mirror of
https://github.com/0rangebananaspy/authelia.git
synced 2024-09-14 22:47:21 +07:00
docs: fix regex examples (#3094)
This commit is contained in:
parent
86dcb54e4a
commit
4d7f930e74
|
@ -363,22 +363,22 @@ access_control:
|
|||
|
||||
rules:
|
||||
## Rules applied to everyone
|
||||
- domain: public.example.com
|
||||
- domain: 'public.example.com'
|
||||
policy: bypass
|
||||
|
||||
## Domain Regex examples. Generally we recommend just using a standard domain.
|
||||
# - domain_regex: "^(?P<User>\w+)\\.example\\.com$"
|
||||
# - domain_regex: '^(?P<User>\w+)\.example\.com$'
|
||||
# policy: one_factor
|
||||
# - domain_regex: "^(?P<Group>\w+)\\.example\\.com$"
|
||||
# - domain_regex: '^(?P<Group>\w+)\.example\.com$'
|
||||
# policy: one_factor
|
||||
# - domain_regex:
|
||||
# - "^appgroup-.*\\.example\\.com$"
|
||||
# - "^appgroup2-.*\\.example\\.com$"
|
||||
# - '^appgroup-.*\.example\.com$'
|
||||
# - '^appgroup2-.*\.example\.com$'
|
||||
# policy: one_factor
|
||||
# - domain_regex: "^.*\\.example.com$"
|
||||
# - domain_regex: '^.*\.example\.com$'
|
||||
# policy: two_factor
|
||||
|
||||
- domain: secure.example.com
|
||||
- domain: 'secure.example.com'
|
||||
policy: one_factor
|
||||
## Network based rule, if not provided any network matches.
|
||||
networks:
|
||||
|
@ -388,53 +388,53 @@ access_control:
|
|||
- 10.0.0.1
|
||||
|
||||
- domain:
|
||||
- secure.example.com
|
||||
- private.example.com
|
||||
- 'secure.example.com'
|
||||
- 'private.example.com'
|
||||
policy: two_factor
|
||||
|
||||
- domain: singlefactor.example.com
|
||||
- domain: 'singlefactor.example.com'
|
||||
policy: one_factor
|
||||
|
||||
## Rules applied to 'admins' group
|
||||
- domain: "mx2.mail.example.com"
|
||||
subject: "group:admins"
|
||||
- domain: 'mx2.mail.example.com'
|
||||
subject: 'group:admins'
|
||||
policy: deny
|
||||
|
||||
- domain: "*.example.com"
|
||||
- domain: '*.example.com'
|
||||
subject:
|
||||
- "group:admins"
|
||||
- "group:moderators"
|
||||
- 'group:admins'
|
||||
- 'group:moderators'
|
||||
policy: two_factor
|
||||
|
||||
## Rules applied to 'dev' group
|
||||
- domain: dev.example.com
|
||||
- domain: 'dev.example.com'
|
||||
resources:
|
||||
- '^/groups/dev/.*$'
|
||||
subject: "group:dev"
|
||||
subject: 'group:dev'
|
||||
policy: two_factor
|
||||
|
||||
## Rules applied to user 'john'
|
||||
- domain: dev.example.com
|
||||
- domain: 'dev.example.com'
|
||||
resources:
|
||||
- '^/users/john/.*$'
|
||||
subject: "user:john"
|
||||
subject: 'user:john'
|
||||
policy: two_factor
|
||||
|
||||
## Rules applied to user 'harry'
|
||||
- domain: dev.example.com
|
||||
- domain: 'dev.example.com'
|
||||
resources:
|
||||
- '^/users/harry/.*$'
|
||||
subject: "user:harry"
|
||||
subject: 'user:harry'
|
||||
policy: two_factor
|
||||
|
||||
## Rules applied to user 'bob'
|
||||
- domain: "*.mail.example.com"
|
||||
subject: "user:bob"
|
||||
- domain: '*.mail.example.com'
|
||||
subject: 'user:bob'
|
||||
policy: two_factor
|
||||
- domain: "dev.example.com"
|
||||
- domain: 'dev.example.com'
|
||||
resources:
|
||||
- '^/users/bob/.*$'
|
||||
subject: "user:bob"
|
||||
subject: 'user:bob'
|
||||
policy: two_factor
|
||||
|
||||
##
|
||||
|
|
|
@ -22,16 +22,16 @@ access_control:
|
|||
- 192.168.0.0/18
|
||||
|
||||
rules:
|
||||
- domain: public.example.com
|
||||
domain_regex: "^\d+\\.public.example.com$"
|
||||
- domain: 'public.example.com'
|
||||
domain_regex: '^\d+\.public.example.com$'
|
||||
policy: one_factor
|
||||
networks:
|
||||
- internal
|
||||
- 1.1.1.1
|
||||
subject:
|
||||
- ["user:adam"]
|
||||
- ["user:fred"]
|
||||
- ["group:admins"]
|
||||
- ['user:adam']
|
||||
