authelia/docs/content/en/configuration/miscellaneous/server.md

---
title: "Server"
description: "Configuring the Server Settings."
lead: "Authelia runs an internal webserver. This section describes how to configure and tune this."
date: 2022-06-15T17:51:47+10:00
draft: false
images: []
menu:
  configuration:
    parent: "miscellaneous"
weight: 199200
toc: true
aliases:
  - /c/server
  - /docs/configuration/server.html
---

## Configuration

```yaml
server:
  host: 0.0.0.0
  port: 9091
  path: ""
  enable_pprof: false
  enable_expvars: false
  disable_healthcheck: false
  tls:
    key: ""
    certificate: ""
    client_certificates: []
  headers:
    csp_template: ""
  buffers:
    read: 4096
    write: 4096
  timeouts:
    read: 10s
    write: 10s
    idle: 10s
```

## Options

## host

{{< confkey type="string" default="0.0.0.0" required="no" >}}

Defines the address to listen on. See also [port](#port). Should typically be `0.0.0.0` or `127.0.0.1`, the former for
containerized environments and the later for daemonized environments like init.d and systemd.

Note: If utilising an IPv6 literal address it must be enclosed by square brackets and quoted:

```yaml
host: "[fd00:1111:2222:3333::1]"
```

### port

{{< confkey type="integer" default="9091" required="no" >}}

Defines the port to listen on. See also [host](#host).

### path

{{< confkey type="string " required="no" >}}

Authelia by default is served from the root `/` location, either via its own domain or subdomain.

Modifying this setting will allow you to serve Authelia out from a specified base path. Please note
that currently only a single level path is supported meaning slashes are not allowed, and only
alphanumeric characters are supported.

__Example:__

```yaml
server:
  path: ""
```

*Works for https://auth.example.com/, https://example.com/, etc*.

__Example:__

```yaml
server:
  path: authelia
```

*Works for https://auth.example.com/authelia/,  https://example.com/authelia/, etc*.

### asset_path

{{< confkey type="string " required="no" >}}

Authelia by default serves all static assets from an embedded filesystem in the Go binary.

Modifying this setting will allow you to override and serve specific assets for Authelia from a specified path. All
assets that can be overridden must be placed in the `asset_path`. The structure of this directory and the assets which
can be overriden is documented in the
[Sever Asset Overrides Reference Guide](../../reference/guides/server-asset-overrides.md).

### enable_pprof

{{< confkey type="boolean" default="false" required="no" >}}

Enables the go pprof endpoints.

### enable_expvars

{{< confkey type="boolean" default="false" required="no" >}}

Enables the go expvars endpoints.

### disable_healthcheck

{{< confkey type="boolean" default="false" required="no" >}}

On startup Authelia checks for the existence of /app/healthcheck.sh and /app/.healthcheck.env and if both of these exist
it writes the configuration vars for the healthcheck to the /app/.healthcheck.env file. In instances where this is not
desirable it's possible to disable these interactions entirely.

An example situation where this is the case is in Kubernetes when set security policies that prevent writing to the
ephemeral storage of a container or just don't want to enable the internal health check.

### tls

Authelia typically listens for plain unencrypted connections. This is by design as most environments allow to
security on lower areas of the OSI model. However it required, if you specify both the [tls key](#key) and
[tls certificate](#certificate) options, Authelia will listen for TLS connections.

The key must be generated by the administrator and can be done by following the
[Generating an RSA Self Signed Certificate](../miscellaneous/guides.md#generating-an-rsa-self-signed-certificate)
guide provided a self-signed certificate is fit for purpose. If a self-signed certificate is fit for purpose is beyond
the scope of the documentation and if it is not fit for purpose we instead recommend generating a certificate signing
request or obtaining a certificate signed by one of the many ACME certificate providers. Methods to achieve this are
beyond the scope of this guide.

#### key

{{< confkey type="string" required="situational" >}}

The path to the private key for TLS connections. Must be in DER base64/PEM format.

#### certificate

{{< confkey type="string" required="situational" >}}

The path to the public certificate for TLS connections. Must be in DER base64/PEM format.

