authelia/internal/suites/Standalone/configuration.yml

---
###############################################################
#                Authelia minimal configuration               #
###############################################################

theme: 'auto'

server:
  address: 'tcp://:9091'
  tls:
    certificate: '/pki/public.backend.crt'
    key: '/pki/private.backend.pem'

telemetry:
  metrics:
    enabled: true
    address: 'tcp://:9959'

log:
  level: 'debug'

authentication_backend:
  file:
    path: '/config/users.yml'

session:
  expiration: '1h'
  inactivity: '5m'
  remember_me: '1y'
  cookies:
    - domain: 'example.com'
      authelia_url: 'https://login.example.com:8080'

storage:
  encryption_key: 'a_not_so_secure_encryption_key'
  local:
    path: '/tmp/db.sqlite3'

totp:
  issuer: 'example.com'

access_control:
  default_policy: 'deny'

  rules:
    - domain: 'singlefactor.example.com'
      policy: 'one_factor'

    - domain: 'public.example.com'
      policy: 'bypass'

    - domain: 'secure.example.com'
      policy: 'bypass'
      methods:
        - 'OPTIONS'

    - domain: 'secure.example.com'
      policy: 'two_factor'

    - domain: '*.example.com'
      subject: 'group:admins'
      policy: 'two_factor'

    - domain: 'dev.example.com'
      resources:
        - '^/users/john/.*$'
      subject: 'user:john'
      policy: 'two_factor'

    - domain: 'dev.example.com'
      resources:
        - '^/users/harry/.*$'
      subject: 'user:harry'
      policy: 'two_factor'

    - domain: '*.mail.example.com'
      subject: 'user:bob'
      policy: 'two_factor'

    - domain: 'dev.example.com'
      resources:
        - '^/users/bob/.*$'
      subject: 'user:bob'
      policy: 'two_factor'


regulation:
  # Set it to 0 to disable max_retries.
  max_retries: 3
  # The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
  find_time: '5m'
  # The length of time before a banned user can login again.
  ban_time: '15m'

notifier:
  smtp:
    address: 'smtp://smtp:1025'
    sender: 'admin@example.com'
    disable_require_tls: true
ntp:
  ## NTP server address
  address: 'time.cloudflare.com:123'
  ## ntp version
  version: 4
  ## "maximum desynchronization" is the allowed offset time between the host and the ntp server
  max_desync: 3s
  ## You can enable or disable the NTP synchronization check on startup
  disable_startup_check: false

password_policy:
  standard:
    # Enables standard password Policy
    enabled: false
    min_length: 8
    max_length: 0
    require_uppercase: true
    require_lowercase: true
    require_number: true
    require_special: true
  zxcvbn:
    ##  zxcvbn: uses zxcvbn for password strength checking (see: https://github.com/dropbox/zxcvbn)
    ##    Note that the zxcvbn option does not prohibit the user from using a weak password,
    ##    it only offers feedback about the strength of the password they are entering.
    ##    if you need to enforce password rules, you should use `mode=classic`
    enabled: false
...
ci: add yamllint (#1895) This change implements yamllint and adjusts all yaml files to abide by our linting setup. This excludes config.template.yml as this will be done in an alternate commit. 2021-04-10 20:51:00 +00:00			`---`
Fix inactivity Ãe2e tests. 2019-01-30 22:33:14 +00:00			`###############################################################`
			`# Authelia minimal configuration #`
			`###############################################################`

