Authelia
Lightweight authentication and authorization server that adds SSO and multi-factor authentication to any self-hosted service via reverse proxy integration. Apache-licensed and free.
Quick Start
docker run -d --name authelia -p 9091:9091 authelia/authelia:latest
Overview
Authelia is a lightweight, open-source authentication and authorization server that sits in front of your applications as a reverse proxy companion. It adds multi-factor authentication and SSO to any service you expose without those services needing to implement auth themselves.
The setup involves placing Authelia alongside your existing reverse proxy (Traefik, Nginx, or Caddy) and configuring access control policies per domain or subdomain. When a user hits a protected resource, Authelia intercepts the request, enforces the policy, and either passes them through or challenges them for a second factor. Supported second factors include TOTP, WebAuthn/passkeys, and mobile push notifications.
Access control is granular: you can require 2FA only from outside your home network, allow certain paths with single-factor auth, and block others entirely. This makes it practical for home labs, small teams, and organizations that expose self-hosted services to the internet and want something more than a password in front of them.
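The policy described above could be written as the following access_control section of Authelia's configuration file. This is an added example, not configuration from this page or from the Authelia project; the domain app.example.com, the home network range 192.168.1.0/24 and the /admin and /status paths are assumed values.

```yaml
# Added example: access_control section of an Authelia configuration file.
# app.example.com, 192.168.1.0/24, /admin and /status are assumed values.
access_control:
  # Any request that no rule below matches is refused.
  default_policy: deny

  rules:
    # Rules are evaluated top to bottom and the first match wins,
    # so the narrow path rules must come before the domain-wide ones.

    # Block one path entirely, from every network.
    - domain: app.example.com
      resources:
        - '^/admin([/?].*)?$'
      policy: deny

    # Allow one path with single-factor auth (password only),
    # including from outside the home network.
    - domain: app.example.com
      resources:
        - '^/status([/?].*)?$'
      policy: one_factor

    # Requests coming from the home network: password only.
    - domain: app.example.com
      networks:
        - 192.168.1.0/24
      policy: one_factor

    # Everything else on the domain, meaning requests from outside
    # the home network: a second factor is required.
    - domain: app.example.com
      policy: two_factor
```

The network rule is only as reliable as the client address Authelia receives, so the reverse proxy must pass the real client IP in X-Forwarded-For and must not accept that header from untrusted clients.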
The container image is under 20MB and idle resource consumption is negligible, which matters when running many services on shared hardware. Authelia does not attempt to be a full identity provider with user federation or SAML brokering. For those requirements, Keycloak is the right tool. Authelia’s value is in being the simplest possible security layer you can drop in front of any application.
Use Cases
Specific ways to use Authelia for your workflow.
Deployment Strategy
Recommended ways to host Authelia in your own environment.