40574bc8ec
Before this fix, an anonymous user was not able to access a resource that was configured with a bypass policy. This was due to a useless check of the userid in the auth session. Moreover, in the case of an anonymous user, we should not check the inactivity period since there is no session. Also refactor /verify endpoint for better testability and add tests in a new suite.
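###############################################################
#                Authelia minimal configuration               #
###############################################################
#
# Test-suite configuration: the users database path below points into
# ./test/suites/basic. The secrets and credentials in this file are
# throwaway placeholders committed in clear text; none of them may be
# reused outside the test environment.

port: 9091

# Debug verbosity suits a test suite.
# NOTE(review): debug logs may carry request details; prefer a less verbose
# level anywhere real user traffic is handled.
logs_level: debug

default_redirection_url: https://home.example.com:8080/

authentication_backend:
  file:
    path: ./test/suites/basic/users_database.test.yml

session:
  # Placeholder secret for the test suite only. A real deployment needs a
  # long random value supplied from outside version control.
  secret: unsecure_session_secret
  # Domain the session cookie is scoped to.
  domain: example.com
  # NOTE(review): the inline durations below hold only if these values are
  # milliseconds; confirm the unit expected by the version under test.
  expiration: 3600000  # 1 hour
  inactivity: 300000  # 5 minutes

# Configuration of the storage backend used to store data and secrets,
# e.g. TOTP data.
# NOTE(review): /tmp is usually shared between local users. That is fine for
# disposable test data, but TOTP secrets deserve a directory with restricted
# permissions in any real setup.
storage:
  local:
    path: /tmp/authelia/db

# TOTP Issuer Name
#
# This will be the issuer name displayed in Google Authenticator
# See: https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names
totp:
  issuer: example.com

# Access Control
#
# Access control is a set of rules you can use to restrict user access to
# certain resources.
access_control:
  # Default policy can either be `bypass`, `one_factor`, `two_factor` or `deny`.
  # `deny` keeps any domain not matched by a rule below closed by default.
  default_policy: deny

  # NOTE(review): rule order presumably matters (the first matching rule is
  # expected to win); confirm against the version under test before
  # reordering, because the wildcard rule overlaps the more specific ones.
  rules:
    - domain: singlefactor.example.com
      policy: one_factor

    # `bypass` requests no authentication, so anonymous requests are let
    # through. Keep bypass rules limited to resources meant to be public.
    - domain: public.example.com
      policy: bypass

    - domain: '*.example.com'
      subject: "group:admins"
      policy: two_factor

    # Per-user subtrees on dev.example.com. The patterns are anchored with
    # ^ and $, presumably so that only the named user's own path prefix
    # matches (assumes matching is done against the request path).
    - domain: dev.example.com
      resources:
        - '^/users/john/.*$'
      subject: "user:john"
      policy: two_factor

    - domain: dev.example.com
      resources:
        - '^/users/harry/.*$'
      subject: "user:harry"
      policy: two_factor

    - domain: '*.mail.example.com'
      subject: "user:bob"
      policy: two_factor

    - domain: dev.example.com
      resources:
        - '^/users/bob/.*$'
      subject: "user:bob"
      policy: two_factor

# Configuration of the authentication regulation mechanism.
regulation:
  # Set it to 0 to disable max_retries.
  # NOTE(review): disabling it removes the failed-login throttling
  # configured in this section.
  max_retries: 3

  # The user is banned if the authentication failed `max_retries` times in a
  # `find_time` seconds window.
  find_time: 300

  # The length of time before a banned user can login again.
  ban_time: 900

# Default redirection URL
#
# Note: this parameter is optional. If not provided, user won't
# be redirected upon successful authentication.
# (An active `default_redirection_url` is already set near the top of this
# file; uncommenting the line below would create a duplicate key.)
#default_redirection_url: https://authelia.example.domain

notifier:
  # For testing purpose, notifications can be sent in a file
  # filesystem:
  #   filename: /tmp/authelia/notification.txt

  # Use your email account to send the notifications. You can use an app password.
  # List of valid services can be found here: https://nodemailer.com/smtp/well-known/
  ## email:
  ##   username: user@example.com
  ##   password: yourpassword
  ##   sender: admin@example.com
  ##   service: gmail

  # Use a SMTP server for sending notifications
  # The endpoint below is on the loopback interface, presumably a local test
  # mail catcher. `secure: false` and the placeholder credentials are
  # tolerable only because mail never leaves the host.
  # NOTE(review): a real relay should use transport encryption and
  # credentials injected from outside this file.
  smtp:
    username: test
    password: password
    secure: false
    host: 127.0.0.1
    port: 1025
    sender: admin@example.com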