authelia/internal/suites/Standalone/configuration.yml

---
###############################################################
#                Authelia minimal configuration               #
###############################################################

port: 9091
tls_cert: /config/ssl/cert.pem
tls_key: /config/ssl/key.pem

logging:
  level: debug

authentication_backend:
  file:
    path: /config/users.yml

session:
  domain: example.com
  expiration: 3600  # 1 hour
  inactivity: 300  # 5 minutes
  remember_me_duration: 1y

storage:
  local:
    path: /tmp/db.sqlite3

totp:
  issuer: example.com

access_control:
  default_policy: deny

  rules:
    - domain: singlefactor.example.com
      policy: one_factor

    - domain: public.example.com
      policy: bypass

    - domain: secure.example.com
      policy: bypass
      methods:
        - OPTIONS

    - domain: secure.example.com
      policy: two_factor

    - domain: "*.example.com"
      subject: "group:admins"
      policy: two_factor

    - domain: dev.example.com
      resources:
        - "^/users/john/.*$"
      subject: "user:john"
      policy: two_factor

    - domain: dev.example.com
      resources:
        - "^/users/harry/.*$"
      subject: "user:harry"
      policy: two_factor

    - domain: "*.mail.example.com"
      subject: "user:bob"
      policy: two_factor

    - domain: dev.example.com
      resources:
        - "^/users/bob/.*$"
      subject: "user:bob"
      policy: two_factor

regulation:
  # Set it to 0 to disable max_retries.
  max_retries: 3
  # The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
  find_time: 300
  # The length of time before a banned user can login again.
  ban_time: 900

notifier:
  smtp:
    host: smtp
    port: 1025
    sender: admin@example.com
    disable_require_tls: true
...
ci: add yamllint (#1895) This change implements yamllint and adjusts all yaml files to abide by our linting setup. This excludes config.template.yml as this will be done in an alternate commit. 2021-04-10 20:51:00 +00:00			`---`
Fix inactivity Ãe2e tests. 2019-01-30 22:33:14 +00:00			`###############################################################`
			`# Authelia minimal configuration #`
			`###############################################################`

