RPJosh
/
authelia
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
authelia/config.template.yml

424 lines
18 KiB
YAML
Raw Normal View History

Parameterize authentication regulation via configuration file. Both for flexibility and for testing purposes.
2017-09-02 23:25:43 +00:00
###############################################################
# Authelia configuration #
###############################################################
Registration process sends an email to allow user to register its U2F device
2017-01-22 16:54:45 +00:00
Add host parameter to configure the interface Authelia listens on.
2019-12-06 20:45:59 +00:00
# The host and port to listen on
host: 0.0.0.0
Fix e2e test with minimal configuration.
2019-01-30 15:47:03 +00:00
port: 9091
[MISC] Append log file instead of overwriting (#1450) * [MISC] Append log file instead of overwriting If Authelia is restarted when a `log_file_path` is defined upon restart the log file is overwritten as opposed to appending the existing file. This change ensures that the log file will be appended to, users will need to ensure that they rotate/truncate this over time especially if running in `debug` or `trace`. * Amend documentation for log_file_path
2020-11-12 23:14:45 +00:00
# tls_key: /config/ssl/key.pem
[FEATURE] Docker simplification and configuration generation (#1113) * [FEATURE] Docker simplification and configuration generation The Authelia binary now will attempt to generate configuration based on the latest template assuming that the config location specified on startup does not exist. If a file based backend is selected and the backend cannot be found similarly it will generate a `user_database.yml` based a template. This will allow more seamless bootstrapping of an environment no matter the deployment method. We have also squashed the Docker volume requirement down to just `/config` thus removing the requirement for `/var/lib/authelia` this is primarily in attempts to simplify the Docker deployment. Users with the old volume mappings have two options: 1. Change their mappings to conform to `/config` 2. Change the container entrypoint from `authelia --config /config/configuration.yml` to their old mapping * Adjust paths relative to `/etc/authelia` and simplify to single volume for compose * Add generation for file backend based user database * Refactor Docker volumes and paths to /config * Refactor Docker WORKDIR to /app * Fix integration tests * Update BREAKING.md for v4.20.0 * Run go mod tidy * Fix log_file_path in miscellaneous.md docs * Generate config and userdb with 0600 permissions * Fix log_file_path in config.template.yml
2020-06-17 06:25:35 +00:00
# tls_cert: /config/ssl/cert.pem
Move config adaptation into a module and make it testable
2017-03-21 19:57:03 +00:00
[FEATURE] Buffer size configuration and additional http error handling (#944) * implement read buffer size config option * implement write buffer size config option * implement fasthttp ErrorHandler so we can log errors to Authelia as well * add struct/schema validation * add default value * add docs * add config key to validator * refactoring * apply suggestions from code review Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-04-30 02:03:05 +00:00
# Configuration options specific to the internal http server
server:
# Buffers usually should be configured to be the same value.
# Explanation at https://docs.authelia.com/configuration/server.html
# Read buffer size configures the http server's maximum incoming request size in bytes.
read_buffer_size: 4096
# Write buffer size configures the http server's maximum outgoing response size in bytes.
write_buffer_size: 4096
[FEATURE] Allow Authelia to listen on a specified path (#1027) * [FEATURE] Allow Authelia to listen on a specified path * Fix linting and add a couple typescript types * Template index.html to support base_url * Update docs and configuration template * Access base path from body attribute. * Update CSP * Fix unit test Also remove check for body as this will never get triggered, react itself is loaded inside the body so this has to always be successful. * Template index.html with ${PUBLIC_URL} * Define PUBLIC_URL in .env(s) * Add docs clarification Co-authored-by: Amir Zarrinkafsh <nightah@me.com> Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2020-05-21 02:20:55 +00:00
# Set the single level path Authelia listens on, must be alphanumeric chars and should not contain any slashes.
path: ""
[FEATURE] Buffer size configuration and additional http error handling (#944) * implement read buffer size config option * implement write buffer size config option * implement fasthttp ErrorHandler so we can log errors to Authelia as well * add struct/schema validation * add default value * add docs * add config key to validator * refactoring * apply suggestions from code review Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-04-30 02:03:05 +00:00
Add host parameter to configure the interface Authelia listens on.
2019-12-06 20:45:59 +00:00
# Level of verbosity for logs: info, debug, trace
[FEATURE] [BREAKING] Support writing logs in a file. (#686) * [FEATURE] Support writing logs in a file. * Add documentation about logs file path. * Rename logs_level and logs_file_path into log_level and log_file_path. * Update BREAKING.md Fixes #338 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-03-09 19:57:53 +00:00
log_level: debug
## File path where the logs will be written. If not set logs are written to stdout.
[MISC] Append log file instead of overwriting (#1450) * [MISC] Append log file instead of overwriting If Authelia is restarted when a `log_file_path` is defined upon restart the log file is overwritten as opposed to appending the existing file. This change ensures that the log file will be appended to, users will need to ensure that they rotate/truncate this over time especially if running in `debug` or `trace`. * Amend documentation for log_file_path
2020-11-12 23:14:45 +00:00
# log_file_path: /config/authelia.log
Set the level of logs in the config file
2017-01-22 17:18:19 +00:00
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
# The secret used to generate JWT tokens when validating user identity by
# email confirmation.
[FEATURE] File Secrets (#896) * [FEATURE] File Secret Loading * add a validator for secrets * run the secrets validator before the main config validator * only allow a secret to be defined in one of: config, env, file env * remove LF if found in file * update configuration before main config validation * fix unit tests * implement secret testing * refactor the secrets validator * make check os agnostic * update docs * add warning when user attempts to use ENV instead of ENV file * discourage ENV in docs * update config template * oxford comma * apply suggestions from code review * rename Validate to ValidateConfiguration * add k8s example * add deprecation notice in docs and warning * style changes
2020-04-23 01:11:32 +00:00
# JWT Secret can also be set using a secret: https://docs.authelia.com/configuration/secrets.html
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
jwt_secret: a_very_important_secret
Backend and frontend are reloaded on code change.
2019-01-11 21:11:54 +00:00
# Default redirection URL
Add default_redirection_url as configuration option This URL is used when user access the authentication domain without providing the 'redirect' query parameter. In that case, Authelia does not know where to redirect the user. If the parameter is defined, Authelia can redirect the user to a default page when no redirect parameter is provided. When user is already authenticated and tries to access the authentication domain, the "already logged in" page is rendered and it now tells the user he is to be redirected in few seconds and uses this URL to redirect. This parameter is optional. If it is not provided, there is only a notification message at the end of the authentication process, as before, and the user is not redirected when visiting the authentication domain while already authenticated.
2017-10-17 21:24:02 +00:00
#
# If user tries to authenticate without any referer, Authelia
# does not know where to redirect the user to at the end of the
# authentication process.
# This parameter allows you to specify the default redirection
# URL Authelia will use in such a case.
#
# Note: this parameter is optional. If not provided, user won't
# be redirected upon successful authentication.
Change domain from test.local to example.com Warning: you will need to update your /etc/hosts to take this change into account for the example environment to work.
2017-11-02 20:34:07 +00:00
default_redirection_url: https://home.example.com:8080/
Add default_redirection_url as configuration option This URL is used when user access the authentication domain without providing the 'redirect' query parameter. In that case, Authelia does not know where to redirect the user. If the parameter is defined, Authelia can redirect the user to a default page when no redirect parameter is provided. When user is already authenticated and tries to access the authentication domain, the "already logged in" page is rendered and it now tells the user he is to be redirected in few seconds and uses this URL to redirect. This parameter is optional. If it is not provided, there is only a notification message at the end of the authentication process, as before, and the user is not redirected when visiting the authentication domain while already authenticated.
2017-10-17 21:24:02 +00:00
[FEATURE] TOTP Tuning Configuration Options and Fix Timer Graphic (#773) * Add period TOPT config key to define the time in seconds each OTP is rotated * Add skew TOTP config to define how many keys either side of the current one should be considered valid * Add tests and set minimum values * Update config template * Use unix epoch for position calculation and Fix QR gen * This resolves the timer resetting improperly at the 0 seconds mark and allows for periods longer than 1 minute * Generate QR based on period * Fix OTP timer graphic
2020-03-25 01:48:20 +00:00
# TOTP Settings
Update config.template.yml to include TOTP issuer name * Update config.template.yml and hook.ts This fixes issue reported in #251.
2018-08-19 08:59:47 +00:00
#
[FEATURE] TOTP Tuning Configuration Options and Fix Timer Graphic (#773) * Add period TOPT config key to define the time in seconds each OTP is rotated * Add skew TOTP config to define how many keys either side of the current one should be considered valid * Add tests and set minimum values * Update config template * Use unix epoch for position calculation and Fix QR gen * This resolves the timer resetting improperly at the 0 seconds mark and allows for periods longer than 1 minute * Generate QR based on period * Fix OTP timer graphic
2020-03-25 01:48:20 +00:00
# Parameters used for TOTP generation
Update config.template.yml to include TOTP issuer name * Update config.template.yml and hook.ts This fixes issue reported in #251.
2018-08-19 08:59:47 +00:00
totp:
[FEATURE] TOTP Tuning Configuration Options and Fix Timer Graphic (#773) * Add period TOPT config key to define the time in seconds each OTP is rotated * Add skew TOTP config to define how many keys either side of the current one should be considered valid * Add tests and set minimum values * Update config template * Use unix epoch for position calculation and Fix QR gen * This resolves the timer resetting improperly at the 0 seconds mark and allows for periods longer than 1 minute * Generate QR based on period * Fix OTP timer graphic
2020-03-25 01:48:20 +00:00
# The issuer name displayed in the Authenticator application of your choice
# See: https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names
Update config.template.yml to include TOTP issuer name * Update config.template.yml and hook.ts This fixes issue reported in #251.
2018-08-19 08:59:47 +00:00
issuer: authelia.com
[FEATURE] TOTP Tuning Configuration Options and Fix Timer Graphic (#773) * Add period TOPT config key to define the time in seconds each OTP is rotated * Add skew TOTP config to define how many keys either side of the current one should be considered valid * Add tests and set minimum values * Update config template * Use unix epoch for position calculation and Fix QR gen * This resolves the timer resetting improperly at the 0 seconds mark and allows for periods longer than 1 minute * Generate QR based on period * Fix OTP timer graphic
2020-03-25 01:48:20 +00:00
# The period in seconds a one-time password is current for. Changing this will require all users to register
# their TOTP applications again.
# Warning: before changing period read the docs link below.
period: 30
# The skew controls number of one-time passwords either side of the current one that are valid.
# Warning: before changing skew read the docs link below.
skew: 1
# See: https://docs.authelia.com/configuration/one-time-password.html#period-and-skew to read the documentation.
Update config.template.yml to include TOTP issuer name * Update config.template.yml and hook.ts This fixes issue reported in #251.
2018-08-19 08:59:47 +00:00
Add Duo Push Notification option as 2FA.
2019-03-24 14:15:49 +00:00
# Duo Push API
#
# Parameters used to contact the Duo API. Those are generated when you protect an application
# of type "Partner Auth API" in the management panel.
duo_api:
Update the documentation to include information on Duo.
2019-03-24 17:45:32 +00:00
hostname: api-123456789.example.com
Add Duo Push Notification option as 2FA.
2019-03-24 14:15:49 +00:00
integration_key: ABCDEF
[FEATURE] File Secrets (#896) * [FEATURE] File Secret Loading * add a validator for secrets * run the secrets validator before the main config validator * only allow a secret to be defined in one of: config, env, file env * remove LF if found in file * update configuration before main config validation * fix unit tests * implement secret testing * refactor the secrets validator * make check os agnostic * update docs * add warning when user attempts to use ENV instead of ENV file * discourage ENV in docs * update config template * oxford comma * apply suggestions from code review * rename Validate to ValidateConfiguration * add k8s example * add deprecation notice in docs and warning * style changes
2020-04-23 01:11:32 +00:00
# Secret can also be set using a secret: https://docs.authelia.com/configuration/secrets.html
Add Duo Push Notification option as 2FA.
