Deploy a production-ready single sign-on and multi-factor authentication gateway in minutes. Authelia pre-configured with nginx forward-auth, secure first boot, and 24/7 cloudimg support.
Real screenshots of this software running on the cloudimg image, taken while testing the deployment guide.
This is a repackaged open source software product wherein additional charges apply for cloudimg support services.
## Why This AMI Over Manual Deployment
Deploying Authelia from scratch requires installing the binary, configuring a reverse proxy integration, generating cryptographic secrets, setting up storage backends, and wiring forward-authentication headers - a process that can take hours and leaves room for insecure defaults. This AMI eliminates that effort: a complete forward-authentication gateway is running within minutes of launch, with unique credentials and secrets generated automatically. Unlike default installs that ship shared secrets or require manual key generation, every instance boots with fresh argon2id-hashed credentials and unique session, storage encryption, and identity validation tokens. Compared to container orchestration approaches, this AMI runs as native systemd services with no Docker dependency, simplifying operations on a single EC2 instance.
## Application Stack
The Authelia server binary installed under /usr/local/bin and run by a dedicated unprivileged service account, bound to loopback so it is never exposed without the proxy. A local SQLite storage database and the file-based user database reside on a dedicated data disk so identity state is independently resizable. An nginx reverse proxy publishes the Authelia login portal over HTTPS and runs the standard forward-authentication integration. A demo protected location is guarded by Authelia, so you can see the full redirect-to-portal, log-in, return-to-application flow end to end out of the box.
## Forward Authentication Flow
The nginx proxy asks Authelia to authorize every request to a protected resource. Unauthenticated requests are redirected to the Authelia portal, the user signs in once, and is returned to the application. The same single sign-on session then satisfies every other application behind the same proxy. Access is governed by a clear per-resource policy: bypass, one factor, or two factor.
## Ecosystem Compatibility
Authelia integrates with multiple identity backends including OpenLDAP, Microsoft Active Directory, and FreeIPA, as well as its built-in file-based user database. For email notifications and password resets, configure SMTP with Amazon SES, Gmail SMTP, SendGrid, or any standards-compliant mail relay. While this AMI ships with nginx, Authelia also supports forward-authentication with Traefik, HAProxy, and Caddy. For DNS and TLS, pair with AWS Route 53 for domain management and AWS Certificate Manager for automated certificate provisioning.
## Secure First Boot
On the first boot of your instance, a one-shot service generates a fresh administrator password unique to that instance, along with fresh cryptographic secrets for the session, the storage encryption key, and the identity validation tokens. The password is argon2id-hashed into the user database and written to a root-only file. No shared or default credentials and no shared secrets ship in the image.
## Use Case: Internal DevOps Tooling
A small DevOps team protecting internal dashboards such as Grafana, Jenkins, and Kibana behind a single login portal. Rather than configuring authentication individually on each tool, place them behind the nginx-Authelia gateway and define one-factor or two-factor policies per resource. New services are added with a single nginx location block and one access control rule - no application-level auth code required.
## Additional Use Cases
## Getting Started
Launch the AMI, retrieve the generated admin password from the root-only file, and visit the HTTPS endpoint to see the Authelia login portal. Sign in with the administrator credentials to reach the demo protected page. To bring your own applications under single sign-on, point them at the proxy and add an access control rule - a simple one-line change swaps the bundled demo domain for your own.
## cloudimg Support
24/7 technical support by email and live chat. Our engineers help with deployment, reverse proxy and forward-authentication configuration, access control rules, two-factor enrolment, LDAP or file user backends, SMTP notifications, TLS setup, and bringing your own applications under single sign-on.
All product and company names are trademarks or registered trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.