diff --git a/docs/configuration/access-control.md b/docs/configuration/access-control.md index fac13d5b..a0bb97d8 100644 --- a/docs/configuration/access-control.md +++ b/docs/configuration/access-control.md @@ -92,40 +92,41 @@ configure Authelia accordingly. Here is a complete example of complex access control list that can be defined in Authelia. - access_control: - default_policy: deny +```yaml +access_control: + default_policy: deny + rules: + - domain: public.example.com + policy: bypass - rules: - - domain: public.example.com - policy: bypass + - domain: secure.example.com + policy: one_factor + networks: + - 192.168.1.0/24 - - domain: secure.example.com - policy: one_factor - networks: - - 192.168.1.0/24 - - - domain: secure.example.com - policy: two_factor + - domain: secure.example.com + policy: two_factor - - domain: singlefactor.example.com - policy: one_factor + - domain: singlefactor.example.com + policy: one_factor - - domain: "mx2.mail.example.com" - subject: "group:admins" - policy: deny - - - domain: "*.example.com" - subject: "group:admins" - policy: two_factor + - domain: "mx2.mail.example.com" + subject: "group:admins" + policy: deny - - domain: dev.example.com - resources: - - "^/groups/dev/.*$" - subject: "group:dev" - policy: two_factor + - domain: "*.example.com" + subject: "group:admins" + policy: two_factor - - domain: dev.example.com - resources: - - "^/users/john/.*$" - subject: "user:john" - policy: two_factor \ No newline at end of file + - domain: dev.example.com + resources: + - "^/groups/dev/.*$" + subject: "group:dev" + policy: two_factor + + - domain: dev.example.com + resources: + - "^/users/john/.*$" + subject: "user:john" + policy: two_factor +``` \ No newline at end of file diff --git a/docs/configuration/authentication/file.md b/docs/configuration/authentication/file.md index 388e70be..c50cd4c1 100644 --- a/docs/configuration/authentication/file.md +++ b/docs/configuration/authentication/file.md @@ -15,44 +15,46 @@ nav_order: 1 Configuring Authelia to use a file is done by specifying the path to the file in the configuration file. - authentication_backend: - disable_reset_password: false - file: - path: /var/lib/authelia/users.yml - password: - algorithm: argon2id - iterations: 1 - salt_length: 16 - parallelism: 8 - memory: 1024 +```yaml +authentication_backend: + disable_reset_password: false + file: + path: /var/lib/authelia/users.yml + password: + algorithm: argon2id + iterations: 1 + salt_length: 16 + parallelism: 8 + memory: 1024 +``` + ## Format The format of the users file is as follows. - users: - john: - password: "$argon2id$v=19$m=65536,t=3,p=2$BpLnfgDsc2WD8F2q$o/vzA4myCqZZ36bUGsDY//8mKUYNZZaR0t4MFFSs+iM" - email: john.doe@authelia.com - groups: - - admins - - dev - - harry: - password: "$argon2id$v=19$m=65536,t=3,p=2$BpLnfgDsc2WD8F2q$o/vzA4myCqZZ36bUGsDY//8mKUYNZZaR0t4MFFSs+iM" - email: harry.potter@authelia.com - groups: [] - - bob: - password: "$argon2id$v=19$m=65536,t=3,p=2$BpLnfgDsc2WD8F2q$o/vzA4myCqZZ36bUGsDY//8mKUYNZZaR0t4MFFSs+iM" - email: bob.dylan@authelia.com - groups: - - dev - - james: - password: "$argon2id$v=19$m=65536,t=3,p=2$BpLnfgDsc2WD8F2q$o/vzA4myCqZZ36bUGsDY//8mKUYNZZaR0t4MFFSs+iM" - email: james.dean@authelia.com +```yaml +users: + john: + password: "$argon2id$v=19$m=65536,t=3,p=2$BpLnfgDsc2WD8F2q$o/vzA4myCqZZ36bUGsDY//8mKUYNZZaR0t4MFFSs+iM" + email: john.doe@authelia.com + groups: + - admins + - dev + harry: + password: "$argon2id$v=19$m=65536,t=3,p=2$BpLnfgDsc2WD8F2q$o/vzA4myCqZZ36bUGsDY//8mKUYNZZaR0t4MFFSs+iM" + email: harry.potter@authelia.com + groups: [] + bob: + password: "$argon2id$v=19$m=65536,t=3,p=2$BpLnfgDsc2WD8F2q$o/vzA4myCqZZ36bUGsDY//8mKUYNZZaR0t4MFFSs+iM" + email: bob.dylan@authelia.com + groups: + - dev + james: + password: "$argon2id$v=19$m=65536,t=3,p=2$BpLnfgDsc2WD8F2q$o/vzA4myCqZZ36bUGsDY//8mKUYNZZaR0t4MFFSs+iM" + email: james.dean@authelia.com +``` This file should be set with read/write permissions as it could be updated by users @@ -73,7 +75,7 @@ always be valid for base64 decoding (characters a through z, A through Z, 0 thro For instance to generate a hash with the docker image just run: $ docker run authelia/authelia:latest authelia hash-password yourpassword - $ Password hash: $argon2id$v=19$m=65536$3oc26byQuSkQqksq$zM1QiTvVPrMfV6BVLs2t4gM+af5IN7euO0VB6+Q8ZFs + Password hash: $argon2id$v=19$m=65536$3oc26byQuSkQqksq$zM1QiTvVPrMfV6BVLs2t4gM+af5IN7euO0VB6+Q8ZFs Full CLI Help Documentation: @@ -116,8 +118,10 @@ to creating the hash. This is due to how [Go](https://golang.org/) allocates mem generating an argon2id hash. Go periodically garbage collects the heap, however this doesn't remove the memory allocation, it keeps it allocated even though it's technically unused. Under memory pressure the unused allocated memory will be reclaimed by the operating system, you can test -this on linux with -`stress-ng --vm-bytes $(awk '/MemFree/{printf "%d\n", $2 * 0.9;}' < /proc/meminfo)k --vm-keep -m 1`. +this on linux with: + + $ stress-ng --vm-bytes $(awk '/MemFree/{printf "%d\n", $2 * 0.9;}' < /proc/meminfo)k --vm-keep -m 1 + If this is not desirable we recommend investigating the following options in order of most to least secure: 1. using the [LDAP authentication provider](./ldap.md) 2. adjusting the [memory](#memory) parameter diff --git a/docs/configuration/authentication/ldap.md b/docs/configuration/authentication/ldap.md index 56049f0a..b28a8c78 100644 --- a/docs/configuration/authentication/ldap.md +++ b/docs/configuration/authentication/ldap.md @@ -16,66 +16,66 @@ Configuration of the LDAP backend is done as follows ```yaml authentication_backend: - disable_reset_password: false - ldap: - # The url to the ldap server. Scheme can be ldap:// or ldaps:// - url: ldap://127.0.0.1 + disable_reset_password: false + ldap: + # The url to the ldap server. Scheme can be ldap:// or ldaps:// + url: ldap://127.0.0.1 - # Skip verifying the server certificate (to allow self-signed certificate). - skip_verify: false + # Skip verifying the server certificate (to allow self-signed certificate). + skip_verify: false - # The base dn for every entries - base_dn: dc=example,dc=com + # The base dn for every entries + base_dn: dc=example,dc=com - # The attribute holding the username of the user. This attribute is used to populate - # the username in the session information. It was introduced due to #561 to handle case - # insensitive search queries. - # For you information, Microsoft Active Directory usually uses 'sAMAccountName' and OpenLDAP - # usually uses 'uid' - username_attribute: uid - - # An additional dn to define the scope to all users - additional_users_dn: ou=users - - # The users filter used in search queries to find the user profile based on input filled in login form. - # Various placeholders are available to represent the user input and back reference other options of the configuration: - # - {input} is a placeholder replaced by what the user inputs in the login form. - # - {username_attribute} is a placeholder replaced by what is configured in `username_attribute`. - # - {mail_attribute} is a placeholder replaced by what is configured in `mail_attribute`. - # - DON'T USE - {0} is an alias for {input} supported for backward compatibility but it will be deprecated in later versions, so please don't use it. - # - # Recommended settings are as follows: - # - Microsoft Active Directory: (&({username_attribute}={input})(objectCategory=person)(objectClass=user)) - # - OpenLDAP: (&({username_attribute}={input})(objectClass=person))' or '(&({username_attribute}={input})(objectClass=inetOrgPerson)) - # - # To allow sign in both with username and email, one can use a filter like - # (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person)) - users_filter: (&({username_attribute}={input})(objectClass=person)) - - # An additional dn to define the scope of groups - additional_groups_dn: ou=groups - - # The groups filter used in search queries to find the groups of the user. - # - {input} is