2019-03-24 14:15:49 +00:00
secret_key: 1234567890abcdefghifjkl
Add support for users database on disk. (#262) In order to simplify the deployment of Authelia for testing, LDAP is now optional made optional thanks to users database stored in a file. One can update the file manually even while Authelia is running. With this feature the minimal configuration requires only two components: Authelia and nginx. The users database is obviously made for development environments only as it prevents Authelia to be scaled to more than one instance. Note: Configuration has been updated. Key `ldap` has been nested in `authentication_backend`.
2018-08-26 08:30:43 +00:00
# The authentication backend to use for verifying user passwords
# and retrieve information such as email address and groups
# users belong to.
Add the access_control entry in the config file to allow the user to define per group rules to access the subdomains
2017-03-25 14:17:21 +00:00
#
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
# There are two supported backends: 'ldap' and 'file'.
Add support for users database on disk. (#262) In order to simplify the deployment of Authelia for testing, LDAP is now optional made optional thanks to users database stored in a file. One can update the file manually even while Authelia is running. With this feature the minimal configuration requires only two components: Authelia and nginx. The users database is obviously made for development environments only as it prevents Authelia to be scaled to more than one instance. Note: Configuration has been updated. Key `ldap` has been nested in `authentication_backend`.
2018-08-26 08:30:43 +00:00
authentication_backend:
[FEATURE] Disable Reset Password (#823) * [FEATURE] Disable Reset Password * add configuration key to authentication_backend called disable_reset_password * disable_reset_password prevents the API handler for the functionality and the UI element * disable_reset_password is a boolean * adjust RememberMeEnabled to be RememberMe instead as it's just unnecessary * add docs for security measures and in the authentication docs * updated config.template.yml * add flexEnd style to align reset password when remember me disabled * add todo items for ldap user/password validation relating to this
2020-04-04 23:28:09 +00:00
# Disable both the HTML element and the API for reset password functionality
disable_reset_password: false
[FEATURE] Automatic Profile Refresh - LDAP (#912) * [FIX] LDAP Not Checking for Updated Groups * refactor handlers verifyFromSessionCookie * refactor authorizer selectMatchingObjectRules * refactor authorizer isDomainMatching * add authorizer URLHasGroupSubjects method * add user provider ProviderType method * update tests * check for new LDAP groups and update session when: * user provider type is LDAP * authorization is forbidden * URL has rule with group subjects * Implement Refresh Interval * add default values for LDAP user provider * add default for refresh interval * add schema validator for refresh interval * add various tests * rename hasUserBeenInactiveLongEnough to hasUserBeenInactiveTooLong * use Authelia ctx clock * add check to determine if user is deleted, if so destroy the * make ldap user not found error a const * implement GetRefreshSettings in mock * Use user not found const with FileProvider * comment exports * use ctx.Clock instead of time pkg * add debug logging * use ptr to reference userSession so we don't have to retrieve it again * add documenation * add check for 0 refresh interval to reduce CPU cost * remove badly copied debug msg * add group change delta message * add SliceStringDelta * refactor ldap refresh to use the new func * improve delta add/remove log message * fix incorrect logic in SliceStringDelta * add tests to SliceStringDelta * add always config option * add tests for always config option * update docs * apply suggestions from code review Co-Authored-By: Amir Zarrinkafsh <nightah@me.com> * complete mocks and fix an old one * show warning when LDAP details failed to update for an unknown reason * golint fix * actually fix existing mocks * use mocks for LDAP refresh testing * use mocks for LDAP refresh testing for both added and removed groups * use test mock to verify disabled refresh behaviour * add information to threat model * add time const for default Unix() value * misc adjustments to mocks * Suggestions from code review * requested changes * update emails * docs updates * test updates * misc * golint fix * set debug for dev testing * misc docs and logging updates * misc grammar/spelling * use built function for VerifyGet * fix reviewdog suggestions * requested changes * Apply suggestions from code review Co-authored-by: Amir Zarrinkafsh <nightah@me.com> Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-04 19:39:25 +00:00
# The amount of time to wait before we refresh data from the authentication backend. Uses duration notation.
# To disable this feature set it to 'disable', this will slightly reduce security because for Authelia, users
# will always belong to groups they belonged to at the time of login even if they have been removed from them in LDAP.
# To force update on every request you can set this to '0' or 'always', this will increase processor demand.
# See the below documentation for more information.
# Duration Notation docs: https://docs.authelia.com/configuration/index.html#duration-notation-format
# Refresh Interval docs: https://docs.authelia.com/configuration/authentication/ldap.html#refresh-interval
refresh_interval: 5m
Add support for users database on disk. (#262) In order to simplify the deployment of Authelia for testing, LDAP is now optional made optional thanks to users database stored in a file. One can update the file manually even while Authelia is running. With this feature the minimal configuration requires only two components: Authelia and nginx. The users database is obviously made for development environments only as it prevents Authelia to be scaled to more than one instance. Note: Configuration has been updated. Key `ldap` has been nested in `authentication_backend`.
2018-08-26 08:30:43 +00:00
# LDAP backend configuration.
#
# This backend allows Authelia to be scaled to more
# than one instance and therefore is recommended for
# production.
ldap:
Add support for LDAP over TLS.
2019-12-06 08:15:54 +00:00
# The url to the ldap server. Scheme can be ldap:// or ldaps://
Fix e2e test with minimal configuration.
2019-01-30 15:47:03 +00:00
url: ldap://127.0.0.1
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
Add support for LDAP over TLS.
2019-12-06 08:15:54 +00:00
# Skip verifying the server certificate (to allow self-signed certificate).
skip_verify: false
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
Add support for users database on disk. (#262) In order to simplify the deployment of Authelia for testing, LDAP is now optional made optional thanks to users database stored in a file. One can update the file manually even while Authelia is running. With this feature the minimal configuration requires only two components: Authelia and nginx. The users database is obviously made for development environments only as it prevents Authelia to be scaled to more than one instance. Note: Configuration has been updated. Key `ldap` has been nested in `authentication_backend`.
2018-08-26 08:30:43 +00:00
# The base dn for every entries
base_dn: dc=example,dc=com
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
[FEATURE][BREAKING] Allow users to sign in with email. (#792) * [FEATURE][BREAKING] Allow users to sign in with email. The users_filter purpose evolved with the introduction of username_attribute but is reverted here to allow the most flexibility. users_filter is now the actual filter used for searching the user and not a sub-filter based on the username_attribute anymore. * {input} placeholder has been introduced to later deprecate {0} which has been kept for backward compatibility. * {username_attribute} and {mail_attribute} are new placeholders used to back reference other configuration options. Fix #735 * [MISC] Introduce new placeholders for groups_filter too. * [MISC] Update BREAKING.md to mention the change regarding users_filter. * [MISC] Fix unit and integration tests. * Log an error message in console when U2F is not supported. * Apply suggestions from code review * Update BREAKING.md Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-03-30 22:36:04 +00:00
# The attribute holding the username of the user. This attribute is used to populate
# the username in the session information. It was introduced due to #561 to handle case
# insensitive search queries.
# For you information, Microsoft Active Directory usually uses 'sAMAccountName' and OpenLDAP
# usually uses 'uid'
[DOCS] Improve documentation about users unique identifier. (#871) Following discussion in #865.
2020-04-15 23:46:51 +00:00
# Beware that this attribute holds the unique identifiers for the users binding the user and the configuration
# stored in database. Therefore only single value attributes are allowed and the value
# must never be changed once attributed to a user otherwise it would break the configuration
# for that user. Technically, non-unique attributes like 'mail' can also be used but we don't recommend using
# them, we instead advise to use the attributes mentioned above (sAMAccountName and uid) to follow
# https://www.ietf.org/rfc/rfc2307.txt.
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
username_attribute: uid
Add support for users database on disk. (#262) In order to simplify the deployment of Authelia for testing, LDAP is now optional made optional thanks to users database stored in a file. One can update the file manually even while Authelia is running. With this feature the minimal configuration requires only two components: Authelia and nginx. The users database is obviously made for development environments only as it prevents Authelia to be scaled to more than one instance. Note: Configuration has been updated. Key `ldap` has been nested in `authentication_backend`.
2018-08-26 08:30:43 +00:00
# An additional dn to define the scope to all users
additional_users_dn: ou=users
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
[FEATURE][BREAKING] Allow users to sign in with email. (#792) * [FEATURE][BREAKING] Allow users to sign in with email. The users_filter purpose evolved with the introduction of username_attribute but is reverted here to allow the most flexibility. users_filter is now the actual filter used for searching the user and not a sub-filter based on the username_attribute anymore. * {input} placeholder has been introduced to later deprecate {0} which has been kept for backward compatibility. * {username_attribute} and {mail_attribute} are new placeholders used to back reference other configuration options. Fix #735 * [MISC] Introduce new placeholders for groups_filter too. * [MISC] Update BREAKING.md to mention the change regarding users_filter. * [MISC] Fix unit and integration tests. * Log an error message in console when U2F is not supported. * Apply suggestions from code review * Update BREAKING.md Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-03-30 22:36:04 +00:00
# The users filter used in search queries to find the user profile based on input filled in login form.
# Various placeholders are available to represent the user input and back reference other options of the configuration:
# - {input} is a placeholder replaced by what the user inputs in the login form.
# - {username_attribute} is a placeholder replaced by what is configured in `username_attribute`.
# - {mail_attribute} is a placeholder replaced by what is configured in `mail_attribute`.
# - DON'T USE - {0} is an alias for {input} supported for backward compatibility but it will be deprecated in later versions, so please don't use it.
#
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
# Recommended settings are as follows:
[FEATURE][BREAKING] Allow users to sign in with email. (#792) * [FEATURE][BREAKING] Allow users to sign in with email. The users_filter purpose evolved with the introduction of username_attribute but is reverted here to allow the most flexibility. users_filter is now the actual filter used for searching the user and not a sub-filter based on the username_attribute anymore. * {input} placeholder has been introduced to later deprecate {0} which has been kept for backward compatibility. * {username_attribute} and {mail_attribute} are new placeholders used to back reference other configuration options. Fix #735 * [MISC] Introduce new placeholders for groups_filter too. * [MISC] Update BREAKING.md to mention the change regarding users_filter. * [MISC] Fix unit and integration tests. * Log an error message in console when U2F is not supported. * Apply suggestions from code review * Update BREAKING.md Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-03-30 22:36:04 +00:00
# - Microsoft Active Directory: (&({username_attribute}={input})(objectCategory=person)(objectClass=user))
# - OpenLDAP: (&({username_attribute}={input})(objectClass=person))' or '(&({username_attribute}={input})(objectClass=inetOrgPerson))
#
# To allow sign in both with username and email, one can use a filter like
[DOCS] Fix users_filter typo in docs (#805) Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-03-31 21:12:53 +00:00
# (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
[FEATURE][BREAKING] Allow users to sign in with email. (#792) * [FEATURE][BREAKING] Allow users to sign in with email. The users_filter purpose evolved with the introduction of username_attribute but is reverted here to allow the most flexibility. users_filter is now the actual filter used for searching the user and not a sub-filter based on the username_attribute anymore. * {input} placeholder has been introduced to later deprecate {0} which has been kept for backward compatibility. * {username_attribute} and {mail_attribute} are new placeholders used to back reference other configuration options. Fix #735 * [MISC] Introduce new placeholders for groups_filter too. * [MISC] Update BREAKING.md to mention the change regarding users_filter. * [MISC] Fix unit and integration tests. * Log an error message in console when U2F is not supported. * Apply suggestions from code review * Update BREAKING.md Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-03-30 22:36:04 +00:00
users_filter: (&({username_attribute}={input})(objectClass=person))
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
Add support for users database on disk. (#262) In order to simplify the deployment of Authelia for testing, LDAP is now optional made optional thanks to users database stored in a file. One can update the file manually even while Authelia is running. With this feature the minimal configuration requires only two components: Authelia and nginx. The users database is obviously made for development environments only as it prevents Authelia to be scaled to more than one instance. Note: Configuration has been updated. Key `ldap` has been nested in `authentication_backend`.