refactor: single quote yaml strings Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-07 06:41:41 +00:00			`theme: 'auto'`
test(web): integration test auto theme (#2096) Allows capturing of code coverage for the `auto` theme in the Standalone suite. 2021-06-18 07:15:58 +00:00
feat(configuration): replace several configuration options (#2209) This change adjusts several global options moving them into the server block. It additionally notes other breaking changes in the configuration. BREAKING CHANGE: Several configuration options have been changed and moved into other sections. Migration instructions are documented here: https://authelia.com/docs/configuration/migration.html#4.30.0 2021-08-02 11:55:30 +00:00			`server:`
feat(authentication): suport ldap over unix socket (#5397) This adds support for LDAP unix sockets using the ldapi scheme. In addition it improves all of the address related parsing significantly deprecating old options. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-07 06:39:17 +00:00			`address: 'tcp://:9091'`
feat(configuration): replace several configuration options (#2209) This change adjusts several global options moving them into the server block. It additionally notes other breaking changes in the configuration. BREAKING CHANGE: Several configuration options have been changed and moved into other sections. Migration instructions are documented here: https://authelia.com/docs/configuration/migration.html#4.30.0 2021-08-02 11:55:30 +00:00			`tls:`
refactor: single quote yaml strings Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-07 06:41:41 +00:00			`certificate: '/pki/public.backend.crt'`
			`key: '/pki/private.backend.pem'`
feat(configuration): replace several configuration options (#2209) This change adjusts several global options moving them into the server block. It additionally notes other breaking changes in the configuration. BREAKING CHANGE: Several configuration options have been changed and moved into other sections. Migration instructions are documented here: https://authelia.com/docs/configuration/migration.html#4.30.0 2021-08-02 11:55:30 +00:00
feat(metrics): implement prometheus metrics (#3234) Adds ability to record metrics and gather them for Prometheus. 2022-06-14 07:20:13 +00:00			`telemetry:`
			`metrics:`
			`enabled: true`
refactor: single quote yaml strings Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-07 06:41:41 +00:00			`address: 'tcp://:9959'`
feat(metrics): implement prometheus metrics (#3234) Adds ability to record metrics and gather them for Prometheus. 2022-06-14 07:20:13 +00:00
refactor(configuration): use key log instead of logging (#2072) * refactor: logging config key to log This refactors the recent pre-release change adding log options to their own configuration section in favor of a log section (from logging). * docs: add step to getting started to get the latest tagged commit This is so we avoid issues with changes on master having differences that don't work on the latest docker tag. * test: adjust tests * docs: adjust doc strings 2021-06-08 13:15:43 +00:00			`log:`
refactor: single quote yaml strings Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-07 06:41:41 +00:00			`level: 'debug'`
Fix inactivity Ãe2e tests. 2019-01-30 22:33:14 +00:00
			`authentication_backend:`
			`file:`
refactor: single quote yaml strings Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-07 06:41:41 +00:00			`path: '/config/users.yml'`
Fix inactivity Ãe2e tests. 2019-01-30 22:33:14 +00:00
			`session:`
refactor: single quote yaml strings Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-07 06:41:41 +00:00			`expiration: '1h'`
			`inactivity: '5m'`
			`remember_me: '1y'`
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2023-01-25 09:36:40 +00:00			`cookies:`
			`- domain: 'example.com'`
			`authelia_url: 'https://login.example.com:8080'`
Fix inactivity Ãe2e tests. 2019-01-30 22:33:14 +00:00
			`storage:`
refactor: single quote yaml strings Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-07 06:41:41 +00:00			`encryption_key: 'a_not_so_secure_encryption_key'`
Fix inactivity Ãe2e tests. 2019-01-30 22:33:14 +00:00			`local:`
refactor: single quote yaml strings Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-07 06:41:41 +00:00			`path: '/tmp/db.sqlite3'`
Fix inactivity Ãe2e tests. 2019-01-30 22:33:14 +00:00
			`totp:`
refactor: single quote yaml strings Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-07 06:41:41 +00:00			`issuer: 'example.com'`
Fix inactivity Ãe2e tests. 2019-01-30 22:33:14 +00:00
			`access_control:`
refactor: single quote yaml strings Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-07 06:41:41 +00:00			`default_policy: 'deny'`
Fix inactivity Ãe2e tests. 2019-01-30 22:33:14 +00:00
			`rules:`
refactor: single quote yaml strings Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-07 06:41:41 +00:00			`- domain: 'singlefactor.example.com'`
			`policy: 'one_factor'`
Fix inactivity Ãe2e tests. 2019-01-30 22:33:14 +00:00
refactor: single quote yaml strings Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-07 06:41:41 +00:00			`- domain: 'public.example.com'`
			`policy: 'bypass'`
Fix the bypass strategy. Before this fix an anonymous user was not able to access a resource that were configured with a bypass policy. This was due to a useless check of the userid in the auth session. Moreover, in the case of an anonymous user, we should not check the inactivity period since there is no session. Also refactor /verify endpoint for better testability and add tests in a new suite. 2019-03-22 15:54:27 +00:00
refactor: single quote yaml strings Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-07 06:41:41 +00:00			`- domain: 'secure.example.com'`
			`policy: 'bypass'`
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description 2021-03-05 04:18:31 +00:00			`methods:`
refactor: single quote yaml strings Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-07 06:41:41 +00:00			`- 'OPTIONS'`
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description 2021-03-05 04:18:31 +00:00
refactor: single quote yaml strings Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-07 06:41:41 +00:00			`- domain: 'secure.example.com'`
			`policy: 'two_factor'`
