mirror of
https://github.com/0rangebananaspy/authelia.git
synced 2024-09-14 22:47:21 +07:00
a991379a74
Some tests are not fully rewritten in Go, a typescript wrapper is called instead until we remove the remaining TS tests and dependencies. Also, dockerize every components (mainly Authelia backend, frontend and kind) so that the project does not interfere with user host anymore (open ports for instance). The only remaining intrusive change is the one done during bootstrap to add entries in /etc/hosts. It will soon be avoided using authelia.com domain that I own.
248 lines
7.5 KiB
YAML
248 lines
7.5 KiB
YAML
###############################################################
|
|
# Authelia configuration #
|
|
###############################################################
|
|
|
|
# The port to listen on
|
|
port: 9091
|
|
|
|
# Log level
|
|
#
|
|
# Level of verbosity for logs
|
|
logs_level: debug
|
|
|
|
jwt_secret: unsecure_secret
|
|
|
|
# Default redirection URL
|
|
#
|
|
# If user tries to authenticate without any referer, Authelia
|
|
# does not know where to redirect the user to at the end of the
|
|
# authentication process.
|
|
# This parameter allows you to specify the default redirection
|
|
# URL Authelia will use in such a case.
|
|
#
|
|
# Note: this parameter is optional. If not provided, user won't
|
|
# be redirected upon successful authentication.
|
|
default_redirection_url: https://home.example.com:8080/
|
|
|
|
# TOTP Issuer Name
|
|
#
|
|
# This will be the issuer name displayed in Google Authenticator
|
|
# See: https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names
|
|
totp:
|
|
issuer: authelia.com
|
|
|
|
# The authentication backend to use for verifying user passwords
|
|
# and retrieve information such as email address and groups
|
|
# users belong to.
|
|
#
|
|
# There are two supported backends: `ldap` and `file`.
|
|
authentication_backend:
|
|
# LDAP backend configuration.
|
|
#
|
|
# This backend allows Authelia to be scaled to more
|
|
# than one instance and therefore is recommended for
|
|
# production.
|
|
ldap:
|
|
# The url of the ldap server
|
|
url: ldap://openldap
|
|
|
|
# The base dn for every entries
|
|
base_dn: dc=example,dc=com
|
|
|
|
# An additional dn to define the scope to all users
|
|
additional_users_dn: ou=users
|
|
|
|
# The users filter used to find the user DN
|
|
# {0} is a matcher replaced by username.
|
|
# 'cn={0}' by default.
|
|
users_filter: (cn={0})
|
|
|
|
# An additional dn to define the scope of groups
|
|
additional_groups_dn: ou=groups
|
|
|
|
# The groups filter used for retrieving groups of a given user.
|
|
# {0} is a matcher replaced by username.
|
|
# {dn} is a matcher replaced by user DN.
|
|
# 'member={dn}' by default.
|
|
groups_filter: (&(member={dn})(objectclass=groupOfNames))