2018-08-26 08:30:43 +00:00
# An additional dn to define the scope of groups
additional_groups_dn: ou=groups
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
[FEATURE][BREAKING] Allow users to sign in with email. (#792) * [FEATURE][BREAKING] Allow users to sign in with email. The users_filter purpose evolved with the introduction of username_attribute but is reverted here to allow the most flexibility. users_filter is now the actual filter used for searching the user and not a sub-filter based on the username_attribute anymore. * {input} placeholder has been introduced to later deprecate {0} which has been kept for backward compatibility. * {username_attribute} and {mail_attribute} are new placeholders used to back reference other configuration options. Fix #735 * [MISC] Introduce new placeholders for groups_filter too. * [MISC] Update BREAKING.md to mention the change regarding users_filter. * [MISC] Fix unit and integration tests. * Log an error message in console when U2F is not supported. * Apply suggestions from code review * Update BREAKING.md Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-03-30 22:36:04 +00:00
# The groups filter used in search queries to find the groups of the user.
# - {input} is a placeholder replaced by what the user inputs in the login form.
# - {username} is a placeholder replace by the username stored in LDAP (based on `username_attribute`).
# - {dn} is a matcher replaced by the user distinguished name, aka, user DN.
# - {username_attribute} is a placeholder replaced by what is configured in `username_attribute`.
# - {mail_attribute} is a placeholder replaced by what is configured in `mail_attribute`.
# - DON'T USE - {0} is an alias for {input} supported for backward compatibility but it will be deprecated in later versions, so please don't use it.
# - DON'T USE - {1} is an alias for {username} supported for backward compatibility but it will be deprecated in later version, so please don't use it.
Add support for users database on disk. (#262) In order to simplify the deployment of Authelia for testing, LDAP is now optional made optional thanks to users database stored in a file. One can update the file manually even while Authelia is running. With this feature the minimal configuration requires only two components: Authelia and nginx. The users database is obviously made for development environments only as it prevents Authelia to be scaled to more than one instance. Note: Configuration has been updated. Key `ldap` has been nested in `authentication_backend`.
2018-08-26 08:30:43 +00:00
groups_filter: (&(member={dn})(objectclass=groupOfNames))
[FEATURE] Automatic Profile Refresh - LDAP (#912) * [FIX] LDAP Not Checking for Updated Groups * refactor handlers verifyFromSessionCookie * refactor authorizer selectMatchingObjectRules * refactor authorizer isDomainMatching * add authorizer URLHasGroupSubjects method * add user provider ProviderType method * update tests * check for new LDAP groups and update session when: * user provider type is LDAP * authorization is forbidden * URL has rule with group subjects * Implement Refresh Interval * add default values for LDAP user provider * add default for refresh interval * add schema validator for refresh interval * add various tests * rename hasUserBeenInactiveLongEnough to hasUserBeenInactiveTooLong * use Authelia ctx clock * add check to determine if user is deleted, if so destroy the * make ldap user not found error a const * implement GetRefreshSettings in mock * Use user not found const with FileProvider * comment exports * use ctx.Clock instead of time pkg * add debug logging * use ptr to reference userSession so we don't have to retrieve it again * add documenation * add check for 0 refresh interval to reduce CPU cost * remove badly copied debug msg * add group change delta message * add SliceStringDelta * refactor ldap refresh to use the new func * improve delta add/remove log message * fix incorrect logic in SliceStringDelta * add tests to SliceStringDelta * add always config option * add tests for always config option * update docs * apply suggestions from code review Co-Authored-By: Amir Zarrinkafsh <nightah@me.com> * complete mocks and fix an old one * show warning when LDAP details failed to update for an unknown reason * golint fix * actually fix existing mocks * use mocks for LDAP refresh testing * use mocks for LDAP refresh testing for both added and removed groups * use test mock to verify disabled refresh behaviour * add information to threat model * add time const for default Unix() value * misc adjustments to mocks * Suggestions from code review * requested changes * update emails * docs updates * test updates * misc * golint fix * set debug for dev testing * misc docs and logging updates * misc grammar/spelling * use built function for VerifyGet * fix reviewdog suggestions * requested changes * Apply suggestions from code review Co-authored-by: Amir Zarrinkafsh <nightah@me.com> Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-04 19:39:25 +00:00
Add support for users database on disk. (#262) In order to simplify the deployment of Authelia for testing, LDAP is now optional made optional thanks to users database stored in a file. One can update the file manually even while Authelia is running. With this feature the minimal configuration requires only two components: Authelia and nginx. The users database is obviously made for development environments only as it prevents Authelia to be scaled to more than one instance. Note: Configuration has been updated. Key `ldap` has been nested in `authentication_backend`.
2018-08-26 08:30:43 +00:00
# The attribute holding the name of the group
group_name_attribute: cn
[FEATURE] Automatic Profile Refresh - LDAP (#912) * [FIX] LDAP Not Checking for Updated Groups * refactor handlers verifyFromSessionCookie * refactor authorizer selectMatchingObjectRules * refactor authorizer isDomainMatching * add authorizer URLHasGroupSubjects method * add user provider ProviderType method * update tests * check for new LDAP groups and update session when: * user provider type is LDAP * authorization is forbidden * URL has rule with group subjects * Implement Refresh Interval * add default values for LDAP user provider * add default for refresh interval * add schema validator for refresh interval * add various tests * rename hasUserBeenInactiveLongEnough to hasUserBeenInactiveTooLong * use Authelia ctx clock * add check to determine if user is deleted, if so destroy the * make ldap user not found error a const * implement GetRefreshSettings in mock * Use user not found const with FileProvider * comment exports * use ctx.Clock instead of time pkg * add debug logging * use ptr to reference userSession so we don't have to retrieve it again * add documenation * add check for 0 refresh interval to reduce CPU cost * remove badly copied debug msg * add group change delta message * add SliceStringDelta * refactor ldap refresh to use the new func * improve delta add/remove log message * fix incorrect logic in SliceStringDelta * add tests to SliceStringDelta * add always config option * add tests for always config option * update docs * apply suggestions from code review Co-Authored-By: Amir Zarrinkafsh <nightah@me.com> * complete mocks and fix an old one * show warning when LDAP details failed to update for an unknown reason * golint fix * actually fix existing mocks * use mocks for LDAP refresh testing * use mocks for LDAP refresh testing for both added and removed groups * use test mock to verify disabled refresh behaviour * add information to threat model * add time const for default Unix() value * misc adjustments to mocks * Suggestions from code review * requested changes * update emails * docs updates * test updates * misc * golint fix * set debug for dev testing * misc docs and logging updates * misc grammar/spelling * use built function for VerifyGet * fix reviewdog suggestions * requested changes * Apply suggestions from code review Co-authored-by: Amir Zarrinkafsh <nightah@me.com> Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-04 19:39:25 +00:00
[DOCS] Improve documentation about users unique identifier. (#871) Following discussion in #865.
2020-04-15 23:46:51 +00:00
# The attribute holding the mail address of the user. If multiple email addresses are defined for a user, only the first
# one returned by the LDAP server is used.
Add support for users database on disk. (#262) In order to simplify the deployment of Authelia for testing, LDAP is now optional made optional thanks to users database stored in a file. One can update the file manually even while Authelia is running. With this feature the minimal configuration requires only two components: Authelia and nginx. The users database is obviously made for development environments only as it prevents Authelia to be scaled to more than one instance. Note: Configuration has been updated. Key `ldap` has been nested in `authentication_backend`.
2018-08-26 08:30:43 +00:00
mail_attribute: mail
[FEATURE] Automatic Profile Refresh - LDAP (#912) * [FIX] LDAP Not Checking for Updated Groups * refactor handlers verifyFromSessionCookie * refactor authorizer selectMatchingObjectRules * refactor authorizer isDomainMatching * add authorizer URLHasGroupSubjects method * add user provider ProviderType method * update tests * check for new LDAP groups and update session when: * user provider type is LDAP * authorization is forbidden * URL has rule with group subjects * Implement Refresh Interval * add default values for LDAP user provider * add default for refresh interval * add schema validator for refresh interval * add various tests * rename hasUserBeenInactiveLongEnough to hasUserBeenInactiveTooLong * use Authelia ctx clock * add check to determine if user is deleted, if so destroy the * make ldap user not found error a const * implement GetRefreshSettings in mock * Use user not found const with FileProvider * comment exports * use ctx.Clock instead of time pkg * add debug logging * use ptr to reference userSession so we don't have to retrieve it again * add documenation * add check for 0 refresh interval to reduce CPU cost * remove badly copied debug msg * add group change delta message * add SliceStringDelta * refactor ldap refresh to use the new func * improve delta add/remove log message * fix incorrect logic in SliceStringDelta * add tests to SliceStringDelta * add always config option * add tests for always config option * update docs * apply suggestions from code review Co-Authored-By: Amir Zarrinkafsh <nightah@me.com> * complete mocks and fix an old one * show warning when LDAP details failed to update for an unknown reason * golint fix * actually fix existing mocks * use mocks for LDAP refresh testing * use mocks for LDAP refresh testing for both added and removed groups * use test mock to verify disabled refresh behaviour * add information to threat model * add time const for default Unix() value * misc adjustments to mocks * Suggestions from code review * requested changes * update emails * docs updates * test updates * misc * golint fix * set debug for dev testing * misc docs and logging updates * misc grammar/spelling * use built function for VerifyGet * fix reviewdog suggestions * requested changes * Apply suggestions from code review Co-authored-by: Amir Zarrinkafsh <nightah@me.com> Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-04 19:39:25 +00:00
[FEATURE] Add configurable display name to frontend (#1124) * [FEATURE] Add configurable display name to frontend This feature allows users with a LDAP backend to specify an attribute (default is "displayname") to retrieve a users name for the portal greeting. Similarly for the file based backend a new required key "name" has been introduced. This can also be used down the line with OIDC as a separate scope. * Update references from Name to DisplayName * Update compose bundles to include displayname refs * Update LDAP automatic profile refresh * Ensure display name is updated * Fix bug which prevented trace logging for profile refresh to not trigger
2020-06-19 10:50:21 +00:00
# The attribute holding the display name of the user. This will be used to greet an authenticated user.
display_name_attribute: displayname
Add support for users database on disk. (#262) In order to simplify the deployment of Authelia for testing, LDAP is now optional made optional thanks to users database stored in a file. One can update the file manually even while Authelia is running. With this feature the minimal configuration requires only two components: Authelia and nginx. The users database is obviously made for development environments only as it prevents Authelia to be scaled to more than one instance. Note: Configuration has been updated. Key `ldap` has been nested in `authentication_backend`.
2018-08-26 08:30:43 +00:00
# The username and password of the admin user.
user: cn=admin,dc=example,dc=com
[FEATURE] File Secrets (#896) * [FEATURE] File Secret Loading * add a validator for secrets * run the secrets validator before the main config validator * only allow a secret to be defined in one of: config, env, file env * remove LF if found in file * update configuration before main config validation * fix unit tests * implement secret testing * refactor the secrets validator * make check os agnostic * update docs * add warning when user attempts to use ENV instead of ENV file * discourage ENV in docs * update config template * oxford comma * apply suggestions from code review * rename Validate to ValidateConfiguration * add k8s example * add deprecation notice in docs and warning * style changes
2020-04-23 01:11:32 +00:00
# Password can also be set using a secret: https://docs.authelia.com/configuration/secrets.html
Add support for users database on disk. (#262) In order to simplify the deployment of Authelia for testing, LDAP is now optional made optional thanks to users database stored in a file. One can update the file manually even while Authelia is running. With this feature the minimal configuration requires only two components: Authelia and nginx. The users database is obviously made for development environments only as it prevents Authelia to be scaled to more than one instance. Note: Configuration has been updated. Key `ldap` has been nested in `authentication_backend`.
2018-08-26 08:30:43 +00:00
password: password
Introduce LDAP filters to search users and groups for more flexibility.
2017-09-02 20:38:26 +00:00
Backend and frontend are reloaded on code change.
2019-01-11 21:11:54 +00:00
# File backend configuration.
Add support for users database on disk. (#262) In order to simplify the deployment of Authelia for testing, LDAP is now optional made optional thanks to users database stored in a file. One can update the file manually even while Authelia is running. With this feature the minimal configuration requires only two components: Authelia and nginx. The users database is obviously made for development environments only as it prevents Authelia to be scaled to more than one instance. Note: Configuration has been updated. Key `ldap` has been nested in `authentication_backend`.
