Overview
Authelia login portal
The Authelia single sign-on login portal, served over HTTPS through the nginx reverse proxy, prompting for the first-factor username and password.
Authelia login portal
Signing in to the portal
Protected page after login
This is a repackaged open source software product wherein additional charges apply for cloudimg support services.
Why This AMI Over Manual Deployment
Deploying Authelia from scratch requires installing the binary, configuring a reverse proxy integration, generating cryptographic secrets, setting up storage backends, and wiring forward-authentication headers - a process that can take hours and leaves room for insecure defaults. This AMI eliminates that effort: a complete forward-authentication gateway is running within minutes of launch, with unique credentials and secrets generated automatically. Unlike default installs that ship shared secrets or require manual key generation, every instance boots with fresh argon2id-hashed credentials and unique session, storage encryption, and identity validation tokens. Compared to container orchestration approaches, this AMI runs as native systemd services with no Docker dependency, simplifying operations on a single EC2 instance.
Application Stack
The Authelia server binary installed under /usr/local/bin and run by a dedicated unprivileged service account, bound to loopback so it is never exposed without the proxy. A local SQLite storage database and the file-based user database reside on a dedicated data disk so identity state is independently resizable. An nginx reverse proxy publishes the Authelia login portal over HTTPS and runs the standard forward-authentication integration. A demo protected location is guarded by Authelia, so you can see the full redirect-to-portal, log-in, return-to-application flow end to end out of the box.
Forward Authentication Flow
The nginx proxy asks Authelia to authorize every request to a protected resource. Unauthenticated requests are redirected to the Authelia portal, the user signs in once, and is returned to the application. The same single sign-on session then satisfies every other application behind the same proxy. Access is governed by a clear per-resource policy: bypass, one factor, or two factor.
Ecosystem Compatibility
Authelia integrates with multiple identity backends including OpenLDAP, Microsoft Active Directory, and FreeIPA, as well as its built-in file-based user database. For email notifications and password resets, configure SMTP with Amazon SES, Gmail SMTP, SendGrid, or any standards-compliant mail relay. While this AMI ships with nginx, Authelia also supports forward-authentication with Traefik, HAProxy, and Caddy. For DNS and TLS, pair with AWS Route 53 for domain management and AWS Certificate Manager for automated certificate provisioning.
Secure First Boot
On the first boot of your instance, a one-shot service generates a fresh administrator password unique to that instance, along with fresh cryptographic secrets for the session, the storage encryption key, and the identity validation tokens. The password is argon2id-hashed into the user database and written to a root-only file. No shared or default credentials and no shared secrets ship in the image.
Use Case: Internal DevOps Tooling
A small DevOps team protecting internal dashboards such as Grafana, Jenkins, and Kibana behind a single login portal. Rather than configuring authentication individually on each tool, place them behind the nginx-Authelia gateway and define one-factor or two-factor policies per resource. New services are added with a single nginx location block and one access control rule - no application-level auth code required.
Additional Use Cases
- A single sign-on and two-factor gateway in front of internal web applications
- Protecting admin panels and home lab services that have no authentication of their own
- A self-hosted alternative to commercial identity-aware proxies like Cloudflare Access
- A reference forward-authentication deployment to build your own access-controlled stack on
Getting Started
Launch the AMI, retrieve the generated admin password from the root-only file, and visit the HTTPS endpoint to see the Authelia login portal. Sign in with the administrator credentials to reach the demo protected page. To bring your own applications under single sign-on, point them at the proxy and add an access control rule - a simple one-line change swaps the bundled demo domain for your own.
cloudimg Support
24/7 technical support by email and live chat. Our engineers help with deployment, reverse proxy and forward-authentication configuration, access control rules, two-factor enrolment, LDAP or file user backends, SMTP notifications, TLS setup, and bringing your own applications under single sign-on.
All product and company names are trademarks or registered trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.
Highlights
- Production-ready in minutes: Authelia SSO and MFA server pre-configured as a systemd service behind nginx with a working demo app. No manual installation, no reverse proxy wiring, no secret generation required. Launch the AMI and the full forward-authentication gateway is operational, saving hours compared to manual deployment or container orchestration setups.
- Zero default credentials: every instance generates its own unique admin password and fresh cryptographic secrets (session, storage encryption, identity validation) on first boot. Credentials are argon2id-hashed and stored in root-only files. No shared secrets ship in the image, eliminating the credential-sharing risk common in default installations.