a placeholder replaced by what the user inputs in the login form. - # - {username} is a placeholder replace by the username stored in LDAP (based on `username_attribute`). - # - {dn} is a matcher replaced by the user distinguished name, aka, user DN. - # - {username_attribute} is a placeholder replaced by what is configured in `username_attribute`. - # - {mail_attribute} is a placeholder replaced by what is configured in `mail_attribute`. - # - DON'T USE - {0} is an alias for {input} supported for backward compatibility but it will be deprecated in later versions, so please don't use it. - # - DON'T USE - {1} is an alias for {username} supported for backward compatibility but it will be deprecated in later version, so please don't use it. - groups_filter: (&(member={dn})(objectclass=groupOfNames)) - - # The attribute holding the name of the group - group_name_attribute: cn - - # The attribute holding the mail address of the user - mail_attribute: mail - - # The username and password of the admin user. - user: cn=admin,dc=example,dc=com - - # This secret can also be set using the env variables AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD - password: password + # The attribute holding the username of the user. This attribute is used to populate + # the username in the session information. It was introduced due to #561 to handle case + # insensitive search queries. + # For you information, Microsoft Active Directory usually uses 'sAMAccountName' and OpenLDAP + # usually uses 'uid' + username_attribute: uid + + # An additional dn to define the scope to all users + additional_users_dn: ou=users + + # The users filter used in search queries to find the user profile based on input filled in login form. + # Various placeholders are available to represent the user input and back reference other options of the configuration: + # - {input} is a placeholder replaced by what the user inputs in the login form. + # - {username_attribute} is a placeholder replaced by what is configured in `username_attribute`. + # - {mail_attribute} is a placeholder replaced by what is configured in `mail_attribute`. + # - DON'T USE - {0} is an alias for {input} supported for backward compatibility but it will be deprecated in later versions, so please don't use it. + # + # Recommended settings are as follows: + # - Microsoft Active Directory: (&({username_attribute}={input})(objectCategory=person)(objectClass=user)) + # - OpenLDAP: (&({username_attribute}={input})(objectClass=person))' or '(&({username_attribute}={input})(objectClass=inetOrgPerson)) + # + # To allow sign in both with username and email, one can use a filter like + # (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person)) + users_filter: (&({username_attribute}={input})(objectClass=person)) + + # An additional dn to define the scope of groups + additional_groups_dn: ou=groups + + # The groups filter used in search queries to find the groups of the user. + # - {input} is a placeholder replaced by what the user inputs in the login form. + # - {username} is a placeholder replace by the username stored in LDAP (based on `username_attribute`). + # - {dn} is a matcher replaced by the user distinguished name, aka, user DN. + # - {username_attribute} is a placeholder replaced by what is configured in `username_attribute`. + # - {mail_attribute} is a placeholder replaced by what is configured in `mail_attribute`. + # - DON'T USE - {0} is an alias for {input} supported for backward compatibility but it will be deprecated in later versions, so please don't use it. + # - DON'T USE - {1} is an alias for {username} supported for backward compatibility but it will be deprecated in later version, so please don't use it. + groups_filter: (&(member={dn})(objectclass=groupOfNames)) + + # The attribute holding the name of the group + group_name_attribute: cn + + # The attribute holding the mail address of the user + mail_attribute: mail + + # The username and password of the admin user. + user: cn=admin,dc=example,dc=com + + # This secret can also be set using the env variables AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD + password: password ``` The user must have an email address in order for Authelia to perform diff --git a/docs/configuration/duo-push-notifications.md b/docs/configuration/duo-push-notifications.md index acbbb298..207c3fee 100644 --- a/docs/configuration/duo-push-notifications.md +++ b/docs/configuration/duo-push-notifications.md @@ -15,11 +15,13 @@ to know how to set up push notifications in Authelia. ## Configuration The configuration is as follows: +```yaml +duo_api: + hostname: api-123456789.example.com + integration_key: ABCDEF + secret_key: 1234567890abcdefghifjkl +``` - duo_api: - hostname: api-123456789.example.com - integration_key: ABCDEF - secret_key: 1234567890abcdefghifjkl The secret key is shown as an example, you also have the option to set it using an environment variable as described [here](./secrets.md). diff --git a/docs/configuration/google-analytics.md b/docs/configuration/google-analytics.md index 0e90be71..f3b9e364 100644 --- a/docs/configuration/google-analytics.md +++ b/docs/configuration/google-analytics.md @@ -10,4 +10,6 @@ nav_order: 4 It is possible to provide a Google Analytics ID to Authelia in order to monitor the usage of the Sign-In portal. - google_analytics: UA-00000-01 \ No newline at end of file +```yaml +google_analytics: UA-00000-01 +``` \ No newline at end of file diff --git a/docs/configuration/miscellaneous.md b/docs/configuration/miscellaneous.md index fb61c3e4..157c5935 100644 --- a/docs/configuration/miscellaneous.md +++ b/docs/configuration/miscellaneous.md @@ -15,8 +15,10 @@ Here are the main customizable options in Authelia. Defines the address and port to listen on. - host: 0.0.0.0 - port: 9091 +```yaml +host: 0.0.0.0 +port: 9091 +``` ## TLS @@ -25,9 +27,10 @@ Defines the address and port to listen on. Authelia can use TLS. Provide the certificate and the key with the following configuration options: - tls_key: /var/lib/authelia/ssl/key.pem - tls_cert: /var/lib/authelia/ssl/cert.pem - +```yaml +tls_key: /var/lib/authelia/ssl/key.pem +tls_cert: /var/lib/authelia/ssl/cert.pem +``` ## Log @@ -38,7 +41,9 @@ following configuration options: Defines the level of logs used by Authelia. This level can be set to `trace`, `debug` or `info`. - log_level: debug +```yaml +log_level: debug +``` ### Log file path @@ -47,7 +52,9 @@ Defines the level of logs used by Authelia. This level can be set to Logs can be stored in a file when file path is provided. Otherwise logs are written to standard output. - log_file_path: /var/log/authelia.log +```yaml +log_file_path: /var/log/authelia.log +``` ## JWT Secret @@ -57,7 +64,9 @@ are written to standard output. Defines the secret used to craft JWT tokens leveraged by the identity verification process - jwt_secret: v3ry_important_s3cr3t +```yaml +jwt_secret: v3ry_important_s3cr3t +``` ## Default redirection URL diff --git a/docs/configuration/notifier/filesystem.md b/docs/configuration/notifier/filesystem.md index 4ffca6c9..38835eb9 100644 --- a/docs/configuration/notifier/filesystem.md +++ b/docs/configuration/notifier/filesystem.md @@ -13,6 +13,6 @@ should only be used for testing purposes. ```yaml notifier: - filesystem: - filename: /tmp/authelia/notification.txt + filesystem: + filename: /tmp/authelia/notification.txt ``` \ No newline at end of file diff --git a/docs/configuration/notifier/smtp.md b/docs/configuration/notifier/smtp.md index 1fe17008..5800df1c 100644 --- a/docs/configuration/notifier/smtp.md +++ b/docs/configuration/notifier/smtp.md @@ -55,11 +55,11 @@ described [here](https://support.google.com/accounts/answer/185833?hl=en) ```yaml notifier: - smtp: - username: myaccount@gmail.com - # This secret can also be set using the env variables AUTHELIA_NOTIFIER_SMTP_PASSWORD - password: yourapppassword - sender: admin@example.com - host: smtp.gmail.com - port: 587 + smtp: + username: myaccount@gmail.com + # This secret