2018-08-26 08:30:43 +00:00
#
# With this backend, the users database is stored in a file
# which is updated when users reset their passwords.
Backend and frontend are reloaded on code change.
2019-01-11 21:11:54 +00:00
# Therefore, this backend is meant to be used in a dev environment
Add support for users database on disk. (#262) In order to simplify the deployment of Authelia for testing, LDAP is now optional made optional thanks to users database stored in a file. One can update the file manually even while Authelia is running. With this feature the minimal configuration requires only two components: Authelia and nginx. The users database is obviously made for development environments only as it prevents Authelia to be scaled to more than one instance. Note: Configuration has been updated. Key `ldap` has been nested in `authentication_backend`.
2018-08-26 08:30:43 +00:00
# and not in production since it prevents Authelia to be scaled to
[BUGFIX] Password hashing schema map mismatch with docs (#852) * add a nolint for gosec 'possibly hardcoded password' that was incorrect * make all parameters consistent * update the docs for the correct key name 'password' instead of 'password_options' or 'password_hashing' * reword some of the docs * apply suggestions from code review Co-Authored-By: Amir Zarrinkafsh <nightah@me.com>
2020-04-11 03:54:18 +00:00
# more than one instance. The options under 'password' have sane
[FEATURE] Support Argon2id password hasing and improved entropy (#679) * [FEATURE] Support Argon2id Passwords - Updated go module github.com/simia-tech/crypt - Added Argon2id support for file based authentication backend - Made it the default method - Made it so backwards compatibility with SHA512 exists - Force seeding of the random string generator used for salts to ensure they are all different - Added command params to the authelia hash-password command - Automatically remove {CRYPT} from hashes as they are updated - Automatically change hashes when they are updated to the configured algorithm - Made the hashing algorithm parameters completely configurable - Added reasonably comprehensive test suites - Updated docs - Updated config template * Adjust error output * Fix unit test * Add unit tests and argon2 version check * Fix new unit tests * Update docs, added tests * Implement configurable values and more comprehensive testing * Added cmd params to hash_password, updated docs, misc fixes * More detailed error for cmd, fixed a typo * Fixed cmd flag error, minor refactoring * Requested Changes and Minor refactoring * Increase entropy * Update docs for entropy changes * Refactor to reduce nesting and easier code maintenance * Cleanup Errors (uniformity for the function call) * Check salt length, fix docs * Add Base64 string validation for argon2id * Cleanup and Finalization - Moved RandomString function from ./internal/authentication/password_hash.go to ./internal/utils/strings.go - Added SplitStringToArrayOfStrings func that splits strings into an array with a fixed max string len - Fixed an error in validator that would allow a zero salt length - Added a test to verify the upstream crypt module supports our defined random salt chars - Updated docs - Removed unused "HashingAlgorithm" string type * Update crypt go mod, support argon2id key length and major refactor * Config Template Update, Final Tests * Use schema defaults for hash-password cmd * Iterations check * Docs requested changes * Test Coverage, suggested edits * Wording edit * Doc changes * Default sanity changes * Default sanity changes - docs * CI Sanity changes * Memory in MB
2020-03-06 01:38:02 +00:00
# defaults, and as it has security implications it is highly recommended
# you leave the default values. Before considering changing these settings
# please read the docs page below:
# https://docs.authelia.com/configuration/authentication/file.html#password-hash-algorithm-tuning
Add support for users database on disk. (#262) In order to simplify the deployment of Authelia for testing, LDAP is now optional made optional thanks to users database stored in a file. One can update the file manually even while Authelia is running. With this feature the minimal configuration requires only two components: Authelia and nginx. The users database is obviously made for development environments only as it prevents Authelia to be scaled to more than one instance. Note: Configuration has been updated. Key `ldap` has been nested in `authentication_backend`.
2018-08-26 08:30:43 +00:00
#
Backend and frontend are reloaded on code change.
2019-01-11 21:11:54 +00:00
## file:
[FEATURE] Docker simplification and configuration generation (#1113) * [FEATURE] Docker simplification and configuration generation The Authelia binary now will attempt to generate configuration based on the latest template assuming that the config location specified on startup does not exist. If a file based backend is selected and the backend cannot be found similarly it will generate a `user_database.yml` based a template. This will allow more seamless bootstrapping of an environment no matter the deployment method. We have also squashed the Docker volume requirement down to just `/config` thus removing the requirement for `/var/lib/authelia` this is primarily in attempts to simplify the Docker deployment. Users with the old volume mappings have two options: 1. Change their mappings to conform to `/config` 2. Change the container entrypoint from `authelia --config /config/configuration.yml` to their old mapping * Adjust paths relative to `/etc/authelia` and simplify to single volume for compose * Add generation for file backend based user database * Refactor Docker volumes and paths to /config * Refactor Docker WORKDIR to /app * Fix integration tests * Update BREAKING.md for v4.20.0 * Run go mod tidy * Fix log_file_path in miscellaneous.md docs * Generate config and userdb with 0600 permissions * Fix log_file_path in config.template.yml
2020-06-17 06:25:35 +00:00
## path: /config/users_database.yml
[BUGFIX] Password hashing schema map mismatch with docs (#852) * add a nolint for gosec 'possibly hardcoded password' that was incorrect * make all parameters consistent * update the docs for the correct key name 'password' instead of 'password_options' or 'password_hashing' * reword some of the docs * apply suggestions from code review Co-Authored-By: Amir Zarrinkafsh <nightah@me.com>
2020-04-11 03:54:18 +00:00
## password:
[FEATURE] Support Argon2id password hasing and improved entropy (#679) * [FEATURE] Support Argon2id Passwords - Updated go module github.com/simia-tech/crypt - Added Argon2id support for file based authentication backend - Made it the default method - Made it so backwards compatibility with SHA512 exists - Force seeding of the random string generator used for salts to ensure they are all different - Added command params to the authelia hash-password command - Automatically remove {CRYPT} from hashes as they are updated - Automatically change hashes when they are updated to the configured algorithm - Made the hashing algorithm parameters completely configurable - Added reasonably comprehensive test suites - Updated docs - Updated config template * Adjust error output * Fix unit test * Add unit tests and argon2 version check * Fix new unit tests * Update docs, added tests * Implement configurable values and more comprehensive testing * Added cmd params to hash_password, updated docs, misc fixes * More detailed error for cmd, fixed a typo * Fixed cmd flag error, minor refactoring * Requested Changes and Minor refactoring * Increase entropy * Update docs for entropy changes * Refactor to reduce nesting and easier code maintenance * Cleanup Errors (uniformity for the function call) * Check salt length, fix docs * Add Base64 string validation for argon2id * Cleanup and Finalization - Moved RandomString function from ./internal/authentication/password_hash.go to ./internal/utils/strings.go - Added SplitStringToArrayOfStrings func that splits strings into an array with a fixed max string len - Fixed an error in validator that would allow a zero salt length - Added a test to verify the upstream crypt module supports our defined random salt chars - Updated docs - Removed unused "HashingAlgorithm" string type * Update crypt go mod, support argon2id key length and major refactor * Config Template Update, Final Tests * Use schema defaults for hash-password cmd * Iterations check * Docs requested changes * Test Coverage, suggested edits * Wording edit * Doc changes * Default sanity changes * Default sanity changes - docs * CI Sanity changes * Memory in MB
2020-03-06 01:38:02 +00:00
## algorithm: argon2id
## iterations: 1
## key_length: 32
## salt_length: 16
[MISC] Update Golang and QEMU to v1.14.0 and v4.2.0-6 respectively (#685) * [MISC] Update Golang and QEMU to v1.14.0 and v4.2.0-6 respectively * Argon2id memory in MB for Config Template * Doc Fix Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2020-03-06 08:40:56 +00:00
## memory: 1024
[FEATURE] Support Argon2id password hasing and improved entropy (#679) * [FEATURE] Support Argon2id Passwords - Updated go module github.com/simia-tech/crypt - Added Argon2id support for file based authentication backend - Made it the default method - Made it so backwards compatibility with SHA512 exists - Force seeding of the random string generator used for salts to ensure they are all different - Added command params to the authelia hash-password command - Automatically remove {CRYPT} from hashes as they are updated - Automatically change hashes when they are updated to the configured algorithm - Made the hashing algorithm parameters completely configurable - Added reasonably comprehensive test suites - Updated docs - Updated config template * Adjust error output * Fix unit test * Add unit tests and argon2 version check * Fix new unit tests * Update docs, added tests * Implement configurable values and more comprehensive testing * Added cmd params to hash_password, updated docs, misc fixes * More detailed error for cmd, fixed a typo * Fixed cmd flag error, minor refactoring * Requested Changes and Minor refactoring * Increase entropy * Update docs for entropy changes * Refactor to reduce nesting and easier code maintenance * Cleanup Errors (uniformity for the function call) * Check salt length, fix docs * Add Base64 string validation for argon2id * Cleanup and Finalization - Moved RandomString function from ./internal/authentication/password_hash.go to ./internal/utils/strings.go - Added SplitStringToArrayOfStrings func that splits strings into an array with a fixed max string len - Fixed an error in validator that would allow a zero salt length - Added a test to verify the upstream crypt module supports our defined random salt chars - Updated docs - Removed unused "HashingAlgorithm" string type * Update crypt go mod, support argon2id key length and major refactor * Config Template Update, Final Tests * Use schema defaults for hash-password cmd * Iterations check * Docs requested changes * Test Coverage, suggested edits * Wording edit * Doc changes * Default sanity changes * Default sanity changes - docs * CI Sanity changes * Memory in MB
2020-03-06 01:38:02 +00:00
## parallelism: 8
Add the access_control entry in the config file to allow the user to define per group rules to access the subdomains
2017-03-25 14:17:21 +00:00
# Access Control
#
[BREAKING] Flatten the ACL rules to enable some use cases. With previous configuration format rules were not ordered between groups and thus not predictable. Also in some cases `any` must have been a higher precedence than `groups`. Flattening the rules let the user apply whatever policy he can think of. When several rules match the (subject, domain, resource), the first one is applied. NOTE: This commit changed the format for declaring ACLs. Be sure to update your configuration file before upgrading.
2018-10-23 22:29:09 +00:00
# Access control is a list of rules defining the authorizations applied for one
# resource to users or group of users.
Add the access_control entry in the config file to allow the user to define per group rules to access the subdomains
2017-03-25 14:17:21 +00:00
#
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
# If 'access_control' is not defined, ACL rules are disabled and the 'bypass'
Backend and frontend are reloaded on code change.
2019-01-11 21:11:54 +00:00
# rule is applied, i.e., access is allowed to anyone. Otherwise restrictions follow
Refine access control with per resource ACLs ACLs can now be defined by subdomain AND resource using pattern matching with regular expressions. It allows a very fine-grained access control to backend resources. [Note] For using example environmnent, user must update its /etc/hosts with new subdomains updated in README.
2017-09-03 13:22:09 +00:00
# the rules defined.
[BREAKING] Flatten the ACL rules to enable some use cases. With previous configuration format rules were not ordered between groups and thus not predictable. Also in some cases `any` must have been a higher precedence than `groups`. Flattening the rules let the user apply whatever policy he can think of. When several rules match the (subject, domain, resource), the first one is applied. NOTE: This commit changed the format for declaring ACLs. Be sure to update your configuration file before upgrading.
2018-10-23 22:29:09 +00:00
#
# Note: One can use the wildcard * to match any subdomain.
Backend and frontend are reloaded on code change.
2019-01-11 21:11:54 +00:00
# It must stand at the beginning of the pattern. (example: *.mydomain.com)
[BREAKING] Flatten the ACL rules to enable some use cases. With previous configuration format rules were not ordered between groups and thus not predictable. Also in some cases `any` must have been a higher precedence than `groups`. Flattening the rules let the user apply whatever policy he can think of. When several rules match the (subject, domain, resource), the first one is applied. NOTE: This commit changed the format for declaring ACLs. Be sure to update your configuration file before upgrading.
