docs: fix regex examples (#3094)
parent
86dcb54e4a
commit
4d7f930e74
|
@ -363,22 +363,22 @@ access_control:
|
||||||
|
|
||||||
rules:
|
rules:
|
||||||
## Rules applied to everyone
|
## Rules applied to everyone
|
||||||
- domain: public.example.com
|
- domain: 'public.example.com'
|
||||||
policy: bypass
|
policy: bypass
|
||||||
|
|
||||||
## Domain Regex examples. Generally we recommend just using a standard domain.
|
## Domain Regex examples. Generally we recommend just using a standard domain.
|
||||||
# - domain_regex: "^(?P<User>\w+)\\.example\\.com$"
|
# - domain_regex: '^(?P<User>\w+)\.example\.com$'
|
||||||
# policy: one_factor
|
# policy: one_factor
|
||||||
# - domain_regex: "^(?P<Group>\w+)\\.example\\.com$"
|
# - domain_regex: '^(?P<Group>\w+)\.example\.com$'
|
||||||
# policy: one_factor
|
# policy: one_factor
|
||||||
# - domain_regex:
|
# - domain_regex:
|
||||||
# - "^appgroup-.*\\.example\\.com$"
|
# - '^appgroup-.*\.example\.com$'
|
||||||
# - "^appgroup2-.*\\.example\\.com$"
|
# - '^appgroup2-.*\.example\.com$'
|
||||||
# policy: one_factor
|
# policy: one_factor
|
||||||
# - domain_regex: "^.*\\.example.com$"
|
# - domain_regex: '^.*\.example\.com$'
|
||||||
# policy: two_factor
|
# policy: two_factor
|
||||||
|
|
||||||
- domain: secure.example.com
|
- domain: 'secure.example.com'
|
||||||
policy: one_factor
|
policy: one_factor
|
||||||
## Network based rule, if not provided any network matches.
|
## Network based rule, if not provided any network matches.
|
||||||
networks:
|
networks:
|
||||||
|
@ -388,53 +388,53 @@ access_control:
|
||||||
- 10.0.0.1
|
- 10.0.0.1
|
||||||
|
|
||||||
- domain:
|
- domain:
|
||||||
- secure.example.com
|
- 'secure.example.com'
|
||||||
- private.example.com
|
- 'private.example.com'
|
||||||
policy: two_factor
|
policy: two_factor
|
||||||
|
|
||||||
- domain: singlefactor.example.com
|
- domain: 'singlefactor.example.com'
|
||||||
policy: one_factor
|
policy: one_factor
|
||||||
|
|
||||||
## Rules applied to 'admins' group
|
## Rules applied to 'admins' group
|
||||||
- domain: "mx2.mail.example.com"
|
- domain: 'mx2.mail.example.com'
|
||||||
subject: "group:admins"
|
subject: 'group:admins'
|
||||||
policy: deny
|
policy: deny
|
||||||
|
|
||||||
- domain: "*.example.com"
|
- domain: '*.example.com'
|
||||||
subject:
|
subject:
|
||||||
- "group:admins"
|
- 'group:admins'
|
||||||
- "group:moderators"
|
- 'group:moderators'
|
||||||
policy: two_factor
|
policy: two_factor
|
||||||
|
|
||||||
## Rules applied to 'dev' group
|
## Rules applied to 'dev' group
|
||||||
- domain: dev.example.com
|
- domain: 'dev.example.com'
|
||||||
resources:
|
resources:
|
||||||
- '^/groups/dev/.*$'
|
- '^/groups/dev/.*$'
|
||||||
subject: "group:dev"
|
subject: 'group:dev'
|
||||||
policy: two_factor
|
policy: two_factor
|
||||||
|
|
||||||
## Rules applied to user 'john'
|
## Rules applied to user 'john'
|
||||||
- domain: dev.example.com
|
- domain: 'dev.example.com'
|
||||||
resources:
|
resources:
|
||||||
- '^/users/john/.*$'
|
- '^/users/john/.*$'
|
||||||
subject: "user:john"
|
subject: 'user:john'
|
||||||
policy: two_factor
|
policy: two_factor
|
||||||
|
|
||||||
## Rules applied to user 'harry'
|
## Rules applied to user 'harry'
|
||||||
- domain: dev.example.com
|
- domain: 'dev.example.com'
|
||||||
resources:
|
resources:
|
||||||
- '^/users/harry/.*$'
|
- '^/users/harry/.*$'
|
||||||
subject: "user:harry"
|
subject: 'user:harry'
|
||||||
policy: two_factor
|
policy: two_factor
|
||||||
|
|
||||||
## Rules applied to user 'bob'
|
## Rules applied to user 'bob'
|
