|
|
| Line 1: |
Line 1: |
| ###############################################################
| | hgf |
| # Authelia configuration #
| |
| ###############################################################
| |
| | |
| # The host and port to listen on
| |
| host: 192.168.88.9
| |
| port: 9091
| |
| tls_key: /etc/letsencrypt/live/flowerhouse.at/privkey.pem
| |
| tls_cert: /etc/letsencrypt/live/flowerhouse.at/fullchain.pem
| |
| | |
| # The theme to display: light, dark, grey
| |
| theme: light
| |
| | |
| # Configuration options specific to the internal http server
| |
| server:
| |
| # Buffers usually should be configured to be the same value.
| |
| # Explanation at https://docs.authelia.com/configuration/server.html
| |
| # Read buffer size configures the http server's maximum incoming request size in bytes.
| |
| read_buffer_size: 4096
| |
| # Write buffer size configures the http server's maximum outgoing response size in bytes.
| |
| write_buffer_size: 4096
| |
| # Set the single level path Authelia listens on, must be alphanumeric chars and should not contain any slashes.
| |
| path: ""
| |
| | |
| # Level of verbosity for logs: info, debug, trace
| |
| log_level: debug
| |
| # Format the logs are written as: json, text
| |
| # log_format: json
| |
| # File path where the logs will be written. If not set logs are written to stdout.
| |
| # log_file_path: /config/authelia.log
| |
| | |
| # The secret used to generate JWT tokens when validating user identity by
| |
| # email confirmation.
| |
| # JWT Secret can also be set using a secret: https://docs.authelia.com/configuration/secrets.html
| |
| jwt_secret: a_very_important_secret
| |
| | |
| # Default redirection URL
| |
| #
| |
| # If user tries to authenticate without any referer, Authelia
| |
| # does not know where to redirect the user to at the end of the
| |
| # authentication process.
| |
| # This parameter allows you to specify the default redirection
| |
| # URL Authelia will use in such a case.
| |
| #
| |
| # Note: this parameter is optional. If not provided, user won't
| |
| # be redirected upon successful authentication.
| |
| default_redirection_url: https://home.example.com:8080/
| |
| | |
| # TOTP Settings
| |
| #
| |
| # Parameters used for TOTP generation
| |
| totp:
| |
| # The issuer name displayed in the Authenticator application of your choice
| |
| # See: https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names
| |
| issuer: authelia.com
| |
| # The period in seconds a one-time password is current for. Changing this will require all users to register
| |
| # their TOTP applications again.
| |
| # Warning: before changing period read the docs link below.
| |
| period: 30
| |
| # The skew controls number of one-time passwords either side of the current one that are valid.
| |
| # Warning: before changing skew read the docs link below.
| |
| skew: 1
| |
| # See: https://docs.authelia.com/configuration/one-time-password.html#period-and-skew to read the documentation.
| |
| | |
| # Duo Push API
| |
| #
| |
| # Parameters used to contact the Duo API. Those are generated when you protect an application
| |
| # of type "Partner Auth API" in the management panel.
| |
| duo_api:
| |
| hostname: api-123456789.example.com
| |
| integration_key: ABCDEF
| |
| # Secret can also be set using a secret: https://docs.authelia.com/configuration/secrets.html
| |
| secret_key: 1234567890abcdefghifjkl
| |
| | |
| # The authentication backend to use for verifying user passwords
| |
| # and retrieve information such as email address and groups
| |
| # users belong to.
| |
| #
| |
| # There are two supported backends: 'ldap' and 'file'.
| |
| authentication_backend:
| |
| # Disable both the HTML element and the API for reset password functionality
| |
| disable_reset_password: false
| |
| | |
| # File backend configuration.
| |
| #
| |
| # With this backend, the users database is stored in a file
| |
| # which is updated when users reset their passwords.
| |
| # Therefore, this backend is meant to be used in a dev environment
| |
| # and not in production since it prevents Authelia to be scaled to
| |
| # more than one instance. The options under 'password' have sane
| |
| # defaults, and as it has security implications it is highly recommended
| |
| # you leave the default values. Before considering changing these settings
| |
| # please read the docs page below:
| |
| # https://docs.authelia.com/configuration/authentication/file.html#password-hash-algorithm-tuning
| |
| | |
| file:
| |
| path: /config/authelia_users_database.yml
| |
| password:
| |
| algorithm: argon2id
| |
| iterations: 1
| |
| salt_length: 16
| |
| parallelism: 8
| |
| memory: 1024
| |
| | |
| # Access Control
| |
| #
| |
| # Access control is a list of rules defining the authorizations applied for one
| |
| # resource to users or group of users.