|
|
|
|
# The attribute holding the name of the group
|
|
group_name_attribute: cn
|
|
|
|
# The attribute holding the mail address of the user
|
|
mail_attribute: mail
|
|
|
|
# The username and password of the admin user.
|
|
user: cn=admin,dc=example,dc=com
|
|
password: password
|
|
|
|
# File backend configuration.
|
|
#
|
|
# With this backend, the users database is stored in a file
|
|
# which is updated when users reset their passwords.
|
|
# Therefore, this backend is meant to be used in a dev environment
|
|
# and not in production since it prevents Authelia to be scaled to
|
|
# more than one instance.
|
|
#
|
|
## file:
|
|
## path: ./users_database.yml
|
|
|
|
# Access Control
|
|
#
|
|
# Access control is a list of rules defining the authorizations applied for one
|
|
# resource to users or group of users.
|
|
#
|
|
# If 'access_control' is not defined, ACL rules are disabled and the `bypass`
|
|
# rule is applied, i.e., access is allowed to anyone. Otherwise restrictions follow
|
|
# the rules defined.
|
|
#
|
|
# Note: One can use the wildcard * to match any subdomain.
|
|
# It must stand at the beginning of the pattern. (example: *.mydomain.com)
|
|
#
|
|
# Note: You must put patterns containing wildcards between simple quotes for the YAML
|
|
# to be syntaxically correct.
|
|
#
|
|
# Definition: A `rule` is an object with the following keys: `domain`, `subject`,
|
|
# `policy` and `resources`.
|
|
#
|
|
# - `domain` defines which domain or set of domains the rule applies to.
|
|
#
|
|
# - `subject` defines the subject to apply authorizations to. This parameter is
|
|
# optional and matching any user if not provided. If provided, the parameter
|
|
# represents either a user or a group. It should be of the form 'user:<username>'
|
|
# or 'group:<groupname>'.
|
|
#
|
|
# - `policy` is the policy to apply to resources. It must be either `bypass`,
|
|
# `one_factor`, `two_factor` or `deny`.
|
|
#
|
|
# - `resources` is a list of regular expressions that matches a set of resources to
|
|
# apply the policy to. This parameter is optional and matches any resource if not
|
|
# provided.
|
|
#
|
|
# Note: the order of the rules is important. The first policy matching
|
|
# (domain, resource, subject) applies.
|
|
access_control:
|
|
# Default policy can either be `bypass`, `one_factor`, `two_factor` or `deny`.
|
|
# It is the policy applied to any resource if there is no policy to be applied
|
|
# to the user.
|
|
default_policy: deny
|
|
|
|
rules:
|
|
# Rules applied to everyone
|
|
- domain: public.example.com
|
|
policy: bypass
|
|
- domain: secure.example.com
|
|
policy: two_factor
|
|
- domain: singlefactor.example.com
|
|
policy: one_factor
|
|
|
|
# Rules applied to 'admin' group
|
|
- domain: mx2.mail.example.com
|
|
subject: "group:admin"
|
|
policy: deny
|
|
|
|
# Rules applied to user 'john'
|
|
- domain: "*.example.com"
|
|
subject: "user:john"
|
|
policy: two_factor
|
|
|
|
- domain: "*.example.com"
|
|
subject: "group:admin"
|
|
policy: two_factor
|
|
|
|
# Rules applied to 'dev' group
|
|
- domain: dev.example.com
|
|
resources:
|
|
- "^/groups/dev/.*$"
|
|
subject: "group:dev"
|
|
policy: two_factor
|
|
|
|
# Rules applied to user 'harry'
|
|
- domain: dev.example.com
|
|
resources:
|
|
- "^/users/harry/.*$"
|
|
subject: "user:harry"
|
|
policy: two_factor
|
|
|
|
# Rules applied to user 'bob'
|
|
- domain: "*.mail.example.com"
|
|
subject: "user:bob"
|
|
policy: two_factor
|
|
- domain: "dev.example.com"
|
|
resources:
|
|
- "^/users/bob/.*$"
|
|
subject: "user:bob"
|
|
policy: two_factor
|
|
|
|
# Configuration of session cookies
|
|
#
|
|
# The session cookies identify the user once logged in.
|
|
session:
|
|
# The name of the session cookie. (default: authelia_session).
|
|
name: authelia_session
|
|
|
|
# The secret to encrypt the session cookie.
|
|
secret: unsecure_session_secret
|
|
|
|
# The time in ms before the cookie expires and session is reset.
|
|
expiration: 3600000 # 1 hour
|
|
|
|
# The inactivity time in ms before the session is reset.
|
|
inactivity: 300000 # 5 minutes
|
|
|
|
# The domain to protect.
|
|
# Note: the authenticator must also be in that domain. If empty, the cookie
|
|
# is restricted to the subdomain of the issuer.
|
|
domain: example.com
|
|
|
|
# The redis connection details
|
|
redis:
|
|
host: redis
|
|
port: 6379
|
|
password: authelia
|
|
|
|
# Configuration of the authentication regulation mechanism.
|
|
#
|
|
# This mechanism prevents attackers from brute forcing the first factor.
|
|
# It bans the user if too many attempts are done in a short period of
|
|
# time.
|
|
regulation:
|
|
# The number of failed login attempts before user is banned.
|
|
# Set it to 0 to disable regulation.
|
|
max_retries: 3
|
|
|
|
# The time range during which the user can attempt login before being banned.
|
|
# The user is banned if the authenticaction failed `max_retries` times in a `find_time` seconds window.
|
|
find_time: 8
|
|
|
|
# The length of time before a banned user can login again.
|
|
ban_time: 10
|
|
|
|
# Configuration of the storage backend used to store data and secrets.
|
|
#
|
|
# You must use only an available configuration: local, mongo
|
|
storage:
|
|
# The directory where the DB files will be saved
|
|
## local:
|
|
## path: /var/lib/authelia/store
|
|
|
|
# Settings to connect to mongo server
|
|
mongo:
|
|
url: mongodb://mongo
|
|
database: authelia
|
|
auth:
|
|
username: authelia
|
|
password: authelia
|
|
|
|
# Configuration of the notification system.
|
|
#
|
|
# Notifications are sent to users when they require a password reset, a u2f
|
|
# registration or a TOTP registration.
|
|
# Use only an available configuration: filesystem, gmail
|
|
notifier:
|
|
# Use a SMTP server for sending notifications
|
|
smtp:
|
|
host: smtp
|
|
port: 1025
|
|
sender: admin@example.com
|