Display only one 2FA option. Displaying only one option at 2FA stage will allow to add more options like DUO push or OAuth. The user can switch to other option and in this case the option is remembered so that next time, the user will see the same option. The latest option is considered as the prefered option by Authelia. 2019-03-23 14:44:46 +00:00
refactor: single quote yaml strings Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-07 06:41:41 +00:00			`- domain: '*.example.com'`
			`subject: 'group:admins'`
			`policy: 'two_factor'`
Fix inactivity Ãe2e tests. 2019-01-30 22:33:14 +00:00
refactor: single quote yaml strings Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-07 06:41:41 +00:00			`- domain: 'dev.example.com'`
Fix inactivity Ãe2e tests. 2019-01-30 22:33:14 +00:00			`resources:`
refactor: single quote yaml strings Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-07 06:41:41 +00:00			`- '^/users/john/.*$'`
			`subject: 'user:john'`
			`policy: 'two_factor'`
Fix inactivity Ãe2e tests. 2019-01-30 22:33:14 +00:00
refactor: single quote yaml strings Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-07 06:41:41 +00:00			`- domain: 'dev.example.com'`
Fix inactivity Ãe2e tests. 2019-01-30 22:33:14 +00:00			`resources:`
refactor: single quote yaml strings Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-07 06:41:41 +00:00			`- '^/users/harry/.*$'`
			`subject: 'user:harry'`
			`policy: 'two_factor'`
Fix inactivity Ãe2e tests. 2019-01-30 22:33:14 +00:00
refactor: single quote yaml strings Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-07 06:41:41 +00:00			`- domain: '*.mail.example.com'`
			`subject: 'user:bob'`
			`policy: 'two_factor'`
Fix inactivity Ãe2e tests. 2019-01-30 22:33:14 +00:00
refactor: single quote yaml strings Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-07 06:41:41 +00:00			`- domain: 'dev.example.com'`
Fix inactivity Ãe2e tests. 2019-01-30 22:33:14 +00:00			`resources:`
refactor: single quote yaml strings Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-07 06:41:41 +00:00			`- '^/users/bob/.*$'`
			`subject: 'user:bob'`
			`policy: 'two_factor'`
Fix inactivity Ãe2e tests. 2019-01-30 22:33:14 +00:00
feat(session): multiple session cookie domains (#3754) This adds support to configure multiple session cookie domains. Closes #1198 Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2023-01-12 10:57:44 +00:00
Rewrite and fix remaining suites in Go. 2019-11-24 20:27:59 +00:00			`regulation:`
Fix inactivity Ãe2e tests. 2019-01-30 22:33:14 +00:00			`# Set it to 0 to disable max_retries.`
			`max_retries: 3`
Misc Spelling Corrections - Mostly changes to spelling of comments/docs/displayed text - A few changes to test function names 2020-01-21 00:10:00 +00:00			# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
refactor: single quote yaml strings Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-07 06:41:41 +00:00			`find_time: '5m'`
Fix inactivity Ãe2e tests. 2019-01-30 22:33:14 +00:00			`# The length of time before a banned user can login again.`
refactor: single quote yaml strings Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-07 06:41:41 +00:00			`ban_time: '15m'`
Fix inactivity Ãe2e tests. 2019-01-30 22:33:14 +00:00
			`notifier:`
			`smtp:`
feat(authentication): suport ldap over unix socket (#5397) This adds support for LDAP unix sockets using the ldapi scheme. In addition it improves all of the address related parsing significantly deprecating old options. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-07 06:39:17 +00:00			`address: 'smtp://smtp:1025'`
refactor: single quote yaml strings Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-07 06:41:41 +00:00			`sender: 'admin@example.com'`
ci: add yamllint (#1895) This change implements yamllint and adjusts all yaml files to abide by our linting setup. This excludes config.template.yml as this will be done in an alternate commit. 2021-04-10 20:51:00 +00:00			`disable_require_tls: true`
feat(ntp): check clock sync on startup (#2251) This adds method to validate the system clock is synchronized on startup. Configuration allows adjusting the server address, enabled state, desync limit, and if the error is fatal. Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> 2021-09-17 04:44:35 +00:00			`ntp:`
			`## NTP server address`
refactor: single quote yaml strings Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-07 06:41:41 +00:00			`address: 'time.cloudflare.com:123'`
feat(ntp): check clock sync on startup (#2251) This adds method to validate the system clock is synchronized on startup. Configuration allows adjusting the server address, enabled state, desync limit, and if the error is fatal. Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> 2021-09-17 04:44:35 +00:00			`## ntp version`
			`version: 4`
			`## "maximum desynchronization" is the allowed offset time between the host and the ntp server`
			`max_desync: 3s`
			`## You can enable or disable the NTP synchronization check on startup`
			`disable_startup_check: false`
feat(authentication): password policy (#2723) Implement a password policy with visual feedback in the web portal. Co-authored-by: Manuel Nuñez <@mind-ar> Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> 2022-04-02 22:32:57 +00:00
			`password_policy:`
			`standard:`
			`# Enables standard password Policy`
refactor: misc password policy refactoring (#3102) Add tests and makes the password policy a provider so the configuration can be loaded to memory on startup. 2022-04-03 00:48:26 +00:00			`enabled: false`
feat(authentication): password policy (#2723) Implement a password policy with visual feedback in the web portal. Co-authored-by: Manuel Nuñez <@mind-ar> Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> 2022-04-02 22:32:57 +00:00			`min_length: 8`
			`max_length: 0`
			`require_uppercase: true`
			`require_lowercase: true`
			`require_number: true`
			`require_special: true`
			`zxcvbn:`
			`## zxcvbn: uses zxcvbn for password strength checking (see: https://github.com/dropbox/zxcvbn)`
			`## Note that the zxcvbn option does not prohibit the user from using a weak password,`
			`## it only offers feedback about the strength of the password they are entering.`
			## if you need to enforce password rules, you should use `mode=classic`
			`enabled: false`
ci: add yamllint (#1895) This change implements yamllint and adjusts all yaml files to abide by our linting setup. This excludes config.template.yml as this will be done in an alternate commit. 2021-04-10 20:51:00 +00:00			`...`