- ['user:fred']
|
||||
- ['group:admins']
|
||||
methods:
|
||||
- GET
|
||||
- HEAD
|
||||
|
@ -156,10 +156,10 @@ different ways.*
|
|||
```yaml
|
||||
access_control:
|
||||
rules:
|
||||
- domain: "*.example.com"
|
||||
- domain: '*.example.com'
|
||||
policy: bypass
|
||||
- domain:
|
||||
- "*.example.com"
|
||||
- '*.example.com'
|
||||
policy: bypass
|
||||
```
|
||||
|
||||
|
@ -169,7 +169,7 @@ list are effectively the same rule just expressed in different ways.*
|
|||
```yaml
|
||||
access_control:
|
||||
rules:
|
||||
- domain: ["apple.example.com", "banana.example.com"]
|
||||
- domain: ['apple.example.com', 'banana.example.com']
|
||||
policy: bypass
|
||||
- domain:
|
||||
- apple.example.com
|
||||
|
@ -190,14 +190,13 @@ _**Required:** This criteria OR the [domain](#domain) criteria are required._
|
|||
_**Important Note:** If you intend to use this criteria with a bypass rule please read
|
||||
[bypass and subjects](#bypass-and-user-identity) before doing so._
|
||||
|
||||
_**Important Note:** to utilize regex you must escape it properly. See [regex](./index.md#regex) for more information._
|
||||
|
||||
This criteria matches the domain name and has two methods of configuration, either as a single string or as a list of
|
||||
strings. When it's a list of strings the rule matches when **any** of the domains in the list match the request domain.
|
||||
When used in conjunction with [domain](#domain) the rule will match when either the [domain](#domain) or the
|
||||
[domain_regex](#domain_regex) criteria matches.
|
||||
|
||||
As this is a regex string you will either need to use single quotes or need to double-escape certain portions of the
|
||||
regex in order make this work.
|
||||
|
||||
This criteria takes any standard go regex pattern to match the requests. We additionally utilize two special named match
|
||||
groups which match attributes of the user:
|
||||
|
||||
|
@ -221,8 +220,8 @@ access_control:
|
|||
- banana.example.com
|
||||
policy: bypass
|
||||
- domain_regex:
|
||||
- "^user-(?P<User>\w+)\\.example\\.com$"
|
||||
- "^group-(?P<Group>\w+)\\.example\\.com$"
|
||||
- '^user-(?P<User>\w+)\.example\.com$'
|
||||
- '^group-(?P<Group>\w+)\.example\.com$'
|
||||
policy: one_factor
|
||||
```
|
||||
|
||||
|
@ -407,17 +406,15 @@ required: no
|
|||
{: .label .label-config .label-green }
|
||||
</div>
|
||||
|
||||
_**Important Note:** to utilize regex you must escape it properly. See [regex](./index.md#regex) for more information._
|
||||
|
||||
This criteria matches the path and query of the request using regular expressions. The rule is expressed as a list of
|
||||
strings. If any one of the regular expressions in the list matches the request it's considered a match. A useful tool
|
||||
for debugging these regular expressions is called [Rego](https://regoio.herokuapp.com/).
|
||||
|
||||
***Note:** Prior to 4.27.0 the regular expressions only matched the path excluding the query parameters. After 4.27.0
|
||||
_**Note:** Prior to 4.27.0 the regular expressions only matched the path excluding the query parameters. After 4.27.0
|
||||
they match the entire path including the query parameters. When upgrading you may be required to alter some of your
|
||||
resource rules to get them to operate as they previously did.*
|
||||
|
||||
As this is a regex string you will either need to use single quotes or need to double-escape certain portions of the
|
||||
regex in order make this work. If you don't do either of these things either the regex may not be parsed, or it may not
|
||||
be parsed correctly. It's technically optional but will likely save you a lot of time if you do it for all resource rules.