| |
| #
| |
| # If 'access_control' is not defined, ACL rules are disabled and the 'bypass'
| |
| # rule is applied, i.e., access is allowed to anyone. Otherwise restrictions follow
| |
| # the rules defined.
| |
| #
| |
| # Note: One can use the wildcard * to match any subdomain.
| |
| # It must stand at the beginning of the pattern. (example: *.mydomain.com)
| |
| #
| |
| # Note: You must put patterns containing wildcards between simple quotes for the YAML
| |
| # to be syntactically correct.
| |
| #
| |
| # Definition: A 'rule' is an object with the following keys: 'domain', 'subject',
| |
| # 'policy' and 'resources'.
| |
| #
| |
| # - 'domain' defines which domain or set of domains the rule applies to.
| |
| #
| |
| # - 'subject' defines the subject to apply authorizations to. This parameter is
| |
| # optional and matching any user if not provided. If provided, the parameter
| |
| # represents either a user or a group. It should be of the form 'user:<username>'
| |
| # or 'group:<groupname>'.
| |
| #
| |
| # - 'policy' is the policy to apply to resources. It must be either 'bypass',
| |
| # 'one_factor', 'two_factor' or 'deny'.
| |
| #
| |
| # - 'resources' is a list of regular expressions that matches a set of resources to
| |
| # apply the policy to. This parameter is optional and matches any resource if not
| |
| # provided.
| |
| #
| |
| # Note: the order of the rules is important. The first policy matching
| |
| # (domain, resource, subject) applies.
| |
| access_control:
| |
| # Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'.
| |
| # It is the policy applied to any resource if there is no policy to be applied
| |
| # to the user.
| |
| default_policy: deny
| |
| | |
| networks:
| |
| - name: internal
| |
| networks:
| |
| - 10.10.0.0/16
| |
| - 192.168.2.0/24
| |
| - name: VPN
| |
| networks: 10.9.0.0/16
| |
| | |
| rules:
| |
| # Rules applied to everyone
| |
| - domain: public.example.com
| |
| policy: bypass
| |
| | |
| - domain: secure.example.com
| |
| policy: one_factor
| |
| # Network based rule, if not provided any network matches.
| |
| networks:
| |
| - internal
| |
| - VPN
| |
| - 192.168.1.0/24
| |
| - 10.0.0.1
| |
| | |
| - domain:
| |
| - secure.example.com
| |
| - private.example.com
| |
| policy: two_factor
| |
| | |
| - domain: singlefactor.example.com
| |
| policy: one_factor
| |
| | |
| # Rules applied to 'admins' group
| |
| - domain: "mx2.mail.example.com"
| |
| subject: "group:admins"
| |
| policy: deny
| |
| | |
| - domain: "*.example.com"
| |
| subject:
| |
| - "group:admins"
| |
| - "group:moderators"
| |
| policy: two_factor
| |
| | |
| # Rules applied to 'dev' group
| |
| - domain: dev.example.com
| |
| resources:
| |
| - "^/groups/dev/.*$"
| |
| subject: "group:dev"
| |
| policy: two_factor
| |
| | |
| # Rules applied to user 'john'
| |
| - domain: dev.example.com
| |
| resources:
| |
| - "^/users/john/.*$"
| |
| subject: "user:john"
| |
| policy: two_factor
| |
| | |
| # Rules applied to user 'harry'
| |
| - domain: dev.example.com
| |
| resources:
| |
| - "^/users/harry/.*$"
| |
| subject: "user:harry"
| |
| policy: two_factor
| |
| | |
| # Rules applied to user 'bob'
| |
| - domain: "*.mail.example.com"
| |
| subject: "user:bob"
| |
| policy: two_factor
| |
| - domain: "dev.example.com"
| |
| resources:
| |
| - "^/users/bob/.*$"
| |
| subject: "user:bob"
| |
| policy: two_factor
| |
| | |
| # Configuration of session cookies
| |
| #
| |
| # The session cookies identify the user once logged in.
| |
| session:
| |
| # The name of the session cookie. (default: authelia_session).
| |
| name: flowerhouse_session
| |
| | |
| # The secret to encrypt the session data. This is only used with Redis.
| |
| # Secret can also be set using a secret: https://docs.authelia.com/configuration/secrets.html
| |
| secret: insecure_session_secret
| |
| | |
| # The time in seconds before the cookie expires and session is reset.
| |
| expiration: 1h
| |
| | |
| # The inactivity time in seconds before the session is reset.
| |
| inactivity: 5m
| |
| | |
| # The remember me duration.
| |
| # Value of 0 disables remember me.
| |
| # Value is in seconds, or duration notation. See: https://docs.authelia.com/configuration/index.html#duration-notation-format
| |
| # Longer periods are considered less secure because a stolen cookie will last longer giving attackers more time to spy
| |
| # or attack. Currently the default is 1M or 1 month.