2018-10-23 22:29:09 +00:00
#
Backend and frontend are reloaded on code change.
2019-01-11 21:11:54 +00:00
# Note: You must put patterns containing wildcards between simple quotes for the YAML
Misc Spelling Corrections - Mostly changes to spelling of comments/docs/displayed text - A few changes to test function names
2020-01-21 00:10:00 +00:00
# to be syntactically correct.
Refine access control with per resource ACLs ACLs can now be defined by subdomain AND resource using pattern matching with regular expressions. It allows a very fine-grained access control to backend resources. [Note] For using example environmnent, user must update its /etc/hosts with new subdomains updated in README.
2017-09-03 13:22:09 +00:00
#
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
# Definition: A 'rule' is an object with the following keys: 'domain', 'subject',
# 'policy' and 'resources'.
[BREAKING] Flatten the ACL rules to enable some use cases. With previous configuration format rules were not ordered between groups and thus not predictable. Also in some cases `any` must have been a higher precedence than `groups`. Flattening the rules let the user apply whatever policy he can think of. When several rules match the (subject, domain, resource), the first one is applied. NOTE: This commit changed the format for declaring ACLs. Be sure to update your configuration file before upgrading.
2018-10-23 22:29:09 +00:00
#
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
# - 'domain' defines which domain or set of domains the rule applies to.
Refine access control with per resource ACLs ACLs can now be defined by subdomain AND resource using pattern matching with regular expressions. It allows a very fine-grained access control to backend resources. [Note] For using example environmnent, user must update its /etc/hosts with new subdomains updated in README.
2017-09-03 13:22:09 +00:00
#
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
# - 'subject' defines the subject to apply authorizations to. This parameter is
[BREAKING] Flatten the ACL rules to enable some use cases. With previous configuration format rules were not ordered between groups and thus not predictable. Also in some cases `any` must have been a higher precedence than `groups`. Flattening the rules let the user apply whatever policy he can think of. When several rules match the (subject, domain, resource), the first one is applied. NOTE: This commit changed the format for declaring ACLs. Be sure to update your configuration file before upgrading.
2018-10-23 22:29:09 +00:00
# optional and matching any user if not provided. If provided, the parameter
# represents either a user or a group. It should be of the form 'user:<username>'
# or 'group:<groupname>'.
#
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
# - 'policy' is the policy to apply to resources. It must be either 'bypass',
# 'one_factor', 'two_factor' or 'deny'.
[BREAKING] Flatten the ACL rules to enable some use cases. With previous configuration format rules were not ordered between groups and thus not predictable. Also in some cases `any` must have been a higher precedence than `groups`. Flattening the rules let the user apply whatever policy he can think of. When several rules match the (subject, domain, resource), the first one is applied. NOTE: This commit changed the format for declaring ACLs. Be sure to update your configuration file before upgrading.
2018-10-23 22:29:09 +00:00
#
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
# - 'resources' is a list of regular expressions that matches a set of resources to
Backend and frontend are reloaded on code change.
2019-01-11 21:11:54 +00:00
# apply the policy to. This parameter is optional and matches any resource if not
[BREAKING] Flatten the ACL rules to enable some use cases. With previous configuration format rules were not ordered between groups and thus not predictable. Also in some cases `any` must have been a higher precedence than `groups`. Flattening the rules let the user apply whatever policy he can think of. When several rules match the (subject, domain, resource), the first one is applied. NOTE: This commit changed the format for declaring ACLs. Be sure to update your configuration file before upgrading.
2018-10-23 22:29:09 +00:00
# provided.
Edit README to make the user add more subdomains in /etc/hosts for testing the example locally
2017-03-25 17:42:48 +00:00
#
[BREAKING] Flatten the ACL rules to enable some use cases. With previous configuration format rules were not ordered between groups and thus not predictable. Also in some cases `any` must have been a higher precedence than `groups`. Flattening the rules let the user apply whatever policy he can think of. When several rules match the (subject, domain, resource), the first one is applied. NOTE: This commit changed the format for declaring ACLs. Be sure to update your configuration file before upgrading.
2018-10-23 22:29:09 +00:00
# Note: the order of the rules is important. The first policy matching
# (domain, resource, subject) applies.
Add the access_control entry in the config file to allow the user to define per group rules to access the subdomains
2017-03-25 14:17:21 +00:00
access_control:
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
# Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'.
[BREAKING] Flatten the ACL rules to enable some use cases. With previous configuration format rules were not ordered between groups and thus not predictable. Also in some cases `any` must have been a higher precedence than `groups`. Flattening the rules let the user apply whatever policy he can think of. When several rules match the (subject, domain, resource), the first one is applied. NOTE: This commit changed the format for declaring ACLs. Be sure to update your configuration file before upgrading.
2018-10-23 22:29:09 +00:00
# It is the policy applied to any resource if there is no policy to be applied
# to the user.
Refine access control with per resource ACLs ACLs can now be defined by subdomain AND resource using pattern matching with regular expressions. It allows a very fine-grained access control to backend resources. [Note] For using example environmnent, user must update its /etc/hosts with new subdomains updated in README.
2017-09-03 13:22:09 +00:00
default_policy: deny
[BREAKING] Flatten the ACL rules to enable some use cases. With previous configuration format rules were not ordered between groups and thus not predictable. Also in some cases `any` must have been a higher precedence than `groups`. Flattening the rules let the user apply whatever policy he can think of. When several rules match the (subject, domain, resource), the first one is applied. NOTE: This commit changed the format for declaring ACLs. Be sure to update your configuration file before upgrading.
2018-10-23 22:29:09 +00:00
rules:
# Rules applied to everyone
Change domain from test.local to example.com Warning: you will need to update your /etc/hosts to take this change into account for the example environment to work.
2017-11-02 20:34:07 +00:00
- domain: public.example.com
[BREAKING] Create a suite for kubernetes tests. Authelia client uses hash router instead of browser router in order to work with Kubernetes nginx-ingress-controller. This is also better for users having old browsers. This commit is breaking because it requires to change the configuration of the proxy to include the # in the URL of the login portal.
2019-03-03 22:51:52 +00:00
policy: bypass
Add network criteria in ACLs to specify policy based on network subnet.
2019-03-27 22:09:01 +00:00
- domain: secure.example.com
policy: one_factor
# Network based rule, if not provided any network matches.
networks:
- 192.168.1.0/24
[FEATURE] Support multiple domains and multiple subjects in ACLs (#869) * added support for listing multiple domains and multiple subjects * updated documentation to show use of multiple domains and subjects * updated config.template.yml to display multiple domains as a list * updated config.template.yml to display multiple subjects as a list * updated docs/configuration/access-control.md to display multiple domains as a list * updated docs/configuration/access-control.md to display multiple subjects as a list * removed redundant check that always returned true * Commentary definition for `weak`
2020-04-16 00:18:11 +00:00
- domain:
- secure.example.com
- private.example.com
Integrate more policy options in ACL rules. The possible values for ACL policies are now: bypass, one_factor, two_factor, deny. This change also deprecate auth_methods because the method is now associated directly to a resource in the ACLs instead of a domain.
2018-10-22 21:21:17 +00:00
policy: two_factor
Add network criteria in ACLs to specify policy based on network subnet.
2019-03-27 22:09:01 +00:00
[BREAKING] Create a suite for kubernetes tests. Authelia client uses hash router instead of browser router in order to work with Kubernetes nginx-ingress-controller. This is also better for users having old browsers. This commit is breaking because it requires to change the configuration of the proxy to include the # in the URL of the login portal.
2019-03-03 22:51:52 +00:00
- domain: singlefactor.example.com
Integrate more policy options in ACL rules. The possible values for ACL policies are now: bypass, one_factor, two_factor, deny. This change also deprecate auth_methods because the method is now associated directly to a resource in the ACLs instead of a domain.
2018-10-22 21:21:17 +00:00
policy: one_factor
[BREAKING] Flatten the ACL rules to enable some use cases. With previous configuration format rules were not ordered between groups and thus not predictable. Also in some cases `any` must have been a higher precedence than `groups`. Flattening the rules let the user apply whatever policy he can think of. When several rules match the (subject, domain, resource), the first one is applied. NOTE: This commit changed the format for declaring ACLs. Be sure to update your configuration file before upgrading.
2018-10-23 22:29:09 +00:00
Fix and parallelize integration tests.
2019-11-30 16:49:52 +00:00
# Rules applied to 'admins' group
- domain: "mx2.mail.example.com"
Fix DuoPush suite and do some clean up.
2019-12-04 07:46:49 +00:00
subject: "group:admins"
[BREAKING] Flatten the ACL rules to enable some use cases. With previous configuration format rules were not ordered between groups and thus not predictable. Also in some cases `any` must have been a higher precedence than `groups`. Flattening the rules let the user apply whatever policy he can think of. When several rules match the (subject, domain, resource), the first one is applied. NOTE: This commit changed the format for declaring ACLs. Be sure to update your configuration file before upgrading.
2018-10-23 22:29:09 +00:00
policy: deny
[FEATURE] Support multiple domains and multiple subjects in ACLs (#869) * added support for listing multiple domains and multiple subjects * updated documentation to show use of multiple domains and subjects * updated config.template.yml to display multiple domains as a list * updated config.template.yml to display multiple subjects as a list * updated docs/configuration/access-control.md to display multiple domains as a list * updated docs/configuration/access-control.md to display multiple subjects as a list * removed redundant check that always returned true * Commentary definition for `weak`
2020-04-16 00:18:11 +00:00
Fix and parallelize integration tests.
2019-11-30 16:49:52 +00:00
- domain: "*.example.com"
[FEATURE] Support multiple domains and multiple subjects in ACLs (#869) * added support for listing multiple domains and multiple subjects * updated documentation to show use of multiple domains and subjects * updated config.template.yml to display multiple domains as a list * updated config.template.yml to display multiple subjects as a list * updated docs/configuration/access-control.md to display multiple domains as a list * updated docs/configuration/access-control.md to display multiple subjects as a list * removed redundant check that always returned true * Commentary definition for `weak`
2020-04-16 00:18:11 +00:00
subject:
- "group:admins"
- "group:moderators"
[BREAKING] Flatten the ACL rules to enable some use cases. With previous configuration format rules were not ordered between groups and thus not predictable. Also in some cases `any` must have been a higher precedence than `groups`. Flattening the rules let the user apply whatever policy he can think of. When several rules match the (subject, domain, resource), the first one is applied. NOTE: This commit changed the format for declaring ACLs. Be sure to update your configuration file before upgrading.
2018-10-23 22:29:09 +00:00
policy: two_factor
# Rules applied to 'dev' group
- domain: dev.example.com
resources:
Fix and parallelize integration tests.
2019-11-30 16:49:52 +00:00
- "^/groups/dev/.*$"
subject: "group:dev"
[BREAKING] Flatten the ACL rules to enable some use cases. With previous configuration format rules were not ordered between groups and thus not predictable. Also in some cases `any` must have been a higher precedence than `groups`. Flattening the rules let the user apply whatever policy he can think of. When several rules match the (subject, domain, resource), the first one is applied. NOTE: This commit changed the format for declaring ACLs. Be sure to update your configuration file before upgrading.
2018-10-23 22:29:09 +00:00
policy: two_factor
# Rules applied to user 'john'
- domain: dev.example.com
resources:
Fix and parallelize integration tests.
2019-11-30 16:49:52 +00:00
- "^/users/john/.*$"
subject: "user:john"
[BREAKING] Flatten the ACL rules to enable some use cases. With previous configuration format rules were not ordered between groups and thus not predictable. Also in some cases `any` must have been a higher precedence than `groups`. Flattening the rules let the user apply whatever policy he can think of. When several rules match the (subject, domain, resource), the first one is applied. NOTE: This commit changed the format for declaring ACLs. Be sure to update your configuration file before upgrading.
2018-10-23 22:29:09 +00:00
policy: two_factor
# Rules applied to user 'harry'
- domain: dev.example.com
resources:
Fix and parallelize integration tests.
