authelia/internal/suites/DuoPush/configuration.yml

---
###############################################################
#                Authelia minimal configuration               #
###############################################################

port: 9091
tls_cert: /config/ssl/cert.pem
tls_key: /config/ssl/key.pem

log:
  level: trace

default_redirection_url: https://home.example.com:8080/

jwt_secret: very_important_secret

authentication_backend:
  file:
    path: /config/users.yml

session:
  secret: unsecure_session_secret
  domain: example.com
  expiration: 3600  # 1 hour
  inactivity: 300  # 5 minutes
  remember_me_duration: 1y

# Configuration of the storage backend used to store data and secrets. i.e. totp data
storage:
  local:
    path: /config/db.sqlite

# TOTP Issuer Name
#
# This will be the issuer name displayed in Google Authenticator
# See: https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names
totp:
  issuer: example.com

# The Duo Push Notification API configuration
duo_api:
  hostname: duo.example.com
  integration_key: ABCDEFGHIJKL
  secret_key: abcdefghijklmnopqrstuvwxyz123456789

# Access Control
#
# Access control is a set of rules you can use to restrict user access to certain
# resources.
access_control:
  # Default policy can either be `bypass`, `one_factor`, `two_factor` or `deny`.
  default_policy: two_factor

  rules:
    - domain: singlefactor.example.com
      policy: one_factor

    - domain: public.example.com
      policy: bypass

    - domain: secure.example.com
      policy: two_factor

    - domain: "*.example.com"
      subject: "group:admins"
      policy: two_factor

    - domain: dev.example.com
      resources:
        - "^/users/john/.*$"
      subject: "user:john"
      policy: two_factor

    - domain: dev.example.com
      resources:
        - "^/users/harry/.*$"
      subject: "user:harry"
      policy: two_factor

    - domain: "*.mail.example.com"
      subject: "user:bob"
      policy: two_factor

    - domain: dev.example.com
      resources:
        - "^/users/bob/.*$"
      subject: "user:bob"
      policy: two_factor

# Configuration of the authentication regulation mechanism.
regulation:
  # Set it to 0 to disable max_retries.
  max_retries: 3

  # The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
  find_time: 300

  # The length of time before a banned user can login again.
  ban_time: 900

notifier:
  filesystem:
    filename: /tmp/notifier.html
...
ci: add yamllint (#1895) This change implements yamllint and adjusts all yaml files to abide by our linting setup. This excludes config.template.yml as this will be done in an alternate commit. 2021-04-10 20:51:00 +00:00			`---`
Add Duo Push Notification option as 2FA. 2019-03-24 14:15:49 +00:00			`###############################################################`
			`# Authelia minimal configuration #`
			`###############################################################`

			`port: 9091`
[FEATURE] Docker simplification and configuration generation (#1113) * [FEATURE] Docker simplification and configuration generation The Authelia binary now will attempt to generate configuration based on the latest template assuming that the config location specified on startup does not exist. If a file based backend is selected and the backend cannot be found similarly it will generate a `user_database.yml` based a template. This will allow more seamless bootstrapping of an environment no matter the deployment method. We have also squashed the Docker volume requirement down to just `/config` thus removing the requirement for `/var/lib/authelia` this is primarily in attempts to simplify the Docker deployment. Users with the old volume mappings have two options: 1. Change their mappings to conform to `/config` 2. Change the container entrypoint from `authelia --config /config/configuration.yml` to their old mapping * Adjust paths relative to `/etc/authelia` and simplify to single volume for compose * Add generation for file backend based user database * Refactor Docker volumes and paths to /config * Refactor Docker WORKDIR to /app * Fix integration tests * Update BREAKING.md for v4.20.0 * Run go mod tidy * Fix log_file_path in miscellaneous.md docs * Generate config and userdb with 0600 permissions * Fix log_file_path in config.template.yml 2020-06-17 06:25:35 +00:00			`tls_cert: /config/ssl/cert.pem`
			`tls_key: /config/ssl/key.pem`
Add Duo Push Notification option as 2FA. 2019-03-24 14:15:49 +00:00
refactor(configuration): use key log instead of logging (#2072) * refactor: logging config key to log This refactors the recent pre-release change adding log options to their own configuration section in favor of a log section (from logging). * docs: add step to getting started to get the latest tagged commit This is so we avoid issues with changes on master having differences that don't work on the latest docker tag. * test: adjust tests * docs: adjust doc strings 2021-06-08 13:15:43 +00:00			`log:`
feat(configuration): add error and warn log levels (#2050) This is so levels like warn and error can be used to exclude info or warn messages. Additionally there is a reasonable refactoring of logging moving the log config options to the logging key because there are a significant number of log options now. This also decouples the expvars and pprof handlers from the log level, and they are now configured by server.enable_expvars and server.enable_pprof at any logging level. 2021-06-01 04:09:50 +00:00			`level: trace`
Add Duo Push Notification option as 2FA. 2019-03-24 14:15:49 +00:00
[FIX] Fix default redirection URL not taken into account (#600) * Remove unused mongo docker-compose file. * Default redirection URL was not taken into account. * Fix possible storage options in config template. * Remove useless checks in u2f registration endpoints. * Add default redirection url in config of duo suite. * Fix log line in response handler of 2FA methods. * Fix integration tests. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2020-02-01 12:54:50 +00:00			`default_redirection_url: https://home.example.com:8080/`

Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`jwt_secret: very_important_secret`

Add Duo Push Notification option as 2FA. 2019-03-24 14:15:49 +00:00			`authentication_backend:`
			`file:`
[FEATURE] Docker simplification and configuration generation (#1113) * [FEATURE] Docker simplification and configuration generation The Authelia binary now will attempt to generate configuration based on the latest template assuming that the config location specified on startup does not exist. If a file based backend is selected and the backend cannot be found similarly it will generate a `user_database.yml` based a template. This will allow more seamless bootstrapping of an environment no matter the deployment method. We have also squashed the Docker volume requirement down to just `/config` thus removing the requirement for `/var/lib/authelia` this is primarily in attempts to simplify the Docker deployment. Users with the old volume mappings have two options: 1. Change their mappings to conform to `/config` 2. Change the container entrypoint from `authelia --config /config/configuration.yml` to their old mapping * Adjust paths relative to `/etc/authelia` and simplify to single volume for compose * Add generation for file backend based user database * Refactor Docker volumes and paths to /config * Refactor Docker WORKDIR to /app * Fix integration tests * Update BREAKING.md for v4.20.0 * Run go mod tidy * Fix log_file_path in miscellaneous.md docs * Generate config and userdb with 0600 permissions * Fix log_file_path in config.template.yml 2020-06-17 06:25:35 +00:00			`path: /config/users.yml`
Add Duo Push Notification option as 2FA. 2019-03-24 14:15:49 +00:00
			`session:`
			`secret: unsecure_session_secret`
			`domain: example.com`
ci: add yamllint (#1895) This change implements yamllint and adjusts all yaml files to abide by our linting setup. This excludes config.template.yml as this will be done in an alternate commit. 2021-04-10 20:51:00 +00:00			`expiration: 3600 # 1 hour`
			`inactivity: 300 # 5 minutes`
[FEATURE] Remember Me Configuration (#813) * [FEATURE] Remember Me Configuration * allow users to specify the duration of remember me using remember_me_duration in session config * setting the duration to 0 disables remember me * only render the remember me element if remember me is enabled * prevent malicious users from faking remember me functionality in the backend * add string to duration helper called ParseDurationString to parse a string into a duration * added tests to the helper function * use the SessionProvider to store the time.Duration instead of parsing it over and over again * add sec doc, adjust month/min, consistency * renamed internal/utils/constants.go to internal/utils/const.go to be consistent * added security measure docs * adjusted default remember me duration to be 1 month instead of 1 year * utilize default remember me duration in the autheliaCtx mock * adjust order of keys in session configuration examples * add notes on session security measures secret only being redis * add TODO items for duration notation for both Expiration and Inactivity (will be removed soon) * fix error text for Inactivity in the validator * add session validator tests * deref check bodyJSON.KeepMeLoggedIn and derive the value based on conf and user input and store it (DRY) * remove unnecessary regex for the simplified ParseDurationString utility * ParseDurationString only accepts decimals without leading zeros now * comprehensively test all unit types * remove unnecessary type unions in web * add test to check sanity of time duration consts, this is just so they can't be accidentally changed * simplify deref check and assignment * fix reset password padding/margins * adjust some doc wording * adjust the handler configuration suite test * actually run the handler configuration suite test (whoops) * reduce the number of regex's used by ParseDurationString to 1, thanks to Clement * adjust some error wording 2020-04-03 23:11:33 +00:00			`remember_me_duration: 1y`
Add Duo Push Notification option as 2FA. 2019-03-24 14:15:49 +00:00
			`# Configuration of the storage backend used to store data and secrets. i.e. totp data`
			`storage:`
			`local:`
[FEATURE] Docker simplification and configuration generation (#1113) * [FEATURE] Docker simplification and configuration generation The Authelia binary now will attempt to generate configuration based on the latest template assuming that the config location specified on startup does not exist. If a file based backend is selected and the backend cannot be found similarly it will generate a `user_database.yml` based a template. This will allow more seamless bootstrapping of an environment no matter the deployment method. We have also squashed the Docker volume requirement down to just `/config` thus removing the requirement for `/var/lib/authelia` this is primarily in attempts to simplify the Docker deployment. Users with the old volume mappings have two options: 1. Change their mappings to conform to `/config` 2. Change the container entrypoint from `authelia --config /config/configuration.yml` to their old mapping * Adjust paths relative to `/etc/authelia` and simplify to single volume for compose * Add generation for file backend based user database * Refactor Docker volumes and paths to /config * Refactor Docker WORKDIR to /app * Fix integration tests * Update BREAKING.md for v4.20.0 * Run go mod tidy * Fix log_file_path in miscellaneous.md docs * Generate config and userdb with 0600 permissions * Fix log_file_path in config.template.yml 2020-06-17 06:25:35 +00:00			`path: /config/db.sqlite`
Add Duo Push Notification option as 2FA. 2019-03-24 14:15:49 +00:00
			`# TOTP Issuer Name`
			`#`
			`# This will be the issuer name displayed in Google Authenticator`
			`# See: https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names`
			`totp:`
			`issuer: example.com`