| |
| remember_me_duration: 1M
| |
| | |
| # The domain to protect.
| |
| # Note: the authenticator must also be in that domain. If empty, the cookie
| |
| # is restricted to the subdomain of the issuer.
| |
| domain: example.com
| |
| | |
| # The redis connection details
| |
| redis:
| |
| host: 127.0.0.1
| |
| port: 6379
| |
| # Use a unix socket instead
| |
| # host: /var/run/redis/redis.sock
| |
| | |
| # Password can also be set using a secret: https://docs.authelia.com/configuration/secrets.html
| |
| password: authelia
| |
| # This is the Redis DB Index https://redis.io/commands/select (sometimes referred to as database number, DB, etc).
| |
| database_index: 0
| |
| | |
| # Configuration of the authentication regulation mechanism.
| |
| #
| |
| # This mechanism prevents attackers from brute forcing the first factor.
| |
| # It bans the user if too many attempts are done in a short period of
| |
| # time.
| |
| regulation:
| |
| # The number of failed login attempts before user is banned.
| |
| # Set it to 0 to disable regulation.
| |
| max_retries: 3
| |
| | |
| # The time range during which the user can attempt login before being banned.
| |
| # The user is banned if the authentication failed 'max_retries' times in a 'find_time' seconds window.
| |
| # Find Time accepts duration notation. See: https://docs.authelia.com/configuration/index.html#duration-notation-format
| |
| find_time: 2m
| |
| | |
| # The length of time before a banned user can login again.
| |
| # Ban Time accepts duration notation. See: https://docs.authelia.com/configuration/index.html#duration-notation-format
| |
| ban_time: 5m
| |
| | |
| # Configuration of the storage backend used to store data and secrets.
| |
| # You must use only an available configuration: local, mysql, postgres
| |
| storage:
| |
| # Settings to connect to MySQL server
| |
| mysql:
| |
| host: 192.168.88.13
| |
| port: 3306
| |
| database: authelia
| |
| username: authelia
| |
| # Password can also be set using a secret: https://docs.authelia.com/configuration/secrets.html
| |
| password: JTurmmdVJrMsmNrc
| |
| | |
| # Configuration of the notification system.
| |
| #
| |
| # Notifications are sent to users when they require a password reset, a u2f
| |
| # registration or a TOTP registration.
| |
| # Use only an available configuration: filesystem, smtp.
| |
| notifier:
| |
| # You can disable the notifier startup check by setting this to true.
| |
| disable_startup_check: false
| |
| | |
| # For testing purpose, notifications can be sent in a file
| |
| ## filesystem:
| |
| ## filename: /config/notification.txt
| |
| | |
| # Use a SMTP server for sending notifications. Authelia uses PLAIN or LOGIN method to authenticate.
| |
| # [Security] By default Authelia will:
| |
| # - force all SMTP connections over TLS including unauthenticated connections
| |
| # - use the disable_require_tls boolean value to disable this requirement (only works for unauthenticated connections)
| |
| # - validate the SMTP server x509 certificate during the TLS handshake against the hosts trusted certificates (configure in tls section)
| |
| smtp:
| |
| username: test
| |
| # Password can also be set using a secret: https://docs.authelia.com/configuration/secrets.html
| |
| password: password
| |
| host: 127.0.0.1
| |
| port: 25
| |
| sender: admin@example.com
| |
| # HELO/EHLO Identifier. Some SMTP Servers may reject the default of localhost.
| |
| identifier: localhost
| |
| # Subject configuration of the emails sent.
| |
| # {title} is replaced by the text from the notifier
| |
| subject: "[Authelia] {title}"
| |
| # This address is used during the startup check to verify the email configuration is correct. It's not important what it is except if your email server only allows local delivery.
| |
| startup_check_address: test@authelia.com
| |
| disable_require_tls: false
| |
| disable_html_emails: false
| |
| | |
| tls:
| |
| # Server Name for certificate validation (in case you are using the IP or non-FQDN in the host option).
| |
| # server_name: smtp.example.com
| |
| | |
| # Skip verifying the server certificate (to allow a self-signed certificate).
| |
| skip_verify: false
| |
| | |
| # Minimum TLS version for either StartTLS or SMTPS.
| |
| minimum_version: TLS1.2
| |
| | |
| # Sending an email using a Gmail account is as simple as the next section.
| |
| # You need to create an app password by following: https://support.google.com/accounts/answer/185833?hl=en
| |
| ## smtp:
| |
| ## username: myaccount@gmail.com
| |
| ## # Password can also be set using a secret: https://docs.authelia.com/configuration/secrets.html
| |
| ## password: yourapppassword
| |
| ## sender: admin@example.com
| |
| ## host: smtp.gmail.com
| |
| ## port: 587
| |