2019-11-30 16:49:52 +00:00
- "^/users/harry/.*$"
subject: "user:harry"
[BREAKING] Flatten the ACL rules to enable some use cases. With previous configuration format rules were not ordered between groups and thus not predictable. Also in some cases `any` must have been a higher precedence than `groups`. Flattening the rules let the user apply whatever policy he can think of. When several rules match the (subject, domain, resource), the first one is applied. NOTE: This commit changed the format for declaring ACLs. Be sure to update your configuration file before upgrading.
2018-10-23 22:29:09 +00:00
policy: two_factor
# Rules applied to user 'bob'
Fix and parallelize integration tests.
2019-11-30 16:49:52 +00:00
- domain: "*.mail.example.com"
subject: "user:bob"
[BREAKING] Flatten the ACL rules to enable some use cases. With previous configuration format rules were not ordered between groups and thus not predictable. Also in some cases `any` must have been a higher precedence than `groups`. Flattening the rules let the user apply whatever policy he can think of. When several rules match the (subject, domain, resource), the first one is applied. NOTE: This commit changed the format for declaring ACLs. Be sure to update your configuration file before upgrading.
2018-10-23 22:29:09 +00:00
policy: two_factor
Fix and parallelize integration tests.
2019-11-30 16:49:52 +00:00
- domain: "dev.example.com"
[BREAKING] Flatten the ACL rules to enable some use cases. With previous configuration format rules were not ordered between groups and thus not predictable. Also in some cases `any` must have been a higher precedence than `groups`. Flattening the rules let the user apply whatever policy he can think of. When several rules match the (subject, domain, resource), the first one is applied. NOTE: This commit changed the format for declaring ACLs. Be sure to update your configuration file before upgrading.
2018-10-23 22:29:09 +00:00
resources:
Fix and parallelize integration tests.
2019-11-30 16:49:52 +00:00
- "^/users/bob/.*$"
subject: "user:bob"
[BREAKING] Flatten the ACL rules to enable some use cases. With previous configuration format rules were not ordered between groups and thus not predictable. Also in some cases `any` must have been a higher precedence than `groups`. Flattening the rules let the user apply whatever policy he can think of. When several rules match the (subject, domain, resource), the first one is applied. NOTE: This commit changed the format for declaring ACLs. Be sure to update your configuration file before upgrading.
2018-10-23 22:29:09 +00:00
policy: two_factor
Add the access_control entry in the config file to allow the user to define per group rules to access the subdomains
2017-03-25 14:17:21 +00:00
Handle SSO over multiple subdomains
2017-03-15 22:07:57 +00:00
# Configuration of session cookies
[BREAKING] Flatten the ACL rules to enable some use cases. With previous configuration format rules were not ordered between groups and thus not predictable. Also in some cases `any` must have been a higher precedence than `groups`. Flattening the rules let the user apply whatever policy he can think of. When several rules match the (subject, domain, resource), the first one is applied. NOTE: This commit changed the format for declaring ACLs. Be sure to update your configuration file before upgrading.
2018-10-23 22:29:09 +00:00
#
Parameterize authentication regulation via configuration file. Both for flexibility and for testing purposes.
2017-09-02 23:25:43 +00:00
# The session cookies identify the user once logged in.
Registration process sends an email to allow user to register its U2F device
2017-01-22 16:54:45 +00:00
session:
Make session cookie name customizable. (#256) This option is optional and set to authelia_session by default.
2018-08-19 11:07:00 +00:00
# The name of the session cookie. (default: authelia_session).
name: authelia_session
[MISC] Encrypt session data in redis store. (#789) This is a regression from v3. With this change session data is encrypted with AES-GCM using a 256-bit key derived from the provided secret. Fixes #652.
2020-03-28 06:10:39 +00:00
# The secret to encrypt the session data. This is only used with Redis.
[FEATURE] File Secrets (#896) * [FEATURE] File Secret Loading * add a validator for secrets * run the secrets validator before the main config validator * only allow a secret to be defined in one of: config, env, file env * remove LF if found in file * update configuration before main config validation * fix unit tests * implement secret testing * refactor the secrets validator * make check os agnostic * update docs * add warning when user attempts to use ENV instead of ENV file * discourage ENV in docs * update config template * oxford comma * apply suggestions from code review * rename Validate to ValidateConfiguration * add k8s example * add deprecation notice in docs and warning * style changes
2020-04-23 01:11:32 +00:00
# Secret can also be set using a secret: https://docs.authelia.com/configuration/secrets.html
[FEATURE] Remember Me Configuration (#813) * [FEATURE] Remember Me Configuration * allow users to specify the duration of remember me using remember_me_duration in session config * setting the duration to 0 disables remember me * only render the remember me element if remember me is enabled * prevent malicious users from faking remember me functionality in the backend * add string to duration helper called ParseDurationString to parse a string into a duration * added tests to the helper function * use the SessionProvider to store the time.Duration instead of parsing it over and over again * add sec doc, adjust month/min, consistency * renamed internal/utils/constants.go to internal/utils/const.go to be consistent * added security measure docs * adjusted default remember me duration to be 1 month instead of 1 year * utilize default remember me duration in the autheliaCtx mock * adjust order of keys in session configuration examples * add notes on session security measures secret only being redis * add TODO items for duration notation for both Expiration and Inactivity (will be removed soon) * fix error text for Inactivity in the validator * add session validator tests * deref check bodyJSON.KeepMeLoggedIn and derive the value based on conf and user input and store it (DRY) * remove unnecessary regex for the simplified ParseDurationString utility * ParseDurationString only accepts decimals without leading zeros now * comprehensively test all unit types * remove unnecessary type unions in web * add test to check sanity of time duration consts, this is just so they can't be accidentally changed * simplify deref check and assignment * fix reset password padding/margins * adjust some doc wording * adjust the handler configuration suite test * actually run the handler configuration suite test (whoops) * reduce the number of regex's used by ParseDurationString to 1, thanks to Clement * adjust some error wording
2020-04-03 23:11:33 +00:00
secret: insecure_session_secret
[BREAKING] Flatten the ACL rules to enable some use cases. With previous configuration format rules were not ordered between groups and thus not predictable. Also in some cases `any` must have been a higher precedence than `groups`. Flattening the rules let the user apply whatever policy he can think of. When several rules match the (subject, domain, resource), the first one is applied. NOTE: This commit changed the format for declaring ACLs. Be sure to update your configuration file before upgrading.
2018-10-23 22:29:09 +00:00
Update expiration timeouts from milliseconds to seconds.
2019-12-06 08:59:32 +00:00
# The time in seconds before the cookie expires and session is reset.
[MISC] Update durations to notation format and housekeeping (#824) * added regulation validator * made regulations find_time and ban_time values duration notation strings * added DefaultRegulationConfiguration for the validator * made session expiration and inactivity values duration notation strings * TOTP period does not need to be converted because adjustment should be discouraged * moved TOTP defaults to DefaultTOTPConfiguration and removed the consts * arranged the root config validator in configuration file order * adjusted tests for the changes * moved duration notation docs to root of configuration * added references to duration notation where applicable * project wide gofmt and goimports: * run gofmt * run goimports -local github.com/authelia/authelia -w on all files * Make jwt_secret error uniform and add tests * now at 100% coverage for internal/configuration/validator/configuration.go
2020-04-05 12:37:21 +00:00
expiration: 1h
Parameterize authentication regulation via configuration file. Both for flexibility and for testing purposes.
2017-09-02 23:25:43 +00:00
Update expiration timeouts from milliseconds to seconds.
2019-12-06 08:59:32 +00:00
# The inactivity time in seconds before the session is reset.
[MISC] Update durations to notation format and housekeeping (#824) * added regulation validator * made regulations find_time and ban_time values duration notation strings * added DefaultRegulationConfiguration for the validator * made session expiration and inactivity values duration notation strings * TOTP period does not need to be converted because adjustment should be discouraged * moved TOTP defaults to DefaultTOTPConfiguration and removed the consts * arranged the root config validator in configuration file order * adjusted tests for the changes * moved duration notation docs to root of configuration * added references to duration notation where applicable * project wide gofmt and goimports: * run gofmt * run goimports -local github.com/authelia/authelia -w on all files * Make jwt_secret error uniform and add tests * now at 100% coverage for internal/configuration/validator/configuration.go
2020-04-05 12:37:21 +00:00
inactivity: 5m
Implement session inactivity timeout This timeout will prevent an attacker from using a session that has been inactive for too long. This inactivity timeout combined with the timeout before expiration makes a good combination of security mechanisms to prevent session theft. If no activity timeout is provided, then the feature is disabled and only session expiration remains as a protection.
2017-10-16 22:38:10 +00:00
[FEATURE] Remember Me Configuration (#813) * [FEATURE] Remember Me Configuration * allow users to specify the duration of remember me using remember_me_duration in session config * setting the duration to 0 disables remember me * only render the remember me element if remember me is enabled * prevent malicious users from faking remember me functionality in the backend * add string to duration helper called ParseDurationString to parse a string into a duration * added tests to the helper function * use the SessionProvider to store the time.Duration instead of parsing it over and over again * add sec doc, adjust month/min, consistency * renamed internal/utils/constants.go to internal/utils/const.go to be consistent * added security measure docs * adjusted default remember me duration to be 1 month instead of 1 year * utilize default remember me duration in the autheliaCtx mock * adjust order of keys in session configuration examples * add notes on session security measures secret only being redis * add TODO items for duration notation for both Expiration and Inactivity (will be removed soon) * fix error text for Inactivity in the validator * add session validator tests * deref check bodyJSON.KeepMeLoggedIn and derive the value based on conf and user input and store it (DRY) * remove unnecessary regex for the simplified ParseDurationString utility * ParseDurationString only accepts decimals without leading zeros now * comprehensively test all unit types * remove unnecessary type unions in web * add test to check sanity of time duration consts, this is just so they can't be accidentally changed * simplify deref check and assignment * fix reset password padding/margins * adjust some doc wording * adjust the handler configuration suite test * actually run the handler configuration suite test (whoops) * reduce the number of regex's used by ParseDurationString to 1, thanks to Clement * adjust some error wording
2020-04-03 23:11:33 +00:00
# The remember me duration.
# Value of 0 disables remember me.
[MISC] Update durations to notation format and housekeeping (#824) * added regulation validator * made regulations find_time and ban_time values duration notation strings * added DefaultRegulationConfiguration for the validator * made session expiration and inactivity values duration notation strings * TOTP period does not need to be converted because adjustment should be discouraged * moved TOTP defaults to DefaultTOTPConfiguration and removed the consts * arranged the root config validator in configuration file order * adjusted tests for the changes * moved duration notation docs to root of configuration * added references to duration notation where applicable * project wide gofmt and goimports: * run gofmt * run goimports -local github.com/authelia/authelia -w on all files * Make jwt_secret error uniform and add tests * now at 100% coverage for internal/configuration/validator/configuration.go
2020-04-05 12:37:21 +00:00
# Value is in seconds, or duration notation. See: https://docs.authelia.com/configuration/index.html#duration-notation-format
[FEATURE] Remember Me Configuration (#813) * [FEATURE] Remember Me Configuration * allow users to specify the duration of remember me using remember_me_duration in session config * setting the duration to 0 disables remember me * only render the remember me element if remember me is enabled * prevent malicious users from faking remember me functionality in the backend * add string to duration helper called ParseDurationString to parse a string into a duration * added tests to the helper function * use the SessionProvider to store the time.Duration instead of parsing it over and over again * add sec doc, adjust month/min, consistency * renamed internal/utils/constants.go to internal/utils/const.go to be consistent * added security measure docs * adjusted default remember me duration to be 1 month instead of 1 year * utilize default remember me duration in the autheliaCtx mock * adjust order of keys in session configuration examples * add notes on session security measures secret only being redis * add TODO items for duration notation for both Expiration and Inactivity (will be removed soon) * fix error text for Inactivity in the validator * add session validator tests * deref check bodyJSON.KeepMeLoggedIn and derive the value based on conf and user input and store it (DRY) * remove unnecessary regex for the simplified ParseDurationString utility * ParseDurationString only accepts decimals without leading zeros now * comprehensively test all unit types * remove unnecessary type unions in web * add test to check sanity of time duration consts, this is just so they can't be accidentally changed * simplify deref check and assignment * fix reset password padding/margins * adjust some doc wording * adjust the handler configuration suite test * actually run the handler configuration suite test (whoops) * reduce the number of regex's used by ParseDurationString to 1, thanks to Clement * adjust some error wording
2020-04-03 23:11:33 +00:00
# Longer periods are considered less secure because a stolen cookie will last longer giving attackers more time to spy
# or attack. Currently the default is 1M or 1 month.
remember_me_duration: 1M
Parameterize authentication regulation via configuration file. Both for flexibility and for testing purposes.