			`port: 9091`
[FEATURE] Docker simplification and configuration generation (#1113) * [FEATURE] Docker simplification and configuration generation The Authelia binary now will attempt to generate configuration based on the latest template assuming that the config location specified on startup does not exist. If a file based backend is selected and the backend cannot be found similarly it will generate a `user_database.yml` based a template. This will allow more seamless bootstrapping of an environment no matter the deployment method. We have also squashed the Docker volume requirement down to just `/config` thus removing the requirement for `/var/lib/authelia` this is primarily in attempts to simplify the Docker deployment. Users with the old volume mappings have two options: 1. Change their mappings to conform to `/config` 2. Change the container entrypoint from `authelia --config /config/configuration.yml` to their old mapping * Adjust paths relative to `/etc/authelia` and simplify to single volume for compose * Add generation for file backend based user database * Refactor Docker volumes and paths to /config * Refactor Docker WORKDIR to /app * Fix integration tests * Update BREAKING.md for v4.20.0 * Run go mod tidy * Fix log_file_path in miscellaneous.md docs * Generate config and userdb with 0600 permissions * Fix log_file_path in config.template.yml 2020-06-17 06:25:35 +00:00			`tls_cert: /config/ssl/cert.pem`
			`tls_key: /config/ssl/key.pem`
Fix inactivity Ãe2e tests. 2019-01-30 22:33:14 +00:00
feat(configuration): add error and warn log levels (#2050) This is so levels like warn and error can be used to exclude info or warn messages. Additionally there is a reasonable refactoring of logging moving the log config options to the logging key because there are a significant number of log options now. This also decouples the expvars and pprof handlers from the log level, and they are now configured by server.enable_expvars and server.enable_pprof at any logging level. 2021-06-01 04:09:50 +00:00			`logging:`
			`level: debug`
Fix inactivity Ãe2e tests. 2019-01-30 22:33:14 +00:00
			`authentication_backend:`
			`file:`
[FEATURE] Docker simplification and configuration generation (#1113) * [FEATURE] Docker simplification and configuration generation The Authelia binary now will attempt to generate configuration based on the latest template assuming that the config location specified on startup does not exist. If a file based backend is selected and the backend cannot be found similarly it will generate a `user_database.yml` based a template. This will allow more seamless bootstrapping of an environment no matter the deployment method. We have also squashed the Docker volume requirement down to just `/config` thus removing the requirement for `/var/lib/authelia` this is primarily in attempts to simplify the Docker deployment. Users with the old volume mappings have two options: 1. Change their mappings to conform to `/config` 2. Change the container entrypoint from `authelia --config /config/configuration.yml` to their old mapping * Adjust paths relative to `/etc/authelia` and simplify to single volume for compose * Add generation for file backend based user database * Refactor Docker volumes and paths to /config * Refactor Docker WORKDIR to /app * Fix integration tests * Update BREAKING.md for v4.20.0 * Run go mod tidy * Fix log_file_path in miscellaneous.md docs * Generate config and userdb with 0600 permissions * Fix log_file_path in config.template.yml 2020-06-17 06:25:35 +00:00			`path: /config/users.yml`
Fix inactivity Ãe2e tests. 2019-01-30 22:33:14 +00:00
			`session:`
			`domain: example.com`
ci: add yamllint (#1895) This change implements yamllint and adjusts all yaml files to abide by our linting setup. This excludes config.template.yml as this will be done in an alternate commit. 2021-04-10 20:51:00 +00:00			`expiration: 3600 # 1 hour`
			`inactivity: 300 # 5 minutes`
[FEATURE] Remember Me Configuration (#813) * [FEATURE] Remember Me Configuration * allow users to specify the duration of remember me using remember_me_duration in session config * setting the duration to 0 disables remember me * only render the remember me element if remember me is enabled * prevent malicious users from faking remember me functionality in the backend * add string to duration helper called ParseDurationString to parse a string into a duration * added tests to the helper function * use the SessionProvider to store the time.Duration instead of parsing it over and over again * add sec doc, adjust month/min, consistency * renamed internal/utils/constants.go to internal/utils/const.go to be consistent * added security measure docs * adjusted default remember me duration to be 1 month instead of 1 year * utilize default remember me duration in the autheliaCtx mock * adjust order of keys in session configuration examples * add notes on session security measures secret only being redis * add TODO items for duration notation for both Expiration and Inactivity (will be removed soon) * fix error text for Inactivity in the validator * add session validator tests * deref check bodyJSON.KeepMeLoggedIn and derive the value based on conf and user input and store it (DRY) * remove unnecessary regex for the simplified ParseDurationString utility * ParseDurationString only accepts decimals without leading zeros now * comprehensively test all unit types * remove unnecessary type unions in web * add test to check sanity of time duration consts, this is just so they can't be accidentally changed * simplify deref check and assignment * fix reset password padding/margins * adjust some doc wording * adjust the handler configuration suite test * actually run the handler configuration suite test (whoops) * reduce the number of regex's used by ParseDurationString to 1, thanks to Clement * adjust some error wording 2020-04-03 23:11:33 +00:00			`remember_me_duration: 1y`
Fix inactivity Ãe2e tests. 2019-01-30 22:33:14 +00:00
			`storage:`
			`local:`
Build docker image upfront in CI and use it in integration tests. (#555) * Build docker image upfront in CI and use it in integration tests. Previously, the development workflow was broken because the container generated from Dockerfile.CI was used in dev environments but the binary was not pre-built as it is on buildkite. I propose to just remove that image and use the "to be published" image instead in integration tests. This will have several advantages: - Fix the dev workflow. - Remove CI arch from authelia-scripts build command - Optimize CI time in buildkite since we'll cache a way small artifact - We don't build authelia more than once for earch arch. * Fix suites and only build ARM images on master or tagged commits * Optimise pipeline dependencies and Kubernetes suite to utilise cache * Run unit tests and docker image build in parallel. * Fix suite trying to write on read only fs. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2020-01-17 19:46:51 +00:00			`path: /tmp/db.sqlite3`
Fix inactivity Ãe2e tests. 2019-01-30 22:33:14 +00:00
			`totp:`
			`issuer: example.com`

			`access_control:`
			`default_policy: deny`

			`rules:`
[BREAKING] Create a suite for kubernetes tests. Authelia client uses hash router instead of browser router in order to work with Kubernetes nginx-ingress-controller. This is also better for users having old browsers. This commit is breaking because it requires to change the configuration of the proxy to include the # in the URL of the login portal. 2019-03-03 22:51:52 +00:00			`- domain: singlefactor.example.com`
Fix inactivity Ãe2e tests. 2019-01-30 22:33:14 +00:00			`policy: one_factor`