||||||
- domain: "*.mail.example.com"
|
- domain: '*.mail.example.com'
|
||||||
subject: "user:bob"
|
subject: 'user:bob'
|
||||||
policy: two_factor
|
policy: two_factor
|
||||||
- domain: "dev.example.com"
|
- domain: 'dev.example.com'
|
||||||
resources:
|
resources:
|
||||||
- '^/users/bob/.*$'
|
- '^/users/bob/.*$'
|
||||||
subject: "user:bob"
|
subject: 'user:bob'
|
||||||
policy: two_factor
|
policy: two_factor
|
||||||
|
|
||||||
##
|
##
|
||||||
|
|
|
@ -22,16 +22,16 @@ access_control:
|
||||||
- 192.168.0.0/18
|
- 192.168.0.0/18
|
||||||
|
|
||||||
rules:
|
rules:
|
||||||
- domain: public.example.com
|
- domain: 'public.example.com'
|
||||||
domain_regex: "^\d+\\.public.example.com$"
|
domain_regex: '^\d+\.public.example.com$'
|
||||||
policy: one_factor
|
policy: one_factor
|
||||||
networks:
|
networks:
|
||||||
- internal
|
- internal
|
||||||
- 1.1.1.1
|
- 1.1.1.1
|
||||||
subject:
|
subject:
|
||||||
- ["user:adam"]
|
- ['user:adam']
|
||||||
- ["user:fred"]
|
- ['user:fred']
|
||||||
- ["group:admins"]
|
- ['group:admins']
|
||||||
methods:
|
methods:
|
||||||
- GET
|
- GET
|
||||||
- HEAD
|
- HEAD
|
||||||
|
@ -156,10 +156,10 @@ different ways.*
|
||||||
```yaml
|
```yaml
|
||||||
access_control:
|
access_control:
|
||||||
rules:
|
rules:
|
||||||
- domain: "*.example.com"
|
- domain: '*.example.com'
|
||||||
policy: bypass
|
policy: bypass
|
||||||
- domain:
|
- domain:
|
||||||
- "*.example.com"
|
- '*.example.com'
|
||||||
policy: bypass
|
policy: bypass
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -169,7 +169,7 @@ list are effectively the same rule just expressed in different ways.*
|
||||||
```yaml
|
```yaml
|
||||||
access_control:
|
access_control:
|
||||||
rules:
|
rules:
|
||||||
- domain: ["apple.example.com", "banana.example.com"]
|
- domain: ['apple.example.com', 'banana.example.com']
|
||||||
policy: bypass
|
policy: bypass
|
||||||
- domain:
|
- domain:
|
||||||
- apple.example.com
|
- apple.example.com
|
||||||
|
@ -190,14 +190,13 @@ _**Required:** This criteria OR the [domain](#domain) criteria are required._
|
||||||
_**Important Note:** If you intend to use this criteria with a bypass rule please read
|
_**Important Note:** If you intend to use this criteria with a bypass rule please read
|
||||||
[bypass and subjects](#bypass-and-user-identity) before doing so._
|
[bypass and subjects](#bypass-and-user-identity) before doing so._
|
||||||
|
|
||||||
|
_**Important Note:** to utilize regex you must escape it properly. See [regex](./index.md#regex) for more information._
|
||||||
|
|
||||||
This criteria matches the domain name and has two methods of configuration, either as a single string or as a list of
|
This criteria matches the domain name and has two methods of configuration, either as a single string or as a list of
|
||||||
strings. When it's a list of strings the rule matches when **any** of the domains in the list match the request domain.
|
strings. When it's a list of strings the rule matches when **any** of the domains in the list match the request domain.
|
||||||
When used in conjunction with [domain](#domain) the rule will match when either the [domain](#domain) or the
|
When used in conjunction with [domain](#domain) the rule will match when either the [domain](#domain) or the
|
||||||
[domain_regex](#domain_regex) criteria matches.
|
[domain_regex](#domain_regex) criteria matches.
|
||||||
|
|
||||||
As this is a regex string you will either need to use single quotes or need to double-escape certain portions of the
|
|
||||||
regex in order make this work.
