Security Azure

Rauthy on Ubuntu 24.04 on Azure User Guide

| Product: Rauthy on Ubuntu 24.04 LTS on Azure

Overview

This guide covers the deployment and configuration of Rauthy on Ubuntu 24.04 on Azure using cloudimg Azure Marketplace images. Rauthy is an open source, self hosted OpenID Connect (OIDC) provider and identity and access management server. It lets you run your own single sign on for your applications: it issues signed OIDC and OAuth2 tokens, manages users, clients, roles, scopes and sessions, and supports passwords and passkeys, all from a clean admin console and an account self service interface.

The image installs the latest stable Rauthy release, taken directly from the official upstream container image and recorded with its digest in /opt/rauthy/VERSION. Rauthy runs as a single self contained Rust binary under systemd as the unprivileged rauthy system user and binds to loopback only (127.0.0.1:8080), backed by an embedded Hiqlite (SQLite and Raft) store that needs no external database. nginx is the sole network facing surface and terminates TLS on port 443, reverse proxying to Rauthy so the OIDC issuer is served over HTTPS.

The image ships with no known login. Rauthy applies its bootstrap admin password only while initialising an empty database, and the captured image ships an empty database with no baked secrets. On the first boot of every instance, a one shot service generates a unique admin password, unique encryption keys and unique internal secrets for that specific instance, boots Rauthy against the empty database so it creates the admin@localhost user with that per instance password, and writes it to a file that only the root user can read. No credentials and no key material are ever shared between instances.

What is included:

  • The latest stable Rauthy release (the official upstream binary, with its full admin and account web UI embedded), run under systemd as the unprivileged rauthy system user

  • Rauthy and its internal Raft ports bound to loopback only (127.0.0.1:8080, 127.0.0.1:8100, 127.0.0.1:8200) — none are network exposed

  • An embedded Hiqlite (SQLite and Raft) store, so a full identity provider runs with no separate database to operate

  • nginx terminating TLS on :443 and reverse proxying to Rauthy, with HSTS and sensible security headers

  • Port :80 returns a 301 redirect to HTTPS for every path except an unauthenticated /healthz endpoint (HTTP 200) for load balancer probes

  • A self signed TLS certificate regenerated per VM on first boot (SAN includes the VM public IP, hostname and 127.0.0.1) — replace it with your own CA signed certificate for production

  • A per instance admin password generated on first boot into /root/rauthy-credentials.txt (readable by root only) — no default or shared credential is ever baked in

  • A built in self test at /opt/rauthy/rauthy-selftest.sh that proves the admin login round trip end to end over TLS

  • Ubuntu 24.04 LTS base with latest security patches applied at build time

  • Azure Linux Agent for seamless cloud integration and SSH key injection

  • 24/7 cloudimg support with guaranteed 24 hour response SLA

Prerequisites

  • An Azure subscription with permission to deploy virtual machines

  • An SSH key pair for administrative access to the VM as the azureuser account

  • A Network Security Group allowing inbound TCP 443 (HTTPS) and 80 (redirect) from the networks that should reach the service, and 22 (SSH) from your management network only

  • A recommended size of Standard_B2s or larger

Step 1: Deploy from the Azure Portal

  1. Locate the Rauthy on Ubuntu 24.04 LTS by cloudimg image in the Azure Marketplace and select Create.

  2. Choose your subscription, resource group and region.

  3. Select a VM size (Standard_B2s or larger) and provide your SSH public key for the azureuser account.

  4. On the Networking tab, allow inbound 443 and 80 from the clients and applications that will use single sign on, and restrict 22 to your management network.