2017-09-02 23:25:43 +00:00
# The domain to protect.
# Note: the authenticator must also be in that domain. If empty, the cookie
[BREAKING] Flatten the ACL rules to enable some use cases. With previous configuration format rules were not ordered between groups and thus not predictable. Also in some cases `any` must have been a higher precedence than `groups`. Flattening the rules let the user apply whatever policy he can think of. When several rules match the (subject, domain, resource), the first one is applied. NOTE: This commit changed the format for declaring ACLs. Be sure to update your configuration file before upgrading.
2018-10-23 22:29:09 +00:00
# is restricted to the subdomain of the issuer.
Change domain from test.local to example.com Warning: you will need to update your /etc/hosts to take this change into account for the example environment to work.
2017-11-02 20:34:07 +00:00
domain: example.com
[BREAKING] Flatten the ACL rules to enable some use cases. With previous configuration format rules were not ordered between groups and thus not predictable. Also in some cases `any` must have been a higher precedence than `groups`. Flattening the rules let the user apply whatever policy he can think of. When several rules match the (subject, domain, resource), the first one is applied. NOTE: This commit changed the format for declaring ACLs. Be sure to update your configuration file before upgrading.
2018-10-23 22:29:09 +00:00
Backend and frontend are reloaded on code change.
2019-01-11 21:11:54 +00:00
# The redis connection details
Add redis option to the express-session middleware
2017-06-29 17:41:05 +00:00
redis:
Fix e2e test with minimal configuration.
2019-01-30 15:47:03 +00:00
host: 127.0.0.1
Add redis option to the express-session middleware
2017-06-29 17:41:05 +00:00
port: 6379
[FEATURE] Bump to fasthttp/session/v2 to support redis unix socket. (#1001) * [FEATURE] Bump to fasthttp/session/v2 to support redis unix socket. * Fix lint issues. * Remove v1 import and fix double import. * [DOCS] Document use of redis unix socket. Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-05-18 02:45:47 +00:00
# # Use a unix socket instead
# host: /var/run/redis/redis.sock
[FEATURE] File Secrets (#896) * [FEATURE] File Secret Loading * add a validator for secrets * run the secrets validator before the main config validator * only allow a secret to be defined in one of: config, env, file env * remove LF if found in file * update configuration before main config validation * fix unit tests * implement secret testing * refactor the secrets validator * make check os agnostic * update docs * add warning when user attempts to use ENV instead of ENV file * discourage ENV in docs * update config template * oxford comma * apply suggestions from code review * rename Validate to ValidateConfiguration * add k8s example * add deprecation notice in docs and warning * style changes
2020-04-23 01:11:32 +00:00
# Password can also be set using a secret: https://docs.authelia.com/configuration/secrets.html
Enable authentication to Mongo and Redis. (#263) * Fix issue in unit test of IdentityCheckMiddleware. * Enable authentication to Mongo server. * Enable authentication to Redis.
2018-08-26 11:10:23 +00:00
password: authelia
[FEATURE] Redis DB Index Selection (#653) * [FEATURE] Redis DB Number Selection - Allow users to specify the DB number - This is so users who use their redis for multiple purposes can have clear demarcation between their data * revert: import order * Add default/example to config template with docs * Set DB Index property name to be more clear
2020-02-28 00:14:44 +00:00
# This is the Redis DB Index https://redis.io/commands/select (sometimes referred to as database number, DB, etc).
database_index: 0
Registration process sends an email to allow user to register its U2F device
2017-01-22 16:54:45 +00:00
Parameterize authentication regulation via configuration file. Both for flexibility and for testing purposes.
2017-09-02 23:25:43 +00:00
# Configuration of the authentication regulation mechanism.
#
# This mechanism prevents attackers from brute forcing the first factor.
# It bans the user if too many attempts are done in a short period of
# time.
regulation:
[BREAKING] Flatten the ACL rules to enable some use cases. With previous configuration format rules were not ordered between groups and thus not predictable. Also in some cases `any` must have been a higher precedence than `groups`. Flattening the rules let the user apply whatever policy he can think of. When several rules match the (subject, domain, resource), the first one is applied. NOTE: This commit changed the format for declaring ACLs. Be sure to update your configuration file before upgrading.
2018-10-23 22:29:09 +00:00
# The number of failed login attempts before user is banned.
Refactor configuration to remove optional sections from minimal template Also move tests from dedicated directory to source dir with .spec.ts extension
2018-07-08 15:02:28 +00:00
# Set it to 0 to disable regulation.
Parameterize authentication regulation via configuration file. Both for flexibility and for testing purposes.
2017-09-02 23:25:43 +00:00
max_retries: 3
Backend and frontend are reloaded on code change.
2019-01-11 21:11:54 +00:00
# The time range during which the user can attempt login before being banned.
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687) * [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examples
2020-03-15 07:10:25 +00:00
# The user is banned if the authentication failed 'max_retries' times in a 'find_time' seconds window.
[MISC] Update durations to notation format and housekeeping (#824) * added regulation validator * made regulations find_time and ban_time values duration notation strings * added DefaultRegulationConfiguration for the validator * made session expiration and inactivity values duration notation strings * TOTP period does not need to be converted because adjustment should be discouraged * moved TOTP defaults to DefaultTOTPConfiguration and removed the consts * arranged the root config validator in configuration file order * adjusted tests for the changes * moved duration notation docs to root of configuration * added references to duration notation where applicable * project wide gofmt and goimports: * run gofmt * run goimports -local github.com/authelia/authelia -w on all files * Make jwt_secret error uniform and add tests * now at 100% coverage for internal/configuration/validator/configuration.go
2020-04-05 12:37:21 +00:00
# Find Time accepts duration notation. See: https://docs.authelia.com/configuration/index.html#duration-notation-format
find_time: 2m
Parameterize authentication regulation via configuration file. Both for flexibility and for testing purposes.
2017-09-02 23:25:43 +00:00
# The length of time before a banned user can login again.
[MISC] Update durations to notation format and housekeeping (#824) * added regulation validator * made regulations find_time and ban_time values duration notation strings * added DefaultRegulationConfiguration for the validator * made session expiration and inactivity values duration notation strings * TOTP period does not need to be converted because adjustment should be discouraged * moved TOTP defaults to DefaultTOTPConfiguration and removed the consts * arranged the root config validator in configuration file order * adjusted tests for the changes * moved duration notation docs to root of configuration * added references to duration notation where applicable * project wide gofmt and goimports: * run gofmt * run goimports -local github.com/authelia/authelia -w on all files * Make jwt_secret error uniform and add tests * now at 100% coverage for internal/configuration/validator/configuration.go
2020-04-05 12:37:21 +00:00
# Ban Time accepts duration notation. See: https://docs.authelia.com/configuration/index.html#duration-notation-format
ban_time: 5m
Parameterize authentication regulation via configuration file. Both for flexibility and for testing purposes.
2017-09-02 23:25:43 +00:00
# Configuration of the storage backend used to store data and secrets.
#
[FIX] Fix default redirection URL not taken into account (#600) * Remove unused mongo docker-compose file. * Default redirection URL was not taken into account. * Fix possible storage options in config template. * Remove useless checks in u2f registration endpoints. * Add default redirection url in config of duo suite. * Fix log line in response handler of 2FA methods. * Fix integration tests. Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-02-01 12:54:50 +00:00
# You must use only an available configuration: local, mysql, postgres
Add Mongo as scalable and resilient storage backend
2017-07-19 19:06:12 +00:00
storage:
# The directory where the DB files will be saved
Backend and frontend are reloaded on code change.
2019-01-11 21:11:54 +00:00
## local:
[FEATURE] Docker simplification and configuration generation (#1113) * [FEATURE] Docker simplification and configuration generation The Authelia binary now will attempt to generate configuration based on the latest template assuming that the config location specified on startup does not exist. If a file based backend is selected and the backend cannot be found similarly it will generate a `user_database.yml` based a template. This will allow more seamless bootstrapping of an environment no matter the deployment method. We have also squashed the Docker volume requirement down to just `/config` thus removing the requirement for `/var/lib/authelia` this is primarily in attempts to simplify the Docker deployment. Users with the old volume mappings have two options: 1. Change their mappings to conform to `/config` 2. Change the container entrypoint from `authelia --config /config/configuration.yml` to their old mapping * Adjust paths relative to `/etc/authelia` and simplify to single volume for compose * Add generation for file backend based user database * Refactor Docker volumes and paths to /config * Refactor Docker WORKDIR to /app * Fix integration tests * Update BREAKING.md for v4.20.0 * Run go mod tidy * Fix log_file_path in miscellaneous.md docs * Generate config and userdb with 0600 permissions * Fix log_file_path in config.template.yml
2020-06-17 06:25:35 +00:00
## path: /config/db.sqlite3
[BREAKING] Flatten the ACL rules to enable some use cases. With previous configuration format rules were not ordered between groups and thus not predictable. Also in some cases `any` must have been a higher precedence than `groups`. Flattening the rules let the user apply whatever policy he can think of. When several rules match the (subject, domain, resource), the first one is applied. NOTE: This commit changed the format for declaring ACLs. Be sure to update your configuration file before upgrading.
2018-10-23 22:29:09 +00:00
Add support for PostgreSQL.
2019-11-16 19:50:58 +00:00
# Settings to connect to MySQL server
mysql:
Deprecate mongo and add mariadb as storage backend option.
2019-11-16 10:38:21 +00:00
host: 127.0.0.1
port: 3306
Fix unit and integration tests
2018-03-28 22:04:59 +00:00
database: authelia
Deprecate mongo and add mariadb as storage backend option.
2019-11-16 10:38:21 +00:00
username: authelia
[FEATURE] File Secrets (#896) * [FEATURE] File Secret Loading * add a validator for secrets * run the secrets validator before the main config validator * only allow a secret to be defined in one of: config, env, file env * remove LF if found in file * update configuration before main config validation * fix unit tests * implement secret testing * refactor the secrets validator * make check os agnostic * update docs * add warning when user attempts to use ENV instead of ENV file * discourage ENV in docs * update config template * oxford comma * apply suggestions from code review * rename Validate to ValidateConfiguration * add k8s example * add deprecation notice in docs and warning * style changes
2020-04-23 01:11:32 +00:00
# Password can also be set using a secret: https://docs.authelia.com/configuration/secrets.html
Deprecate mongo and add mariadb as storage backend option.
2019-11-16 10:38:21 +00:00
password: mypassword
Add support for PostgreSQL.
2019-11-16 19:50:58 +00:00
[DOCS] Fix typo in the template and docs for Postgres (#853) * update config.template.yml * update postgres documentation
2020-04-11 02:38:57 +00:00
# Settings to connect to PostgreSQL server
Add support for PostgreSQL.
2019-11-16 19:50:58 +00:00
# postgres:
# host: 127.0.0.1
[DOCS] Fix typo in the template and docs for Postgres (#853) * update config.template.yml * update postgres documentation
2020-04-11 02:38:57 +00:00
# port: 5432
Add support for PostgreSQL.
2019-11-16 19:50:58 +00:00
# database: authelia
# username: authelia
[FEATURE] File Secrets (#896) * [FEATURE] File Secret Loading * add a validator for secrets * run the secrets validator before the main config validator * only allow a secret to be defined in one of: config, env, file env * remove LF if found in file * update configuration before main config validation * fix unit tests * implement secret testing * refactor the secrets validator * make check os agnostic * update docs * add warning when user attempts to use ENV instead of ENV file * discourage ENV in docs * update config template * oxford comma * apply suggestions from code review * rename Validate to ValidateConfiguration * add k8s example * add deprecation notice in docs and warning * style changes
2020-04-23 01:11:32 +00:00
# # Password can also be set using a secret: https://docs.authelia.com/configuration/secrets.html
Add support for PostgreSQL.