|
|
||||||
|
|
||||||
This criteria takes any standard go regex pattern to match the requests. We additionally utilize two special named match
|
This criteria takes any standard go regex pattern to match the requests. We additionally utilize two special named match
|
||||||
groups which match attributes of the user:
|
groups which match attributes of the user:
|
||||||
|
|
||||||
|
@ -221,8 +220,8 @@ access_control:
|
||||||
- banana.example.com
|
- banana.example.com
|
||||||
policy: bypass
|
policy: bypass
|
||||||
- domain_regex:
|
- domain_regex:
|
||||||
- "^user-(?P<User>\w+)\\.example\\.com$"
|
- '^user-(?P<User>\w+)\.example\.com$'
|
||||||
- "^group-(?P<Group>\w+)\\.example\\.com$"
|
- '^group-(?P<Group>\w+)\.example\.com$'
|
||||||
policy: one_factor
|
policy: one_factor
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -407,17 +406,15 @@ required: no
|
||||||
{: .label .label-config .label-green }
|
{: .label .label-config .label-green }
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
|
_**Important Note:** to utilize regex you must escape it properly. See [regex](./index.md#regex) for more information._
|
||||||
|
|
||||||
This criteria matches the path and query of the request using regular expressions. The rule is expressed as a list of
|
This criteria matches the path and query of the request using regular expressions. The rule is expressed as a list of
|
||||||
strings. If any one of the regular expressions in the list matches the request it's considered a match. A useful tool
|
strings. If any one of the regular expressions in the list matches the request it's considered a match. A useful tool
|
||||||
for debugging these regular expressions is called [Rego](https://regoio.herokuapp.com/).
|
for debugging these regular expressions is called [Rego](https://regoio.herokuapp.com/).
|
||||||
|
|
||||||
***Note:** Prior to 4.27.0 the regular expressions only matched the path excluding the query parameters. After 4.27.0
|
_**Note:** Prior to 4.27.0 the regular expressions only matched the path excluding the query parameters. After 4.27.0
|
||||||
they match the entire path including the query parameters. When upgrading you may be required to alter some of your
|
they match the entire path including the query parameters. When upgrading you may be required to alter some of your
|
||||||
resource rules to get them to operate as they previously did.*
|
resource rules to get them to operate as they previously did._
|
||||||
|
|
||||||
As this is a regex string you will either need to use single quotes or need to double-escape certain portions of the
|
|
||||||
regex in order make this work. If you don't do either of these things either the regex may not be parsed, or it may not
|
|
||||||
be parsed correctly. It's technically optional but will likely save you a lot of time if you do it for all resource rules.
|
|
||||||
|
|
||||||
Examples:
|
Examples:
|
||||||
|
|
||||||
|
@ -487,15 +484,15 @@ access_control:
|
||||||
- name: VPN
|
- name: VPN
|
||||||
networks: 10.9.0.0/16
|
networks: 10.9.0.0/16
|
||||||
rules:
|
rules:
|
||||||
- domain: public.example.com
|
- domain: 'public.example.com'
|
||||||
policy: bypass
|
policy: bypass
|
||||||
|
|
||||||
- domain: "*.example.com"
|
- domain: '*.example.com'
|
||||||
policy: bypass
|
policy: bypass
|
||||||
methods:
|
methods:
|
||||||
- OPTIONS
|
- OPTIONS
|
||||||
|
|
||||||
- domain: secure.example.com
|
- domain: 'secure.example.com'
|
||||||
policy: one_factor
|
policy: one_factor
|
||||||
networks:
|
networks:
|
||||||
- internal
|
- internal
|
||||||
|
@ -504,37 +501,37 @@ access_control:
|
||||||
- 10.0.0.1
|
- 10.0.0.1
|
||||||
|
|
||||||
- domain:
|
- domain:
|
||||||
- secure.example.com
|
- 'secure.example.com'
|
||||||
- private.example.com
|
- 'private.example.com'
|
||||||
policy: two_factor
|
policy: two_factor
|