  5. Review and create. When the VM is running, browse to https://<your-public-ip>/auth/v1/account.

Step 2: Deploy from the Azure CLI

You can deploy the same image from the Azure CLI. Replace the resource group, location and image URN as needed:

az vm create \
  --resource-group my-rauthy-rg \
  --name rauthy \
  --image <cloudimg-rauthy-image-urn> \
  --size Standard_B2s \
  --admin-username azureuser \
  --generate-ssh-keys \
  --public-ip-sku Standard
# then open the required ports
az vm open-port --resource-group my-rauthy-rg --name rauthy --port 443 --priority 1001
az vm open-port --resource-group my-rauthy-rg --name rauthy --port 80 --priority 1002

Step 3: Verify the Rauthy and nginx services

SSH in as azureuser and confirm the services are active and that Rauthy and its internal Raft ports are bound to loopback only, with nginx the only public listener:

sudo systemctl is-active rauthy nginx rauthy-firstboot
ss -tln | grep -E ':8080|:8100|:8200|:80 |:443 '

You should see Rauthy on 127.0.0.1:8080 and its Raft ports on 127.0.0.1:8100 and 127.0.0.1:8200 (all loopback only), while nginx listens on 0.0.0.0:80 and 0.0.0.0:443.

systemctl reports rauthy, nginx and rauthy-firstboot all active, and ss shows Rauthy bound to 127.0.0.1:8080 with its Raft ports on 127.0.0.1:8100 and 127.0.0.1:8200 loopback only, while nginx listens publicly on port 80 and port 443

Step 4: Inspect the OIDC discovery document

Rauthy publishes its OpenID Connect configuration at the standard discovery URL. Confirm it answers over TLS and shows the issuer and the core OIDC endpoints your applications will use:

curl -sk https://127.0.0.1/auth/v1/.well-known/openid-configuration | python3 -m json.tool

The issuer is the public URL of this instance, and the document advertises the authorization, token, userinfo, introspection, revocation and JWKS endpoints under /auth/v1/oidc/.

The OpenID Connect discovery document served over TLS, listing the issuer plus the authorization, device, token, introspection, revocation, userinfo, end session and JWKS endpoints under the auth v1 oidc path

Step 5: Retrieve the per instance admin login

The unique admin password generated for this specific VM on first boot is written to a root only file. Read it to get the admin email and password:

sudo cat /root/rauthy-credentials.txt

The default admin user is admin@localhost. Note the rauthy.admin_password value — you will use it to log in in the next step, and you should change it immediately afterwards.

Step 6: Sign in to the Rauthy web interface

Browse to https://<your-public-ip>/auth/v1/account. Because the certificate is self signed and generated per VM, your browser will warn about the certificate the first time. Accept it (or install your own certificate, see Step 12). You are presented with the Rauthy sign in form. Enter the admin email admin@localhost and select Login, then enter the per instance password from Step 5.

The Rauthy sign in form showing the Rauthy logo, an E-Mail field pre filled with admin@localhost and a Login button

Step 7: Review the account dashboard

After signing in you land on the account page. It shows the admin user's details: email, given and family name, the rauthy_admin and admin roles, whether MFA is activated, and login and password metadata. From here you can manage MFA keys, devices, profile details and your password.

The Rauthy account dashboard for admin@localhost showing the account type of password, the rauthy_admin and admin roles, MFA not yet activated, the user enabled and email verified, and the MFA, Devices, Edit, Password and Other tabs

Step 8: Change the admin password

Open the Password tab. Rauthy shows the active password policy (minimum length, character classes and password history) and lets you set a new password, or generate a strong one. Change the per instance admin password to one you control as your first action after signing in.

The Password tab of the Rauthy account page showing the password policy requirements and the current, new and confirm password fields with a Generate Randomly button and a Save button

Step 9: Edit the admin profile

The Edit tab lets you maintain the admin user's profile details, including email, name, timezone and an optional preferred username. Rauthy exposes these standard OIDC claims to your connected applications.

The Edit tab of the Rauthy account page showing editable profile fields for email, given name, family name, birthdate, timezone, preferred username, and address and phone details, with a Save button

Step 10: Prove the admin login from the command line

The image ships a self test that proves the per instance admin credential authenticates end to end over TLS. It performs the real OIDC login flow: it rejects a wrong password with 401, then accepts the correct per instance password with 202 and an issued authorization code:

sudo /opt/rauthy/rauthy-selftest.sh

The expected output reports round-trip OK, confirming the wrong password was rejected and the correct password was accepted over TLS.