- Flexible ecosystem integration with 24/7 cloudimg support: Authelia works with OpenLDAP, Microsoft Active Directory, and FreeIPA for identity backends, plus Amazon SES, Gmail SMTP, or SendGrid for notifications. Per-resource access policies (bypass, one-factor, two-factor) protect any number of applications. Identity state lives on a dedicated resizable data disk. Expert support covers deployment, configuration, and troubleshooting.
Details
Introducing multi-product solutions
You can now purchase comprehensive solutions tailored to use cases and industries.
Features and programs
Financing for AWS Marketplace purchases
Pricing
Free trial
- ...
Dimension | Description | Cost/hour |
|---|---|---|
t3.small Recommended | t3.small | $0.04 |
t3.micro | t3.micro instance type | $0.04 |
t2.micro | t2.micro instance type | $0.04 |
m8i.8xlarge | m8i.8xlarge instance type | $0.24 |
m5dn.metal | m5dn.metal instance type | $0.24 |
i4i.large | i4i.large instance type | $0.08 |
i4i.8xlarge | i4i.8xlarge instance type | $0.24 |
r5ad.xlarge | r5ad.xlarge instance type | $0.12 |
m5ad.16xlarge | m5ad.16xlarge instance type | $0.24 |
r5n.16xlarge | r5n.16xlarge instance type | $0.24 |
Vendor refund policy
Refunds available on request.
How can we make this page better?
Legal
Vendor terms and conditions
Content disclaimer
Delivery details
64-bit (x86) Amazon Machine Image (AMI)
Amazon Machine Image (AMI)
An AMI is a virtual image that provides the information required to launch an instance. Amazon EC2 (Elastic Compute Cloud) instances are virtual servers on which you can run your applications and workloads, offering varying combinations of CPU, memory, storage, and networking resources. You can launch as many instances from as many different AMIs as you need.
Version release notes
Initial release of Authelia 4.39.20 single sign-on and multi-factor authentication server with an nginx forward-authentication reverse proxy and a demo protected application.
Additional details
Usage instructions
Connect via SSH on port 22 as the default login user for your operating system variant (the user guide lists it per variant). Retrieve the generated credentials with: sudo cat /root/authelia-credentials.txt. The Authelia login portal and a demo protected page are served over HTTPS (port 443) through nginx; port 80 redirects to HTTPS. Because Authelia requires a real domain for its session cookies (an IP address cannot be used) and a secure https scheme for its session URLs, the image ships a self-contained demo domain authelia.local served with a self-signed certificate. To try the demo flow from your workstation, add a line mapping authelia.local and secure.authelia.local to the instance public IP in your workstation hosts file, then browse to https://secure.authelia.local/secure and accept the self-signed certificate warning: you are redirected to the Authelia portal, sign in with user admin and the generated password, and are returned to the protected page. For production, edit /etc/authelia/configuration.yml to set your own domain (https) under session.cookies and access_control, replace the self-signed certificate in /etc/nginx/tls/ with a real certificate for your domain, point your applications at the nginx proxy and add an access control rule per application; the user guide walks through it plus two factor authentication. Authelia data (the SQLite database, secrets and notifications) lives on a dedicated data disk mounted at /var/lib/authelia.
Resources
Vendor resources
Support
Vendor support
cloudimg Support
cloudimg provides 24/7 technical support for this product by email and live chat. Critical issues receive a one-hour average response time.
What We Help With:
- Deployment and initial configuration
- Reverse proxy and forward-authentication setup
- Access control rule configuration (bypass, one-factor, two-factor policies)
- Two-factor authentication enrolment
- LDAP and file-based user backend configuration (OpenLDAP, Active Directory, FreeIPA)
- SMTP notification setup (Amazon SES, Gmail, SendGrid)
- TLS certificate configuration
- Bringing your own applications under single sign-on
- Domain swap from demo to production
- Performance tuning and troubleshooting
- Updates and security patching guidance
Getting Started After Launch:
- Ensure your security group allows inbound traffic on ports 443 (HTTPS) and 22 (SSH)
- SSH into the instance and retrieve the generated admin password from the root-only credential file
- Visit the instance HTTPS endpoint to access the Authelia login portal
- Sign in with the admin credentials to verify the demo protected application works
- Swap the demo domain for your own with a single configuration line change
Contact: support@cloudimg.co.uk
For refund requests, troubleshooting, or any product issues, contact us via email or live chat and our engineers will respond promptly.
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.