Fix the bypass strategy. Before this fix an anonymous user was not able to access a resource that were configured with a bypass policy. This was due to a useless check of the userid in the auth session. Moreover, in the case of an anonymous user, we should not check the inactivity period since there is no session. Also refactor /verify endpoint for better testability and add tests in a new suite. 2019-03-22 15:54:27 +00:00			`- domain: public.example.com`
			`policy: bypass`

perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description 2021-03-05 04:18:31 +00:00			`- domain: secure.example.com`
			`policy: bypass`
			`methods:`
			`- OPTIONS`

Display only one 2FA option. Displaying only one option at 2FA stage will allow to add more options like DUO push or OAuth. The user can switch to other option and in this case the option is remembered so that next time, the user will see the same option. The latest option is considered as the prefered option by Authelia. 2019-03-23 14:44:46 +00:00			`- domain: secure.example.com`
			`policy: two_factor`

Rewrite and fix remaining suites in Go. 2019-11-24 20:27:59 +00:00			`- domain: "*.example.com"`
Fix inactivity Ãe2e tests. 2019-01-30 22:33:14 +00:00			`subject: "group:admins"`
			`policy: two_factor`

			`- domain: dev.example.com`
			`resources:`
Rewrite and fix remaining suites in Go. 2019-11-24 20:27:59 +00:00			`- "^/users/john/.*$"`
Fix inactivity Ãe2e tests. 2019-01-30 22:33:14 +00:00			`subject: "user:john"`
			`policy: two_factor`

			`- domain: dev.example.com`
			`resources:`
Rewrite and fix remaining suites in Go. 2019-11-24 20:27:59 +00:00			`- "^/users/harry/.*$"`
Fix inactivity Ãe2e tests. 2019-01-30 22:33:14 +00:00			`subject: "user:harry"`
			`policy: two_factor`

Rewrite and fix remaining suites in Go. 2019-11-24 20:27:59 +00:00			`- domain: "*.mail.example.com"`
Fix inactivity Ãe2e tests. 2019-01-30 22:33:14 +00:00			`subject: "user:bob"`
			`policy: two_factor`

			`- domain: dev.example.com`
			`resources:`
Rewrite and fix remaining suites in Go. 2019-11-24 20:27:59 +00:00			`- "^/users/bob/.*$"`
Fix inactivity Ãe2e tests. 2019-01-30 22:33:14 +00:00			`subject: "user:bob"`
			`policy: two_factor`

Rewrite and fix remaining suites in Go. 2019-11-24 20:27:59 +00:00			`regulation:`
Fix inactivity Ãe2e tests. 2019-01-30 22:33:14 +00:00			`# Set it to 0 to disable max_retries.`
			`max_retries: 3`
Misc Spelling Corrections - Mostly changes to spelling of comments/docs/displayed text - A few changes to test function names 2020-01-21 00:10:00 +00:00			# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
Create a specific suite for short timeouts to let humans use simple suite. 2019-03-02 21:27:54 +00:00			`find_time: 300`
Fix inactivity Ãe2e tests. 2019-01-30 22:33:14 +00:00			`# The length of time before a banned user can login again.`
Create a specific suite for short timeouts to let humans use simple suite. 2019-03-02 21:27:54 +00:00			`ban_time: 900`
Fix inactivity Ãe2e tests. 2019-01-30 22:33:14 +00:00
			`notifier:`
			`smtp:`
Declare suites as Go structs and bootstrap e2e test framework in Go. Some tests are not fully rewritten in Go, a typescript wrapper is called instead until we remove the remaining TS tests and dependencies. Also, dockerize every components (mainly Authelia backend, frontend and kind) so that the project does not interfere with user host anymore (open ports for instance). The only remaining intrusive change is the one done during bootstrap to add entries in /etc/hosts. It will soon be avoided using authelia.com domain that I own. 2019-11-02 14:32:58 +00:00			`host: smtp`
Fix inactivity Ãe2e tests. 2019-01-30 22:33:14 +00:00			`port: 1025`
			`sender: admin@example.com`
ci: add yamllint (#1895) This change implements yamllint and adjusts all yaml files to abide by our linting setup. This excludes config.template.yml as this will be done in an alternate commit. 2021-04-10 20:51:00 +00:00			`disable_require_tls: true`
			`...`