authelia/internal/configuration/test_resources/config_domain_regex.yml

---
default_redirection_url: https://home.example.com:8080/

server:
  host: 127.0.0.1
  port: 9091

log:
  level: debug

totp:
  issuer: authelia.com

duo_api:
  hostname: api-123456789.example.com
  integration_key: ABCDEF

authentication_backend:
  ldap:
    url: ldap://127.0.0.1
    base_dn: dc=example,dc=com
    username_attribute: uid
    additional_users_dn: ou=users
    users_filter: (&({username_attribute}={input})(objectCategory=person)(objectClass=user))
    additional_groups_dn: ou=groups
    groups_filter: (&(member={dn})(objectClass=groupOfNames))
    group_name_attribute: cn
    mail_attribute: mail
    user: cn=admin,dc=example,dc=com

access_control:
  default_policy: deny

  rules:
    # Rules applied to everyone
    - domain_regex: ^(public|public2).example.com$
      policy: bypass

    - domain_regex: ^portfolio-(?P<User>[a-zA-Z0-9]+).example.com$
      policy: one_factor

    - domain_regex: ^portfolio-(?P<User>[a-zA-Z0-9]+)-(?P<Group>[a-zA-Z0-9]+).example.com$
      policy: one_factor

    - domain: secure.example.com
      policy: one_factor
      # Network based rule, if not provided any network matches.
      networks:
        - 192.168.1.0/24
    - domain: secure.example.com
      policy: two_factor

    - domain: [singlefactor.example.com, onefactor.example.com]
      policy: one_factor

    # Rules applied to 'admins' group
    - domain: "mx2.mail.example.com"
      subject: "group:admins"
      policy: deny
    - domain: "*.example.com"
      subject: "group:admins"
      policy: two_factor

    # Rules applied to 'dev' group
    - domain: dev.example.com
      resources:
        - "^/groups/dev/.*$"
      subject: "group:dev"
      policy: two_factor

    # Rules applied to user 'john'
    - domain: dev.example.com
      resources:
        - "^/users/john/.*$"
      subject: "user:john"
      policy: two_factor

    # Rules applied to 'dev' group and user 'john'
    - domain: dev.example.com
      resources:
        - "^/deny-all.*$"
      subject: ["group:dev", "user:john"]
      policy: deny

    # Rules applied to user 'harry'
    - domain: dev.example.com
      resources:
        - "^/users/harry/.*$"
      subject: "user:harry"
      policy: two_factor

    # Rules applied to user 'bob'
    - domain: "*.mail.example.com"
      subject: "user:bob"
      policy: two_factor
    - domain: "dev.example.com"
      resources:
        - "^/users/bob/.*$"
      subject: "user:bob"
      policy: two_factor

session:
  name: authelia_session
  expiration: 3600000  # 1 hour
  inactivity: 300000  # 5 minutes
  domain: example.com
  redis:
    host: 127.0.0.1
    port: 6379
    high_availability:
      sentinel_name: test

regulation:
  max_retries: 3
  find_time: 120
  ban_time: 300

storage:
  mysql:
    host: 127.0.0.1
    port: 3306
    database: authelia
    username: authelia

notifier:
  smtp:
    username: test
    host: 127.0.0.1
    port: 1025
    sender: admin@example.com
    disable_require_tls: true
...
feat(authorization): domain regex match with named groups (#2789) This adds an option to match domains by regex including two special named matching groups. User matches the username of the user, and Group matches the groups a user is a member of. These are both case-insensitive and you can see examples in the docs. 2022-04-01 11:38:49 +00:00			`---`
			`default_redirection_url: https://home.example.com:8080/`

			`server:`
			`host: 127.0.0.1`
			`port: 9091`

			`log:`
			`level: debug`

			`totp:`
			`issuer: authelia.com`

			`duo_api:`
			`hostname: api-123456789.example.com`
			`integration_key: ABCDEF`

			`authentication_backend:`
			`ldap:`
			`url: ldap://127.0.0.1`
			`base_dn: dc=example,dc=com`
			`username_attribute: uid`
			`additional_users_dn: ou=users`
			`users_filter: (&({username_attribute}={input})(objectCategory=person)(objectClass=user))`
			`additional_groups_dn: ou=groups`
			`groups_filter: (&(member={dn})(objectClass=groupOfNames))`
			`group_name_attribute: cn`
			`mail_attribute: mail`
			`user: cn=admin,dc=example,dc=com`

			`access_control:`
			`default_policy: deny`

			`rules:`
			`# Rules applied to everyone`
			`- domain_regex: ^(public\|public2).example.com$`
			`policy: bypass`

			`- domain_regex: ^portfolio-(?P<User>[a-zA-Z0-9]+).example.com$`
			`policy: one_factor`

			`- domain_regex: ^portfolio-(?P<User>[a-zA-Z0-9]+)-(?P<Group>[a-zA-Z0-9]+).example.com$`
			`policy: one_factor`

			`- domain: secure.example.com`
			`policy: one_factor`
			`# Network based rule, if not provided any network matches.`
			`networks:`
			`- 192.168.1.0/24`
			`- domain: secure.example.com`
			`policy: two_factor`

			`- domain: [singlefactor.example.com, onefactor.example.com]`
			`policy: one_factor`

			`# Rules applied to 'admins' group`
			`- domain: "mx2.mail.example.com"`
			`subject: "group:admins"`
			`policy: deny`
			`- domain: "*.example.com"`
			`subject: "group:admins"`
			`policy: two_factor`

			`# Rules applied to 'dev' group`
			`- domain: dev.example.com`
			`resources:`
			`- "^/groups/dev/.*$"`
			`subject: "group:dev"`
			`policy: two_factor`

			`# Rules applied to user 'john'`
			`- domain: dev.example.com`
			`resources:`
			`- "^/users/john/.*$"`
			`subject: "user:john"`
			`policy: two_factor`

			`# Rules applied to 'dev' group and user 'john'`
			`- domain: dev.example.com`
			`resources:`
			`- "^/deny-all.*$"`
			`subject: ["group:dev", "user:john"]`
			`policy: deny`

			`# Rules applied to user 'harry'`
			`- domain: dev.example.com`
			`resources:`
			`- "^/users/harry/.*$"`
			`subject: "user:harry"`
			`policy: two_factor`

			`# Rules applied to user 'bob'`
			`- domain: "*.mail.example.com"`
			`subject: "user:bob"`
			`policy: two_factor`
			`- domain: "dev.example.com"`
			`resources:`
			`- "^/users/bob/.*$"`
			`subject: "user:bob"`
			`policy: two_factor`

			`session:`
			`name: authelia_session`
			`expiration: 3600000 # 1 hour`
			`inactivity: 300000 # 5 minutes`
			`domain: example.com`
			`redis:`
			`host: 127.0.0.1`
			`port: 6379`
			`high_availability:`
			`sentinel_name: test`

			`regulation:`
			`max_retries: 3`
			`find_time: 120`
			`ban_time: 300`

			`storage:`
			`mysql:`
			`host: 127.0.0.1`
			`port: 3306`
			`database: authelia`
			`username: authelia`

			`notifier:`
			`smtp:`
			`username: test`
			`host: 127.0.0.1`
			`port: 1025`
			`sender: admin@example.com`
			`disable_require_tls: true`
			`...`