authelia/docs/configuration/server.md
James Elliott c5c6bda8b0
refactor: configuration agnostic healthcheck (#2231)
This makes the healthcheck simple and configured directly by Authelia's configuration on startup.
2021-08-05 14:02:07 +10:00

4.9 KiB

layout title parent nav_order
default Server Configuration 11

Server

The server section configures and tunes the http server module Authelia uses.

Configuration

server:
  host: 0.0.0.0
  port: 9091
  path: ""
  read_buffer_size: 4096
  write_buffer_size: 4096
  enable_pprof: false
  enable_expvars: false
  disable_healthcheck: false
  tls:
    key: ""
    certificate: ""

Options

host

type: string {: .label .label-config .label-purple } default: 0.0.0.0 {: .label .label-config .label-blue } required: no {: .label .label-config .label-green }

Defines the address to listen on. See also port. Should typically be 0.0.0.0 or 127.0.0.1, the former for containerized environments and the later for daemonized environments like init.d and systemd.

Note: If utilising an IPv6 literal address it must be enclosed by square brackets and quoted:

host: "[fd00:1111:2222:3333::1]"

port

type: integer {: .label .label-config .label-purple } default: 9091 {: .label .label-config .label-blue } required: no {: .label .label-config .label-green }

Defines the port to listen on. See also host.

path

type: string {: .label .label-config .label-purple } default: "" {: .label .label-config .label-blue } required: no {: .label .label-config .label-green }

Authelia by default is served from the root / location, either via its own domain or subdomain.

Modifying this setting will allow you to serve Authelia out from a specified base path. Please note that currently only a single level path is supported meaning slashes are not allowed, and only alphanumeric characters are supported.

Example: https://auth.example.com/, https://example.com/

server:
  path: ""

Example: https://auth.example.com/authelia/, https://example.com/authelia/

server:
  path: authelia

read_buffer_size

type: integer {: .label .label-config .label-purple } default: 4096 {: .label .label-config .label-blue } required: no {: .label .label-config .label-green }

Configures the maximum request size. The default of 4096 is generally sufficient for most use cases.

write_buffer_size

type: integer {: .label .label-config .label-purple } default: 4096 {: .label .label-config .label-blue } required: no {: .label .label-config .label-green }

Configures the maximum response size. The default of 4096 is generally sufficient for most use cases.

enable_pprof

type: boolean {: .label .label-config .label-purple } default: false {: .label .label-config .label-blue } required: no {: .label .label-config .label-green }

Enables the go pprof endpoints.

enable_expvars

type: boolean {: .label .label-config .label-purple } default: false {: .label .label-config .label-blue } required: no {: .label .label-config .label-green }

Enables the go expvars endpoints.

disable_healthcheck

type: boolean {: .label .label-config .label-purple } default: false {: .label .label-config .label-blue } required: no {: .label .label-config .label-green }

On startup Authelia checks for the existence of /app/healthcheck.sh and /app/.healthcheck.env and if both of these exist it writes the configuration vars for the healthcheck to the /app/.healthcheck.env file. In instances where this is not desirable it's possible to disable these interactions entirely.

An example situation where this is the case is in Kubernetes when set security policies that prevent writing to the ephemeral storage of a container or just don't want to enable the internal health check.

tls

Authelia typically listens for plain unencrypted connections. This is by design as most environments allow to security on lower areas of the OSI model. However it required, if you specify both the tls key and tls certificate options, Authelia will listen for TLS connections.

key

type: string (path) {: .label .label-config .label-purple } default: "" {: .label .label-config .label-blue } required: situational {: .label .label-config .label-yellow }

The path to the private key for TLS connections. Must be in DER base64/PEM format.

certificate

type: string (path) {: .label .label-config .label-purple } default: "" {: .label .label-config .label-blue } required: situational {: .label .label-config .label-yellow }

The path to the public certificate for TLS connections. Must be in DER base64/PEM format.

Additional Notes

Buffer Sizes

The read and write buffer sizes generally should be the same. This is because when Authelia verifies if the user is authorized to visit a URL, it also sends back nearly the same size response as the request. However you're able to tune these individually depending on your needs.