#### client_certificates

{{< confkey type="list(string)" required="situational" >}}

The list of file paths to certificates used for authenticating clients. Those certificates can be root
or intermediate certificates. If no item is provided mutual TLS is disabled.

### headers

#### csp_template

{{< confkey type="string" required="no" >}}

This customizes the value of the Content-Security-Policy header. It will replace all instances of `${NONCE}` with the
nonce value of the Authelia react bundle. This is an advanced option to customize and you should do sufficient research
about how browsers utilize and understand this header before attempting to customize it.

For example, the default CSP template is `default-src 'self'; object-src 'none'; style-src 'self' 'nonce-${NONCE}'`.

### buffers

Configures the server buffers. See the [Server Buffers](../prologue/common.md#server-buffers) documentation for more
information.

### timeouts

Configures the server timeouts. See the [Server Timeouts](../prologue/common.md#server-timeouts) documentation for more
information.

## Additional Notes

### Buffer Sizes

The read and write buffer sizes generally should be the same. This is because when Authelia verifies
if the user is authorized to visit a URL, it also sends back nearly the same size response as the request. However
you're able to tune these individually depending on your needs.

### Asset Overrides

If replacing the Logo for your Authelia portal it is recommended to upload a transparent PNG of your desired logo.
Authelia will automatically resize the logo to an appropriate size to present in the frontend.
feat: major documentation refresh (#3475) This marks the launch of the new documentation website. 2022-06-15 07:51:47 +00:00			`---`
			`title: "Server"`
			`description: "Configuring the Server Settings."`
			`lead: "Authelia runs an internal webserver. This section describes how to configure and tune this."`
docs: update dates (#3615) 2022-06-28 05:27:14 +00:00			`date: 2022-06-15T17:51:47+10:00`
feat: major documentation refresh (#3475) This marks the launch of the new documentation website. 2022-06-15 07:51:47 +00:00			`draft: false`
			`images: []`
			`menu:`
			`configuration:`
			`parent: "miscellaneous"`
			`weight: 199200`
			`toc: true`
			`aliases:`
			`- /c/server`
			`- /docs/configuration/server.html`
			`---`

