b9fa786df6
This refactoring aims to ease testability and clean up a lot of soft touchy typings in test code. This is the first step of this refactoring introducing the concept and implementing missing interfaces and stubs. At the end of the day, ServerVariablesHandler should completely disappear and every variable should be injected in the endpoint handler builder itself.
---
###############################################################
#                   Authelia configuration                    #
###############################################################

# TCP port the server listens on.
# NOTE(review): plain HTTP on port 80. The service names used throughout
# (`openldap`, `redis`, `mongo`, `smtp`) and the `test.local` domains make this
# look like a test fixture; anywhere else, confirm TLS is terminated in front.
port: 80

# Verbosity of the logs. The accepted level names are not listed here; `debug`
# is presumably the most verbose, so keep it to test environments.
logs_level: debug

# LDAP configuration
#
# Example: for user john the DN resolves to cn=john,ou=users,dc=example,dc=com
# (users_filter, under additional_users_dn, under base_dn).
ldap:
  # URL of the LDAP server.
  # NOTE(review): over ldap:// (no StartTLS) the bind credentials and the
  # users' passwords travel in clear text; acceptable only on a trusted network.
  url: 'ldap://openldap'

  # Base DN under which every entry is searched.
  base_dn: 'dc=example,dc=com'

  # Additional DN narrowing the scope to the users.
  additional_users_dn: 'ou=users'

  # Filter selecting a user; {0} is replaced by the username.
  # Defaults to 'cn={0}' when omitted.
  users_filter: 'cn={0}'

  # Additional DN narrowing the scope to the groups.
  additional_groups_dn: 'ou=groups'

  # Filter retrieving the groups of a user.
  # {0} is replaced by the username, {dn} by the user's DN.
  # Defaults to 'member={dn}' when omitted.
  groups_filter: '(&(member={dn})(objectclass=groupOfNames))'

  # Attribute holding the group name.
  group_name_attribute: cn

  # Attribute holding the user's mail address.
  mail_attribute: mail

  # Bind DN and password of the admin user.
  # NOTE(review): credential committed in clear text — fixture value; real
  # deployments must not keep the bind password in a versioned file.
  user: 'cn=admin,dc=example,dc=com'
  password: 'password'

# Authentication methods
#
# Methods can be set per subdomain. Two methods exist: "basic_auth" and
# "two_factor". A domain uses "two_factor" unless overridden below.
#
# 'per_subdomain_methods' is optional; its keys are subdomains and its values
# one of the two methods.
authentication_methods:
  default_method: two_factor
  per_subdomain_methods:
    basicauth.test.local: basic_auth

# Access control
#
# A set of rules restricting user access. Default (anyone), per-user and
# per-group rules can be defined.
#
# When 'access_control' is absent, ACL rules are disabled and access is allowed
# to anyone. When it is present but holds no rule, all domains are denied.
#
# The wildcard * matches any subdomain. It must be the first character of the
# pattern (example: *.mydomain.com) and the pattern must then be single-quoted,
# because an unquoted leading * is read as a YAML alias.
access_control:
  # Either `allow` or `deny`: applied to any resource not overridden in the
  # `any`, `groups` or `users` category.
  default_policy: deny

  # Rules applying to anyone, as a list.
  any:
    - domain: public.test.local
      policy: allow

  # Group-based rules: the key is a group name, the value a list of rules.
  groups:
    admin:
      # Every resource on every subdomain...
      - domain: '*.test.local'
        policy: allow
      # ...except mx2.mail.test.local, which narrows the rule above.
      - domain: mx2.mail.test.local
        policy: deny
    dev:
      - domain: dev.test.local
        policy: allow
        resources:
          - '^/groups/dev/.*$'

  # User-based rules: the key is a user name, the value a list of rules.
  users:
    john:
      - domain: dev.test.local
        policy: allow
        resources:
          - '^/users/john/.*$'
    harry:
      - domain: dev.test.local
        policy: allow
        resources:
          - '^/users/harry/.*$'
    bob:
      - domain: '*.mail.test.local'
        policy: allow
      - domain: dev.test.local
        policy: allow
        resources:
          - '^/users/bob/.*$'

# Session cookies
#
# The session cookie identifies the user once logged in.
session:
  # Secret used to encrypt the session cookie.
  # NOTE(review): placeholder committed in clear text; whoever holds it can
  # presumably mint valid cookies. Replace it before any non-test use.
  secret: 'unsecure_secret'

  # Time before the cookie expires. No unit is stated here — confirm against
  # the schema.
  expiration: 10000

  # Domain to protect. The authenticator must live in this domain; when empty,
  # the cookie is restricted to the issuer's subdomain.
  domain: test.local

  # Redis connection used for session storage. No credentials are given, so the
  # instance is expected to be reachable only from the application network.
  redis:
    host: redis
    port: 6379

# Authentication regulation
#
# Protects the first factor against brute forcing: a user who fails too many
# attempts within a short period is banned for a while.
regulation:
  # Failed login attempts before the user is banned; 0 disables regulation.
  max_retries: 3

  # Period over which failed attempts are counted (unit not stated here).
  find_time: 15

  # How long a banned user must wait before logging in again (unit not stated
  # here). Shorter than find_time in this file, which looks like a fixture value.
  ban_time: 4

# Storage backend for data and secrets.
#
# The available configurations are listed as: local, mongo. Only `mongo` is
# active here; the `local` form is kept as a commented example.
storage:
  # Directory where the DB files are saved
  # local: /var/lib/authelia/store

  # Settings of the mongo server. The URL carries no credentials, so the
  # service is expected to be reachable only from the application network.
  mongo:
    url: 'mongodb://mongo/authelia'

# Notifications
#
# Sent to users when they request a password reset, a U2F registration or a
# TOTP registration. The original notes list "filesystem, gmail" as the
# available configurations while the keys shown below are `email` and `smtp`;
# confirm the accepted key names against the schema.
notifier:
  # Alternative: send through an e-mail account (an app password can be used).
  # Well-known service names: https://nodemailer.com/smtp/well-known/
  # email:
  #   username: user@example.com
  #   password: yourpassword
  #   sender: admin@example.com
  #   service: gmail

  # Send through an SMTP server.
  # NOTE(review): `test`/`test` credentials and `secure: false` on port 1025 are
  # consistent with a local test mail sink; outside tests the password must not
  # live in a versioned file and the TLS setting should be revisited.
  smtp:
    username: 'test'
    password: 'test'
    secure: false
    host: smtp
    port: 1025
    sender: 'admin@example.com'