||||||
|
|
||||||
- domain: singlefactor.example.com
|
- domain: 'singlefactor.example.com'
|
||||||
policy: one_factor
|
policy: one_factor
|
||||||
|
|
||||||
- domain: "mx2.mail.example.com"
|
- domain: 'mx2.mail.example.com'
|
||||||
subject: "group:admins"
|
subject: "group:admins"
|
||||||
policy: deny
|
policy: deny
|
||||||
|
|
||||||
- domain: "*.example.com"
|
- domain: '*.example.com'
|
||||||
subject:
|
subject:
|
||||||
- "group:admins"
|
- 'group:admins'
|
||||||
- "group:moderators"
|
- 'group:moderators'
|
||||||
policy: two_factor
|
policy: two_factor
|
||||||
|
|
||||||
- domain: dev.example.com
|
- domain: dev.example.com
|
||||||
resources:
|
resources:
|
||||||
- '^/groups/dev/.*$'
|
- '^/groups/dev/.*$'
|
||||||
subject: "group:dev"
|
subject: 'group:dev'
|
||||||
policy: two_factor
|
policy: two_factor
|
||||||
|
|
||||||
- domain: dev.example.com
|
- domain: dev.example.com
|
||||||
resources:
|
resources:
|
||||||
- '^/users/john/.*$'
|
- '^/users/john/.*$'
|
||||||
subject:
|
subject:
|
||||||
- ["group:dev", "user:john"]
|
- ['group:dev', 'user:john']
|
||||||
- "group:admins"
|
- 'group:admins'
|
||||||
policy: two_factor
|
policy: two_factor
|
||||||
|
|
||||||
- domain: "{user}.example.com"
|
- domain: '{user}.example.com'
|
||||||
policy: bypass
|
policy: bypass
|
||||||
```
|
```
|
||||||
|
|
|
@ -98,6 +98,27 @@ integrations, it only checks that your configuration syntax is valid.
|
||||||
$ authelia validate-config --config configuration.yml
|
$ authelia validate-config --config configuration.yml
|
||||||
```
|
```
|
||||||
|
|
||||||
|
# Regex
|
||||||
|
|
||||||
|
We have several sections of configuration that utilize regular expressions. It's recommended to validate your regex
|
||||||
|
manually either via tools like [Rego](https://regoio.herokuapp.com/) or some other means.
|
||||||
|
|
||||||
|
It's important when attempting to utilize a backslash that it's utilized correctly. The YAML parser is likely to parse
|
||||||
|
this as you trying to use YAML escape syntax instead of regex escape syntax. To avoid this use single quotes instead of
|
||||||
|
no quotes or double quotes.
|
||||||
|
|
||||||
|
Good Example:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
domain_regex: '^(admin|secure)\.example\.com$'
|
||||||
|
```
|
||||||
|
|
||||||
|
Bad Example:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
domain_regex: "^(admin|secure)\.example\.com$"
|
||||||
|
```
|
||||||
|
|
||||||
# Duration Notation Format
|
# Duration Notation Format
|
||||||
|
|
||||||
We have implemented a string/integer based notation for configuration options that take a duration of time. This section
|
We have implemented a string/integer based notation for configuration options that take a duration of time. This section
|
||||||
|
|
|
@ -14,11 +14,14 @@ to the resource.
|
||||||
|
|
||||||
For instance a rule can look like this:
|
For instance a rule can look like this:
|
||||||
|
|
||||||
- domain: dev.example.com
|
```yaml
|
||||||
|
- domain: dev.example.com
|
||||||
resources:
|
resources:
|
||||||
- "^/groups/dev/.*$"
|
- '^/groups/dev/.*$'
|
||||||
subject: "group:dev"
|
subject: 'group:dev'
|
||||||
policy: two_factor
|
policy: two_factor
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
This rule matches when the request targets the domain `dev.example.com` and the path
|
This rule matches when the request targets the domain `dev.example.com` and the path
|
||||||
matches the regular expression `^/groups/dev/.*$`. In that case, a two-factor policy
|
matches the regular expression `^/groups/dev/.*$`. In that case, a two-factor policy
|
||||||
|
|
|
@ -363,22 +363,22 @@ access_control:
|
||||||
|
|
||||||
rules:
|
rules:
|
||||||
## Rules applied to everyone
|
## Rules applied to everyone
|
||||||
- domain: public.example.com
|
- domain: 'public.example.com'
