authelia/internal/suites/HighAvailability/configuration.yml

---
###############################################################
#                   Authelia configuration                    #
###############################################################

jwt_secret: unsecure_secret

server:
  port: 9091
  tls:
    certificate: /pki/public.backend.crt
    key: /pki/private.backend.pem

log:
  level: debug

totp:
  issuer: authelia.com

authentication_backend:
  ldap:
    url: ldap://openldap
    base_dn: dc=example,dc=com
    username_attribute: uid
    additional_users_dn: ou=users
    users_filter: (&({username_attribute}={input})(objectClass=person))
    additional_groups_dn: ou=groups
    groups_filter: (&(member={dn})(objectClass=groupOfNames))
    group_name_attribute: cn
    mail_attribute: mail
    display_name_attribute: displayName
    user: cn=admin,dc=example,dc=com
    password: password

access_control:
  default_policy: deny

  rules:
    # Rules applied to everyone
    - domain: public.example.com
      policy: bypass
    - domain: secure.example.com
      policy: two_factor
    - domain: singlefactor.example.com
      policy: one_factor

    # Rules applied to 'admins' group
    - domain: mx2.mail.example.com
      subject: "group:admins"
      policy: deny

    # Rules applied to user 'john'
    - domain: "*.example.com"
      subject: "user:john"
      policy: two_factor

    - domain: "*.example.com"
      subject: "group:admins"
      policy: two_factor

    # Rules applied to 'dev' group
    - domain: dev.example.com
      resources:
        - "^/groups/dev/.*$"
      subject: "group:dev"
      policy: two_factor

    # Rules applied to user 'harry'
    - domain: dev.example.com
      resources:
        - "^/users/harry/.*$"
      subject: "user:harry"
      policy: two_factor

    # Rules applied to user 'bob'
    - domain: "*.mail.example.com"
      subject: "user:bob"
      policy: two_factor
    - domain: "dev.example.com"
      resources:
        - "^/users/bob/.*$"
      subject: "user:bob"
      policy: two_factor

session:
  name: authelia_session
  secret: unsecure_session_secret
  expiration: 3600  # 1 hour
  inactivity: 300  # 5 minutes
  cookies:
    - domain: 'example.com'
      authelia_url: 'https://login.example.com:8080'
  redis:
    username: authelia
    password: redis-user-password
    high_availability:
      sentinel_name: authelia
      sentinel_password: sentinel-server-password
      nodes:
        - host: redis-sentinel-0
          port: 26379
        - host: redis-sentinel-1
          port: 26379
        - host: redis-sentinel-2
          port: 26379

  remember_me: 1y

regulation:
  max_retries: 3
  find_time: 8
  ban_time: 10

storage:
  encryption_key: a_not_so_secure_encryption_key
  mysql:
    host: mariadb
    port: 3306
    database: authelia
    username: admin
    password: password

notifier:
  smtp:
    host: smtp
    port: 1025
    sender: admin@example.com
    disable_require_tls: true
...
ci: add yamllint (#1895) This change implements yamllint and adjusts all yaml files to abide by our linting setup. This excludes config.template.yml as this will be done in an alternate commit. 2021-04-10 20:51:00 +00:00			`---`
Add config file in complete suite and remove useless files. 2019-01-30 22:36:58 +00:00			`###############################################################`
			`# Authelia configuration #`
			`###############################################################`

feat(configuration): replace several configuration options (#2209) This change adjusts several global options moving them into the server block. It additionally notes other breaking changes in the configuration. BREAKING CHANGE: Several configuration options have been changed and moved into other sections. Migration instructions are documented here: https://authelia.com/docs/configuration/migration.html#4.30.0 2021-08-02 11:55:30 +00:00			`jwt_secret: unsecure_secret`