can also be set using the env variables AUTHELIA_NOTIFIER_SMTP_PASSWORD + password: yourapppassword + sender: admin@example.com + host: smtp.gmail.com + port: 587 ``` diff --git a/docs/configuration/one-time-password.md b/docs/configuration/one-time-password.md index 9aa38379..75b46059 100644 --- a/docs/configuration/one-time-password.md +++ b/docs/configuration/one-time-password.md @@ -11,10 +11,13 @@ Authelia uses time based one-time passwords as the OTP method. You have the option to tune the settings of the TOTP generation and you can see a full example of TOTP configuration below, as well as sections describing them. - totp: - issuer: authelia.com - period: 30 - skew: 1 +```yaml +totp: + issuer: authelia.com + period: 30 + skew: 1 +``` + ## Issuer diff --git a/docs/configuration/regulation.md b/docs/configuration/regulation.md index 5dac36bd..1d0a7fd2 100644 --- a/docs/configuration/regulation.md +++ b/docs/configuration/regulation.md @@ -14,18 +14,18 @@ authentication attempts. This helps prevent brute-force attacks. ```yaml regulation: - # The number of failed login attempts before user is banned. - # Set it to 0 to disable regulation. - max_retries: 3 + # The number of failed login attempts before user is banned. + # Set it to 0 to disable regulation. + max_retries: 3 - # The time range during which the user can attempt login before being banned. - # The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window. - # Find Time accepts duration notation. See: https://docs.authelia.com/configuration/index.html#duration-notation-format - find_time: 2m + # The time range during which the user can attempt login before being banned. + # The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window. + # Find Time accepts duration notation. See: https://docs.authelia.com/configuration/index.html#duration-notation-format + find_time: 2m - # The length of time before a banned user can sign in again. - # Find Time accepts duration notation. See: https://docs.authelia.com/configuration/index.html#duration-notation-format - ban_time: 5m + # The length of time before a banned user can sign in again. + # Find Time accepts duration notation. See: https://docs.authelia.com/configuration/index.html#duration-notation-format + ban_time: 5m ``` ### Duration Notation diff --git a/docs/configuration/storage/mariadb.md b/docs/configuration/storage/mariadb.md index cfa5216c..ff7f85bc 100644 --- a/docs/configuration/storage/mariadb.md +++ b/docs/configuration/storage/mariadb.md @@ -10,11 +10,11 @@ nav_order: 1 ```yaml storage: - mysql: - host: 127.0.0.1 - port: 3306 - database: authelia - username: authelia - # This secret can also be set using the env variables AUTHELIA_STORAGE_MYSQL_PASSWORD - password: mypassword + mysql: + host: 127.0.0.1 + port: 3306 + database: authelia + username: authelia + # This secret can also be set using the env variables AUTHELIA_STORAGE_MYSQL_PASSWORD + password: mypassword ``` diff --git a/docs/configuration/storage/mysql.md b/docs/configuration/storage/mysql.md index 092a269b..486b17eb 100644 --- a/docs/configuration/storage/mysql.md +++ b/docs/configuration/storage/mysql.md @@ -10,11 +10,11 @@ nav_order: 2 ```yaml storage: - mysql: - host: 127.0.0.1 - port: 3306 - database: authelia - username: authelia - # This secret can also be set using the env variables AUTHELIA_STORAGE_MYSQL_PASSWORD - password: mypassword + mysql: + host: 127.0.0.1 + port: 3306 + database: authelia + username: authelia + # This secret can also be set using the env variables AUTHELIA_STORAGE_MYSQL_PASSWORD + password: mypassword ``` diff --git a/docs/configuration/storage/postgres.md b/docs/configuration/storage/postgres.md index 8b1fd37e..acff43da 100644 --- a/docs/configuration/storage/postgres.md +++ b/docs/configuration/storage/postgres.md @@ -10,11 +10,11 @@ nav_order: 3 ```yaml storage: - postgres: - host: 127.0.0.1 - port: 5432 - database: authelia - username: authelia - # This secret can also be set using the env variables