2019-11-16 19:50:58 +00:00
# password: mypassword
[FEATURE] File Secrets (#896) * [FEATURE] File Secret Loading * add a validator for secrets * run the secrets validator before the main config validator * only allow a secret to be defined in one of: config, env, file env * remove LF if found in file * update configuration before main config validation * fix unit tests * implement secret testing * refactor the secrets validator * make check os agnostic * update docs * add warning when user attempts to use ENV instead of ENV file * discourage ENV in docs * update config template * oxford comma * apply suggestions from code review * rename Validate to ValidateConfiguration * add k8s example * add deprecation notice in docs and warning * style changes
2020-04-23 01:11:32 +00:00
# sslmode: disable
Create a filesystem notifier for simple getting started
2017-01-28 18:59:15 +00:00
Parameterize authentication regulation via configuration file. Both for flexibility and for testing purposes.
2017-09-02 23:25:43 +00:00
# Configuration of the notification system.
#
Handle SSO over multiple subdomains
2017-03-15 22:07:57 +00:00
# Notifications are sent to users when they require a password reset, a u2f
# registration or a TOTP registration.
[FEATURE] Notifier Startup Checks (#889) * implement SMTP notifier startup check * check dial, starttls, auth, mail from, rcpt to, reset, and quit * log the error on failure * implement mock * misc optimizations, adjustments, and refactoring * implement validate_skip config option * fix comments to end with period * fix suites that used smtp notifier without a smtp container * add docs * add file notifier startup check * move file mode into const.go * disable gosec linting on insecureskipverify since it's intended, warned, and discouraged * minor PR commentary adjustment * apply suggestions from code review Co-Authored-By: Amir Zarrinkafsh <nightah@me.com>
2020-04-21 04:59:38 +00:00
# Use only an available configuration: filesystem, smtp.
Registration process sends an email to allow user to register its U2F device
2017-01-22 16:54:45 +00:00
notifier:
[FEATURE] Notifier Startup Checks (#889) * implement SMTP notifier startup check * check dial, starttls, auth, mail from, rcpt to, reset, and quit * log the error on failure * implement mock * misc optimizations, adjustments, and refactoring * implement validate_skip config option * fix comments to end with period * fix suites that used smtp notifier without a smtp container * add docs * add file notifier startup check * move file mode into const.go * disable gosec linting on insecureskipverify since it's intended, warned, and discouraged * minor PR commentary adjustment * apply suggestions from code review Co-Authored-By: Amir Zarrinkafsh <nightah@me.com>
2020-04-21 04:59:38 +00:00
# You can disable the notifier startup check by setting this to true.
disable_startup_check: false
Make file system an available notifier option for testing purpose
2017-10-08 20:48:20 +00:00
# For testing purpose, notifications can be sent in a file
Add support for users database on disk. (#262) In order to simplify the deployment of Authelia for testing, LDAP is now optional made optional thanks to users database stored in a file. One can update the file manually even while Authelia is running. With this feature the minimal configuration requires only two components: Authelia and nginx. The users database is obviously made for development environments only as it prevents Authelia to be scaled to more than one instance. Note: Configuration has been updated. Key `ldap` has been nested in `authentication_backend`.
2018-08-26 08:30:43 +00:00
## filesystem:
[FEATURE] Docker simplification and configuration generation (#1113) * [FEATURE] Docker simplification and configuration generation The Authelia binary now will attempt to generate configuration based on the latest template assuming that the config location specified on startup does not exist. If a file based backend is selected and the backend cannot be found similarly it will generate a `user_database.yml` based a template. This will allow more seamless bootstrapping of an environment no matter the deployment method. We have also squashed the Docker volume requirement down to just `/config` thus removing the requirement for `/var/lib/authelia` this is primarily in attempts to simplify the Docker deployment. Users with the old volume mappings have two options: 1. Change their mappings to conform to `/config` 2. Change the container entrypoint from `authelia --config /config/configuration.yml` to their old mapping * Adjust paths relative to `/etc/authelia` and simplify to single volume for compose * Add generation for file backend based user database * Refactor Docker volumes and paths to /config * Refactor Docker WORKDIR to /app * Fix integration tests * Update BREAKING.md for v4.20.0 * Run go mod tidy * Fix log_file_path in miscellaneous.md docs * Generate config and userdb with 0600 permissions * Fix log_file_path in config.template.yml
2020-06-17 06:25:35 +00:00
## filename: /config/notification.txt
Make file system an available notifier option for testing purpose
2017-10-08 20:48:20 +00:00
Force TLS and valid x509 certs in SMTP Notifier by default - Adjust AUTH LOGIN functionality to be closer to AUTH PLAIN - Removed: secure (notifier smtp conf) boolean string - Added: disable_verify_cert (notifier smtp conf) boolean - disables X509 validation of certificates - Added: disable_require_tls (notifier smtp conf) boolean - allows emails to be sent over plain text (for non-authenticated only) - Added: trusted_cert (notifier smtp conf) string (path) - allows specifying the path of a PEM format cert to add to trusted cert pool - Make SMTP notifier return errors on connection over plain text - Make SMTP notifier return errors on TLS connection with invalid certs - Implemented various debug logging for the SMTP notifier - Implemented explicit SMTP closes on errors (previously left con open) - Split SMTPNotifier Send func to seperate funcs for: - writing future test suites and startup checks more easily - organization and readability - Add details of changes to docs/security.yml - Adjust config.yml's (template and test) for the changes
2019-12-30 02:03:51 +00:00
# Use a SMTP server for sending notifications. Authelia uses PLAIN or LOGIN method to authenticate.
# [Security] By default Authelia will:
# - force all SMTP connections over TLS including unauthenticated connections
# - use the disable_require_tls boolean value to disable this requirement (only works for unauthenticated connections)
# - validate the SMTP server x509 certificate during the TLS handshake against the hosts trusted certificates
# - trusted_cert option:
# - this is a string value, that may specify the path of a PEM format cert, it is completely optional
# - if it is not set, a blank string, or an invalid path; will still trust the host machine/containers cert store
# - defaults to the host machine (or docker container's) trusted certificate chain for validation
# - use the trusted_cert string value to specify the path of a PEM format public cert to trust in addition to the hosts trusted certificates
# - use the disable_verify_cert boolean value to disable the validation (prefer the trusted_cert option as it's more secure)
Add SMTP notifier as an available option in configuration One can now plug its own SMTP server to send notifications for identity validation and password reset requests. Filesystem has been removed from the template configuration file since even tests now use mail catcher (the fake webmail) to retrieve the email and the confirmation link.
2017-09-24 12:49:03 +00:00
smtp:
username: test
[FEATURE] File Secrets (#896) * [FEATURE] File Secret Loading * add a validator for secrets * run the secrets validator before the main config validator * only allow a secret to be defined in one of: config, env, file env * remove LF if found in file * update configuration before main config validation * fix unit tests * implement secret testing * refactor the secrets validator * make check os agnostic * update docs * add warning when user attempts to use ENV instead of ENV file * discourage ENV in docs * update config template * oxford comma * apply suggestions from code review * rename Validate to ValidateConfiguration * add k8s example * add deprecation notice in docs and warning * style changes
2020-04-23 01:11:32 +00:00
# Password can also be set using a secret: https://docs.authelia.com/configuration/secrets.html
Improve logging format for clarity Previously, logs were not very friendly and it was hard to track a request because of the lack of request ID. Now every log message comes with a header containing: method, path request ID, session ID, IP of the user, date. Moreover, the configurations displayed in the logs have their secrets hidden from this commit.
2017-10-07 22:46:57 +00:00
password: password
Fix e2e test with minimal configuration.
2019-01-30 15:47:03 +00:00
host: 127.0.0.1
Add SMTP notifier as an available option in configuration One can now plug its own SMTP server to send notifications for identity validation and password reset requests. Filesystem has been removed from the template configuration file since even tests now use mail catcher (the fake webmail) to retrieve the email and the confirmation link.
2017-09-24 12:49:03 +00:00
port: 1025
Change basicauth.test.local into single_factor.test.local
2017-10-19 20:33:10 +00:00
sender: admin@example.com
[BUGFIX] Add ability to specify SMTP HELO/EHLO identifier (#1416) * add docs * add configuration option for SMTP called `identifier` * default should act the same as before
2020-11-04 23:22:10 +00:00
# HELO/EHLO Identifier. Some SMTP Servers may reject the default of localhost.
identifier: localhost
[FEATURE] Customizable Email Subject (#830) * [FEATURE] Customizable Email Subject * allow users to optionally change email subject * this is so they can more easily communicate the source of the email * Update docs/configuration/notifier/smtp.md Co-Authored-By: Amir Zarrinkafsh <nightah@me.com> Co-authored-by: Clément Michaud <clement.michaud34@gmail.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-04-09 00:21:28 +00:00
# Subject configuration of the emails sent.
# {title} is replaced by the text from the notifier
subject: "[Authelia] {title}"
[FEATURE] Notifier Startup Checks (#889) * implement SMTP notifier startup check * check dial, starttls, auth, mail from, rcpt to, reset, and quit * log the error on failure * implement mock * misc optimizations, adjustments, and refactoring * implement validate_skip config option * fix comments to end with period * fix suites that used smtp notifier without a smtp container * add docs * add file notifier startup check * move file mode into const.go * disable gosec linting on insecureskipverify since it's intended, warned, and discouraged * minor PR commentary adjustment * apply suggestions from code review Co-Authored-By: Amir Zarrinkafsh <nightah@me.com>
2020-04-21 04:59:38 +00:00
# This address is used during the startup check to verify the email configuration is correct. It's not important what it is except if your email server only allows local delivery.
[FEATURE] Config Validation (#901) * [FEATURE] Config Validation * check configuration for invalid keys on startup * allow users to manually trigger all configuration validation on a file using a cmd * setup all defaults in config template and run tests against it to prevent accidents * use tests to check bad configuration values are caught * use tests to check old configuration values are caught * add tests for specific key errors * resolve merge conflicts * nolint prealloc for test
2020-04-23 01:47:27 +00:00
startup_check_address: test@authelia.com
trusted_cert: ""
disable_require_tls: false
disable_verify_cert: false
[FEATURE] Plain Text Email Notifications (#1238) * add a plain text email template * use plain text email template for file based emails * add config option to SMTP emails named disable_html_emails * config option is a boolean that when set to true will only send plain text emails * add docs for more complex SMTP notifier options * update template * add rfc1341 multipart logic to notifier * check for errors after identity_verification * * fix nil ptr * go mod tidy * remove needless checks * * use multipart/atlernative instead * * add rfc5322 compliant date header * * fix linting issues
2020-08-21 02:16:23 +00:00
disable_html_emails: false
[MISC] Document usage of env variables for setting secrets. (#606) Closes #579.
2020-02-01 13:17:39 +00:00
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
# Sending an email using a Gmail account is as simple as the next section.
# You need to create an app password by following: https://support.google.com/accounts/answer/185833?hl=en
## smtp:
## username: myaccount@gmail.com
[FEATURE] File Secrets (#896) * [FEATURE] File Secret Loading * add a validator for secrets * run the secrets validator before the main config validator * only allow a secret to be defined in one of: config, env, file env * remove LF if found in file * update configuration before main config validation * fix unit tests * implement secret testing * refactor the secrets validator * make check os agnostic * update docs * add warning when user attempts to use ENV instead of ENV file * discourage ENV in docs * update config template * oxford comma * apply suggestions from code review * rename Validate to ValidateConfiguration * add k8s example * add deprecation notice in docs and warning * style changes
2020-04-23 01:11:32 +00:00
## # Password can also be set using a secret: https://docs.authelia.com/configuration/secrets.html
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
## password: yourapppassword
## sender: admin@example.com
## host: smtp.gmail.com
## port: 587