			`## Configuration`

			```yaml
			`server:`
			`host: 0.0.0.0`
			`port: 9091`
			`path: ""`
			`enable_pprof: false`
			`enable_expvars: false`
			`disable_healthcheck: false`
			`tls:`
			`key: ""`
			`certificate: ""`
			`client_certificates: []`
			`headers:`
			`csp_template: ""`
refactor(server): use errgroup to supervise services (#3755) Uses the errgroup package and pattern for supervising services like servers etc. 2022-08-08 21:50:12 +00:00			`buffers:`
			`read: 4096`
			`write: 4096`
			`timeouts:`
			`read: 10s`
			`write: 10s`
			`idle: 10s`
feat: major documentation refresh (#3475) This marks the launch of the new documentation website. 2022-06-15 07:51:47 +00:00			```

			`## Options`

			`## host`

			`{{< confkey type="string" default="0.0.0.0" required="no" >}}`

			Defines the address to listen on. See also [port](#port). Should typically be `0.0.0.0` or `127.0.0.1`, the former for
			`containerized environments and the later for daemonized environments like init.d and systemd.`

			`Note: If utilising an IPv6 literal address it must be enclosed by square brackets and quoted:`

			```yaml
			`host: "[fd00:1111:2222:3333::1]"`
			```

			`### port`

			`{{< confkey type="integer" default="9091" required="no" >}}`

			`Defines the port to listen on. See also [host](#host).`

			`### path`

			`{{< confkey type="string " required="no" >}}`

			Authelia by default is served from the root `/` location, either via its own domain or subdomain.

			`Modifying this setting will allow you to serve Authelia out from a specified base path. Please note`
			`that currently only a single level path is supported meaning slashes are not allowed, and only`
			`alphanumeric characters are supported.`

			`__Example:__`

			```yaml
			`server:`
			`path: ""`
			```

			`Works for https://auth.example.com/, https://example.com/, etc.`

			`__Example:__`

			```yaml
			`server:`
			`path: authelia`
			```

			`Works for https://auth.example.com/authelia/, https://example.com/authelia/, etc.`

			`### asset_path`

			`{{< confkey type="string " required="no" >}}`

			`Authelia by default serves all static assets from an embedded filesystem in the Go binary.`

			`Modifying this setting will allow you to override and serve specific assets for Authelia from a specified path. All`
			assets that can be overridden must be placed in the `asset_path`. The structure of this directory and the assets which
			`can be overriden is documented in the`
			`[Sever Asset Overrides Reference Guide](../../reference/guides/server-asset-overrides.md).`

			`### enable_pprof`

			`{{< confkey type="boolean" default="false" required="no" >}}`

			`Enables the go pprof endpoints.`

			`### enable_expvars`

			`{{< confkey type="boolean" default="false" required="no" >}}`

			`Enables the go expvars endpoints.`

			`### disable_healthcheck`

			`{{< confkey type="boolean" default="false" required="no" >}}`

			`On startup Authelia checks for the existence of /app/healthcheck.sh and /app/.healthcheck.env and if both of these exist`
			`it writes the configuration vars for the healthcheck to the /app/.healthcheck.env file. In instances where this is not`
			`desirable it's possible to disable these interactions entirely.`

			`An example situation where this is the case is in Kubernetes when set security policies that prevent writing to the`
			`ephemeral storage of a container or just don't want to enable the internal health check.`

			`### tls`

			`Authelia typically listens for plain unencrypted connections. This is by design as most environments allow to`
			`security on lower areas of the OSI model. However it required, if you specify both the [tls key](#key) and`
			`[tls certificate](#certificate) options, Authelia will listen for TLS connections.`

			`The key must be generated by the administrator and can be done by following the`
			`[Generating an RSA Self Signed Certificate](../miscellaneous/guides.md#generating-an-rsa-self-signed-certificate)`
			`guide provided a self-signed certificate is fit for purpose. If a self-signed certificate is fit for purpose is beyond`
			`the scope of the documentation and if it is not fit for purpose we instead recommend generating a certificate signing`
			`request or obtaining a certificate signed by one of the many ACME certificate providers. Methods to achieve this are`
			`beyond the scope of this guide.`

			`#### key`

			`{{< confkey type="string" required="situational" >}}`

			`The path to the private key for TLS connections. Must be in DER base64/PEM format.`

			`#### certificate`

			`{{< confkey type="string" required="situational" >}}`

			`The path to the public certificate for TLS connections. Must be in DER base64/PEM format.`

			`#### client_certificates`

			`{{< confkey type="list(string)" required="situational" >}}`

			`The list of file paths to certificates used for authenticating clients. Those certificates can be root`
			`or intermediate certificates. If no item is provided mutual TLS is disabled.`

			`### headers`

			`#### csp_template`

			`{{< confkey type="string" required="no" >}}`

			This customizes the value of the Content-Security-Policy header. It will replace all instances of `${NONCE}` with the
			`nonce value of the Authelia react bundle. This is an advanced option to customize and you should do sufficient research`
			`about how browsers utilize and understand this header before attempting to customize it.`

			For example, the default CSP template is `default-src 'self'; object-src 'none'; style-src 'self' 'nonce-${NONCE}'`.

refactor(server): use errgroup to supervise services (#3755) Uses the errgroup package and pattern for supervising services like servers etc. 2022-08-08 21:50:12 +00:00			`### buffers`

			`Configures the server buffers. See the [Server Buffers](../prologue/common.md#server-buffers) documentation for more`
			`information.`

			`### timeouts`

			`Configures the server timeouts. See the [Server Timeouts](../prologue/common.md#server-timeouts) documentation for more`
			`information.`

feat: major documentation refresh (#3475) This marks the launch of the new documentation website. 2022-06-15 07:51:47 +00:00			`## Additional Notes`

			`### Buffer Sizes`

			`The read and write buffer sizes generally should be the same. This is because when Authelia verifies`
			`if the user is authorized to visit a URL, it also sends back nearly the same size response as the request. However`
			`you're able to tune these individually depending on your needs.`

			`### Asset Overrides`

			`If replacing the Logo for your Authelia portal it is recommended to upload a transparent PNG of your desired logo.`
			`Authelia will automatically resize the logo to an appropriate size to present in the frontend.`