mirror of
https://github.com/0rangebananaspy/authelia.git
synced 2024-09-14 22:47:21 +07:00
2c42464fc8
* refactor: logging config key to log This refactors the recent pre-release change adding log options to their own configuration section in favor of a log section (from logging). * docs: add step to getting started to get the latest tagged commit This is so we avoid issues with changes on master having differences that don't work on the latest docker tag. * test: adjust tests * docs: adjust doc strings
105 lines
2.4 KiB
YAML
105 lines
2.4 KiB
YAML
---
|
|
###############################################################
|
|
# Authelia minimal configuration #
|
|
###############################################################
|
|
|
|
port: 9091
|
|
tls_cert: /config/ssl/cert.pem
|
|
tls_key: /config/ssl/key.pem
|
|
|
|
log:
|
|
level: trace
|
|
|
|
default_redirection_url: https://home.example.com:8080/
|
|
|
|
jwt_secret: very_important_secret
|
|
|
|
authentication_backend:
|
|
file:
|
|
path: /config/users.yml
|
|
|
|
session:
|
|
secret: unsecure_session_secret
|
|
domain: example.com
|
|
expiration: 3600 # 1 hour
|
|
inactivity: 300 # 5 minutes
|
|
remember_me_duration: 1y
|
|
|
|
# Configuration of the storage backend used to store data and secrets. i.e. totp data
|
|
storage:
|
|
local:
|
|
path: /config/db.sqlite
|
|
|
|
# TOTP Issuer Name
|
|
#
|
|
# This will be the issuer name displayed in Google Authenticator
|
|
# See: https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names
|
|
totp:
|
|
issuer: example.com
|
|
|
|
# The Duo Push Notification API configuration
|
|
duo_api:
|
|
hostname: duo.example.com
|
|
integration_key: ABCDEFGHIJKL
|
|
secret_key: abcdefghijklmnopqrstuvwxyz123456789
|
|
|
|
# Access Control
|
|
#
|
|
# Access control is a set of rules you can use to restrict user access to certain
|
|
# resources.
|
|
access_control:
|
|
# Default policy can either be `bypass`, `one_factor`, `two_factor` or `deny`.
|
|
default_policy: two_factor
|
|
|
|
rules:
|
|
- domain: singlefactor.example.com
|
|
policy: one_factor
|
|
|
|
- domain: public.example.com
|
|
policy: bypass
|
|
|
|
- domain: secure.example.com
|
|
policy: two_factor
|
|
|
|
- domain: "*.example.com"
|
|
subject: "group:admins"
|
|
policy: two_factor
|
|
|
|
- domain: dev.example.com
|
|
resources:
|
|
- "^/users/john/.*$"
|
|
subject: "user:john"
|
|
policy: two_factor
|
|
|
|
- domain: dev.example.com
|
|
resources:
|
|
- "^/users/harry/.*$"
|
|
subject: "user:harry"
|
|
policy: two_factor
|
|
|
|
- domain: "*.mail.example.com"
|
|
subject: "user:bob"
|
|
policy: two_factor
|
|
|
|
- domain: dev.example.com
|
|
resources:
|
|
- "^/users/bob/.*$"
|
|
subject: "user:bob"
|
|
policy: two_factor
|
|
|
|
# Configuration of the authentication regulation mechanism.
|
|
regulation:
|
|
# Set it to 0 to disable max_retries.
|
|
max_retries: 3
|
|
|
|
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
|
|
find_time: 300
|
|
|
|
# The length of time before a banned user can login again.
|
|
ban_time: 900
|
|
|
|
notifier:
|
|
filesystem:
|
|
filename: /tmp/notifier.html
|
|
...
|