|
||||
resource rules to get them to operate as they previously did._
|
||||
|
||||
Examples:
|
||||
|
||||
|
@ -487,15 +484,15 @@ access_control:
|
|||
- name: VPN
|
||||
networks: 10.9.0.0/16
|
||||
rules:
|
||||
- domain: public.example.com
|
||||
- domain: 'public.example.com'
|
||||
policy: bypass
|
||||
|
||||
- domain: "*.example.com"
|
||||
- domain: '*.example.com'
|
||||
policy: bypass
|
||||
methods:
|
||||
- OPTIONS
|
||||
|
||||
- domain: secure.example.com
|
||||
- domain: 'secure.example.com'
|
||||
policy: one_factor
|
||||
networks:
|
||||
- internal
|
||||
|
@ -504,37 +501,37 @@ access_control:
|
|||
- 10.0.0.1
|
||||
|
||||
- domain:
|
||||
- secure.example.com
|
||||
- private.example.com
|
||||
- 'secure.example.com'
|
||||
- 'private.example.com'
|
||||
policy: two_factor
|
||||
|
||||
- domain: singlefactor.example.com
|
||||
- domain: 'singlefactor.example.com'
|
||||
policy: one_factor
|
||||
|
||||
- domain: "mx2.mail.example.com"
|
||||
- domain: 'mx2.mail.example.com'
|
||||
subject: "group:admins"
|
||||
policy: deny
|
||||
|
||||
- domain: "*.example.com"
|
||||
- domain: '*.example.com'
|
||||
subject:
|
||||
- "group:admins"
|
||||
- "group:moderators"
|
||||
- 'group:admins'
|
||||
- 'group:moderators'
|
||||
policy: two_factor
|
||||
|
||||
- domain: dev.example.com
|
||||
resources:
|
||||
- '^/groups/dev/.*$'
|
||||
subject: "group:dev"
|
||||
subject: 'group:dev'
|
||||
policy: two_factor
|
||||
|
||||
- domain: dev.example.com
|
||||
resources:
|
||||
- '^/users/john/.*$'
|
||||
subject:
|
||||
- ["group:dev", "user:john"]
|
||||
- "group:admins"
|
||||
- ['group:dev', 'user:john']
|
||||
- 'group:admins'
|
||||
policy: two_factor
|
||||
|
||||
- domain: "{user}.example.com"
|
||||
- domain: '{user}.example.com'
|
||||
policy: bypass
|
||||
```
|
||||
|
|
|
@ -98,6 +98,27 @@ integrations, it only checks that your configuration syntax is valid.
|
|||
$ authelia validate-config --config configuration.yml
|
||||
```
|
||||
|
||||
# Regex
|
||||
|
||||
We have several sections of configuration that utilize regular expressions. It's recommended to validate your regex
|
||||
manually either via tools like [Rego](https://regoio.herokuapp.com/) or some other means.
|
||||
|
||||
It's important when attempting to utilize a backslash that it's utilized correctly. The YAML parser is likely to parse
|
||||
this as you trying to use YAML escape syntax instead of regex escape syntax. To avoid this use single quotes instead of
|
||||
no quotes or double quotes.
|
||||
|
||||
Good Example:
|
||||
|
||||
```yaml
|
||||
domain_regex: '^(admin|secure)\.example\.com$'
|
||||
```
|
||||
|
||||
Bad Example:
|
||||
|
||||
```yaml
|
||||
domain_regex: "^(admin|secure)\.example\.com$"
|
||||
```
|
||||
|
||||
# Duration Notation Format
|
||||
|
||||
We have implemented a string/integer based notation for configuration options that take a duration of time. This section
|
||||
|
|
|
@ -14,11 +14,14 @@ to the resource.