			`# The Duo Push Notification API configuration`
			`duo_api:`
			`hostname: duo.example.com`
			`integration_key: ABCDEFGHIJKL`
			`secret_key: abcdefghijklmnopqrstuvwxyz123456789`

			`# Access Control`
			`#`
Rewrite and fix remaining suites in Go. 2019-11-24 20:27:59 +00:00			`# Access control is a set of rules you can use to restrict user access to certain`
Add Duo Push Notification option as 2FA. 2019-03-24 14:15:49 +00:00			`# resources.`
			`access_control:`
			# Default policy can either be `bypass`, `one_factor`, `two_factor` or `deny`.
[MISC] Validate all sections of ACLs on startup (#1595) * [MISC] Validate all sections of ACLs on startup This change ensure that all sections of the `access_control` key are validated on startup. * Change error format to clearly identify values 2021-01-16 10:05:41 +00:00			`default_policy: two_factor`
Add Duo Push Notification option as 2FA. 2019-03-24 14:15:49 +00:00
			`rules:`
			`- domain: singlefactor.example.com`
			`policy: one_factor`

			`- domain: public.example.com`
			`policy: bypass`

			`- domain: secure.example.com`
			`policy: two_factor`

Rewrite and fix remaining suites in Go. 2019-11-24 20:27:59 +00:00			`- domain: "*.example.com"`
Add Duo Push Notification option as 2FA. 2019-03-24 14:15:49 +00:00			`subject: "group:admins"`
			`policy: two_factor`

			`- domain: dev.example.com`
			`resources:`
Rewrite and fix remaining suites in Go. 2019-11-24 20:27:59 +00:00			`- "^/users/john/.*$"`
Add Duo Push Notification option as 2FA. 2019-03-24 14:15:49 +00:00			`subject: "user:john"`
			`policy: two_factor`

			`- domain: dev.example.com`
			`resources:`
Rewrite and fix remaining suites in Go. 2019-11-24 20:27:59 +00:00			`- "^/users/harry/.*$"`
Add Duo Push Notification option as 2FA. 2019-03-24 14:15:49 +00:00			`subject: "user:harry"`
			`policy: two_factor`

Rewrite and fix remaining suites in Go. 2019-11-24 20:27:59 +00:00			`- domain: "*.mail.example.com"`
Add Duo Push Notification option as 2FA. 2019-03-24 14:15:49 +00:00			`subject: "user:bob"`
			`policy: two_factor`

			`- domain: dev.example.com`
			`resources:`
Rewrite and fix remaining suites in Go. 2019-11-24 20:27:59 +00:00			`- "^/users/bob/.*$"`
Add Duo Push Notification option as 2FA. 2019-03-24 14:15:49 +00:00			`subject: "user:bob"`
			`policy: two_factor`

			`# Configuration of the authentication regulation mechanism.`
Rewrite and fix remaining suites in Go. 2019-11-24 20:27:59 +00:00			`regulation:`
Add Duo Push Notification option as 2FA. 2019-03-24 14:15:49 +00:00			`# Set it to 0 to disable max_retries.`
			`max_retries: 3`

Misc Spelling Corrections - Mostly changes to spelling of comments/docs/displayed text - A few changes to test function names 2020-01-21 00:10:00 +00:00			# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
Add Duo Push Notification option as 2FA. 2019-03-24 14:15:49 +00:00			`find_time: 300`

			`# The length of time before a banned user can login again.`
			`ban_time: 900`

			`notifier:`
[FEATURE] Notifier Startup Checks (#889) * implement SMTP notifier startup check * check dial, starttls, auth, mail from, rcpt to, reset, and quit * log the error on failure * implement mock * misc optimizations, adjustments, and refactoring * implement validate_skip config option * fix comments to end with period * fix suites that used smtp notifier without a smtp container * add docs * add file notifier startup check * move file mode into const.go * disable gosec linting on insecureskipverify since it's intended, warned, and discouraged * minor PR commentary adjustment * apply suggestions from code review Co-Authored-By: Amir Zarrinkafsh <nightah@me.com> 2020-04-21 04:59:38 +00:00			`filesystem:`
ci: add yamllint (#1895) This change implements yamllint and adjusts all yaml files to abide by our linting setup. This excludes config.template.yml as this will be done in an alternate commit. 2021-04-10 20:51:00 +00:00			`filename: /tmp/notifier.html`
			`...`