn).

[Screenshots: Authelia login portal; Authelia password reset]

Step 8 - Confirm the health endpoint

nginx serves an unauthenticated health endpoint for load balancers and probes:

curl -s http://localhost/health

It returns ok.

Step 9 - Verify authentication from the command line

Authelia's first-factor API rejects a wrong password and accepts the per-VM admin password:

curl -s -X POST \
  -H 'Content-Type: application/json' \
  -H 'Host: auth.example.com' \
  -H 'X-Forwarded-Proto: https' \
  -d '{"username":"admin","password":"<AUTHELIA_ADMIN_PASSWORD>","keepMeLoggedIn":false}' \
  http://localhost/api/firstfactor; echo

It returns {"status":"OK"}. (Replace auth.example.com with your configured domain.)

Step 10 - Confirm state lives on the dedicated disk

The Authelia database is stored on the dedicated Azure data disk so it survives OS changes and can be resized independently:

findmnt /var/lib/authelia

The mount is backed by a separate Azure data disk captured into the image and re-provisioned on every VM.
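Steps 4, 8, 9 and 10 are individual checks; the script below runs them together and exits non-zero if any fails, so it can be used after every deployment or from a CI job. It is an added example, not part of the cloudimg image or the Authelia project. It assumes the portal is reachable through nginx at http://localhost, that /root/authelia-credentials.txt holds KEY=value lines (so run it with sudo to exercise the admin login), and that a rejected first-factor login answers with a status other than OK (the guide only states the OK case). Set AUTHELIA_HOST to your configured domain.

```shell
#!/bin/sh
# Post-deploy verification for the cloudimg Authelia image (guide Steps 4, 8, 9, 10).
# Added example; not from the guide or the Authelia project. Assumptions are noted inline.

AUTHELIA_HOST="${AUTHELIA_HOST:-auth.example.com}"   # replace with your configured domain
BASE_URL="${BASE_URL:-http://localhost}"             # nginx front door on the VM
CRED_FILE="${CRED_FILE:-/root/authelia-credentials.txt}"  # assumed KEY=value format

# json_status BODY -> prints the value of the "status" field of an Authelia JSON reply.
json_status() {
    printf '%s' "$1" | sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# credential_value FILE KEY -> value of the first "KEY=value" line in FILE.
credential_value() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# firstfactor USER PASSWORD -> raw JSON body from /api/firstfactor (same request as Step 9).
# The password is interpolated into JSON as-is; quotes or backslashes in it would need escaping.
firstfactor() {
    curl -s -X POST \
        -H 'Content-Type: application/json' \
        -H "Host: $AUTHELIA_HOST" \
        -H 'X-Forwarded-Proto: https' \
        -d "{\"username\":\"$1\",\"password\":\"$2\",\"keepMeLoggedIn\":false}" \
        "$BASE_URL/api/firstfactor"
}

# run_checks -> returns 0 only when every live check passes; prints one line per check.
run_checks() {
    fails=0
    for unit in authelia.service nginx.service; do          # Step 4
        if systemctl is-active --quiet "$unit"; then echo "ok   $unit active"
        else echo "FAIL $unit not active"; fails=$((fails + 1)); fi
    done

    health=$(curl -s "$BASE_URL/health")                     # Step 8
    if [ "$health" = "ok" ]; then echo "ok   /health"
    else echo "FAIL /health returned '$health'"; fails=$((fails + 1)); fi

    bad=$(json_status "$(firstfactor admin definitely-wrong-password)")   # Step 9, negative case
    if [ "$bad" != "OK" ]; then echo "ok   wrong password rejected (status=$bad)"
    else echo "FAIL wrong password accepted"; fails=$((fails + 1)); fi

    if [ -r "$CRED_FILE" ]; then                             # Step 9, positive case
        pw=$(credential_value "$CRED_FILE" AUTHELIA_ADMIN_PASSWORD)
        good=$(json_status "$(firstfactor admin "$pw")")
        if [ "$good" = "OK" ]; then echo "ok   admin login accepted"
        else echo "FAIL admin login status=$good"; fails=$((fails + 1)); fi
    else
        echo "skip admin login ($CRED_FILE not readable; run with sudo)"
    fi

    if findmnt -n /var/lib/authelia >/dev/null; then         # Step 10
        echo "ok   /var/lib/authelia is a separate mount"
    else
        echo "FAIL /var/lib/authelia is not a separate mount"; fails=$((fails + 1))
    fi

    [ "$fails" -eq 0 ]
}

# Live checks run only when invoked as "sudo sh verify.sh run"; sourcing the file has no side effects.
if [ "${1:-}" = "run" ]; then run_checks; fi
```

The negative login check is deliberately run first: Authelia's brute-force regulation counts failures per user, so keep the script to a single wrong attempt per run if you schedule it.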

Protecting your apps

Authelia is a forward-auth provider. Put it behind your TLS-terminating reverse proxy (nginx or Traefik) and add an auth_request (nginx) or forwardAuth middleware (Traefik) that sends requests to Authelia's /api/authz/forward-auth endpoint. Authelia then enforces your access_control rules - redirecting unauthenticated users to the portal and adding identity headers for your apps. Add users to /etc/authelia/users_database.yml (hash passwords with authelia crypto hash generate argon2), and enable TOTP or WebAuthn for second-factor protection.
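The paragraph above describes the nginx wiring in words; the script below generates it, as an added example that is not from the cloudimg image or the Authelia project. It produces an internal location that proxies the auth_request sub-request to the /api/authz/forward-auth endpoint named above, the per-location auth_request lines that forward Authelia's Remote-* identity headers to the app and turn a 401 into a redirect to the portal, and a complete TLS server block for one app. It assumes Authelia listens on loopback port 9091 (Authelia's default; confirm in /etc/authelia/configuration.yml), that the site files live under /etc/nginx/sites-available, and that your TLS certificate directives are added where the comment indicates.

```shell
#!/bin/sh
# nginx forward-auth wiring for an app behind Authelia. Added example, not from the
# cloudimg guide or the Authelia project. Assumed: Authelia on 127.0.0.1:9091.

AUTHELIA_UPSTREAM="${AUTHELIA_UPSTREAM:-http://127.0.0.1:9091}"

# authz_location -> internal location nginx calls for every request via auth_request.
authz_location() {
    cat <<EOF
# Internal only: auth_request sub-request target.
location /internal/authelia/authz {
    internal;
    proxy_pass ${AUTHELIA_UPSTREAM}/api/authz/forward-auth;
    # Request context the forward-auth implementation needs to decide and to build the redirect.
    proxy_set_header X-Forwarded-Method \$request_method;
    proxy_set_header X-Forwarded-Proto  \$scheme;
    proxy_set_header X-Forwarded-Host   \$http_host;
    proxy_set_header X-Forwarded-URI    \$request_uri;
    proxy_set_header X-Forwarded-For    \$remote_addr;
    # The sub-request carries no body.
    proxy_set_header Content-Length "";
    proxy_pass_request_body off;
}
EOF
}

# authrequest_snippet -> lines to place inside each protected location.
authrequest_snippet() {
    cat <<'EOF'
auth_request /internal/authelia/authz;
# Identity headers Authelia returns on success, passed through to the app.
auth_request_set $user   $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
auth_request_set $name   $upstream_http_remote_name;
auth_request_set $email  $upstream_http_remote_email;
proxy_set_header Remote-User   $user;
proxy_set_header Remote-Groups $groups;
proxy_set_header Remote-Name   $name;
proxy_set_header Remote-Email  $email;
# Unauthenticated: Authelia answers 401 with a Location to the portal; redirect there.
auth_request_set $redirection_url $upstream_http_location;
error_page 401 =302 $redirection_url;
EOF
}

# protected_server HOSTNAME APP_UPSTREAM -> a complete server block for one protected app.
protected_server() {
    cat <<EOF
server {
    listen 443 ssl;
    server_name $1;
    # ssl_certificate and ssl_certificate_key go here (TLS terminates in front of Authelia).

$(authz_location | sed 's/^/    /')

    location / {
$(authrequest_snippet | sed 's/^/        /')
        proxy_pass $2;
        proxy_set_header Host \$host;
    }
}
EOF
}

# install_site HOSTNAME APP_UPSTREAM -> write the site, test the config, reload on success.
install_site() {
    protected_server "$1" "$2" > "/etc/nginx/sites-available/$1"
    ln -sf "/etc/nginx/sites-available/$1" "/etc/nginx/sites-enabled/$1"
    nginx -t && systemctl reload nginx
}
```

Usage on the VM: `sudo sh protect.sh` after appending `install_site app.yourdomain.com http://127.0.0.1:8080` to the file, or source it and call `protected_server` to inspect the output first. The app hostname must fall under the cookie domain set in Step 6, otherwise the session cookie is never presented to Authelia and every request is redirected to the portal.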

Maintenance

  • Users: edit /etc/authelia/users_database.yml; hash passwords with authelia crypto hash generate argon2.
  • Backups: snapshot the /var/lib/authelia data disk to back up the database.
  • Config: all settings are in /etc/authelia/configuration.yml; sudo systemctl restart authelia after changes.
  • Upgrades: install a newer Authelia .deb and restart the service.
  • Security patches: unattended-upgrades remains enabled so the OS continues to receive security updates automatically.
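The first maintenance item (add a user, hash the password with authelia crypto hash generate argon2, restart) is easy to get wrong by hand, so here it is as a script. It is an added example, not part of the cloudimg image or the Authelia project. It assumes users_database.yml keeps the users: map as its last top-level key with two-space indentation (so an entry can be appended), and that the CLI accepts --password and prints the digest on a line starting with "Digest: " (the CLI invocation is the guide's; the flag and output parsing are assumptions to confirm against authelia crypto hash generate argon2 --help).

```shell
#!/bin/sh
# Add a user to Authelia's file backend and restart the service. Added example, not
# from the cloudimg guide or the Authelia project. Assumptions are noted inline.

USERS_DB="${USERS_DB:-/etc/authelia/users_database.yml}"

# hash_password PASSWORD -> argon2id digest from the Authelia CLI.
# Assumed: "--password" is accepted and the digest is printed as "Digest: $argon2id$...".
# Note the password is visible on the process list for the duration of the call.
hash_password() {
    authelia crypto hash generate argon2 --password "$1" | sed -n 's/^Digest: //p'
}

# user_entry NAME DISPLAYNAME EMAIL HASH [GROUP...] -> YAML fragment for one user (2-space indent).
user_entry() {
    name=$1; display=$2; email=$3; hash=$4; shift 4
    printf '  %s:\n    disabled: false\n    displayname: "%s"\n    password: "%s"\n    email: %s\n    groups:\n' \
        "$name" "$display" "$hash" "$email"
    for g in "$@"; do printf '      - %s\n' "$g"; done
}

# user_exists NAME FILE -> 0 if NAME is already a key under users:.
user_exists() {
    grep -q "^  $1:" "$2"
}

# add_user NAME DISPLAYNAME EMAIL [GROUP...] -> prompts for the password, appends, restarts.
add_user() {
    name=$1; display=$2; email=$3; shift 3
    if user_exists "$name" "$USERS_DB"; then
        echo "user $name already exists in $USERS_DB" >&2
        return 1
    fi
    printf 'Password for %s: ' "$name"
    stty -echo; read -r pw; stty echo; echo
    hash=$(hash_password "$pw")
    if [ -z "$hash" ]; then echo "hashing failed" >&2; return 1; fi
    cp "$USERS_DB" "$USERS_DB.bak"                       # keep a copy to roll back
    user_entry "$name" "$display" "$email" "$hash" "$@" >> "$USERS_DB"
    systemctl restart authelia
}

# Example invocation (uncomment on the VM):
# add_user alice "Alice Example" alice@yourdomain.com admins
```

Authelia only reads the file backend at startup unless file watching is enabled in configuration.yml, which is why the restart is part of the function; check `journalctl -u authelia` after the restart, because a YAML indentation error in the appended entry will stop the service from starting.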

Support

cloudimg provides 24/7 expert support for this image. Contact support@cloudimg.co.uk.