AUTHELIA_STORAGE_POSTGRES_PASSWORD - password: mypassword + postgres: + host: 127.0.0.1 + port: 5432 + database: authelia + username: authelia + # This secret can also be set using the env variables AUTHELIA_STORAGE_POSTGRES_PASSWORD + password: mypassword ``` diff --git a/docs/configuration/storage/sqlite.md b/docs/configuration/storage/sqlite.md index d299e350..dda23b63 100644 --- a/docs/configuration/storage/sqlite.md +++ b/docs/configuration/storage/sqlite.md @@ -18,6 +18,6 @@ Just give the path to the sqlite database. It will be created if the file does n ```yaml storage: - local: - path: /var/lib/authelia/db.sqlite3 + local: + path: /var/lib/authelia/db.sqlite3 ``` diff --git a/docs/contributing/authelia-scripts.md b/docs/contributing/authelia-scripts.md index 44db9f80..3bb5e893 100644 --- a/docs/contributing/authelia-scripts.md +++ b/docs/contributing/authelia-scripts.md @@ -12,22 +12,22 @@ testing the code, etc... Those scripts becomes available after sourcing the bootstrap.sh script with - source bootstrap.sh + $ source bootstrap.sh Then, you can access the scripts usage by running the following command: - authelia-scripts --help + $ authelia-scripts --help For instance, you can build Authelia (Go binary and frontend) with: - authelia-scripts build + $ authelia-scripts build Or build the official Docker image with: - authelia-scripts docker build + $ authelia-scripts docker build Or start the *Standalone* suite with: - authelia-scripts suites setup Standalone + $ authelia-scripts suites setup Standalone You will find more information in the scripts usage helpers. \ No newline at end of file diff --git a/docs/contributing/suites.md b/docs/contributing/suites.md index 3058f0e7..59a868aa 100644 --- a/docs/contributing/suites.md +++ b/docs/contributing/suites.md @@ -46,7 +46,7 @@ specific suite like *HighAvailability*, you can do so with the next command: Running all tests is easy. Make sure that no suite is already running and run: - authelia-scripts suites test + $ authelia-scripts suites test ### Run tests in headless mode diff --git a/docs/features/password-reset.md b/docs/features/password-reset.md index f6872db3..0628637c 100644 --- a/docs/features/password-reset.md +++ b/docs/features/password-reset.md @@ -7,9 +7,10 @@ nav_order: 4 # Password Reset -**Authelia** provides workflow to let users reset their password when they lose it. +**Authelia** provides a workflow to let users reset their password when they lose it. +To disable reset password functionality please see the [configuration docs](../configuration/authentication/index.md#disabling-reset-password). -A simple click on `Forgot password?` for starting the process. Note that resetting a +A simple click on `Reset password?` for starting the process. Note that resetting a password requires a new identity verification using the e-mail of the user.

@@ -22,7 +23,7 @@ Give your username and receive an e-mail to verify your identity.

-Once your identity is verified, fill in the form to reset your password. +Once your identity has been verified, fill in the form to reset your password.

diff --git a/docs/security/index.md b/docs/security/index.md index d051bf0e..d8f00054 100644 --- a/docs/security/index.md +++ b/docs/security/index.md @@ -7,9 +7,11 @@ has_children: true # Security -Security is taken very seriously here, therefore we follow the rule of -responsible disclosure and we encourage you to do so. +Authelia takes security very seriously. We follow the rule of +[responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure), and we +encourage the community to as well. -Would you like to report any vulnerability discovered in Authelia, please -first contact **clems4ever** on [Matrix](https://riot.im/app/#/room/#authelia:matrix.org) -or by [email](mailto:clement.michaud34@gmail.com). + +If you discover a vulnerability in Authelia, please first contact **clems4ever** on +[Matrix](https://riot.im/app/#/room/#authelia:matrix.org) or by +[email](mailto:clement.michaud34@gmail.com).