			`server:`
			`port: 9091`
			`tls:`
refactor(suites): use pki for oidc (#4913) 2023-02-11 04:37:54 +00:00			`certificate: /pki/public.backend.crt`
			`key: /pki/private.backend.pem`
Add config file in complete suite and remove useless files. 2019-01-30 22:36:58 +00:00
refactor(configuration): use key log instead of logging (#2072) * refactor: logging config key to log This refactors the recent pre-release change adding log options to their own configuration section in favor of a log section (from logging). * docs: add step to getting started to get the latest tagged commit This is so we avoid issues with changes on master having differences that don't work on the latest docker tag. * test: adjust tests * docs: adjust doc strings 2021-06-08 13:15:43 +00:00			`log:`
feat(configuration): add error and warn log levels (#2050) This is so levels like warn and error can be used to exclude info or warn messages. Additionally there is a reasonable refactoring of logging moving the log config options to the logging key because there are a significant number of log options now. This also decouples the expvars and pprof handlers from the log level, and they are now configured by server.enable_expvars and server.enable_pprof at any logging level. 2021-06-01 04:09:50 +00:00			`level: debug`
Add config file in complete suite and remove useless files. 2019-01-30 22:36:58 +00:00
			`totp:`
			`issuer: authelia.com`

			`authentication_backend:`
			`ldap:`
Declare suites as Go structs and bootstrap e2e test framework in Go. Some tests are not fully rewritten in Go, a typescript wrapper is called instead until we remove the remaining TS tests and dependencies. Also, dockerize every components (mainly Authelia backend, frontend and kind) so that the project does not interfere with user host anymore (open ports for instance). The only remaining intrusive change is the one done during bootstrap to add entries in /etc/hosts. It will soon be avoided using authelia.com domain that I own. 2019-11-02 14:32:58 +00:00			`url: ldap://openldap`
Add config file in complete suite and remove useless files. 2019-01-30 22:36:58 +00:00			`base_dn: dc=example,dc=com`
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples 2020-03-15 07:10:25 +00:00			`username_attribute: uid`
Add config file in complete suite and remove useless files. 2019-01-30 22:36:58 +00:00			`additional_users_dn: ou=users`
[FEATURE][BREAKING] Allow users to sign in with email. (#792) * [FEATURE][BREAKING] Allow users to sign in with email. The users_filter purpose evolved with the introduction of username_attribute but is reverted here to allow the most flexibility. users_filter is now the actual filter used for searching the user and not a sub-filter based on the username_attribute anymore. * {input} placeholder has been introduced to later deprecate {0} which has been kept for backward compatibility. * {username_attribute} and {mail_attribute} are new placeholders used to back reference other configuration options. Fix #735 * [MISC] Introduce new placeholders for groups_filter too. * [MISC] Update BREAKING.md to mention the change regarding users_filter. * [MISC] Fix unit and integration tests. * Log an error message in console when U2F is not supported. * Apply suggestions from code review * Update BREAKING.md Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2020-03-30 22:36:04 +00:00			`users_filter: (&({username_attribute}={input})(objectClass=person))`
Add config file in complete suite and remove useless files. 2019-01-30 22:36:58 +00:00			`additional_groups_dn: ou=groups`
perf(authentication): improve ldap dynamic replacement performance (#2239) This change means we only check the filters for the existence of placeholders that cannot be replaced at startup. We then utilized cached results of that lookup for subsequent replacements. 2021-08-05 04:17:07 +00:00			`groups_filter: (&(member={dn})(objectClass=groupOfNames))`
Add config file in complete suite and remove useless files. 2019-01-30 22:36:58 +00:00			`group_name_attribute: cn`
			`mail_attribute: mail`
[FEATURE] Add Remote-Name and Remote-Email headers (#1402) 2020-10-26 11:38:08 +00:00			`display_name_attribute: displayName`
Add config file in complete suite and remove useless files. 2019-01-30 22:36:58 +00:00			`user: cn=admin,dc=example,dc=com`
			`password: password`