The rauthy-selftest.sh output reporting round-trip OK with the issuer, a wrong password returning 401 and the correct per instance password returning 202 plus an authorization code, proving the admin credential end to end over TLS

Step 11: Check the baked version and appliance info

The exact Rauthy version and the official source image digest baked into the image, along with the per VM appliance details, are recorded on the VM:

cat /opt/rauthy/VERSION
sudo cat /root/rauthy-credentials.txt

The /opt/rauthy/VERSION file showing the baked Rauthy version, tag, the official source image reference and digest and the binary checksum, alongside the per VM rauthy-credentials.txt with the host, admin user and the admin password masked

Step 12: Enable the admin console

Rauthy's full admin console, at /auth/v1/admin, lets you manage users, OIDC and OAuth2 clients, roles, scopes, groups, sessions and events. As a security measure, Rauthy requires the admin account to have multi factor authentication (a passkey) enabled before it will open the admin console. From the account page (Step 7), open the MFA tab, choose Register New Key to enrol a passkey, then log out and log back in. Passkeys require a real domain name, so enrol your passkey after you have pointed a DNS name at the instance and set the public URL (Step 13).

Step 13: Use your own domain and a trusted certificate (production)

The image ships a self signed certificate and is served on the instance's IP address, so it is secure out of the box but browsers will warn on the certificate and passkeys cannot be enrolled against a bare IP. For production, point a DNS name at the VM, set the public URL, and install a CA signed certificate.

First set the public URL and WebAuthn settings so the OIDC issuer and passkeys use your domain. Edit /etc/rauthy/firstboot.env and set PUB_URL, RP_ID and RP_ORIGIN to your domain, then restart Rauthy:

sudo sed -i \
  -e 's#^PUB_URL=.*#PUB_URL=<your-domain>#' \
  -e 's#^RP_ID=.*#RP_ID=<your-domain>#' \
  -e 's#^RP_ORIGIN=.*#RP_ORIGIN=https://<your-domain>:443#' \
  /etc/rauthy/firstboot.env
sudo systemctl restart rauthy

Then obtain a free CA signed certificate for your domain with Let's Encrypt:

sudo apt-get update && sudo apt-get install -y certbot python3-certbot-nginx
sudo certbot --nginx -d <your-domain>

Certbot installs the certificate into nginx and sets up automatic renewal.

Step 14: Managing the Rauthy service

sudo systemctl restart rauthy
sudo journalctl -u rauthy.service --no-pager | tail -20

Rauthy's configuration lives in /etc/rauthy/config.toml (static settings) and /etc/rauthy/firstboot.env (the per instance secrets and public URL). After editing either, run sudo systemctl restart rauthy.

Step 15: Security recommendations

  • Change the admin password immediately. The per instance password in /root/rauthy-credentials.txt is for first sign in only; change it from the account page (Step 8) as your first action.

  • Restrict SSH. Allow inbound 22 only from your management network; keep 443 (and 80 for the redirect) open to the applications and users that need single sign on.

  • Install a trusted certificate and a real domain. Replace the self signed certificate with a CA signed one (Step 13) so users are not trained to click through warnings, and so passkeys can be enrolled.

  • Enable MFA on the admin account. Rauthy already requires a passkey for the admin console; enrol one as soon as you are on your own domain.

  • Keep the image updated. Unattended security upgrades remain enabled so the OS keeps receiving patches.

Step 16: Support and Licensing

Rauthy is open source software distributed under the Apache License 2.0. This image bundles the upstream Rauthy release unmodified; the licence is retained on the image. cloudimg packaging, hardening and support are provided by cloudimg.

Deploy on Azure

Find this image on the Azure Marketplace and deploy it in minutes. See www.cloudimg.co.uk for the full catalogue.

Need Help?

cloudimg provides 24/7 support with a guaranteed 24 hour response SLA. Contact us through www.cloudimg.co.uk for deployment assistance, configuration help or any questions about this image.