|
|||
|
||||
For instance a rule can look like this:
|
||||
|
||||
- domain: dev.example.com
|
||||
resources:
|
||||
- "^/groups/dev/.*$"
|
||||
subject: "group:dev"
|
||||
policy: two_factor
|
||||
```yaml
|
||||
- domain: dev.example.com
|
||||
resources:
|
||||
- '^/groups/dev/.*$'
|
||||
subject: 'group:dev'
|
||||
policy: two_factor
|
||||
```
|
||||
|
||||
|
||||
This rule matches when the request targets the domain `dev.example.com` and the path
|
||||
matches the regular expression `^/groups/dev/.*$`. In that case, a two-factor policy
|
||||
|
|
|
@ -363,22 +363,22 @@ access_control:
|
|||
|
||||
rules:
|
||||
## Rules applied to everyone
|
||||
- domain: public.example.com
|
||||
- domain: 'public.example.com'
|
||||
policy: bypass
|
||||
|
||||
## Domain Regex examples. Generally we recommend just using a standard domain.
|
||||
# - domain_regex: "^(?P<User>\w+)\\.example\\.com$"
|
||||
# - domain_regex: '^(?P<User>\w+)\.example\.com$'
|
||||
# policy: one_factor
|
||||
# - domain_regex: "^(?P<Group>\w+)\\.example\\.com$"
|
||||
# - domain_regex: '^(?P<Group>\w+)\.example\.com$'
|
||||
# policy: one_factor
|
||||
# - domain_regex:
|
||||
# - "^appgroup-.*\\.example\\.com$"
|
||||
# - "^appgroup2-.*\\.example\\.com$"
|
||||
# - '^appgroup-.*\.example\.com$'
|
||||
# - '^appgroup2-.*\.example\.com$'
|
||||
# policy: one_factor
|
||||
# - domain_regex: "^.*\\.example.com$"
|
||||
# - domain_regex: '^.*\.example\.com$'
|
||||
# policy: two_factor
|
||||
|
||||
- domain: secure.example.com
|
||||
- domain: 'secure.example.com'
|
||||
policy: one_factor
|
||||
## Network based rule, if not provided any network matches.
|
||||
networks:
|
||||
|
@ -388,53 +388,53 @@ access_control:
|
|||
- 10.0.0.1
|
||||
|
||||
- domain:
|
||||
- secure.example.com
|
||||
- private.example.com
|
||||
- 'secure.example.com'
|
||||
- 'private.example.com'
|
||||
policy: two_factor
|
||||
|
||||
- domain: singlefactor.example.com
|
||||
- domain: 'singlefactor.example.com'
|
||||
policy: one_factor
|
||||
|
||||
## Rules applied to 'admins' group
|
||||
- domain: "mx2.mail.example.com"
|
||||
subject: "group:admins"
|
||||
- domain: 'mx2.mail.example.com'
|
||||
subject: 'group:admins'
|
||||
policy: deny
|
||||
|
||||
- domain: "*.example.com"
|
||||
- domain: '*.example.com'
|
||||
subject:
|
||||
- "group:admins"
|
||||
- "group:moderators"
|
||||
- 'group:admins'
|
||||
- 'group:moderators'
|
||||
policy: two_factor
|
||||
|
||||
## Rules applied to 'dev' group
|
||||
- domain: dev.example.com
|
||||
- domain: 'dev.example.com'
|
||||
resources:
|
||||
- '^/groups/dev/.*$'
|
||||
subject: "group:dev"
|
||||
subject: 'group:dev'
|
||||
policy: two_factor
|
||||
|
||||
## Rules applied to user 'john'
|
||||
- domain: dev.example.com
|
||||
- domain: 'dev.example.com'
|
||||
resources:
|
||||
- '^/users/john/.*$'
|
||||
subject: "user:john"
|
||||
subject: 'user:john'
|
||||
policy: two_factor
|
||||
|
||||
## Rules applied to user 'harry'
|
||||
- domain: dev.example.com
|
||||
- domain: 'dev.example.com'
|
||||
resources:
|
||||
- '^/users/harry/.*$'
|
||||
subject: "user:harry"
|
||||
subject: 'user:harry'
|
||||
policy: two_factor
|
||||
|
||||
## Rules applied to user 'bob'
|
||||
- domain: "*.mail.example.com"
|
||||
subject: "user:bob"
|
||||
- domain: '*.mail.example.com'
|
||||
subject: 'user:bob'
|
||||
policy: two_factor
|
||||
- domain: "dev.example.com"
|
||||
- domain: 'dev.example.com'
|
||||
resources:
|
||||
- '^/users/bob/.*$'
|
||||
subject: "user:bob"
|
||||
subject: 'user:bob'
|
||||
policy: two_factor
|
||||
|
||||
##
|
||||
|
|
Loading…
Reference in New Issue
Block a user