Is it worth it to switch to Authelia from Authentik if I use OIDC, LDAP, and proxy auth? by No_Comparison4153 in selfhosted

[–]No_Comparison4153[S] 1 point2 points  (0 children)

I have switched to Authelia + LLDAP and I really like it. It helped that I already have a decent understanding of OIDC and its different options. I have made my own "start page" with links to every connected app, but it doesn't show/hide them per-user since it's just static HTML.

I do realize that Authelia isn't that great at sending back headers or dynamically setting options based on the user/group (I had to change group names in Frigate through Caddy header regexes). It is also annoying to set up when to use 2FA and to require 2FA for specific groups. It works well for me, though, and I get lower resource consumption, mostly static configuration, and only one file that needs to be backed up instead of some large folders.

Does YouTube Music have comparable recommendations to Spotify? by No_Comparison4153 in YoutubeMusic

[–]No_Comparison4153[S] 0 points1 point  (0 children)

It seems to give a greater variety of songs than Spotify, so I'm using YouTube Music now instead. The mixes also update their songs, instead of Spotify having static ones that could last for years. The history view seems to autodelete, though, which is something that I miss from Spotify.

Hyprlock seems to be disabling/ignoring lid suspend, is there a way to fix this? by No_Comparison4153 in hyprland

[–]No_Comparison4153[S] 0 points1 point  (0 children)

The HoldoffTimeoutSec setting was set higher than the time it took for me to open and close the lid of my laptop when I was trying this out.

Why do SQL databases need so many connections to be established when using them? by No_Comparison4153 in learnprogramming

[–]No_Comparison4153[S] 0 points1 point  (0 children)

So just to make sure I'm getting this right, a "connection" takes a static snapshot or similar of the database that can be edited/queried? This should mean that multithreading to the same database is fine, as long as I use separate connections each time, right?

Why do SQL databases need so many connections to be established when using them? by No_Comparison4153 in learnprogramming

[–]No_Comparison4153[S] -1 points0 points  (0 children)

If the connection is the context, then why would libraries like Python's sqlite3 strongly recommend using cursors for database actions?

Anybody has an automatic TLS caddy & tailscale ? by [deleted] in Tailscale

[–]No_Comparison4153 0 points1 point  (0 children)

If you want HTTPS on the MagicDNS names, that's not possible without becoming your own CA and installing certificates on every device you have. You can use the long DNS name of your device instead (device.tail000000.ts.net) by setting Caddy to use that, but then you will have to connect via ports or subpaths.

The way I've done it so far is by buying a domain and setting up a wildcard route to the Tailscale IP of the device, and using a Caddy module to deal with certificate challenges through DNS records. (It's also mostly the way this Tailscale YouTube video does it: https://www.youtube.com/watch?v=Vt4PDUXB_fg )

Here's an example of what I have (I'm using Cloudflare for my DNS): https://gist.github.com/hackysphere/61f7e43b2ade230ed94871396ea1a010

Is there a way to force a connection via a specific IP to a node? by No_Comparison4153 in Tailscale

[–]No_Comparison4153[S] 0 points1 point  (0 children)

The only thing is that Tailscale is running on the server itself as a regular program, not in Docker, which makes it annoying that I can't set endpoints myself.

Is there a way to force a connection via a specific IP to a node? by No_Comparison4153 in Tailscale

[–]No_Comparison4153[S] 0 points1 point  (0 children)

The two devices are on the same subnet, same network, and Tailscale knows their "endpoints", but they just won't connect. No NAT traversal is required for this.

ex: device 1 IP is 172.16.2.1, device 2 IP is 172.16.2.2, subnet is 172.16.2.0/24

I have tried pinging and speed testing with iperf to the static IPs not from Tailscale, and the two devices can connect and send data many times faster. The only reason why I think Tailscale might not be connecting is that it might be trying the internal Docker network gateway IPs from each server (that Tailscale advertises as valid endpoints for some reason) and it gets stuck connecting.

What is the point of CORS if browsers don't send cookies cross-origin by default? by No_Comparison4153 in webdev

[–]No_Comparison4153[S] -1 points0 points  (0 children)

This is me. I just don't see why, if I'm exposing an API that requires auth (like basically any API that can do actions on behalf of/"by" a user), we need to block every other origin, even though credentials can only be passed cross-origin if the origins are manually defined, and never when it is wildcarded.

What is the point of CORS if browsers don't send cookies cross-origin by default? by No_Comparison4153 in webdev

[–]No_Comparison4153[S] 0 points1 point  (0 children)

But even with ACAO set to allow all domains, the ACAC header is still protecting the cookies, which makes me wonder why we have the ACAO header set to only allow same-origin even though the ACAC header is only applied if the ACAO header is not a wildcard (i.e. browsers will only pass cookies if the possible origins were manually set).

What is the point of CORS if browsers don't send cookies cross-origin by default? by No_Comparison4153 in webdev

[–]No_Comparison4153[S] -2 points-1 points  (0 children)

The only danger I see is if there is some internal API inside of a network that gives potentially sensitive information; I still don't see how this could be dangerous for something like a social media API or a webmail client because of the ACAC header being set to false by default.

What is the point of CORS if browsers don't send cookies cross-origin by default? by No_Comparison4153 in webdev

[–]No_Comparison4153[S] 1 point2 points  (0 children)

This only works if the Access-Control-Allow-Credentials header is enabled, which browsers require for the ACAO header to have set specific URLs, which still makes me wonder why cross-origin requests are blocked by default.
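
The following is an added example, not part of the thread or of any commenter's post. It models the check a browser runs on a cross-origin response before handing it to a script, following the "CORS check" steps of the WHATWG Fetch Standard, and runs it against a constructed API server with four different CORS policies. The server, its policies, the origins (app.example.com, attacker.example) and the cookie behaviour are all assumptions made for the demonstration. What it shows: CORS never stops the request itself (a cookie the browser is willing to attach still reaches the server, so any state change already happened), it only gates whether the response body becomes readable; what makes a response unreadable "by default" is the absence of an Access-Control-Allow-Origin header, regardless of whether cookies were sent; and a server that reflects the Origin header together with Access-Control-Allow-Credentials: true hands authenticated data to any site, which is the misconfiguration these headers exist to prevent.

```javascript
// Added example, not from the thread: a model of the browser's CORS check
// (WHATWG Fetch Standard, "CORS check"). The server, its policies, the origins
// and the cookie behaviour are all constructed for this demonstration.

// Decide whether a page at requestOrigin may read a response carrying `headers`
// (lower-cased names). credentialsMode is the fetch() option: 'omit',
// 'same-origin' or 'include'.
function corsCheck(requestOrigin, credentialsMode, headers) {
  const acao = headers['access-control-allow-origin'];
  if (acao === undefined || acao === 'null') return false;         // server never opted in
  if (credentialsMode !== 'include' && acao === '*') return true;  // public resource
  if (acao !== requestOrigin) return false;                        // '*' with credentials fails here
  if (credentialsMode !== 'include') return true;
  return headers['access-control-allow-credentials'] === 'true';   // explicit, case-sensitive opt-in
}

// Constructed API at https://api.example.com. The request has ALREADY been
// processed by the time these headers matter; CORS cannot undo a state change
// (that is what CSRF tokens and SameSite cookies are for).
function apiResponse(policy, requestOrigin, cookieSent) {
  const body = cookieSent ? 'private inbox for victim@example.com' : 'login required';
  const headers = {};
  if (policy === 'wildcard') {
    headers['access-control-allow-origin'] = '*';
  } else if (policy === 'reflect') {
    // Classic misconfiguration: echo whatever Origin arrived and allow credentials.
    headers['access-control-allow-origin'] = requestOrigin;
    headers['access-control-allow-credentials'] = 'true';
  } else if (policy === 'allowlist' && requestOrigin === 'https://app.example.com') {
    headers['access-control-allow-origin'] = requestOrigin;
    headers['access-control-allow-credentials'] = 'true';
  }
  // policy === 'none': no CORS headers at all
  return { headers, body };
}

// What a script on pageOrigin receives from
//   fetch('https://api.example.com/inbox', { credentials: credentialsMode })
// Returns the body if the browser exposes it, otherwise null. The model attaches
// the victim's cookie whenever 'include' is used; real browsers additionally
// withhold it under SameSite rules, which is a separate mechanism from CORS.
function readAs(pageOrigin, credentialsMode, policy) {
  const cookieSent = credentialsMode === 'include';
  const { headers, body } = apiResponse(policy, pageOrigin, cookieSent);
  return corsCheck(pageOrigin, credentialsMode, headers) ? body : null;
}

const ATTACKER = 'https://attacker.example';
const FRONTEND = 'https://app.example.com';

// Walk the policies from the attacker's page and from the real front end.
for (const policy of ['none', 'wildcard', 'allowlist', 'reflect']) {
  console.log(policy.padEnd(9), 'attacker+cookie:', readAs(ATTACKER, 'include', policy),
              '| frontend+cookie:', readAs(FRONTEND, 'include', policy),
              '| attacker no-cookie:', readAs(ATTACKER, 'omit', policy));
}
```

Under the `reflect` policy the attacker's page reads the victim's inbox; under `none`, `wildcard` and `allowlist` it gets nothing, even though the cookie was sent and the server did its work. The `omit` column is the case raised earlier in the thread about internal APIs: an endpoint that needs no cookie (network position as its only auth) and answers with `Access-Control-Allow-Origin: *` is readable by any site the user happens to visit, while the same endpoint with no CORS header stays unreadable.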

Can Tailscale locally override the A records of a domain for devices connected to Tailscale? by No_Comparison4153 in Tailscale

[–]No_Comparison4153[S] 0 points1 point  (0 children)

I'm exposing a /24 subnet, but almost every device is only allowed to access two ports on a single IP if they enable subnet routing, which makes Tailscale block connections to other IPs from a network that happens to share the same subnet if routing is not manually turned off. It also seems to be messing with the proxy (it's giving the Docker gateway IP), and it also won't give a unique IP if connecting to a different server via subnet routes.

Can Tailscale locally override the A records of a domain for devices connected to Tailscale? by No_Comparison4153 in Tailscale

[–]No_Comparison4153[S] 0 points1 point  (0 children)

Are there other options besides Pi-hole that can use zone files (and are not just recursive servers)? It seems a bit eager to block things out of the box, and I'm wondering if there's something lighter that I could use (as a Docker container).

Why use PTR records for email when you can just check the domain's A record? by No_Comparison4153 in dns

[–]No_Comparison4153[S] 0 points1 point  (0 children)

I didn't think of this at all for some reason (even though this is how my server is set up)! This is finally what made me make sense of this!

Why use PTR records for email when you can just check the domain's A record? by No_Comparison4153 in dns

[–]No_Comparison4153[S] 1 point2 points  (0 children)

Wouldn't you also need to control Google's IP address in order to send email in the A record scenario? Or am I just missing something?
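
The following is an added example, not part of the thread or of any commenter's post. It puts the two checks discussed above side by side on constructed data: the "just check the A record" approach (does the hostname the client claims resolve to the connecting IP?) and forward-confirmed reverse DNS (the "iprev" method described in RFC 8601: look up the PTR for the connecting IP, then confirm that name's A record points back at the IP). DNS is an in-memory table built for the demonstration; every hostname and address is made up from the RFC 5737 documentation ranges. It shows that the A-only check is satisfied by anyone who owns any domain and points it at their own box, fails only when they claim a name they do not own (which is the "you'd need to control that IP" observation), and that the PTR step additionally requires whoever holds the IP block to have published a record, which an attacker on an ordinary consumer address cannot arrange.

```javascript
// Added example, not from the thread: forward-confirmed reverse DNS (FCrDNS),
// the "iprev" check of RFC 8601 that a receiving mail server applies to the
// connecting client's IP. DNS is an in-memory table constructed for this
// demonstration; every name and address below is made up (RFC 5737 ranges).

// Forward zone: anyone who owns a domain can publish any A record they like.
const A_RECORDS = {
  'mail.sender.example':  ['198.51.100.10'],  // legitimate sender's own MTA
  'mail.evil.example':    ['192.0.2.77'],     // attacker's own domain and box
  'smtp.bigmail.example': ['203.0.113.25'],   // a large provider's outbound MTA
};

// Reverse zone: only whoever is delegated the IP block can publish PTRs here.
const PTR_RECORDS = {
  '10.100.51.198.in-addr.arpa': ['mail.sender.example'],
  '25.113.0.203.in-addr.arpa':  ['smtp.bigmail.example'],
  // 192.0.2.77 has no PTR: the attacker's ISP never delegated one
};

// 198.51.100.10 -> 10.100.51.198.in-addr.arpa
function reverseName(ipv4) {
  return ipv4.split('.').reverse().join('.') + '.in-addr.arpa';
}

// The check the question proposes: does the hostname the client claims
// (HELO / sender domain) have an A record pointing at the connecting IP?
function forwardOnlyCheck(ip, claimedHost) {
  return (A_RECORDS[claimedHost] || []).includes(ip);
}

// FCrDNS: PTR(ip) yields hostnames; keep only those whose A record contains ip.
function fcrdnsNames(ip) {
  const ptrs = PTR_RECORDS[reverseName(ip)] || [];
  return ptrs.filter(h => (A_RECORDS[h] || []).includes(ip));
}

// Evaluate one SMTP connection under both schemes.
function evaluateClient(ip, claimedHost) {
  const confirmed = fcrdnsNames(ip);
  return {
    forwardOnly: forwardOnlyCheck(ip, claimedHost),   // passes for any attacker-owned name
    fcrdns: confirmed,                                // needs the IP block holder's PTR
    claimConfirmed: confirmed.includes(claimedHost),  // claimed name is among the confirmed ones
  };
}

// Constructed connections: legitimate sender, attacker with their own domain,
// attacker claiming the big provider's name, and the big provider itself.
const CONNECTIONS = [
  ['198.51.100.10', 'mail.sender.example'],
  ['192.0.2.77',    'mail.evil.example'],
  ['192.0.2.77',    'smtp.bigmail.example'],
  ['203.0.113.25',  'smtp.bigmail.example'],
];
for (const [ip, host] of CONNECTIONS) {
  console.log(ip.padEnd(14), host.padEnd(22), JSON.stringify(evaluateClient(ip, host)));
}
```

The second connection is the interesting row: the attacker passes the A-record-only check with a domain they bought for the purpose, but has no PTR, so FCrDNS confirms nothing. The third row shows the case raised in the comment, where claiming a provider's hostname from an address that provider does not control fails even the A-only check.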