			`access_control:`
			`default_policy: deny`

			`rules:`
			`# Rules applied to everyone`
			`- domain: public.example.com`
[BREAKING] Create a suite for kubernetes tests. Authelia client uses hash router instead of browser router in order to work with Kubernetes nginx-ingress-controller. This is also better for users having old browsers. This commit is breaking because it requires to change the configuration of the proxy to include the # in the URL of the login portal. 2019-03-03 22:51:52 +00:00			`policy: bypass`
			`- domain: secure.example.com`
Add config file in complete suite and remove useless files. 2019-01-30 22:36:58 +00:00			`policy: two_factor`
[BREAKING] Create a suite for kubernetes tests. Authelia client uses hash router instead of browser router in order to work with Kubernetes nginx-ingress-controller. This is also better for users having old browsers. This commit is breaking because it requires to change the configuration of the proxy to include the # in the URL of the login portal. 2019-03-03 22:51:52 +00:00			`- domain: singlefactor.example.com`
Add config file in complete suite and remove useless files. 2019-01-30 22:36:58 +00:00			`policy: one_factor`

Fix and parallelize integration tests. 2019-11-30 16:49:52 +00:00			`# Rules applied to 'admins' group`
[BREAKING] Create a suite for kubernetes tests. Authelia client uses hash router instead of browser router in order to work with Kubernetes nginx-ingress-controller. This is also better for users having old browsers. This commit is breaking because it requires to change the configuration of the proxy to include the # in the URL of the login portal. 2019-03-03 22:51:52 +00:00			`- domain: mx2.mail.example.com`
Fix and parallelize integration tests. 2019-11-30 16:49:52 +00:00			`subject: "group:admins"`
Add config file in complete suite and remove useless files. 2019-01-30 22:36:58 +00:00			`policy: deny`
[BREAKING] Create a suite for kubernetes tests. Authelia client uses hash router instead of browser router in order to work with Kubernetes nginx-ingress-controller. This is also better for users having old browsers. This commit is breaking because it requires to change the configuration of the proxy to include the # in the URL of the login portal. 2019-03-03 22:51:52 +00:00
			`# Rules applied to user 'john'`
Declare suites as Go structs and bootstrap e2e test framework in Go. Some tests are not fully rewritten in Go, a typescript wrapper is called instead until we remove the remaining TS tests and dependencies. Also, dockerize every components (mainly Authelia backend, frontend and kind) so that the project does not interfere with user host anymore (open ports for instance). The only remaining intrusive change is the one done during bootstrap to add entries in /etc/hosts. It will soon be avoided using authelia.com domain that I own. 2019-11-02 14:32:58 +00:00			`- domain: "*.example.com"`
			`subject: "user:john"`
[BREAKING] Create a suite for kubernetes tests. Authelia client uses hash router instead of browser router in order to work with Kubernetes nginx-ingress-controller. This is also better for users having old browsers. This commit is breaking because it requires to change the configuration of the proxy to include the # in the URL of the login portal. 2019-03-03 22:51:52 +00:00			`policy: two_factor`

Declare suites as Go structs and bootstrap e2e test framework in Go. Some tests are not fully rewritten in Go, a typescript wrapper is called instead until we remove the remaining TS tests and dependencies. Also, dockerize every components (mainly Authelia backend, frontend and kind) so that the project does not interfere with user host anymore (open ports for instance). The only remaining intrusive change is the one done during bootstrap to add entries in /etc/hosts. It will soon be avoided using authelia.com domain that I own. 2019-11-02 14:32:58 +00:00			`- domain: "*.example.com"`
Fix and parallelize integration tests. 2019-11-30 16:49:52 +00:00			`subject: "group:admins"`
Add config file in complete suite and remove useless files. 2019-01-30 22:36:58 +00:00			`policy: two_factor`

			`# Rules applied to 'dev' group`
			`- domain: dev.example.com`
			`resources:`
Declare suites as Go structs and bootstrap e2e test framework in Go. Some tests are not fully rewritten in Go, a typescript wrapper is called instead until we remove the remaining TS tests and dependencies. Also, dockerize every components (mainly Authelia backend, frontend and kind) so that the project does not interfere with user host anymore (open ports for instance). The only remaining intrusive change is the one done during bootstrap to add entries in /etc/hosts. It will soon be avoided using authelia.com domain that I own. 2019-11-02 14:32:58 +00:00			`- "^/groups/dev/.*$"`
			`subject: "group:dev"`
Add config file in complete suite and remove useless files. 2019-01-30 22:36:58 +00:00			`policy: two_factor`

