mirror of
https://github.com/0rangebananaspy/authelia.git
synced 2024-09-14 22:47:21 +07:00
e041143f87
* feat(session): add redis sentinel provider * refactor(session): use int for ports as per go standards * refactor(configuration): adjust tests and validation * refactor(configuration): add err format consts * refactor(configuration): explicitly map redis structs * refactor(session): merge redis/redis sentinel providers * refactor(session): add additional checks to redis providers * feat(session): add redis cluster provider * fix: update config for new values * fix: provide nil certpool to affected tests/mocks * test: add additional tests to cover uncovered code * docs: expand explanation of host and nodes relation for redis * ci: add redis-sentinel to suite highavailability, add redis-sentinel quorum * fix(session): sentinel password * test: use redis alpine library image for redis sentinel, use expose instead of ports, use redis ip, adjust redis ip range, adjust redis config * test: make entrypoint.sh executable, fix entrypoint.sh if/elif * test: add redis failover tests * test: defer docker start, adjust sleep, attempt logout before login, attempt visit before login and tune timeouts, add additional logging * test: add sentinel integration test * test: add secondary node failure to tests, fix password usage, bump test timeout, add sleep * feat: use sentinel failover cluster * fix: renamed addrs to sentineladdrs upstream * test(session): sentinel failover * test: add redis standard back into testing * test: move redis standalone test to traefik2 * fix/docs: apply suggestions from code review
131 lines
4.9 KiB
Markdown
131 lines
4.9 KiB
Markdown
---
|
|
layout: default
|
|
title: Session
|
|
parent: Configuration
|
|
nav_order: 8
|
|
---
|
|
|
|
# Session
|
|
|
|
**Authelia** relies on session cookies to authenticate users. When the user visits
|
|
a website of the protected domain `example.com` for the first time, Authelia detects
|
|
that there is no cookie for that user. Consequently, Authelia redirects the user
|
|
to the login portal through which the user should authenticate to get a cookie which
|
|
is valid for `*.example.com`, meaning all websites of the domain.
|
|
At the next request, Authelia receives the cookie associated to the authenticated user
|
|
and can then order the reverse proxy to let the request pass through to the application.
|
|
|
|
## Configuration
|
|
|
|
```yaml
|
|
session:
|
|
# The name of the session cookie. (default: authelia_session).
|
|
name: authelia_session
|
|
|
|
# The secret to encrypt the session data. This is only used with Redis.
|
|
# Secret can also be set using a secret: https://docs.authelia.com/configuration/secrets.html
|
|
secret: unsecure_session_secret
|
|
|
|
# The time in seconds before the cookie expires and session is reset.
|
|
expiration: 1h
|
|
|
|
# The inactivity time in seconds before the session is reset.
|
|
inactivity: 5m
|
|
|
|
# The remember me duration.
|
|
# Value of 0 disables remember me.
|
|
# Value is in seconds, or duration notation. See: https://docs.authelia.com/configuration/index.html#duration-notation-format
|
|
# Longer periods are considered less secure because a stolen cookie will last longer giving attackers more time to spy
|
|
# or attack. Currently the default is 1M or 1 month.
|
|
remember_me_duration: 1M
|
|
|
|
# The domain to protect.
|
|
# Note: the login portal must also be a subdomain of that domain.
|
|
domain: example.com
|
|
|
|
# The redis connection details (optional)
|
|
# If not provided, sessions will be stored in memory
|
|
redis:
|
|
host: 127.0.0.1
|
|
port: 6379
|
|
## Use a unix socket instead
|
|
# host: /var/run/redis/redis.sock
|
|
|
|
## Optional username to be used with authentication.
|
|
username: authelia
|
|
|
|
## Password can also be set using a secret: https://docs.authelia.com/configuration/secrets.html
|
|
password: authelia
|
|
|
|
## This is the Redis DB Index https://redis.io/commands/select (sometimes referred to as database number, DB, etc).
|
|
database_index: 0
|
|
|
|
## The maximum number of concurrent active connections to Redis.
|
|
maximum_active_connections: 8
|
|
|
|
## The target number of idle connections to have open ready for work. Useful when opening connections is slow.
|
|
minimum_idle_connections: 0
|
|
|
|
## The Redis TLS configuration. If defined will require a TLS connection to the Redis instance(s).
|
|
tls:
|
|
## Server Name for certificate validation (in case you are using the IP or non-FQDN in the host option).
|
|
server_name: myredis.example.com
|
|
|
|
## Skip verifying the server certificate (to allow a self-signed certificate).
|
|
## In preference to setting this we strongly recommend you add the public portion of the certificate to the
|
|
## certificates directory which is defined by the `certificates_directory` option at the top of the config.
|
|
skip_verify: false
|
|
|
|
## Minimum TLS version for the connection.
|
|
minimum_version: TLS1.2
|
|
|
|
## The Redis HA configuration options.
|
|
## This provides specific options to Redis Sentinel, sentinel_name must be defined (Master Name).
|
|
high_availability:
|
|
## Sentinel Name / Master Name
|
|
sentinel_name: mysentinel
|
|
|
|
## Specific password for Redis Sentinel. The node username and password is configured above.
|
|
sentinel_password: sentinel_specific_pass
|
|
|
|
## The additional nodes to pre-seed the redis provider with (for sentinel).
|
|
## If the host in the above section is defined, it will be combined with this list to connect to sentinel.
|
|
## For high availability to be used you must have either defined; the host above or at least one node below.
|
|
nodes:
|
|
- host: sentinel-node1
|
|
port: 6379
|
|
- host: sentinel-node2
|
|
port: 6379
|
|
|
|
## Choose the host with the lowest latency.
|
|
route_by_latency: false
|
|
|
|
## Choose the host randomly.
|
|
route_randomly: false
|
|
```
|
|
|
|
### Security
|
|
|
|
Configuration of this section has an impact on security. You should read notes in
|
|
[security measures](../security/measures.md#session-security) for more information.
|
|
|
|
### Duration Notation
|
|
|
|
The configuration parameters expiration, inactivity, and remember_me_duration use duration notation. See the documentation
|
|
for [duration notation format](index.md#duration-notation-format) for more information.
|
|
|
|
## IPv6 Addresses
|
|
|
|
If utilising an IPv6 literal address it must be enclosed by square brackets and quoted:
|
|
```yaml
|
|
host: "[fd00:1111:2222:3333::1]"
|
|
```
|
|
|
|
## Loading a password from a secret instead of inside the configuration
|
|
|
|
Password can also be defined using a [secret](../secrets.md).
|
|
|
|
## Redis Sentinel
|
|
|
|
When using Redis Sentinel, the host specified in the main redis section is added (it will be the first node) to the
|
|
nodes in the high availability section. This however is optional. |