|
||||||
policy: bypass
|
policy: bypass
|
||||||
|
|
||||||
## Domain Regex examples. Generally we recommend just using a standard domain.
|
## Domain Regex examples. Generally we recommend just using a standard domain.
|
||||||
# - domain_regex: "^(?P<User>\w+)\\.example\\.com$"
|
# - domain_regex: '^(?P<User>\w+)\.example\.com$'
|
||||||
# policy: one_factor
|
# policy: one_factor
|
||||||
# - domain_regex: "^(?P<Group>\w+)\\.example\\.com$"
|
# - domain_regex: '^(?P<Group>\w+)\.example\.com$'
|
||||||
# policy: one_factor
|
# policy: one_factor
|
||||||
# - domain_regex:
|
# - domain_regex:
|
||||||
# - "^appgroup-.*\\.example\\.com$"
|
# - '^appgroup-.*\.example\.com$'
|
||||||
# - "^appgroup2-.*\\.example\\.com$"
|
# - '^appgroup2-.*\.example\.com$'
|
||||||
# policy: one_factor
|
# policy: one_factor
|
||||||
# - domain_regex: "^.*\\.example.com$"
|
# - domain_regex: '^.*\.example\.com$'
|
||||||
# policy: two_factor
|
# policy: two_factor
|
||||||
|
|
||||||
- domain: secure.example.com
|
- domain: 'secure.example.com'
|
||||||
policy: one_factor
|
policy: one_factor
|
||||||
## Network based rule, if not provided any network matches.
|
## Network based rule, if not provided any network matches.
|
||||||
networks:
|
networks:
|
||||||
|
@ -388,53 +388,53 @@ access_control:
|
||||||
- 10.0.0.1
|
- 10.0.0.1
|
||||||
|
|
||||||
- domain:
|
- domain:
|
||||||
- secure.example.com
|
- 'secure.example.com'
|
||||||
- private.example.com
|
- 'private.example.com'
|
||||||
policy: two_factor
|
policy: two_factor
|
||||||
|
|
||||||
- domain: singlefactor.example.com
|
- domain: 'singlefactor.example.com'
|
||||||
policy: one_factor
|
policy: one_factor
|
||||||
|
|
||||||
## Rules applied to 'admins' group
|
## Rules applied to 'admins' group
|
||||||
- domain: "mx2.mail.example.com"
|
- domain: 'mx2.mail.example.com'
|
||||||
subject: "group:admins"
|
subject: 'group:admins'
|
||||||
policy: deny
|
policy: deny
|
||||||
|
|
||||||
- domain: "*.example.com"
|
- domain: '*.example.com'
|
||||||
subject:
|
subject:
|
||||||
- "group:admins"
|
- 'group:admins'
|
||||||
- "group:moderators"
|
- 'group:moderators'
|
||||||
policy: two_factor
|
policy: two_factor
|
||||||
|
|
||||||
## Rules applied to 'dev' group
|
## Rules applied to 'dev' group
|
||||||
- domain: dev.example.com
|
- domain: 'dev.example.com'
|
||||||
resources:
|
resources:
|
||||||
- '^/groups/dev/.*$'
|
- '^/groups/dev/.*$'
|
||||||
subject: "group:dev"
|
subject: 'group:dev'
|
||||||
policy: two_factor
|
policy: two_factor
|
||||||
|
|
||||||
## Rules applied to user 'john'
|
## Rules applied to user 'john'
|
||||||
- domain: dev.example.com
|
- domain: 'dev.example.com'
|
||||||
resources:
|
resources:
|
||||||
- '^/users/john/.*$'
|
- '^/users/john/.*$'
|
||||||
subject: "user:john"
|
subject: 'user:john'
|
||||||
policy: two_factor
|
policy: two_factor
|
||||||
|
|
||||||
## Rules applied to user 'harry'
|
## Rules applied to user 'harry'
|
||||||
- domain: dev.example.com
|
- domain: 'dev.example.com'
|
||||||
resources:
|
resources:
|
||||||
- '^/users/harry/.*$'
|
- '^/users/harry/.*$'
|
||||||
subject: "user:harry"
|
subject: 'user:harry'
|
||||||
policy: two_factor
|
policy: two_factor
|
||||||
|
|
||||||
## Rules applied to user 'bob'
|
## Rules applied to user 'bob'
|
||||||
- domain: "*.mail.example.com"
|
- domain: '*.mail.example.com'
|
||||||
subject: "user:bob"
|
subject: 'user:bob'
|
||||||
policy: two_factor
|
policy: two_factor
|
||||||
- domain: "dev.example.com"
|
- domain: 'dev.example.com'
|
||||||
resources:
|
resources:
|
||||||
- '^/users/bob/.*$'
|
- '^/users/bob/.*$'
|
||||||
subject: "user:bob"
|
subject: 'user:bob'
|
||||||
policy: two_factor
|
policy: two_factor
|
||||||
|
|
||||||
##
|
##
|
||||||
|
|
Loading…
Reference in New Issue