RPJosh
/
authelia
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
authelia/docs/configuration/index.md

79 lines
3.4 KiB
Markdown
Raw Normal View History

[DOCS] Bootstrap new documentation website based on just-the-docs (#659)
2020-02-29 00:43:59 +00:00
---
layout: default
title: Configuration
nav_order: 4
has_children: true
---
# Configuration
Authelia uses a YAML file as configuration file. A template with all possible
[DOCS] Fix Docs Links (#674) - Fixed a few broken links
2020-03-01 05:58:26 +00:00
options can be found [here](https://github.com/authelia/authelia/blob/master/config.template.yml), at the root of the repository.
[DOCS] Bootstrap new documentation website based on just-the-docs (#659)
2020-02-29 00:43:59 +00:00
When running **Authelia**, you can specify your configuration by passing
the file path as shown below.
$ authelia --config config.custom.yml
[FEATURE] Config Validation (#901) * [FEATURE] Config Validation * check configuration for invalid keys on startup * allow users to manually trigger all configuration validation on a file using a cmd * setup all defaults in config template and run tests against it to prevent accidents * use tests to check bad configuration values are caught * use tests to check old configuration values are caught * add tests for specific key errors * resolve merge conflicts * nolint prealloc for test
2020-04-23 01:47:27 +00:00
## Validation
Authelia validates the configuration when it starts. This process checks multiple factors including configuration keys
that don't exist, configuration keys that have changed, the values of the keys are valid, and that a configuration
key isn't supplied at the same time as a secret for the same configuration option.
You may also optionally validate your configuration against this validation process manually by using the validate-config
option with the Authelia binary as shown below. Keep in mind if you're using [secrets](./secrets.md) you will have to
manually provide these if you don't want to get certain validation errors (specifically requesting you provide one of
the secret values). You can choose to ignore them if you know what you're doing. This command is useful prior to
[FIX] Hash Password Cmd Not Encoding Provided Salt (#999) * using authelia hash-password if you provide a salt it doesn't encode it as a base64 string * this causes invalid salts to be stored if a user manually provided one instead of reliance on the automatic generation * additionally bumped the minimum required salt length to 8 as per reference spec * additionally removed the maximum salt length as per reference spec (actually 2^32-1 per int32) * see docs: * https://tools.ietf.org/html/draft-irtf-cfrg-argon2-10 * https://github.com/P-H-C/phc-winner-argon2 * https://github.com/P-H-C/phc-string-format * encode all salts * fix edge case of false positive in CheckPassword * bump crypt version and fix tests
2020-05-14 05:55:03 +00:00
upgrading to prevent configuration changes from impacting downtime in an upgrade. This process does not validate
integrations, it only checks that your configuration syntax is valid.
[FEATURE] Config Validation (#901) * [FEATURE] Config Validation * check configuration for invalid keys on startup * allow users to manually trigger all configuration validation on a file using a cmd * setup all defaults in config template and run tests against it to prevent accidents * use tests to check bad configuration values are caught * use tests to check old configuration values are caught * add tests for specific key errors * resolve merge conflicts * nolint prealloc for test
2020-04-23 01:47:27 +00:00
$ authelia validate-config configuration.yml
[MISC] Update durations to notation format and housekeeping (#824) * added regulation validator * made regulations find_time and ban_time values duration notation strings * added DefaultRegulationConfiguration for the validator * made session expiration and inactivity values duration notation strings * TOTP period does not need to be converted because adjustment should be discouraged * moved TOTP defaults to DefaultTOTPConfiguration and removed the consts * arranged the root config validator in configuration file order * adjusted tests for the changes * moved duration notation docs to root of configuration * added references to duration notation where applicable * project wide gofmt and goimports: * run gofmt * run goimports -local github.com/authelia/authelia -w on all files * Make jwt_secret error uniform and add tests * now at 100% coverage for internal/configuration/validator/configuration.go
2020-04-05 12:37:21 +00:00
[FEATURE] Config Validation (#901) * [FEATURE] Config Validation * check configuration for invalid keys on startup * allow users to manually trigger all configuration validation on a file using a cmd * setup all defaults in config template and run tests against it to prevent accidents * use tests to check bad configuration values are caught * use tests to check old configuration values are caught * add tests for specific key errors * resolve merge conflicts * nolint prealloc for test
2020-04-23 01:47:27 +00:00
[MISC] Update durations to notation format and housekeeping (#824) * added regulation validator * made regulations find_time and ban_time values duration notation strings * added DefaultRegulationConfiguration for the validator * made session expiration and inactivity values duration notation strings * TOTP period does not need to be converted because adjustment should be discouraged * moved TOTP defaults to DefaultTOTPConfiguration and removed the consts * arranged the root config validator in configuration file order * adjusted tests for the changes * moved duration notation docs to root of configuration * added references to duration notation where applicable * project wide gofmt and goimports: * run gofmt * run goimports -local github.com/authelia/authelia -w on all files * Make jwt_secret error uniform and add tests * now at 100% coverage for internal/configuration/validator/configuration.go
2020-04-05 12:37:21 +00:00
## Duration Notation Format
We have implemented a string based notation for configuration options that take a duration. This section describes its
usage. You can use this implementation in: session for expiration, inactivity, and remember_me_duration; and regulation
for ban_time, and find_time. This notation also supports just providing the number of seconds instead.
The notation is comprised of a number which must be positive and not have leading zeros, followed by a letter
denoting the unit of time measurement. The table below describes the units of time and the associated letter.
|Unit |Associated Letter|
|:-----:|:---------------:|
|Years |y |
|Months |M |
|Weeks |w |
|Days |d |
|Hours |h |
|Minutes|m |
|Seconds|s |
Examples:
* 1 hour and 30 minutes: 90m
* 1 day: 1d
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
* 10 hours: 10h
## TLS Configuration
Various sections of the configuration use a uniform configuration section called TLS. Notably LDAP and SMTP.
This section documents the usage.
### Server Name
The key `server_name` overrides the name checked against the certificate in the verification process. Useful if you
require to use a direct IP address for the address of the backend service but want to verify a specific SNI.
### Skip Verify
The key `skip_verify` completely negates validating the certificate of the backend service. This is not recommended,
instead you should tweak the `server_name` option, and the global option [certificates_directory](./miscellaneous.md#certificates-directory).
### Minimum Version
The key `minimum_version` controls the minimum TLS version Authelia will use when opening TLS connections.
The possible values are `TLS1.3`, `TLS1.2`, `TLS1.1`, `TLS1.0`. Anything other than `TLS1.3` or `TLS1.2`
are very old and deprecated. You should avoid using these and upgrade your backend service instead of decreasing
this value.