			`# Rules applied to user 'harry'`
			`- domain: dev.example.com`
			`resources:`
Declare suites as Go structs and bootstrap e2e test framework in Go. Some tests are not fully rewritten in Go, a typescript wrapper is called instead until we remove the remaining TS tests and dependencies. Also, dockerize every components (mainly Authelia backend, frontend and kind) so that the project does not interfere with user host anymore (open ports for instance). The only remaining intrusive change is the one done during bootstrap to add entries in /etc/hosts. It will soon be avoided using authelia.com domain that I own. 2019-11-02 14:32:58 +00:00			`- "^/users/harry/.*$"`
			`subject: "user:harry"`
Add config file in complete suite and remove useless files. 2019-01-30 22:36:58 +00:00			`policy: two_factor`

			`# Rules applied to user 'bob'`
Declare suites as Go structs and bootstrap e2e test framework in Go. Some tests are not fully rewritten in Go, a typescript wrapper is called instead until we remove the remaining TS tests and dependencies. Also, dockerize every components (mainly Authelia backend, frontend and kind) so that the project does not interfere with user host anymore (open ports for instance). The only remaining intrusive change is the one done during bootstrap to add entries in /etc/hosts. It will soon be avoided using authelia.com domain that I own. 2019-11-02 14:32:58 +00:00			`- domain: "*.mail.example.com"`
			`subject: "user:bob"`
Add config file in complete suite and remove useless files. 2019-01-30 22:36:58 +00:00			`policy: two_factor`
Declare suites as Go structs and bootstrap e2e test framework in Go. Some tests are not fully rewritten in Go, a typescript wrapper is called instead until we remove the remaining TS tests and dependencies. Also, dockerize every components (mainly Authelia backend, frontend and kind) so that the project does not interfere with user host anymore (open ports for instance). The only remaining intrusive change is the one done during bootstrap to add entries in /etc/hosts. It will soon be avoided using authelia.com domain that I own. 2019-11-02 14:32:58 +00:00			`- domain: "dev.example.com"`
Add config file in complete suite and remove useless files. 2019-01-30 22:36:58 +00:00			`resources:`
Declare suites as Go structs and bootstrap e2e test framework in Go. Some tests are not fully rewritten in Go, a typescript wrapper is called instead until we remove the remaining TS tests and dependencies. Also, dockerize every components (mainly Authelia backend, frontend and kind) so that the project does not interfere with user host anymore (open ports for instance). The only remaining intrusive change is the one done during bootstrap to add entries in /etc/hosts. It will soon be avoided using authelia.com domain that I own. 2019-11-02 14:32:58 +00:00			`- "^/users/bob/.*$"`
			`subject: "user:bob"`
Add config file in complete suite and remove useless files. 2019-01-30 22:36:58 +00:00			`policy: two_factor`

