One-click deployment of Authelia SSO with the Traefik reverse proxy: a practical Docker Compose guide

In today's sprawling network environments, managing the login flow of many web applications is a recurring pain point for developers. Editing hosts files by hand and configuring access rights application by application is slow and error-prone. This article shows how to use Docker Compose to stand up an Authelia single sign-on system with Traefik as the reverse proxy, giving you an access-control layer that works out of the box.

1. Stack overview and prerequisites

Authelia is an open-source single sign-on (SSO) and two-factor authentication (2FA) portal designed for self-hosted applications. It supports several authentication backends and integrates with reverse proxies through forward authentication, so every internal application shares one login. Traefik is a modern reverse proxy and load balancer with automatic service discovery and Let's Encrypt certificate management.

Before you start you need:
- A Linux server with Docker and Docker Compose installed (Ubuntu 20.04 recommended)
- A domain you control, for the Let's Encrypt certificates
- Basic command-line skills

Note: the listings below use yourdomain.com as a placeholder domain (and you@yourdomain.com as the ACME contact address). Replace both with your own values before deploying.

2. The docker-compose.yml file explained

The docker-compose.yml below brings up Authelia, Redis, Traefik and a demo site. Compared with a first draft it adds one piece that is easy to forget and without which nothing is protected: the `authelia` forwardAuth middleware that the protected routers reference as `authelia@docker` must itself be declared, which is done with labels on the Authelia container.

```yaml
version: "3.8"

networks:
  sso-network:
    driver: bridge

services:
  authelia:
    image: authelia/authelia:latest   # pin to a specific release in production
    container_name: authelia
    volumes:
      - ./authelia/config:/config
    networks:
      - sso-network
    environment:
      - TZ=Asia/Shanghai
    restart: unless-stopped
    labels:
      - traefik.enable=true
      - traefik.http.routers.authelia.rule=Host(`auth.yourdomain.com`)
      - traefik.http.routers.authelia.entrypoints=websecure
      - traefik.http.routers.authelia.tls.certresolver=letsencrypt
      - traefik.http.services.authelia.loadbalancer.server.port=9091
      # forwardAuth middleware used by every protected router as authelia@docker.
      # Traefik asks Authelia's /api/verify endpoint for each request; an
      # unauthenticated user is redirected to the portal given in rd=.
      - traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.yourdomain.com
      - traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true
      - traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email

  redis:
    image: redis:alpine
    container_name: redis
    volumes:
      - ./redis/data:/data
    networks:
      - sso-network
    restart: unless-stopped

  traefik:
    image: traefik:v2.6
    container_name: traefik
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # static configuration (traefik.yml) and acme.json live here
      - ./traefik/config:/etc/traefik
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - sso-network
    restart: unless-stopped
    labels:
      - traefik.enable=true
      # Dashboard served by the built-in api@internal service, behind Authelia
      - traefik.http.routers.dashboard.rule=Host(`traefik.yourdomain.com`)
      - traefik.http.routers.dashboard.entrypoints=websecure
      - traefik.http.routers.dashboard.tls.certresolver=letsencrypt
      - traefik.http.routers.dashboard.service=api@internal
      - traefik.http.routers.dashboard.middlewares=authelia@docker

  whoami:
    image: traefik/whoami   # containous/whoami is the older name of the same image
    container_name: whoami
    networks:
      - sso-network
    labels:
      - traefik.enable=true
      - traefik.http.routers.whoami.rule=Host(`app.yourdomain.com`)
      - traefik.http.routers.whoami.entrypoints=websecure
      - traefik.http.routers.whoami.tls.certresolver=letsencrypt
      - traefik.http.routers.whoami.middlewares=authelia@docker
```

Key points of this file:
- A dedicated `sso-network` keeps these containers separate from other projects on the host.
- Authelia's configuration is mounted from the local `./authelia/config` directory.
- Traefik's static configuration (entry points, Docker provider, ACME resolver) comes from `./traefik/config/traefik.yml`, described in section 4. Traefik reads static configuration from exactly one source (file, command-line flags or environment variables, in that order of precedence), so do not also pass the same settings as `command:` flags: once the file exists the flags are ignored.
- The `authelia` forwardAuth middleware is declared once on the Authelia container; any router that should require login just adds `middlewares=authelia@docker`. A router that references an undeclared middleware is not created at all, so this label is not optional.
- The whoami service is the demo application protected by Authelia; the Traefik dashboard is exposed the same way.

3. Authelia configuration

Create two files in `./authelia/config`.

configuration.yml:

```yaml
theme: light
jwt_secret: your_secure_jwt_secret_here
default_redirection_url: https://app.yourdomain.com

server:
  host: 0.0.0.0
  port: 9091

authentication_backend:
  file:
    path: /config/users_database.yml
    password:
      algorithm: argon2id
      iterations: 3
      memory: 65536
      parallelism: 4

access_control:
  # Rules are evaluated top to bottom; the first match wins, otherwise deny.
  default_policy: deny
  rules:
    - domain: auth.yourdomain.com
      policy: bypass
    - domain: app.yourdomain.com
      policy: two_factor
    - domain: traefik.yourdomain.com
      policy: two_factor
      subject:
        - group:admins

session:
  name: authelia_session
  secret: your_session_secret_here
  expiration: 1h
  inactivity: 5m
  domain: yourdomain.com
  # Use the Redis container from the compose file for session storage
  redis:
    host: redis
    port: 6379

storage:
  encryption_key: your_encryption_key_here
  local:
    path: /config/db.sqlite3

notifier:
  # Fine for a lab: TOTP registration links are written to this file.
  # Use the smtp notifier in production.
  filesystem:
    filename: /config/notifications.txt
```

users_database.yml:

```yaml
users:
  admin:
    displayname: "Admin User"
    # placeholder; replace with output of the hash command below
    password: "$argon2id$v=19$m=65536,t=3,p=4$dGhlc2FsdHlzdHJpbmc$thehashedpassword"
    email: admin@yourdomain.com
    groups:
      - admins
  developer:
    displayname: "Developer"
    password: "$argon2id$v=19$m=65536,t=3,p=4$YW5vdGhlcnNhbHQ$anotherhashedpassword"
    email: dev@yourdomain.com
```

The password field holds a PHC-format argon2id string; note the `=` signs in `v=19` and `m=65536,t=3,p=4`, which are easy to lose when copying from a rendered page and without which Authelia rejects the hash. Generate a real hash with the container (recent images replaced the old `authelia hash-password` subcommand with `crypto hash generate`; omit `--password` to be prompted instead of leaving the password in your shell history):

```sh
docker run --rm authelia/authelia:latest authelia crypto hash generate argon2 --password 'yourpassword'
```

4. Traefik configuration

Create `traefik.yml` in `./traefik/config`:

```yaml
api:
  dashboard: true
  # true would serve the dashboard unauthenticated on port 8080; the dashboard
  # router in docker-compose.yml exposes api@internal behind Authelia instead
  insecure: false

# enables the /ping endpoint used by `traefik healthcheck`
ping: {}

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"

providers:
  docker:
    endpoint: unix:///var/run/docker.sock
    exposedByDefault: false

certificatesResolvers:
  letsencrypt:
    acme:
      email: you@yourdomain.com
      storage: /etc/traefik/acme.json
      httpChallenge:
        entryPoint: web

# performance tuning
serversTransport:
  maxIdleConnsPerHost: 200
  forwardingTimeouts:
    dialTimeout: 30s
    responseHeaderTimeout: 0s

log:
  level: INFO
  format: json
```

Two details matter here. `exposedByDefault: false` means only containers carrying `traefik.enable=true` are published, so a newly added service cannot accidentally bypass Authelia. And `acme.json` must exist with mode 0600 before the first start, or Traefik refuses to use it for certificate storage.

5. Deployment and testing

Start the stack:

```sh
touch ./traefik/config/acme.json && chmod 600 ./traefik/config/acme.json
docker-compose up -d
docker-compose ps   # all four containers should be Up
```

Test the login flow:
- Open https://app.yourdomain.com directly; you should be redirected to the Authelia portal at auth.yourdomain.com.
- Log in with a user from users_database.yml. Because the rule for app.yourdomain.com is `two_factor`, the first login asks you to register a TOTP device; with the filesystem notifier the registration link is written to `./authelia/config/notifications.txt`.
- After a successful login you are sent back to the whoami page, which prints the Remote-User and Remote-Groups headers Traefik received from Authelia.

Management interfaces:
- Traefik dashboard: https://traefik.yourdomain.com (members of the admins group only, per the access_control rule)
- Authelia API documentation: https://auth.yourdomain.com/api/

Troubleshooting:

```sh
# Authelia logs; configuration errors appear here at startup
docker logs authelia
# Redis connectivity
docker exec -it redis redis-cli ping
# Traefik has no config-check subcommand; its startup log reports bad configuration
docker logs traefik
# liveness probe, requires `ping: {}` in traefik.yml
docker exec traefik traefik healthcheck
```

6. Recommendations for production

Security hardening:
- Replace every secret and password from the examples (`jwt_secret`, `session.secret`, `storage.encryption_key`, the user hashes); the three secrets should be long random values, not words.
- Move from SQLite to PostgreSQL or MySQL storage.
- Configure the SMTP notifier so that identity verification and TOTP registration mails actually reach users.
- Back up `./authelia/config` (db.sqlite3 holds the users' registered TOTP and WebAuthn devices), `acme.json` and the Redis data directory.
- Pin image tags instead of `latest` so an upgrade is a deliberate step.

Resource limits and health checks (added to the authelia service in docker-compose.yml; `deploy.resources` is honoured by Docker Compose v2, while the legacy docker-compose v1 only applies it with `--compatibility`):

```yaml
  authelia:
    deploy:
      resources:
        limits:
          cpus: "1"
          memory: 512M
        reservations:
          memory: 256M
    # The official image already ships a HEALTHCHECK that probes /api/health;
    # this overrides the interval and timeout.
    healthcheck:
      test: ["CMD", "wget", "--quiet", "--spider", "http://localhost:9091/api/health"]
      interval: 30s
      timeout: 5s
      retries: 3
```

Monitoring:
- Prometheus metrics endpoints of Traefik and Authelia
- Log shipping to ELK or Loki (the JSON log format above is meant for this)
- Alerts on failed health checks

In real deployments, sensible session timeouts and password policy made a noticeable difference to security. For team use, manage users through LDAP or Active Directory rather than the file backend.
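The `access_control` section in section 3 is where most lock-outs and accidental exposures come from, so it helps to see the matching algorithm written out. The following is an added example, not Authelia's own code: a simplified model of how Authelia chooses the policy for a forwardAuth request (rules top to bottom, first match wins, otherwise `default_policy`). The rule set is constructed from the article's configuration.yml plus two wildcard/resource rules that are assumptions added only to exercise the matcher; subject handling is simplified to an OR over entries and ignores the way Authelia first forces anonymous users to log in before re-evaluating a subject rule.

```python
"""Evaluate Authelia-style access_control rules for a request.

Added example (not Authelia's own code): a simplified model of how Authelia
picks the policy for a forwardAuth request. Rules are checked from top to
bottom; the first rule whose domain, resources and subject all match wins,
otherwise default_policy applies.
"""
import re
from typing import Iterable, Optional

# Constructed rule set mirroring configuration.yml from the article, plus two
# wildcard/resource rules (assumptions) added only to exercise the matcher.
DEFAULT_POLICY = "deny"
RULES = [
    {"domain": "auth.yourdomain.com", "policy": "bypass"},
    {"domain": "app.yourdomain.com", "policy": "two_factor"},
    {"domain": "traefik.yourdomain.com", "policy": "two_factor",
     "subject": ["group:admins"]},
    {"domain": "*.internal.yourdomain.com", "resources": ["^/api/.*$"],
     "policy": "deny"},
    {"domain": "*.internal.yourdomain.com", "policy": "one_factor"},
]


def domain_matches(pattern: str, host: str) -> bool:
    """Exact match, or a leading '*.' wildcard that matches any subdomain
    (but not the apex itself), which is how Authelia treats '*.example.com'."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def resource_matches(resources: Optional[Iterable[str]], path: str) -> bool:
    """No resources key means every path; otherwise any regex must match."""
    if not resources:
        return True
    return any(re.search(expr, path) for expr in resources)


def subject_matches(subjects: Optional[Iterable[str]], user: Optional[str],
                    groups: Iterable[str]) -> bool:
    """A rule without subject applies to everyone. With subject, an
    authenticated user must satisfy at least one 'user:<name>' or
    'group:<name>' entry (ORed here; Authelia also supports nested lists that
    are ANDed). Anonymous requests never satisfy a subject rule in this model,
    whereas Authelia would first require login and then re-evaluate."""
    if not subjects:
        return True
    if user is None:
        return False
    groups = set(groups)
    for entry in subjects:
        kind, _, name = entry.partition(":")
        if (kind == "user" and name == user) or (kind == "group" and name in groups):
            return True
    return False


def evaluate(rules, host: str, path: str = "/", user: Optional[str] = None,
             groups: Iterable[str] = (), default_policy: str = DEFAULT_POLICY) -> str:
    """Return the policy that applies: first matching rule wins."""
    for rule in rules:
        if (domain_matches(rule["domain"], host)
                and resource_matches(rule.get("resources"), path)
                and subject_matches(rule.get("subject"), user, groups)):
            return rule["policy"]
    return default_policy


if __name__ == "__main__":
    for host, path, user, groups in [
        ("app.yourdomain.com", "/", None, ()),
        ("traefik.yourdomain.com", "/dashboard/", "admin", ("admins",)),
        ("traefik.yourdomain.com", "/dashboard/", "developer", ()),
        ("wiki.internal.yourdomain.com", "/api/pages", None, ()),
        ("internal.yourdomain.com", "/", None, ()),
    ]:
        print(f"{host}{path} user={user}: {evaluate(RULES, host, path, user, groups)}")
```

Two behaviours worth noticing when you run it: the wildcard `*.internal.yourdomain.com` does not cover the apex `internal.yourdomain.com`, which therefore falls through to `deny`, and a developer who is logged in but not in `admins` is denied on the dashboard rather than prompted again, because no later rule matches and `default_policy` applies.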
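Because the users_database.yml hashes in section 3 are pasted by hand, a small linter that validates the PHC string and its cost parameters before the container starts saves a failed deploy. This is an added example, not part of Authelia; the sample users, their salts and hash bodies are constructed placeholders of the right shape, not real argon2 output, and the minimum parameters are the ones the article's configuration.yml sets (m=65536, t=3, p=4).

```python
"""Lint the password hashes in users_database.yml.

Added example, not part of Authelia. Authelia's file backend stores argon2id
hashes in PHC string format:
    $argon2id$v=19$m=65536,t=3,p=4$<salt>$<hash>
with salt and hash as unpadded base64. The parser below checks that every
user has a well-formed hash whose cost parameters are at least those the
article configures, so that a plaintext password, a hash pasted with the '='
signs stripped, or a weak hash from an old tool is caught before deploy.
"""
import re

PHC_RE = re.compile(
    r"^\$(?P<id>argon2id|argon2i|argon2d)\$v=(?P<v>\d+)"
    r"\$m=(?P<m>\d+),t=(?P<t>\d+),p=(?P<p>\d+)"
    r"\$(?P<salt>[A-Za-z0-9+/]+)\$(?P<hash>[A-Za-z0-9+/]+)$"
)
# Minimum cost parameters, taken from configuration.yml in the article.
MIN_PARAMS = {"m": 65536, "t": 3, "p": 4}
MIN_SALT_CHARS = 22  # 16 bytes of salt, base64 without padding

# Constructed sample users; salts and hashes are placeholders, not real
# argon2 output, chosen only to have the right shape and length.
SAMPLE_USERS = {
    "admin": {"password": "$argon2id$v=19$m=65536,t=3,p=4$"
                          "dGhlc2FsdHlzdHJpbmcxMjM0$"
                          "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY3ODkw"},
    "developer": {"password": "$argon2id$v=19$m=4096,t=1,p=1$"
                              "YW5vdGhlcnNhbHQxMjM0NTY3OA$"
                              "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY3ODkw"},
    "intern": {"password": "hunter2"},
}


def parse_phc(value: str):
    """Return the components of a PHC argon2 string, or None if malformed."""
    m = PHC_RE.match(value)
    if not m:
        return None
    parts = m.groupdict()
    for key in ("v", "m", "t", "p"):
        parts[key] = int(parts[key])
    return parts


def lint_password(value: str):
    """Return a list of problems for one password field (empty = acceptable)."""
    parsed = parse_phc(value)
    if parsed is None:
        return ["not a PHC argon2 string (plaintext, or '=' signs lost in copy/paste?)"]
    problems = []
    if parsed["id"] != "argon2id":
        problems.append(f"variant {parsed['id']} used instead of argon2id")
    if parsed["v"] != 19:
        problems.append(f"unexpected argon2 version {parsed['v']}")
    for key, minimum in MIN_PARAMS.items():
        if parsed[key] < minimum:
            problems.append(f"{key}={parsed[key]} is below the configured minimum {minimum}")
    if len(parsed["salt"]) < MIN_SALT_CHARS:
        problems.append("salt shorter than 16 bytes")
    return problems


def lint_users(users):
    """Map each user name to its list of problems."""
    return {name: lint_password(entry.get("password", ""))
            for name, entry in users.items()}


if __name__ == "__main__":
    for name, problems in lint_users(SAMPLE_USERS).items():
        print(name, "OK" if not problems else problems)
```

Run it against the real file by loading the YAML into a dict with the same shape (PyYAML's `safe_load(...)["users"]`); the parser deliberately uses only the standard library so it can run in CI before `docker-compose up`.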
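The first hardening item in section 6, replacing the example secrets, is best done without ever putting the values into configuration.yml. The script below is an added example, not part of Authelia or the article. It relies on Authelia's documented `AUTHELIA_*_FILE` environment variables, which make Authelia read a setting's value from a file; a secret supplied that way must then be removed from configuration.yml, since Authelia refuses to start when a value is given both ways. The host directory, the `/secrets` mount point inside the container and the file names are assumptions for this example.

```python
"""Generate Authelia's secrets as 0600 files instead of literals in configuration.yml.

Added example, not part of Authelia or the article. Assumes the documented
AUTHELIA_*_FILE environment variables and a /secrets bind mount into the
authelia container (mount point and file names are assumptions).
"""
import os
import pathlib
import secrets
import stat
import tempfile

# Environment variable -> file name under the secrets directory.
SECRET_FILES = {
    "AUTHELIA_JWT_SECRET_FILE": "jwt_secret",
    "AUTHELIA_SESSION_SECRET_FILE": "session_secret",
    "AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE": "storage_encryption_key",
}
CONTAINER_MOUNT = "/secrets"  # assumed mount point inside the authelia container


def write_secret(path: pathlib.Path, nbytes: int = 32) -> str:
    """Write a fresh random hex secret, creating the file with mode 0600 and
    refusing to overwrite an existing one (O_EXCL) so a re-run cannot silently
    rotate the storage encryption key and lock you out of the database."""
    value = secrets.token_hex(nbytes)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(value)
    return value


def generate_secrets(directory) -> dict:
    """Create all secret files; return {env var: path inside the container}."""
    base = pathlib.Path(directory)
    base.mkdir(parents=True, exist_ok=True)
    env = {}
    for var, name in SECRET_FILES.items():
        write_secret(base / name)
        env[var] = f"{CONTAINER_MOUNT}/{name}"
    return env


def inspect_secrets(directory) -> dict:
    """Return {name: (length, permission bits)} for each secret file."""
    result = {}
    for name in SECRET_FILES.values():
        p = pathlib.Path(directory) / name
        result[name] = (len(p.read_text()), stat.S_IMODE(p.stat().st_mode))
    return result


def compose_environment(env: dict) -> list:
    """Lines to paste under services.authelia.environment in docker-compose.yml."""
    return [f"- {var}={path}" for var, path in env.items()]


def demo() -> dict:
    """Run the whole flow in a temporary directory and report what was written."""
    tmp = tempfile.mkdtemp(prefix="authelia-secrets-")
    env = generate_secrets(tmp)
    return {"dir": tmp, "env": env, "files": inspect_secrets(tmp),
            "compose": compose_environment(env)}


if __name__ == "__main__":
    out = demo()
    print("\n".join(out["compose"]))
    print(out["files"])
```

Mount the directory read-only into the container (`./secrets:/secrets:ro`), add the printed lines to the `environment:` block, and delete `jwt_secret`, `session.secret` and `storage.encryption_key` from configuration.yml. Keep a backup of `storage_encryption_key` with the database backup: without it the stored TOTP and WebAuthn data cannot be decrypted.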