			`session:`
			`name: authelia_session`
			`secret: unsecure_session_secret`
ci: add yamllint (#1895) This change implements yamllint and adjusts all yaml files to abide by our linting setup. This excludes config.template.yml as this will be done in an alternate commit. 2021-04-10 20:51:00 +00:00			`expiration: 3600 # 1 hour`
			`inactivity: 300 # 5 minutes`
feat(handlers): authz authrequest authelia url (#5181) This adjusts the AuthRequest Authz implementation behave similarly to the other implementations in as much as Authelia can return the relevant redirection to the proxy and the proxy just utilizes it if possible. In addition it swaps the HAProxy examples over to the ForwardAuth implementation as that's now supported. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-04-08 04:48:55 +00:00			`cookies:`
			`- domain: 'example.com'`
			`authelia_url: 'https://login.example.com:8080'`
Add config file in complete suite and remove useless files. 2019-01-30 22:36:58 +00:00			`redis:`
feat(session): add redis sentinel provider (#1768) * feat(session): add redis sentinel provider * refactor(session): use int for ports as per go standards * refactor(configuration): adjust tests and validation * refactor(configuration): add err format consts * refactor(configuration): explicitly map redis structs * refactor(session): merge redis/redis sentinel providers * refactor(session): add additional checks to redis providers * feat(session): add redis cluster provider * fix: update config for new values * fix: provide nil certpool to affected tests/mocks * test: add additional tests to cover uncovered code * docs: expand explanation of host and nodes relation for redis * ci: add redis-sentinel to suite highavailability, add redis-sentinel quorum * fix(session): sentinel password * test: use redis alpine library image for redis sentinel, use expose instead of ports, use redis ip, adjust redis ip range, adjust redis config * test: make entrypoint.sh executable, fix entrypoint.sh if/elif * test: add redis failover tests * test: defer docker start, adjust sleep, attempt logout before login, attempt visit before login and tune timeouts, add additional logging * test: add sentinel integration test * test: add secondary node failure to tests, fix password usage, bump test timeout, add sleep * feat: use sentinel failover cluster * fix: renamed addrs to sentineladdrs upstream * test(session): sentinel failover * test: add redis standard back into testing * test: move redis standalone test to traefik2 * fix/docs: apply suggestions from code review 2021-03-09 23:03:05 +00:00			`username: authelia`
			`password: redis-user-password`
			`high_availability:`
			`sentinel_name: authelia`
			`sentinel_password: sentinel-server-password`
			`nodes:`
			`- host: redis-sentinel-0`
			`port: 26379`
			`- host: redis-sentinel-1`
			`port: 26379`
			`- host: redis-sentinel-2`
			`port: 26379`

feat(session): multiple session cookie domains (#3754) This adds support to configure multiple session cookie domains. Closes #1198 Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2023-01-12 10:57:44 +00:00			`remember_me: 1y`
Add config file in complete suite and remove useless files. 2019-01-30 22:36:58 +00:00
			`regulation:`
			`max_retries: 3`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`find_time: 8`
			`ban_time: 10`
Add config file in complete suite and remove useless files. 2019-01-30 22:36:58 +00:00
			`storage:`
feat(storage): encrypted secret values (#2588) This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330. Closes #682 2021-11-25 01:56:58 +00:00			`encryption_key: a_not_so_secure_encryption_key`
Add support for PostgreSQL. 2019-11-16 19:50:58 +00:00			`mysql:`
Deprecate mongo and add mariadb as storage backend option. 2019-11-16 10:38:21 +00:00			`host: mariadb`
Fix and parallelize integration tests. 2019-11-30 16:49:52 +00:00			`port: 3306`
Add config file in complete suite and remove useless files. 2019-01-30 22:36:58 +00:00			`database: authelia`
Deprecate mongo and add mariadb as storage backend option. 2019-11-16 10:38:21 +00:00			`username: admin`
			`password: password`
Add config file in complete suite and remove useless files. 2019-01-30 22:36:58 +00:00
			`notifier:`
			`smtp:`
Declare suites as Go structs and bootstrap e2e test framework in Go. Some tests are not fully rewritten in Go, a typescript wrapper is called instead until we remove the remaining TS tests and dependencies. Also, dockerize every components (mainly Authelia backend, frontend and kind) so that the project does not interfere with user host anymore (open ports for instance). The only remaining intrusive change is the one done during bootstrap to add entries in /etc/hosts. It will soon be avoided using authelia.com domain that I own. 2019-11-02 14:32:58 +00:00			`host: smtp`
Add config file in complete suite and remove useless files. 2019-01-30 22:36:58 +00:00			`port: 1025`
			`sender: admin@example.com`
ci: add yamllint (#1895) This change implements yamllint and adjusts all yaml files to abide by our linting setup. This excludes config.template.yml as this will be done in an alternate commit. 2021-04-10 20:51:00 +00:00			`disable_require_tls: true`
			`...`