feat(configuration): comment unnecessary template lines (#4222)
This adjusts the default configuration template so that most of its option lines are commented-out examples. pull/4203/head^2
parent
9532823a99
commit
5c981e7603
@ -218,13 +218,13 @@ webauthn:
|
||||||
##
|
##
|
||||||
## Parameters used to contact the Duo API. Those are generated when you protect an application of type
|
## Parameters used to contact the Duo API. Those are generated when you protect an application of type
|
||||||
## "Partner Auth API" in the management panel.
|
## "Partner Auth API" in the management panel.
|
||||||
duo_api:
|
# duo_api:
|
||||||
disable: false
|
# disable: false
|
||||||
hostname: api-123456789.example.com
|
# hostname: api-123456789.example.com
|
||||||
integration_key: ABCDEF
|
# integration_key: ABCDEF
|
||||||
## Secret can also be set using a secret: https://www.authelia.com/c/secrets
|
## Secret can also be set using a secret: https://www.authelia.com/c/secrets
|
||||||
secret_key: 1234567890abcdefghifjkl
|
# secret_key: 1234567890abcdefghifjkl
|
||||||
enable_self_enrollment: false
|
# enable_self_enrollment: false
|
||||||
|
|
||||||
##
|
##
|
||||||
## NTP Configuration
|
## NTP Configuration
|
||||||
|
@ -281,7 +281,7 @@ authentication_backend:
|
||||||
## This is the recommended Authentication Provider in production
|
## This is the recommended Authentication Provider in production
|
||||||
## because it allows Authelia to offload the stateful operations
|
## because it allows Authelia to offload the stateful operations
|
||||||
## onto the LDAP service.
|
## onto the LDAP service.
|
||||||
ldap:
|
# ldap:
|
||||||
## The LDAP implementation, this affects elements like the attribute utilised for resetting a password.
|
## The LDAP implementation, this affects elements like the attribute utilised for resetting a password.
|
||||||
## Acceptable options are as follows:
|
## Acceptable options are as follows:
|
||||||
## - 'activedirectory' - For Microsoft Active Directory.
|
## - 'activedirectory' - For Microsoft Active Directory.
|
||||||
|
@ -291,32 +291,32 @@ authentication_backend:
|
||||||
## Depending on the option here certain other values in this section have a default value, notably all of the
|
## Depending on the option here certain other values in this section have a default value, notably all of the
|
||||||
## attribute mappings have a default value that this config overrides, you can read more about these default values
|
## attribute mappings have a default value that this config overrides, you can read more about these default values
|
||||||
## at https://www.authelia.com/c/ldap#defaults
|
## at https://www.authelia.com/c/ldap#defaults
|
||||||
implementation: custom
|
# implementation: custom
|
||||||
|
|
||||||
## The url to the ldap server. Format: <scheme>://<address>[:<port>].
|
## The url to the ldap server. Format: <scheme>://<address>[:<port>].
|
||||||
## Scheme can be ldap or ldaps in the format (port optional).
|
## Scheme can be ldap or ldaps in the format (port optional).
|
||||||
url: ldap://127.0.0.1
|
# url: ldap://127.0.0.1
|
||||||
|
|
||||||
## The dial timeout for LDAP.
|
## The dial timeout for LDAP.
|
||||||
timeout: 5s
|
# timeout: 5s
|
||||||
|
|
||||||
## Use StartTLS with the LDAP connection.
|
## Use StartTLS with the LDAP connection.
|
||||||
start_tls: false
|
# start_tls: false
|
||||||
|
|
||||||
tls:
|
# tls:
|
||||||
## Server Name for certificate validation (in case it's not set correctly in the URL).
|
## Server Name for certificate validation (in case it's not set correctly in the URL).
|
||||||
# server_name: ldap.example.com
|
# server_name: ldap.example.com
|
||||||
|
|
||||||
## Skip verifying the server certificate (to allow a self-signed certificate).
|
## Skip verifying the server certificate (to allow a self-signed certificate).
|
||||||
## In preference to setting this we strongly recommend you add the public portion of the certificate to the
|
## In preference to setting this we strongly recommend you add the public portion of the certificate to the
|
||||||
## certificates directory which is defined by the `certificates_directory` option at the top of the config.
|
## certificates directory which is defined by the `certificates_directory` option at the top of the config.
|
||||||
skip_verify: false
|
# skip_verify: false
|
||||||
|
|
||||||
## Minimum TLS version for either Secure LDAP or LDAP StartTLS.
|
## Minimum TLS version for either Secure LDAP or LDAP StartTLS.
|
||||||
minimum_version: TLS1.2
|
# minimum_version: TLS1.2
|
||||||
|
|
||||||
## Maximum TLS version for either Secure LDAP or LDAP StartTLS.
|
## Maximum TLS version for either Secure LDAP or LDAP StartTLS.
|
||||||
maximum_version: TLS1.3
|
# maximum_version: TLS1.3
|
||||||
|
|
||||||
## The certificate chain used with the private_key if the server requests TLS Client Authentication
|
## The certificate chain used with the private_key if the server requests TLS Client Authentication
|
||||||
## i.e. Mutual TLS.
|
## i.e. Mutual TLS.
|
||||||
|
@ -393,7 +393,7 @@ authentication_backend:
|
||||||
|
|
||||||
## The distinguished name of the container searched for objects in the directory information tree.
|
## The distinguished name of the container searched for objects in the directory information tree.
|
||||||
## See also: additional_users_dn, additional_groups_dn.
|
## See also: additional_users_dn, additional_groups_dn.
|
||||||
base_dn: dc=example,dc=com
|
# base_dn: dc=example,dc=com
|
||||||
|
|
||||||
## The attribute holding the username of the user. This attribute is used to populate the username in the session
|
## The attribute holding the username of the user. This attribute is used to populate the username in the session
|
||||||
## information. It was introduced due to #561 to handle case insensitive search queries. For you information,
|
## information. It was introduced due to #561 to handle case insensitive search queries. For you information,
|
||||||
|
@ -407,7 +407,7 @@ authentication_backend:
|
||||||
|
|
||||||
## The additional_users_dn is prefixed to base_dn and delimited by a comma when searching for users.
|
## The additional_users_dn is prefixed to base_dn and delimited by a comma when searching for users.
|
||||||
## i.e. with this set to OU=Users and base_dn set to DC=a,DC=com; OU=Users,DC=a,DC=com is searched for users.
|
## i.e. with this set to OU=Users and base_dn set to DC=a,DC=com; OU=Users,DC=a,DC=com is searched for users.
|
||||||
additional_users_dn: ou=users
|
# additional_users_dn: ou=users
|
||||||
|
|
||||||
## The users filter used in search queries to find the user profile based on input filled in login form.
|
## The users filter used in search queries to find the user profile based on input filled in login form.
|
||||||
## Various placeholders are available in the user filter which you can read about in the documentation which can
|
## Various placeholders are available in the user filter which you can read about in the documentation which can
|
||||||
|
@ -421,11 +421,11 @@ authentication_backend:
|
||||||
##
|
##
|
||||||
## To allow sign in both with username and email, one can use a filter like
|
## To allow sign in both with username and email, one can use a filter like
|
||||||
## (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
|
## (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
|
||||||
users_filter: (&({username_attribute}={input})(objectClass=person))
|
# users_filter: (&({username_attribute}={input})(objectClass=person))
|
||||||
|
|
||||||
## The additional_groups_dn is prefixed to base_dn and delimited by a comma when searching for groups.
|
## The additional_groups_dn is prefixed to base_dn and delimited by a comma when searching for groups.
|
||||||
## i.e. with this set to OU=Groups and base_dn set to DC=a,DC=com; OU=Groups,DC=a,DC=com is searched for groups.
|
## i.e. with this set to OU=Groups and base_dn set to DC=a,DC=com; OU=Groups,DC=a,DC=com is searched for groups.
|
||||||
additional_groups_dn: ou=groups
|
# additional_groups_dn: ou=groups
|
||||||
|
|
||||||
## The groups filter used in search queries to find the groups based on relevant authenticated user.
|
## The groups filter used in search queries to find the groups based on relevant authenticated user.
|
||||||
## Various placeholders are available in the groups filter which you can read about in the documentation which can
|
## Various placeholders are available in the groups filter which you can read about in the documentation which can
|
||||||
|
@ -433,7 +433,7 @@ authentication_backend:
|
||||||
##
|
##
|
||||||
## If your groups use the `groupOfUniqueNames` structure use this instead:
|
## If your groups use the `groupOfUniqueNames` structure use this instead:
|
||||||
## (&(uniqueMember={dn})(objectClass=groupOfUniqueNames))
|
## (&(uniqueMember={dn})(objectClass=groupOfUniqueNames))
|
||||||
groups_filter: (&(member={dn})(objectClass=groupOfNames))
|
# groups_filter: (&(member={dn})(objectClass=groupOfNames))
|
||||||
|
|
||||||
## The attribute holding the name of the group.
|
## The attribute holding the name of the group.
|
||||||
# group_name_attribute: cn
|
# group_name_attribute: cn
|
||||||
|
@ -447,12 +447,12 @@ authentication_backend:
|
||||||
|
|
||||||
## Follow referrals returned by the server.
|
## Follow referrals returned by the server.
|
||||||
## This is especially useful for environments where read-only servers exist. Only implemented for write operations.
|
## This is especially useful for environments where read-only servers exist. Only implemented for write operations.
|
||||||
permit_referrals: false
|
# permit_referrals: false
|
||||||
|
|
||||||
## The username and password of the admin user.
|
## The username and password of the admin user.
|
||||||
user: cn=admin,dc=example,dc=com
|
# user: cn=admin,dc=example,dc=com
|
||||||
## Password can also be set using a secret: https://www.authelia.com/c/secrets
|
## Password can also be set using a secret: https://www.authelia.com/c/secrets
|
||||||
password: password
|
# password: password
|
||||||
|
|
||||||
##
|
##
|
||||||
## File (Authentication Provider)
|
## File (Authentication Provider)
|
||||||
|
@ -566,18 +566,18 @@ access_control:
|
||||||
## resource if there is no policy to be applied to the user.
|
## resource if there is no policy to be applied to the user.
|
||||||
default_policy: deny
|
default_policy: deny
|
||||||
|
|
||||||
networks:
|
# networks:
|
||||||
- name: internal
|
# - name: internal
|
||||||
networks:
|
# networks:
|
||||||
- 10.10.0.0/16
|
# - 10.10.0.0/16
|
||||||
- 192.168.2.0/24
|
# - 192.168.2.0/24
|
||||||
- name: VPN
|
# - name: VPN
|
||||||
networks: 10.9.0.0/16
|
# networks: 10.9.0.0/16
|
||||||
|
|
||||||
rules:
|
# rules:
|
||||||
## Rules applied to everyone
|
## Rules applied to everyone
|
||||||
- domain: 'public.example.com'
|
# - domain: 'public.example.com'
|
||||||
policy: bypass
|
# policy: bypass
|
||||||
|
|
||||||
## Domain Regex examples. Generally we recommend just using a standard domain.
|
## Domain Regex examples. Generally we recommend just using a standard domain.
|
||||||
# - domain_regex: '^(?P<User>\w+)\.example\.com$'
|
# - domain_regex: '^(?P<User>\w+)\.example\.com$'
|
||||||
|
@ -591,64 +591,64 @@ access_control:
|
||||||
# - domain_regex: '^.*\.example\.com$'
|
# - domain_regex: '^.*\.example\.com$'
|
||||||
# policy: two_factor
|
# policy: two_factor
|
||||||
|
|
||||||
- domain: 'secure.example.com'
|
# - domain: 'secure.example.com'
|
||||||
policy: one_factor
|
# policy: one_factor
|
||||||
## Network based rule, if not provided any network matches.
|
## Network based rule, if not provided any network matches.
|
||||||
networks:
|
# networks:
|
||||||
- internal
|
# - internal
|
||||||
- VPN
|
# - VPN
|
||||||
- 192.168.1.0/24
|
# - 192.168.1.0/24
|
||||||
- 10.0.0.1
|
# - 10.0.0.1
|
||||||
|
|
||||||
- domain:
|
# - domain:
|
||||||
- 'secure.example.com'
|
# - 'secure.example.com'
|
||||||
- 'private.example.com'
|
# - 'private.example.com'
|
||||||
policy: two_factor
|
# policy: two_factor
|
||||||
|
|
||||||
- domain: 'singlefactor.example.com'
|
# - domain: 'singlefactor.example.com'
|
||||||
policy: one_factor
|
# policy: one_factor
|
||||||
|
|
||||||
## Rules applied to 'admins' group
|
## Rules applied to 'admins' group
|
||||||
- domain: 'mx2.mail.example.com'
|
# - domain: 'mx2.mail.example.com'
|
||||||
subject: 'group:admins'
|
# subject: 'group:admins'
|
||||||
policy: deny
|
# policy: deny
|
||||||
|
|
||||||
- domain: '*.example.com'
|
# - domain: '*.example.com'
|
||||||
subject:
|
# subject:
|
||||||
- 'group:admins'
|
# - 'group:admins'
|
||||||
- 'group:moderators'
|
# - 'group:moderators'
|
||||||
policy: two_factor
|
# policy: two_factor
|
||||||
|
|
||||||
## Rules applied to 'dev' group
|
## Rules applied to 'dev' group
|
||||||
- domain: 'dev.example.com'
|
# - domain: 'dev.example.com'
|
||||||
resources:
|
# resources:
|
||||||
- '^/groups/dev/.*$'
|
# - '^/groups/dev/.*$'
|
||||||
subject: 'group:dev'
|
# subject: 'group:dev'
|
||||||
policy: two_factor
|
# policy: two_factor
|
||||||
|
|
||||||
## Rules applied to user 'john'
|
## Rules applied to user 'john'
|
||||||
- domain: 'dev.example.com'
|
# - domain: 'dev.example.com'
|
||||||
resources:
|
# resources:
|
||||||
- '^/users/john/.*$'
|
# - '^/users/john/.*$'
|
||||||
subject: 'user:john'
|
# subject: 'user:john'
|
||||||
policy: two_factor
|
# policy: two_factor
|
||||||
|
|
||||||
## Rules applied to user 'harry'
|
## Rules applied to user 'harry'
|
||||||
- domain: 'dev.example.com'
|
# - domain: 'dev.example.com'
|
||||||
resources:
|
# resources:
|
||||||
- '^/users/harry/.*$'
|
# - '^/users/harry/.*$'
|
||||||
subject: 'user:harry'
|
# subject: 'user:harry'
|
||||||
policy: two_factor
|
# policy: two_factor
|
||||||
|
|
||||||
## Rules applied to user 'bob'
|
## Rules applied to user 'bob'
|
||||||
- domain: '*.mail.example.com'
|
# - domain: '*.mail.example.com'
|
||||||
subject: 'user:bob'
|
# subject: 'user:bob'
|
||||||
policy: two_factor
|
# policy: two_factor
|
||||||
- domain: 'dev.example.com'
|
# - domain: 'dev.example.com'
|
||||||
resources:
|
# resources:
|
||||||
- '^/users/bob/.*$'
|
# - '^/users/bob/.*$'
|
||||||
subject: 'user:bob'
|
# subject: 'user:bob'
|
||||||
policy: two_factor
|
# policy: two_factor
|
||||||
|
|
||||||
##
|
##
|
||||||
## Session Provider Configuration
|
## Session Provider Configuration
|
||||||
|
@ -694,9 +694,9 @@ session:
|
||||||
##
|
##
|
||||||
## Important: Kubernetes (or HA) users must read https://www.authelia.com/t/statelessness
|
## Important: Kubernetes (or HA) users must read https://www.authelia.com/t/statelessness
|
||||||
##
|
##
|
||||||
redis:
|
# redis:
|
||||||
host: 127.0.0.1
|
# host: 127.0.0.1
|
||||||
port: 6379
|
# port: 6379
|
||||||
## Use a unix socket instead
|
## Use a unix socket instead
|
||||||
# host: /var/run/redis/redis.sock
|
# host: /var/run/redis/redis.sock
|
||||||
|
|
||||||
|
@ -704,16 +704,16 @@ session:
|
||||||
# username: authelia
|
# username: authelia
|
||||||
|
|
||||||
## Password can also be set using a secret: https://www.authelia.com/c/secrets
|
## Password can also be set using a secret: https://www.authelia.com/c/secrets
|
||||||
password: authelia
|
# password: authelia
|
||||||
|
|
||||||
## This is the Redis DB Index https://redis.io/commands/select (sometimes referred to as database number, DB, etc).
|
## This is the Redis DB Index https://redis.io/commands/select (sometimes referred to as database number, DB, etc).
|
||||||
database_index: 0
|
# database_index: 0
|
||||||
|
|
||||||
## The maximum number of concurrent active connections to Redis.
|
## The maximum number of concurrent active connections to Redis.
|
||||||
maximum_active_connections: 8
|
# maximum_active_connections: 8
|
||||||
|
|
||||||
## The target number of idle connections to have open ready for work. Useful when opening connections is slow.
|
## The target number of idle connections to have open ready for work. Useful when opening connections is slow.
|
||||||
minimum_idle_connections: 0
|
# minimum_idle_connections: 0
|
||||||
|
|
||||||
## The Redis TLS configuration. If defined will require a TLS connection to the Redis instance(s).
|
## The Redis TLS configuration. If defined will require a TLS connection to the Redis instance(s).
|
||||||
# tls:
|
# tls:
|
||||||
|
@ -728,6 +728,82 @@ session:
|
||||||
## Minimum TLS version for the connection.
|
## Minimum TLS version for the connection.
|
||||||
# minimum_version: TLS1.2
|
# minimum_version: TLS1.2
|
||||||
|
|
||||||
|
## Maximum TLS version for the connection.
|
||||||
|
# maximum_version: TLS1.3
|
||||||
|
|
||||||
|
## The certificate chain used with the private_key if the server requests TLS Client Authentication
|
||||||
|
## i.e. Mutual TLS.
|
||||||
|
# certificate_chain: |
|
||||||
|
# -----BEGIN CERTIFICATE-----
|
||||||
|
# MIIC5jCCAc6gAwIBAgIRAK4Sj7FiN6PXo/urPfO4E7owDQYJKoZIhvcNAQELBQAw
|
||||||
|
# EzERMA8GA1UEChMIQXV0aGVsaWEwHhcNNzAwMTAxMDAwMDAwWhcNNzEwMTAxMDAw
|
||||||
|
# MDAwWjATMREwDwYDVQQKEwhBdXRoZWxpYTCCASIwDQYJKoZIhvcNAQEBBQADggEP
|
||||||
|
# ADCCAQoCggEBAPKv3pSyP4ozGEiVLJ14dIWFCEGEgq7WUMI0SZZqQA2ID0L59U/Q
|
||||||
|
# /Usyy7uC9gfMUzODTpANtkOjFQcQAsxlR1FOjVBrX5QgjSvXwbQn3DtwMA7XWSl6
|
||||||
|
# LuYx2rBYSlMSN5UZQm/RxMtXfLK2b51WgEEYDFi+nECSqKzR4R54eOPkBEWRfvuY
|
||||||
|
# 91AMjlhpivg8e4JWkq4LVQUKbmiFYwIdK8XQiN4blY9WwXwJFYs5sQ/UYMwBFi0H
|
||||||
|
# kWOh7GEjfxgoUOPauIueZSMSlQp7zqAH39N0ZSYb6cS0Npj57QoWZSY3ak87ebcR
|
||||||
|
# Nf4rCvZLby7LoN7qYCKxmCaDD3x2+NYpWH8CAwEAAaM1MDMwDgYDVR0PAQH/BAQD
|
||||||
|
# AgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcN
|
||||||
|
# AQELBQADggEBAHSITqIQSNzonFl3DzxHPEzr2hp6peo45buAAtu8FZHoA+U7Icfh
|
||||||
|
# /ZXjPg7Xz+hgFwM/DTNGXkMWacQA/PaNWvZspgRJf2AXvNbMSs2UQODr7Tbv+Fb4
|
||||||
|
# lyblmMUNYFMCFVAMU0eIxXAFq2qcwv8UMcQFT0Z/35s6PVOakYnAGGQjTfp5Ljuq
|
||||||
|
# wsdc/xWmM0cHWube6sdRRUD7SY20KU/kWzl8iFO0VbSSrDf1AlEhnLEkp1SPaxXg
|
||||||
|
# OdBnl98MeoramNiJ7NT6Jnyb3zZ578fjaWfThiBpagItI8GZmG4s4Ovh2JbheN8i
|
||||||
|
# ZsjNr9jqHTjhyLVbDRlmJzcqoj4JhbKs6/I^invalid DO NOT USE=
|
||||||
|
# -----END CERTIFICATE-----
|
||||||
|
# -----BEGIN CERTIFICATE-----
|
||||||
|
# MIIDBDCCAeygAwIBAgIRALJsPg21kA0zY4F1wUCIuoMwDQYJKoZIhvcNAQELBQAw
|
||||||
|
# EzERMA8GA1UEChMIQXV0aGVsaWEwHhcNNzAwMTAxMDAwMDAwWhcNNzEwMTAxMDAw
|
||||||
|
# MDAwWjATMREwDwYDVQQKEwhBdXRoZWxpYTCCASIwDQYJKoZIhvcNAQEBBQADggEP
|
||||||
|
# ADCCAQoCggEBAMXHBvVxUzYk0u34/DINMSF+uiOekKOAjOrC6Mi9Ww8ytPVO7t2S
|
||||||
|
# zfTvM+XnEJqkFQFgimERfG/eGhjF9XIEY6LtnXe8ATvOK4nTwdufzBaoeQu3Gd50
|
||||||
|
# 5VXr6OHRo//ErrGvFXwP3g8xLePABsi/fkH3oDN+ztewOBMDzpd+KgTrk8ysv2ou
|
||||||
|
# kNRMKFZZqASvCgv0LD5KWvUCnL6wgf1oTXG7aztduA4oSkUP321GpOmBC5+5ElU7
|
||||||
|
# ysoRzvD12o9QJ/IfEaulIX06w9yVMo60C/h6A3U6GdkT1SiyTIqR7v7KU/IWd/Qi
|
||||||
|
# Lfftcj91VhCmJ73Meff2e2S2PrpjdXbG5FMCAwEAAaNTMFEwDgYDVR0PAQH/BAQD
|
||||||
|
# AgKkMA8GA1UdJQQIMAYGBFUdJQAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU
|
||||||
|
# Z7AtA3mzFc0InSBA5fiMfeLXA3owDQYJKoZIhvcNAQELBQADggEBAEE5hm1mtlk/
|
||||||
|
# kviCoHH4evbpw7rxPxDftIQlqYTtvMM4eWY/6icFoSZ4fUHEWYyps8SsPu/8f2tf
|
||||||
|
# 71LGgZn0FdHi1QU2H8m0HHK7TFw+5Q6RLrLdSyk0PItJ71s9en7r8pX820nAFEHZ
|
||||||
|
# HkOSfJZ7B5hFgUDkMtVM6bardXAhoqcMk4YCU96e9d4PB4eI+xGc+mNuYvov3RbB
|
||||||
|
# D0s8ICyojeyPVLerz4wHjZu68Z5frAzhZ68YbzNs8j2fIBKKHkHyLG1iQyF+LJVj
|
||||||
|
# 2PjCP+auJsj6fQQpMGoyGtpLcSDh+ptcTngUD8JsWipzTCjmaNqdPHAOYmcgtf4b
|
||||||
|
# qocikt3WAdU^invalid DO NOT USE=
|
||||||
|
# -----END CERTIFICATE-----
|
||||||
|
|
||||||
|
## The private key used with the certificate_chain if the server requests TLS Client Authentication
|
||||||
|
## i.e. Mutual TLS.
|
||||||
|
# private_key: |
|
||||||
|
# -----BEGIN RSA PRIVATE KEY-----
|
||||||
|
# MIIEpAIBAAKCAQEA8q/elLI/ijMYSJUsnXh0hYUIQYSCrtZQwjRJlmpADYgPQvn1
|
||||||
|
# T9D9SzLLu4L2B8xTM4NOkA22Q6MVBxACzGVHUU6NUGtflCCNK9fBtCfcO3AwDtdZ
|
||||||
|
# KXou5jHasFhKUxI3lRlCb9HEy1d8srZvnVaAQRgMWL6cQJKorNHhHnh44+QERZF+
|
||||||
|
# +5j3UAyOWGmK+Dx7glaSrgtVBQpuaIVjAh0rxdCI3huVj1bBfAkVizmxD9RgzAEW
|
||||||
|
# LQeRY6HsYSN/GChQ49q4i55lIxKVCnvOoAff03RlJhvpxLQ2mPntChZlJjdqTzt5
|
||||||
|
# txE1/isK9ktvLsug3upgIrGYJoMPfHb41ilYfwIDAQABAoIBAQDTOdFf2JjHH1um
|
||||||
|
# aPgRAvNf9v7Nj5jytaRKs5nM6iNf46ls4QPreXnMhqSeSwj6lpNgBYxOgzC9Q+cc
|
||||||
|
# Y4ob/paJJPaIJTxmP8K/gyWcOQlNToL1l+eJ20eQoZm23NGr5fIsunSBwLEpTrdB
|
||||||
|
# ENqqtcwhW937K8Pxy/Q1nuLyU2bc6Tn/ivLozc8n27dpQWWKh8537VY7ancIaACr
|
||||||
|
# LJJLYxKqhQpjtBWAyCDvZQirnAOm9KnvIHaGXIswCZ4Xbsu0Y9NL+woARPyRVQvG
|
||||||
|
# jfxy4EmO9s1s6y7OObSukwKDSNihAKHx/VIbvVWx8g2Lv5fGOa+J2Y7o9Qurs8t5
|
||||||
|
# BQwMTt0BAoGBAPUw5Z32EszNepAeV3E2mPFUc5CLiqAxagZJuNDO2pKtyN29ETTR
|
||||||
|
# Ma4O1cWtGb6RqcNNN/Iukfkdk27Q5nC9VJSUUPYelOLc1WYOoUf6oKRzE72dkMQV
|
||||||
|
# R4bf6TkjD+OVR17fAfkswkGahZ5XA7j48KIQ+YC4jbnYKSxZTYyKPjH/AoGBAP1i
|
||||||
|
# tqXt36OVlP+y84wWqZSjMelBIVa9phDVGJmmhz3i1cMni8eLpJzWecA3pfnG6Tm9
|
||||||
|
# ze5M4whASleEt+M00gEvNaU9ND+z0wBfi+/DwJYIbv8PQdGrBiZFrPhTPjGQUldR
|
||||||
|
# lXccV2meeLZv7TagVxSi3DO6dSJfSEHyemd5j9mBAoGAX8Hv+0gOQZQCSOTAq8Nx
|
||||||
|
# 6dZcp9gHlNaXnMsP9eTDckOSzh636JPGvj6m+GPJSSbkURUIQ3oyokMNwFqvlNos
|
||||||
|
# fTaLhAOfjBZI9WnDTTQxpugWjphJ4HqbC67JC/qIiw5S6FdaEvGLEEoD4zoChywZ
|
||||||
|
# 9oGAn+fz2d/0/JAH/FpFPgsCgYEAp/ipZgPzziiZ9ov1wbdAQcWRj7RaWnssPFpX
|
||||||
|
# jXwEiXT3CgEMO4MJ4+KWIWOChrti3qFBg6i6lDyyS6Qyls7sLFbUdC7HlTcrOEMe
|
||||||
|
# rBoTcCI1GqZNlqWOVQ65ZIEiaI7o1vPBZo2GMQEZuq8mDKFsOMThvvTrM5cAep84
|
||||||
|
# n6HJR4ECgYABWcbsSnr0MKvVth/inxjbKapbZnp2HUCuw87Ie5zK2Of/tbC20wwk
|
||||||
|
# yKw3vrGoE3O1t1g2m2tn8UGGASeZ842jZWjIODdSi5+icysQGuULKt86h/woz2SQ
|
||||||
|
# 27GoE2i5mh6Yez6VAYbUuns3FcwIsMyWLq043Tu2DNkx9ijOOAuQzw^invalid..
|
||||||
|
# DO NOT USE==
|
||||||
|
# -----END RSA PRIVATE KEY-----
|
||||||
|
|
||||||
## The Redis HA configuration options.
|
## The Redis HA configuration options.
|
||||||
## This provides specific options to Redis Sentinel, sentinel_name must be defined (Master Name).
|
## This provides specific options to Redis Sentinel, sentinel_name must be defined (Master Name).
|
||||||
# high_availability:
|
# high_availability:
|
||||||
|
@ -777,7 +853,7 @@ regulation:
|
||||||
## Storage Provider Configuration
|
## Storage Provider Configuration
|
||||||
##
|
##
|
||||||
## The available providers are: `local`, `mysql`, `postgres`. You must use one and only one of these providers.
|
## The available providers are: `local`, `mysql`, `postgres`. You must use one and only one of these providers.
|
||||||
storage:
|
# storage:
|
||||||
## The encryption key that is used to encrypt sensitive information in the database. Must be a string with a minimum
|
## The encryption key that is used to encrypt sensitive information in the database. Must be a string with a minimum
|
||||||
## length of 20. Please see the docs if you configure this with an undesirable key and need to change it.
|
## length of 20. Please see the docs if you configure this with an undesirable key and need to change it.
|
||||||
# encryption_key: you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this
|
# encryption_key: you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this
|
||||||
|
@ -791,19 +867,20 @@ storage:
|
||||||
## Important: Kubernetes (or HA) users must read https://www.authelia.com/t/statelessness
|
## Important: Kubernetes (or HA) users must read https://www.authelia.com/t/statelessness
|
||||||
##
|
##
|
||||||
# local:
|
# local:
|
||||||
|
## Path to the SQLite3 Database.
|
||||||
# path: /config/db.sqlite3
|
# path: /config/db.sqlite3
|
||||||
|
|
||||||
##
|
##
|
||||||
## MySQL / MariaDB (Storage Provider)
|
## MySQL / MariaDB (Storage Provider)
|
||||||
##
|
##
|
||||||
mysql:
|
# mysql:
|
||||||
host: 127.0.0.1
|
# host: 127.0.0.1
|
||||||
port: 3306
|
# port: 3306
|
||||||
database: authelia
|
# database: authelia
|
||||||
username: authelia
|
# username: authelia
|
||||||
## Password can also be set using a secret: https://www.authelia.com/c/secrets
|
## Password can also be set using a secret: https://www.authelia.com/c/secrets
|
||||||
password: mypassword
|
# password: mypassword
|
||||||
timeout: 5s
|
# timeout: 5s
|
||||||
|
|
||||||
##
|
##
|
||||||
## PostgreSQL (Storage Provider)
|
## PostgreSQL (Storage Provider)
|
||||||
|
@ -814,7 +891,7 @@ storage:
|
||||||
# database: authelia
|
# database: authelia
|
||||||
# schema: public
|
# schema: public
|
||||||
# username: authelia
|
# username: authelia
|
||||||
# ## Password can also be set using a secret: https://www.authelia.com/c/secrets
|
## Password can also be set using a secret: https://www.authelia.com/c/secrets
|
||||||
# password: mypassword
|
# password: mypassword
|
||||||
# timeout: 5s
|
# timeout: 5s
|
||||||
# ssl:
|
# ssl:
|
||||||
|
@ -850,55 +927,131 @@ notifier:
|
||||||
## (only works for unauthenticated connections)
|
## (only works for unauthenticated connections)
|
||||||
## - validate the SMTP server x509 certificate during the TLS handshake against the hosts trusted certificates
|
## - validate the SMTP server x509 certificate during the TLS handshake against the hosts trusted certificates
|
||||||
## (configure in tls section)
|
## (configure in tls section)
|
||||||
smtp:
|
# smtp:
|
||||||
## The SMTP host to connect to.
|
## The SMTP host to connect to.
|
||||||
host: 127.0.0.1
|
# host: 127.0.0.1
|
||||||
|
|
||||||
## The port to connect to the SMTP host on.
|
## The port to connect to the SMTP host on.
|
||||||
port: 1025
|
# port: 1025
|
||||||
|
|
||||||
## The connection timeout.
|
## The connection timeout.
|
||||||
timeout: 5s
|
# timeout: 5s
|
||||||
|
|
||||||
## The username used for SMTP authentication.
|
## The username used for SMTP authentication.
|
||||||
username: test
|
# username: test
|
||||||
|
|
||||||
## The password used for SMTP authentication.
|
## The password used for SMTP authentication.
|
||||||
## Can also be set using a secret: https://www.authelia.com/c/secrets
|
## Can also be set using a secret: https://www.authelia.com/c/secrets
|
||||||
password: password
|
# password: password
|
||||||
|
|
||||||
## The sender is used to is used for the MAIL FROM command and the FROM header.
|
## The sender is used to is used for the MAIL FROM command and the FROM header.
|
||||||
## If this is not defined and the username is an email, we use the username as this value. This can either be just
|
## If this is not defined and the username is an email, we use the username as this value. This can either be just
|
||||||
## an email address or the RFC5322 'Name <email address>' format.
|
## an email address or the RFC5322 'Name <email address>' format.
|
||||||
sender: "Authelia <admin@example.com>"
|
# sender: "Authelia <admin@example.com>"
|
||||||
|
|
||||||
## HELO/EHLO Identifier. Some SMTP Servers may reject the default of localhost.
|
## HELO/EHLO Identifier. Some SMTP Servers may reject the default of localhost.
|
||||||
identifier: localhost
|
# identifier: localhost
|
||||||
|
|
||||||
## Subject configuration of the emails sent. {title} is replaced by the text from the notifier.
|
## Subject configuration of the emails sent. {title} is replaced by the text from the notifier.
|
||||||
subject: "[Authelia] {title}"
|
# subject: "[Authelia] {title}"
|
||||||
|
|
||||||
## This address is used during the startup check to verify the email configuration is correct.
|
## This address is used during the startup check to verify the email configuration is correct.
|
||||||
## It's not important what it is except if your email server only allows local delivery.
|
## It's not important what it is except if your email server only allows local delivery.
|
||||||
startup_check_address: test@authelia.com
|
# startup_check_address: test@authelia.com
|
||||||
|
|
||||||
## By default we require some form of TLS. This disables this check though is not advised.
|
## By default we require some form of TLS. This disables this check though is not advised.
|
||||||
disable_require_tls: false
|
# disable_require_tls: false
|
||||||
|
|
||||||
## Disables sending HTML formatted emails.
|
## Disables sending HTML formatted emails.
|
||||||
disable_html_emails: false
|
# disable_html_emails: false
|
||||||
|
|
||||||
tls:
|
# tls:
|
||||||
## Server Name for certificate validation (in case you are using the IP or non-FQDN in the host option).
|
## Server Name for certificate validation (in case you are using the IP or non-FQDN in the host option).
|
||||||
# server_name: smtp.example.com
|
# server_name: smtp.example.com
|
||||||
|
|
||||||
## Skip verifying the server certificate (to allow a self-signed certificate).
|
## Skip verifying the server certificate (to allow a self-signed certificate).
|
||||||
## In preference to setting this we strongly recommend you add the public portion of the certificate to the
|
## In preference to setting this we strongly recommend you add the public portion of the certificate to the
|
||||||
## certificates directory which is defined by the `certificates_directory` option at the top of the config.
|
## certificates directory which is defined by the `certificates_directory` option at the top of the config.
|
||||||
skip_verify: false
|
# skip_verify: false
|
||||||
|
|
||||||
## Minimum TLS version for either StartTLS or SMTPS.
|
## Minimum TLS version for either StartTLS or SMTPS.
|
||||||
minimum_version: TLS1.2
|
# minimum_version: TLS1.2
|
||||||
|
|
||||||
|
## Maximum TLS version for either StartTLS or SMTPS.
|
||||||
|
# maximum_version: TLS1.3
|
||||||
|
|
||||||
|
## The certificate chain used with the private_key if the server requests TLS Client Authentication
|
||||||
|
## i.e. Mutual TLS.
|
||||||
|
# certificate_chain: |
|
||||||
|
# -----BEGIN CERTIFICATE-----
|
||||||
|
# MIIC5jCCAc6gAwIBAgIRAK4Sj7FiN6PXo/urPfO4E7owDQYJKoZIhvcNAQELBQAw
|
||||||
|
# EzERMA8GA1UEChMIQXV0aGVsaWEwHhcNNzAwMTAxMDAwMDAwWhcNNzEwMTAxMDAw
|
||||||
|
# MDAwWjATMREwDwYDVQQKEwhBdXRoZWxpYTCCASIwDQYJKoZIhvcNAQEBBQADggEP
|
||||||
|
# ADCCAQoCggEBAPKv3pSyP4ozGEiVLJ14dIWFCEGEgq7WUMI0SZZqQA2ID0L59U/Q
|
||||||
|
# /Usyy7uC9gfMUzODTpANtkOjFQcQAsxlR1FOjVBrX5QgjSvXwbQn3DtwMA7XWSl6
|
||||||
|
# LuYx2rBYSlMSN5UZQm/RxMtXfLK2b51WgEEYDFi+nECSqKzR4R54eOPkBEWRfvuY
|
||||||
|
# 91AMjlhpivg8e4JWkq4LVQUKbmiFYwIdK8XQiN4blY9WwXwJFYs5sQ/UYMwBFi0H
|
||||||
|
# kWOh7GEjfxgoUOPauIueZSMSlQp7zqAH39N0ZSYb6cS0Npj57QoWZSY3ak87ebcR
|
||||||
|
# Nf4rCvZLby7LoN7qYCKxmCaDD3x2+NYpWH8CAwEAAaM1MDMwDgYDVR0PAQH/BAQD
|
||||||
|
# AgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcN
|
||||||
|
# AQELBQADggEBAHSITqIQSNzonFl3DzxHPEzr2hp6peo45buAAtu8FZHoA+U7Icfh
|
||||||
|
# /ZXjPg7Xz+hgFwM/DTNGXkMWacQA/PaNWvZspgRJf2AXvNbMSs2UQODr7Tbv+Fb4
|
||||||
|
# lyblmMUNYFMCFVAMU0eIxXAFq2qcwv8UMcQFT0Z/35s6PVOakYnAGGQjTfp5Ljuq
|
||||||
|
# wsdc/xWmM0cHWube6sdRRUD7SY20KU/kWzl8iFO0VbSSrDf1AlEhnLEkp1SPaxXg
|
||||||
|
# OdBnl98MeoramNiJ7NT6Jnyb3zZ578fjaWfThiBpagItI8GZmG4s4Ovh2JbheN8i
|
||||||
|
# ZsjNr9jqHTjhyLVbDRlmJzcqoj4JhbKs6/I^invalid DO NOT USE=
|
||||||
|
# -----END CERTIFICATE-----
|
||||||
|
# -----BEGIN CERTIFICATE-----
|
||||||
|
# MIIDBDCCAeygAwIBAgIRALJsPg21kA0zY4F1wUCIuoMwDQYJKoZIhvcNAQELBQAw
|
||||||
|
# EzERMA8GA1UEChMIQXV0aGVsaWEwHhcNNzAwMTAxMDAwMDAwWhcNNzEwMTAxMDAw
|
||||||
|
# MDAwWjATMREwDwYDVQQKEwhBdXRoZWxpYTCCASIwDQYJKoZIhvcNAQEBBQADggEP
|
||||||
|
# ADCCAQoCggEBAMXHBvVxUzYk0u34/DINMSF+uiOekKOAjOrC6Mi9Ww8ytPVO7t2S
|
||||||
|
# zfTvM+XnEJqkFQFgimERfG/eGhjF9XIEY6LtnXe8ATvOK4nTwdufzBaoeQu3Gd50
|
||||||
|
# 5VXr6OHRo//ErrGvFXwP3g8xLePABsi/fkH3oDN+ztewOBMDzpd+KgTrk8ysv2ou
|
||||||
|
# kNRMKFZZqASvCgv0LD5KWvUCnL6wgf1oTXG7aztduA4oSkUP321GpOmBC5+5ElU7
|
||||||
|
# ysoRzvD12o9QJ/IfEaulIX06w9yVMo60C/h6A3U6GdkT1SiyTIqR7v7KU/IWd/Qi
|
||||||
|
# Lfftcj91VhCmJ73Meff2e2S2PrpjdXbG5FMCAwEAAaNTMFEwDgYDVR0PAQH/BAQD
|
||||||
|
# AgKkMA8GA1UdJQQIMAYGBFUdJQAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU
|
||||||
|
# Z7AtA3mzFc0InSBA5fiMfeLXA3owDQYJKoZIhvcNAQELBQADggEBAEE5hm1mtlk/
|
||||||
|
# kviCoHH4evbpw7rxPxDftIQlqYTtvMM4eWY/6icFoSZ4fUHEWYyps8SsPu/8f2tf
|
||||||
|
# 71LGgZn0FdHi1QU2H8m0HHK7TFw+5Q6RLrLdSyk0PItJ71s9en7r8pX820nAFEHZ
|
||||||
|
# HkOSfJZ7B5hFgUDkMtVM6bardXAhoqcMk4YCU96e9d4PB4eI+xGc+mNuYvov3RbB
|
||||||
|
# D0s8ICyojeyPVLerz4wHjZu68Z5frAzhZ68YbzNs8j2fIBKKHkHyLG1iQyF+LJVj
|
||||||
|
# 2PjCP+auJsj6fQQpMGoyGtpLcSDh+ptcTngUD8JsWipzTCjmaNqdPHAOYmcgtf4b
|
||||||
|
# qocikt3WAdU^invalid DO NOT USE=
|
||||||
|
# -----END CERTIFICATE-----
|
||||||
|
|
||||||
|
## The private key used with the certificate_chain if the server requests TLS Client Authentication
|
||||||
|
## i.e. Mutual TLS.
|
||||||
|
# private_key: |
|
||||||
|
# -----BEGIN RSA PRIVATE KEY-----
|
||||||
|
# MIIEpAIBAAKCAQEA8q/elLI/ijMYSJUsnXh0hYUIQYSCrtZQwjRJlmpADYgPQvn1
|
||||||
|
# T9D9SzLLu4L2B8xTM4NOkA22Q6MVBxACzGVHUU6NUGtflCCNK9fBtCfcO3AwDtdZ
|
||||||
|
# KXou5jHasFhKUxI3lRlCb9HEy1d8srZvnVaAQRgMWL6cQJKorNHhHnh44+QERZF+
|
||||||
|
# +5j3UAyOWGmK+Dx7glaSrgtVBQpuaIVjAh0rxdCI3huVj1bBfAkVizmxD9RgzAEW
|
||||||
|
# LQeRY6HsYSN/GChQ49q4i55lIxKVCnvOoAff03RlJhvpxLQ2mPntChZlJjdqTzt5
|
||||||
|
# txE1/isK9ktvLsug3upgIrGYJoMPfHb41ilYfwIDAQABAoIBAQDTOdFf2JjHH1um
|
||||||
|
# aPgRAvNf9v7Nj5jytaRKs5nM6iNf46ls4QPreXnMhqSeSwj6lpNgBYxOgzC9Q+cc
|
||||||
|
# Y4ob/paJJPaIJTxmP8K/gyWcOQlNToL1l+eJ20eQoZm23NGr5fIsunSBwLEpTrdB
|
||||||
|
# ENqqtcwhW937K8Pxy/Q1nuLyU2bc6Tn/ivLozc8n27dpQWWKh8537VY7ancIaACr
|
||||||
|
# LJJLYxKqhQpjtBWAyCDvZQirnAOm9KnvIHaGXIswCZ4Xbsu0Y9NL+woARPyRVQvG
|
||||||
|
# jfxy4EmO9s1s6y7OObSukwKDSNihAKHx/VIbvVWx8g2Lv5fGOa+J2Y7o9Qurs8t5
|
||||||
|
# BQwMTt0BAoGBAPUw5Z32EszNepAeV3E2mPFUc5CLiqAxagZJuNDO2pKtyN29ETTR
|
||||||
|
# Ma4O1cWtGb6RqcNNN/Iukfkdk27Q5nC9VJSUUPYelOLc1WYOoUf6oKRzE72dkMQV
|
||||||
|
# R4bf6TkjD+OVR17fAfkswkGahZ5XA7j48KIQ+YC4jbnYKSxZTYyKPjH/AoGBAP1i
|
||||||
|
# tqXt36OVlP+y84wWqZSjMelBIVa9phDVGJmmhz3i1cMni8eLpJzWecA3pfnG6Tm9
|
||||||
|
# ze5M4whASleEt+M00gEvNaU9ND+z0wBfi+/DwJYIbv8PQdGrBiZFrPhTPjGQUldR
|
||||||
|
# lXccV2meeLZv7TagVxSi3DO6dSJfSEHyemd5j9mBAoGAX8Hv+0gOQZQCSOTAq8Nx
|
||||||
|
# 6dZcp9gHlNaXnMsP9eTDckOSzh636JPGvj6m+GPJSSbkURUIQ3oyokMNwFqvlNos
|
||||||
|
# fTaLhAOfjBZI9WnDTTQxpugWjphJ4HqbC67JC/qIiw5S6FdaEvGLEEoD4zoChywZ
|
||||||
|
# 9oGAn+fz2d/0/JAH/FpFPgsCgYEAp/ipZgPzziiZ9ov1wbdAQcWRj7RaWnssPFpX
|
||||||
|
# jXwEiXT3CgEMO4MJ4+KWIWOChrti3qFBg6i6lDyyS6Qyls7sLFbUdC7HlTcrOEMe
|
||||||
|
# rBoTcCI1GqZNlqWOVQ65ZIEiaI7o1vPBZo2GMQEZuq8mDKFsOMThvvTrM5cAep84
|
||||||
|
# n6HJR4ECgYABWcbsSnr0MKvVth/inxjbKapbZnp2HUCuw87Ie5zK2Of/tbC20wwk
|
||||||
|
# yKw3vrGoE3O1t1g2m2tn8UGGASeZ842jZWjIODdSi5+icysQGuULKt86h/woz2SQ
|
||||||
|
# 27GoE2i5mh6Yez6VAYbUuns3FcwIsMyWLq043Tu2DNkx9ijOOAuQzw^invalid..
|
||||||
|
# DO NOT USE==
|
||||||
|
# -----END RSA PRIVATE KEY-----
|
||||||
|
|
||||||
##
|
##
|
||||||
## Identity Providers
|
## Identity Providers
|
||||||
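Review bot: The example secrets this change comments out (duo `secret_key: 1234567890abcdefghifjkl`, ldap `password: password`, redis `password: authelia`, mysql `password: mypassword`, smtp `password: password`) still read like usable values, whereas the storage `encryption_key` placeholder self-describes that it must be replaced, so a reader who uncomments a block may keep them as-is. The same self-describing convention, or a one-line `## Example value only - replace it or set it via a secret.` comment above each, would make the template consistent across the duo, ldap, redis, mysql and smtp hunks. In the `@ -728,6 +728,82 @@ session:` hunk the added mTLS `certificate_chain`/`private_key` sample is deliberately unparseable (`^invalid DO NOT USE=`), which is the right choice, but nothing says so; a comment such as `## The example chain and key below are intentionally invalid placeholders; supply your own material.` would stop users from trying to "repair" them, and the same applies to the copy in the `@ -850,55 +927,131 @@ notifier:` hunk. Which side of each printed pair is old and which is new is inferred from the commit title, since the rendering lost the +/- markers.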
@ -218,13 +218,13 @@ webauthn:
|
||||||
##
|
##
|
||||||
## Parameters used to contact the Duo API. Those are generated when you protect an application of type
|
## Parameters used to contact the Duo API. Those are generated when you protect an application of type
|
||||||
## "Partner Auth API" in the management panel.
|
## "Partner Auth API" in the management panel.
|
||||||
duo_api:
|
# duo_api:
|
||||||
disable: false
|
# disable: false
|
||||||
hostname: api-123456789.example.com
|
# hostname: api-123456789.example.com
|
||||||
integration_key: ABCDEF
|
# integration_key: ABCDEF
|
||||||
## Secret can also be set using a secret: https://www.authelia.com/c/secrets
|
## Secret can also be set using a secret: https://www.authelia.com/c/secrets
|
||||||
secret_key: 1234567890abcdefghifjkl
|
# secret_key: 1234567890abcdefghifjkl
|
||||||
enable_self_enrollment: false
|
# enable_self_enrollment: false
|
||||||
|
|
||||||
##
|
##
|
||||||
## NTP Configuration
|
## NTP Configuration
|
||||||
|
@ -281,7 +281,7 @@ authentication_backend:
|
||||||
## This is the recommended Authentication Provider in production
|
## This is the recommended Authentication Provider in production
|
||||||
## because it allows Authelia to offload the stateful operations
|
## because it allows Authelia to offload the stateful operations
|
||||||
## onto the LDAP service.
|
## onto the LDAP service.
|
||||||
ldap:
|
# ldap:
|
||||||
## The LDAP implementation, this affects elements like the attribute utilised for resetting a password.
|
## The LDAP implementation, this affects elements like the attribute utilised for resetting a password.
|
||||||
## Acceptable options are as follows:
|
## Acceptable options are as follows:
|
||||||
## - 'activedirectory' - For Microsoft Active Directory.
|
## - 'activedirectory' - For Microsoft Active Directory.
|
||||||
|
@ -291,32 +291,32 @@ authentication_backend:
|
||||||
## Depending on the option here certain other values in this section have a default value, notably all of the
|
## Depending on the option here certain other values in this section have a default value, notably all of the
|
||||||
## attribute mappings have a default value that this config overrides, you can read more about these default values
|
## attribute mappings have a default value that this config overrides, you can read more about these default values
|
||||||
## at https://www.authelia.com/c/ldap#defaults
|
## at https://www.authelia.com/c/ldap#defaults
|
||||||
implementation: custom
|
# implementation: custom
|
||||||
|
|
||||||
## The url to the ldap server. Format: <scheme>://<address>[:<port>].
|
## The url to the ldap server. Format: <scheme>://<address>[:<port>].
|
||||||
## Scheme can be ldap or ldaps in the format (port optional).
|
## Scheme can be ldap or ldaps in the format (port optional).
|
||||||
url: ldap://127.0.0.1
|
# url: ldap://127.0.0.1
|
||||||
|
|
||||||
## The dial timeout for LDAP.
|
## The dial timeout for LDAP.
|
||||||
timeout: 5s
|
# timeout: 5s
|
||||||
|
|
||||||
## Use StartTLS with the LDAP connection.
|
## Use StartTLS with the LDAP connection.
|
||||||
start_tls: false
|
# start_tls: false
|
||||||
|
|
||||||
tls:
|
# tls:
|
||||||
## Server Name for certificate validation (in case it's not set correctly in the URL).
|
## Server Name for certificate validation (in case it's not set correctly in the URL).
|
||||||
# server_name: ldap.example.com
|
# server_name: ldap.example.com
|
||||||
|
|
||||||
## Skip verifying the server certificate (to allow a self-signed certificate).
|
## Skip verifying the server certificate (to allow a self-signed certificate).
|
||||||
## In preference to setting this we strongly recommend you add the public portion of the certificate to the
|
## In preference to setting this we strongly recommend you add the public portion of the certificate to the
|
||||||
## certificates directory which is defined by the `certificates_directory` option at the top of the config.
|
## certificates directory which is defined by the `certificates_directory` option at the top of the config.
|
||||||
skip_verify: false
|
# skip_verify: false
|
||||||
|
|
||||||
## Minimum TLS version for either Secure LDAP or LDAP StartTLS.
|
## Minimum TLS version for either Secure LDAP or LDAP StartTLS.
|
||||||
minimum_version: TLS1.2
|
# minimum_version: TLS1.2
|
||||||
|
|
||||||
## Maximum TLS version for either Secure LDAP or LDAP StartTLS.
|
## Maximum TLS version for either Secure LDAP or LDAP StartTLS.
|
||||||
maximum_version: TLS1.3
|
# maximum_version: TLS1.3
|
||||||
|
|
||||||
## The certificate chain used with the private_key if the server requests TLS Client Authentication
|
## The certificate chain used with the private_key if the server requests TLS Client Authentication
|
||||||
## i.e. Mutual TLS.
|
## i.e. Mutual TLS.
|
||||||
|
@ -393,7 +393,7 @@ authentication_backend:
|
||||||
|
|
||||||
## The distinguished name of the container searched for objects in the directory information tree.
|
## The distinguished name of the container searched for objects in the directory information tree.
|
||||||
## See also: additional_users_dn, additional_groups_dn.
|
## See also: additional_users_dn, additional_groups_dn.
|
||||||
base_dn: dc=example,dc=com
|
# base_dn: dc=example,dc=com
|
||||||
|
|
||||||
## The attribute holding the username of the user. This attribute is used to populate the username in the session
|
## The attribute holding the username of the user. This attribute is used to populate the username in the session
|
||||||
## information. It was introduced due to #561 to handle case insensitive search queries. For you information,
|
## information. It was introduced due to #561 to handle case insensitive search queries. For you information,
|
||||||
|
@ -407,7 +407,7 @@ authentication_backend:
|
||||||
|
|
||||||
## The additional_users_dn is prefixed to base_dn and delimited by a comma when searching for users.
|
## The additional_users_dn is prefixed to base_dn and delimited by a comma when searching for users.
|
||||||
## i.e. with this set to OU=Users and base_dn set to DC=a,DC=com; OU=Users,DC=a,DC=com is searched for users.
|
## i.e. with this set to OU=Users and base_dn set to DC=a,DC=com; OU=Users,DC=a,DC=com is searched for users.
|
||||||
additional_users_dn: ou=users
|
# additional_users_dn: ou=users
|
||||||
|
|
||||||
## The users filter used in search queries to find the user profile based on input filled in login form.
|
## The users filter used in search queries to find the user profile based on input filled in login form.
|
||||||
## Various placeholders are available in the user filter which you can read about in the documentation which can
|
## Various placeholders are available in the user filter which you can read about in the documentation which can
|
||||||
|
@ -421,11 +421,11 @@ authentication_backend:
|
||||||
##
|
##
|
||||||
## To allow sign in both with username and email, one can use a filter like
|
## To allow sign in both with username and email, one can use a filter like
|
||||||
## (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
|
## (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
|
||||||
users_filter: (&({username_attribute}={input})(objectClass=person))
|
# users_filter: (&({username_attribute}={input})(objectClass=person))
|
||||||
|
|
||||||
## The additional_groups_dn is prefixed to base_dn and delimited by a comma when searching for groups.
|
## The additional_groups_dn is prefixed to base_dn and delimited by a comma when searching for groups.
|
||||||
## i.e. with this set to OU=Groups and base_dn set to DC=a,DC=com; OU=Groups,DC=a,DC=com is searched for groups.
|
## i.e. with this set to OU=Groups and base_dn set to DC=a,DC=com; OU=Groups,DC=a,DC=com is searched for groups.
|
||||||
additional_groups_dn: ou=groups
|
# additional_groups_dn: ou=groups
|
||||||
|
|
||||||
## The groups filter used in search queries to find the groups based on relevant authenticated user.
|
## The groups filter used in search queries to find the groups based on relevant authenticated user.
|
||||||
## Various placeholders are available in the groups filter which you can read about in the documentation which can
|
## Various placeholders are available in the groups filter which you can read about in the documentation which can
|
||||||
|
@ -433,7 +433,7 @@ authentication_backend:
|
||||||
##
|
##
|
||||||
## If your groups use the `groupOfUniqueNames` structure use this instead:
|
## If your groups use the `groupOfUniqueNames` structure use this instead:
|
||||||
## (&(uniqueMember={dn})(objectClass=groupOfUniqueNames))
|
## (&(uniqueMember={dn})(objectClass=groupOfUniqueNames))
|
||||||
groups_filter: (&(member={dn})(objectClass=groupOfNames))
|
# groups_filter: (&(member={dn})(objectClass=groupOfNames))
|
||||||
|
|
||||||
## The attribute holding the name of the group.
|
## The attribute holding the name of the group.
|
||||||
# group_name_attribute: cn
|
# group_name_attribute: cn
|
||||||
|
@ -447,12 +447,12 @@ authentication_backend:
|
||||||
|
|
||||||
## Follow referrals returned by the server.
|
## Follow referrals returned by the server.
|
||||||
## This is especially useful for environments where read-only servers exist. Only implemented for write operations.
|
## This is especially useful for environments where read-only servers exist. Only implemented for write operations.
|
||||||
permit_referrals: false
|
# permit_referrals: false
|
||||||
|
|
||||||
## The username and password of the admin user.
|
## The username and password of the admin user.
|
||||||
user: cn=admin,dc=example,dc=com
|
# user: cn=admin,dc=example,dc=com
|
||||||
## Password can also be set using a secret: https://www.authelia.com/c/secrets
|
## Password can also be set using a secret: https://www.authelia.com/c/secrets
|
||||||
password: password
|
# password: password
|
||||||
|
|
||||||
##
|
##
|
||||||
## File (Authentication Provider)
|
## File (Authentication Provider)
|
||||||
|
@ -566,18 +566,18 @@ access_control:
|
||||||
## resource if there is no policy to be applied to the user.
|
## resource if there is no policy to be applied to the user.
|
||||||
default_policy: deny
|
default_policy: deny
|
||||||
|
|
||||||
networks:
|
# networks:
|
||||||
- name: internal
|
# - name: internal
|
||||||
networks:
|
# networks:
|
||||||
- 10.10.0.0/16
|
# - 10.10.0.0/16
|
||||||
- 192.168.2.0/24
|
# - 192.168.2.0/24
|
||||||
- name: VPN
|
# - name: VPN
|
||||||
networks: 10.9.0.0/16
|
# networks: 10.9.0.0/16
|
||||||
|
|
||||||
rules:
|
# rules:
|
||||||
## Rules applied to everyone
|
## Rules applied to everyone
|
||||||
- domain: 'public.example.com'
|
# - domain: 'public.example.com'
|
||||||
policy: bypass
|
# policy: bypass
|
||||||
|
|
||||||
## Domain Regex examples. Generally we recommend just using a standard domain.
|
## Domain Regex examples. Generally we recommend just using a standard domain.
|
||||||
# - domain_regex: '^(?P<User>\w+)\.example\.com$'
|
# - domain_regex: '^(?P<User>\w+)\.example\.com$'
|
||||||
|
@ -591,64 +591,64 @@ access_control:
|
||||||
# - domain_regex: '^.*\.example\.com$'
|
# - domain_regex: '^.*\.example\.com$'
|
||||||
# policy: two_factor
|
# policy: two_factor
|
||||||
|
|
||||||
- domain: 'secure.example.com'
|
# - domain: 'secure.example.com'
|
||||||
policy: one_factor
|
# policy: one_factor
|
||||||
## Network based rule, if not provided any network matches.
|
## Network based rule, if not provided any network matches.
|
||||||
networks:
|
# networks:
|
||||||
- internal
|
# - internal
|
||||||
- VPN
|
# - VPN
|
||||||
- 192.168.1.0/24
|
# - 192.168.1.0/24
|
||||||
- 10.0.0.1
|
# - 10.0.0.1
|
||||||
|
|
||||||
- domain:
|
# - domain:
|
||||||
- 'secure.example.com'
|
# - 'secure.example.com'
|
||||||
- 'private.example.com'
|
# - 'private.example.com'
|
||||||
policy: two_factor
|
# policy: two_factor
|
||||||
|
|
||||||
- domain: 'singlefactor.example.com'
|
# - domain: 'singlefactor.example.com'
|
||||||
policy: one_factor
|
# policy: one_factor
|
||||||
|
|
||||||
## Rules applied to 'admins' group
|
## Rules applied to 'admins' group
|
||||||
- domain: 'mx2.mail.example.com'
|
# - domain: 'mx2.mail.example.com'
|
||||||
subject: 'group:admins'
|
# subject: 'group:admins'
|
||||||
policy: deny
|
# policy: deny
|
||||||
|
|
||||||
- domain: '*.example.com'
|
# - domain: '*.example.com'
|
||||||
subject:
|
# subject:
|
||||||
- 'group:admins'
|
# - 'group:admins'
|
||||||
- 'group:moderators'
|
# - 'group:moderators'
|
||||||
policy: two_factor
|
# policy: two_factor
|
||||||
|
|
||||||
## Rules applied to 'dev' group
|
## Rules applied to 'dev' group
|
||||||
- domain: 'dev.example.com'
|
# - domain: 'dev.example.com'
|
||||||
resources:
|
# resources:
|
||||||
- '^/groups/dev/.*$'
|
# - '^/groups/dev/.*$'
|
||||||
subject: 'group:dev'
|
# subject: 'group:dev'
|
||||||
policy: two_factor
|
# policy: two_factor
|
||||||
|
|
||||||
## Rules applied to user 'john'
|
## Rules applied to user 'john'
|
||||||
- domain: 'dev.example.com'
|
# - domain: 'dev.example.com'
|
||||||
resources:
|
# resources:
|
||||||
- '^/users/john/.*$'
|
# - '^/users/john/.*$'
|
||||||
subject: 'user:john'
|
# subject: 'user:john'
|
||||||
policy: two_factor
|
# policy: two_factor
|
||||||
|
|
||||||
## Rules applied to user 'harry'
|
## Rules applied to user 'harry'
|
||||||
- domain: 'dev.example.com'
|
# - domain: 'dev.example.com'
|
||||||
resources:
|
# resources:
|
||||||
- '^/users/harry/.*$'
|
# - '^/users/harry/.*$'
|
||||||
subject: 'user:harry'
|
# subject: 'user:harry'
|
||||||
policy: two_factor
|
# policy: two_factor
|
||||||
|
|
||||||
## Rules applied to user 'bob'
|
## Rules applied to user 'bob'
|
||||||
- domain: '*.mail.example.com'
|
# - domain: '*.mail.example.com'
|
||||||
subject: 'user:bob'
|
# subject: 'user:bob'
|
||||||
policy: two_factor
|
# policy: two_factor
|
||||||
- domain: 'dev.example.com'
|
# - domain: 'dev.example.com'
|
||||||
resources:
|
# resources:
|
||||||
- '^/users/bob/.*$'
|
# - '^/users/bob/.*$'
|
||||||
subject: 'user:bob'
|
# subject: 'user:bob'
|
||||||
policy: two_factor
|
# policy: two_factor
|
||||||
|
|
||||||
##
|
##
|
||||||
## Session Provider Configuration
|
## Session Provider Configuration
|
||||||
|
@ -694,9 +694,9 @@ session:
|
||||||
##
|
##
|
||||||
## Important: Kubernetes (or HA) users must read https://www.authelia.com/t/statelessness
|
## Important: Kubernetes (or HA) users must read https://www.authelia.com/t/statelessness
|
||||||
##
|
##
|
||||||
redis:
|
# redis:
|
||||||
host: 127.0.0.1
|
# host: 127.0.0.1
|
||||||
port: 6379
|
# port: 6379
|
||||||
## Use a unix socket instead
|
## Use a unix socket instead
|
||||||
# host: /var/run/redis/redis.sock
|
# host: /var/run/redis/redis.sock
|
||||||
|
|
||||||
|
@ -704,16 +704,16 @@ session:
|
||||||
# username: authelia
|
# username: authelia
|
||||||
|
|
||||||
## Password can also be set using a secret: https://www.authelia.com/c/secrets
|
## Password can also be set using a secret: https://www.authelia.com/c/secrets
|
||||||
password: authelia
|
# password: authelia
|
||||||
|
|
||||||
## This is the Redis DB Index https://redis.io/commands/select (sometimes referred to as database number, DB, etc).
|
## This is the Redis DB Index https://redis.io/commands/select (sometimes referred to as database number, DB, etc).
|
||||||
database_index: 0
|
# database_index: 0
|
||||||
|
|
||||||
## The maximum number of concurrent active connections to Redis.
|
## The maximum number of concurrent active connections to Redis.
|
||||||
maximum_active_connections: 8
|
# maximum_active_connections: 8
|
||||||
|
|
||||||
## The target number of idle connections to have open ready for work. Useful when opening connections is slow.
|
## The target number of idle connections to have open ready for work. Useful when opening connections is slow.
|
||||||
minimum_idle_connections: 0
|
# minimum_idle_connections: 0
|
||||||
|
|
||||||
## The Redis TLS configuration. If defined will require a TLS connection to the Redis instance(s).
|
## The Redis TLS configuration. If defined will require a TLS connection to the Redis instance(s).
|
||||||
# tls:
|
# tls:
|
||||||
|
@ -728,6 +728,82 @@ session:
|
||||||
## Minimum TLS version for the connection.
|
## Minimum TLS version for the connection.
|
||||||
# minimum_version: TLS1.2
|
# minimum_version: TLS1.2
|
||||||
|
|
||||||
|
## Maximum TLS version for the connection.
|
||||||
|
# maximum_version: TLS1.3
|
||||||
|
|
||||||
|
## The certificate chain used with the private_key if the server requests TLS Client Authentication
|
||||||
|
## i.e. Mutual TLS.
|
||||||
|
# certificate_chain: |
|
||||||
|
# -----BEGIN CERTIFICATE-----
|
||||||
|
# MIIC5jCCAc6gAwIBAgIRAK4Sj7FiN6PXo/urPfO4E7owDQYJKoZIhvcNAQELBQAw
|
||||||
|
# EzERMA8GA1UEChMIQXV0aGVsaWEwHhcNNzAwMTAxMDAwMDAwWhcNNzEwMTAxMDAw
|
||||||
|
# MDAwWjATMREwDwYDVQQKEwhBdXRoZWxpYTCCASIwDQYJKoZIhvcNAQEBBQADggEP
|
||||||
|
# ADCCAQoCggEBAPKv3pSyP4ozGEiVLJ14dIWFCEGEgq7WUMI0SZZqQA2ID0L59U/Q
|
||||||
|
# /Usyy7uC9gfMUzODTpANtkOjFQcQAsxlR1FOjVBrX5QgjSvXwbQn3DtwMA7XWSl6
|
||||||
|
# LuYx2rBYSlMSN5UZQm/RxMtXfLK2b51WgEEYDFi+nECSqKzR4R54eOPkBEWRfvuY
|
||||||
|
# 91AMjlhpivg8e4JWkq4LVQUKbmiFYwIdK8XQiN4blY9WwXwJFYs5sQ/UYMwBFi0H
|
||||||
|
# kWOh7GEjfxgoUOPauIueZSMSlQp7zqAH39N0ZSYb6cS0Npj57QoWZSY3ak87ebcR
|
||||||
|
# Nf4rCvZLby7LoN7qYCKxmCaDD3x2+NYpWH8CAwEAAaM1MDMwDgYDVR0PAQH/BAQD
|
||||||
|
# AgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcN
|
||||||
|
# AQELBQADggEBAHSITqIQSNzonFl3DzxHPEzr2hp6peo45buAAtu8FZHoA+U7Icfh
|
||||||
|
# /ZXjPg7Xz+hgFwM/DTNGXkMWacQA/PaNWvZspgRJf2AXvNbMSs2UQODr7Tbv+Fb4
|
||||||
|
# lyblmMUNYFMCFVAMU0eIxXAFq2qcwv8UMcQFT0Z/35s6PVOakYnAGGQjTfp5Ljuq
|
||||||
|
# wsdc/xWmM0cHWube6sdRRUD7SY20KU/kWzl8iFO0VbSSrDf1AlEhnLEkp1SPaxXg
|
||||||
|
# OdBnl98MeoramNiJ7NT6Jnyb3zZ578fjaWfThiBpagItI8GZmG4s4Ovh2JbheN8i
|
||||||
|
# ZsjNr9jqHTjhyLVbDRlmJzcqoj4JhbKs6/I^invalid DO NOT USE=
|
||||||
|
# -----END CERTIFICATE-----
|
||||||
|
# -----BEGIN CERTIFICATE-----
|
||||||
|
# MIIDBDCCAeygAwIBAgIRALJsPg21kA0zY4F1wUCIuoMwDQYJKoZIhvcNAQELBQAw
|
||||||
|
# EzERMA8GA1UEChMIQXV0aGVsaWEwHhcNNzAwMTAxMDAwMDAwWhcNNzEwMTAxMDAw
|
||||||
|
# MDAwWjATMREwDwYDVQQKEwhBdXRoZWxpYTCCASIwDQYJKoZIhvcNAQEBBQADggEP
|
||||||
|
# ADCCAQoCggEBAMXHBvVxUzYk0u34/DINMSF+uiOekKOAjOrC6Mi9Ww8ytPVO7t2S
|
||||||
|
# zfTvM+XnEJqkFQFgimERfG/eGhjF9XIEY6LtnXe8ATvOK4nTwdufzBaoeQu3Gd50
|
||||||
|
# 5VXr6OHRo//ErrGvFXwP3g8xLePABsi/fkH3oDN+ztewOBMDzpd+KgTrk8ysv2ou
|
||||||
|
# kNRMKFZZqASvCgv0LD5KWvUCnL6wgf1oTXG7aztduA4oSkUP321GpOmBC5+5ElU7
|
||||||
|
# ysoRzvD12o9QJ/IfEaulIX06w9yVMo60C/h6A3U6GdkT1SiyTIqR7v7KU/IWd/Qi
|
||||||
|
# Lfftcj91VhCmJ73Meff2e2S2PrpjdXbG5FMCAwEAAaNTMFEwDgYDVR0PAQH/BAQD
|
||||||
|
# AgKkMA8GA1UdJQQIMAYGBFUdJQAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU
|
||||||
|
# Z7AtA3mzFc0InSBA5fiMfeLXA3owDQYJKoZIhvcNAQELBQADggEBAEE5hm1mtlk/
|
||||||
|
# kviCoHH4evbpw7rxPxDftIQlqYTtvMM4eWY/6icFoSZ4fUHEWYyps8SsPu/8f2tf
|
||||||
|
# 71LGgZn0FdHi1QU2H8m0HHK7TFw+5Q6RLrLdSyk0PItJ71s9en7r8pX820nAFEHZ
|
||||||
|
# HkOSfJZ7B5hFgUDkMtVM6bardXAhoqcMk4YCU96e9d4PB4eI+xGc+mNuYvov3RbB
|
||||||
|
# D0s8ICyojeyPVLerz4wHjZu68Z5frAzhZ68YbzNs8j2fIBKKHkHyLG1iQyF+LJVj
|
||||||
|
# 2PjCP+auJsj6fQQpMGoyGtpLcSDh+ptcTngUD8JsWipzTCjmaNqdPHAOYmcgtf4b
|
||||||
|
# qocikt3WAdU^invalid DO NOT USE=
|
||||||
|
# -----END CERTIFICATE-----
|
||||||
|
|
||||||
|
## The private key used with the certificate_chain if the server requests TLS Client Authentication
|
||||||
|
## i.e. Mutual TLS.
|
||||||
|
# private_key: |
|
||||||
|
# -----BEGIN RSA PRIVATE KEY-----
|
||||||
|
# MIIEpAIBAAKCAQEA8q/elLI/ijMYSJUsnXh0hYUIQYSCrtZQwjRJlmpADYgPQvn1
|
||||||
|
# T9D9SzLLu4L2B8xTM4NOkA22Q6MVBxACzGVHUU6NUGtflCCNK9fBtCfcO3AwDtdZ
|
||||||
|
# KXou5jHasFhKUxI3lRlCb9HEy1d8srZvnVaAQRgMWL6cQJKorNHhHnh44+QERZF+
|
||||||
|
# +5j3UAyOWGmK+Dx7glaSrgtVBQpuaIVjAh0rxdCI3huVj1bBfAkVizmxD9RgzAEW
|
||||||
|
# LQeRY6HsYSN/GChQ49q4i55lIxKVCnvOoAff03RlJhvpxLQ2mPntChZlJjdqTzt5
|
||||||
|
# txE1/isK9ktvLsug3upgIrGYJoMPfHb41ilYfwIDAQABAoIBAQDTOdFf2JjHH1um
|
||||||
|
# aPgRAvNf9v7Nj5jytaRKs5nM6iNf46ls4QPreXnMhqSeSwj6lpNgBYxOgzC9Q+cc
|
||||||
|
# Y4ob/paJJPaIJTxmP8K/gyWcOQlNToL1l+eJ20eQoZm23NGr5fIsunSBwLEpTrdB
|
||||||
|
# ENqqtcwhW937K8Pxy/Q1nuLyU2bc6Tn/ivLozc8n27dpQWWKh8537VY7ancIaACr
|
||||||
|
# LJJLYxKqhQpjtBWAyCDvZQirnAOm9KnvIHaGXIswCZ4Xbsu0Y9NL+woARPyRVQvG
|
||||||
|
# jfxy4EmO9s1s6y7OObSukwKDSNihAKHx/VIbvVWx8g2Lv5fGOa+J2Y7o9Qurs8t5
|
||||||
|
# BQwMTt0BAoGBAPUw5Z32EszNepAeV3E2mPFUc5CLiqAxagZJuNDO2pKtyN29ETTR
|
||||||
|
# Ma4O1cWtGb6RqcNNN/Iukfkdk27Q5nC9VJSUUPYelOLc1WYOoUf6oKRzE72dkMQV
|
||||||
|
# R4bf6TkjD+OVR17fAfkswkGahZ5XA7j48KIQ+YC4jbnYKSxZTYyKPjH/AoGBAP1i
|
||||||
|
# tqXt36OVlP+y84wWqZSjMelBIVa9phDVGJmmhz3i1cMni8eLpJzWecA3pfnG6Tm9
|
||||||
|
# ze5M4whASleEt+M00gEvNaU9ND+z0wBfi+/DwJYIbv8PQdGrBiZFrPhTPjGQUldR
|
||||||
|
# lXccV2meeLZv7TagVxSi3DO6dSJfSEHyemd5j9mBAoGAX8Hv+0gOQZQCSOTAq8Nx
|
||||||
|
# 6dZcp9gHlNaXnMsP9eTDckOSzh636JPGvj6m+GPJSSbkURUIQ3oyokMNwFqvlNos
|
||||||
|
# fTaLhAOfjBZI9WnDTTQxpugWjphJ4HqbC67JC/qIiw5S6FdaEvGLEEoD4zoChywZ
|
||||||
|
# 9oGAn+fz2d/0/JAH/FpFPgsCgYEAp/ipZgPzziiZ9ov1wbdAQcWRj7RaWnssPFpX
|
||||||
|
# jXwEiXT3CgEMO4MJ4+KWIWOChrti3qFBg6i6lDyyS6Qyls7sLFbUdC7HlTcrOEMe
|
||||||
|
# rBoTcCI1GqZNlqWOVQ65ZIEiaI7o1vPBZo2GMQEZuq8mDKFsOMThvvTrM5cAep84
|
||||||
|
# n6HJR4ECgYABWcbsSnr0MKvVth/inxjbKapbZnp2HUCuw87Ie5zK2Of/tbC20wwk
|
||||||
|
# yKw3vrGoE3O1t1g2m2tn8UGGASeZ842jZWjIODdSi5+icysQGuULKt86h/woz2SQ
|
||||||
|
# 27GoE2i5mh6Yez6VAYbUuns3FcwIsMyWLq043Tu2DNkx9ijOOAuQzw^invalid..
|
||||||
|
# DO NOT USE==
|
||||||
|
# -----END RSA PRIVATE KEY-----
|
||||||
|
|
||||||
## The Redis HA configuration options.
|
## The Redis HA configuration options.
|
||||||
## This provides specific options to Redis Sentinel, sentinel_name must be defined (Master Name).
|
## This provides specific options to Redis Sentinel, sentinel_name must be defined (Master Name).
|
||||||
# high_availability:
|
# high_availability:
|
||||||
|
@ -777,7 +853,7 @@ regulation:
|
||||||
## Storage Provider Configuration
|
## Storage Provider Configuration
|
||||||
##
|
##
|
||||||
## The available providers are: `local`, `mysql`, `postgres`. You must use one and only one of these providers.
|
## The available providers are: `local`, `mysql`, `postgres`. You must use one and only one of these providers.
|
||||||
storage:
|
# storage:
|
||||||
## The encryption key that is used to encrypt sensitive information in the database. Must be a string with a minimum
|
## The encryption key that is used to encrypt sensitive information in the database. Must be a string with a minimum
|
||||||
## length of 20. Please see the docs if you configure this with an undesirable key and need to change it.
|
## length of 20. Please see the docs if you configure this with an undesirable key and need to change it.
|
||||||
# encryption_key: you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this
|
# encryption_key: you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this
|
||||||
|
@ -791,19 +867,20 @@ storage:
|
||||||
## Important: Kubernetes (or HA) users must read https://www.authelia.com/t/statelessness
|
## Important: Kubernetes (or HA) users must read https://www.authelia.com/t/statelessness
|
||||||
##
|
##
|
||||||
# local:
|
# local:
|
||||||
|
## Path to the SQLite3 Database.
|
||||||
# path: /config/db.sqlite3
|
# path: /config/db.sqlite3
|
||||||
|
|
||||||
##
|
##
|
||||||
## MySQL / MariaDB (Storage Provider)
|
## MySQL / MariaDB (Storage Provider)
|
||||||
##
|
##
|
||||||
mysql:
|
# mysql:
|
||||||
host: 127.0.0.1
|
# host: 127.0.0.1
|
||||||
port: 3306
|
# port: 3306
|
||||||
database: authelia
|
# database: authelia
|
||||||
username: authelia
|
# username: authelia
|
||||||
## Password can also be set using a secret: https://www.authelia.com/c/secrets
|
## Password can also be set using a secret: https://www.authelia.com/c/secrets
|
||||||
password: mypassword
|
# password: mypassword
|
||||||
timeout: 5s
|
# timeout: 5s
|
||||||
|
|
||||||
##
|
##
|
||||||
## PostgreSQL (Storage Provider)
|
## PostgreSQL (Storage Provider)
|
||||||
|
@ -814,7 +891,7 @@ storage:
|
||||||
# database: authelia
|
# database: authelia
|
||||||
# schema: public
|
# schema: public
|
||||||
# username: authelia
|
# username: authelia
|
||||||
# ## Password can also be set using a secret: https://www.authelia.com/c/secrets
|
## Password can also be set using a secret: https://www.authelia.com/c/secrets
|
||||||
# password: mypassword
|
# password: mypassword
|
||||||
# timeout: 5s
|
# timeout: 5s
|
||||||
# ssl:
|
# ssl:
|
||||||
|
@ -850,55 +927,131 @@ notifier:
|
||||||
## (only works for unauthenticated connections)
|
## (only works for unauthenticated connections)
|
||||||
## - validate the SMTP server x509 certificate during the TLS handshake against the hosts trusted certificates
|
## - validate the SMTP server x509 certificate during the TLS handshake against the hosts trusted certificates
|
||||||
## (configure in tls section)
|
## (configure in tls section)
|
||||||
smtp:
|
# smtp:
|
||||||
## The SMTP host to connect to.
|
## The SMTP host to connect to.
|
||||||
host: 127.0.0.1
|
# host: 127.0.0.1
|
||||||
|
|
||||||
## The port to connect to the SMTP host on.
|
## The port to connect to the SMTP host on.
|
||||||
port: 1025
|
# port: 1025
|
||||||
|
|
||||||
## The connection timeout.
|
## The connection timeout.
|
||||||
timeout: 5s
|
# timeout: 5s
|
||||||
|
|
||||||
## The username used for SMTP authentication.
|
## The username used for SMTP authentication.
|
||||||
username: test
|
# username: test
|
||||||
|
|
||||||
## The password used for SMTP authentication.
|
## The password used for SMTP authentication.
|
||||||
## Can also be set using a secret: https://www.authelia.com/c/secrets
|
## Can also be set using a secret: https://www.authelia.com/c/secrets
|
||||||
password: password
|
# password: password
|
||||||
|
|
||||||
## The sender is used to is used for the MAIL FROM command and the FROM header.
|
## The sender is used to is used for the MAIL FROM command and the FROM header.
|
||||||
## If this is not defined and the username is an email, we use the username as this value. This can either be just
|
## If this is not defined and the username is an email, we use the username as this value. This can either be just
|
||||||
## an email address or the RFC5322 'Name <email address>' format.
|
## an email address or the RFC5322 'Name <email address>' format.
|
||||||
sender: "Authelia <admin@example.com>"
|
# sender: "Authelia <admin@example.com>"
|
||||||
|
|
||||||
## HELO/EHLO Identifier. Some SMTP Servers may reject the default of localhost.
|
## HELO/EHLO Identifier. Some SMTP Servers may reject the default of localhost.
|
||||||
identifier: localhost
|
# identifier: localhost
|
||||||
|
|
||||||
## Subject configuration of the emails sent. {title} is replaced by the text from the notifier.
|
## Subject configuration of the emails sent. {title} is replaced by the text from the notifier.
|
||||||
subject: "[Authelia] {title}"
|
# subject: "[Authelia] {title}"
|
||||||
|
|
||||||
## This address is used during the startup check to verify the email configuration is correct.
|
## This address is used during the startup check to verify the email configuration is correct.
|
||||||
## It's not important what it is except if your email server only allows local delivery.
|
## It's not important what it is except if your email server only allows local delivery.
|
||||||
startup_check_address: test@authelia.com
|
# startup_check_address: test@authelia.com
|
||||||
|
|
||||||
## By default we require some form of TLS. This disables this check though is not advised.
|
## By default we require some form of TLS. This disables this check though is not advised.
|
||||||
disable_require_tls: false
|
# disable_require_tls: false
|
||||||
|
|
||||||
## Disables sending HTML formatted emails.
|
## Disables sending HTML formatted emails.
|
||||||
disable_html_emails: false
|
# disable_html_emails: false
|
||||||
|
|
||||||
tls:
|
# tls:
|
||||||
## Server Name for certificate validation (in case you are using the IP or non-FQDN in the host option).
|
## Server Name for certificate validation (in case you are using the IP or non-FQDN in the host option).
|
||||||
# server_name: smtp.example.com
|
# server_name: smtp.example.com
|
||||||
|
|
||||||
## Skip verifying the server certificate (to allow a self-signed certificate).
|
## Skip verifying the server certificate (to allow a self-signed certificate).
|
||||||
## In preference to setting this we strongly recommend you add the public portion of the certificate to the
|
## In preference to setting this we strongly recommend you add the public portion of the certificate to the
|
||||||
## certificates directory which is defined by the `certificates_directory` option at the top of the config.
|
## certificates directory which is defined by the `certificates_directory` option at the top of the config.
|
||||||
skip_verify: false
|
# skip_verify: false
|
||||||
|
|
||||||
## Minimum TLS version for either StartTLS or SMTPS.
|
## Minimum TLS version for either StartTLS or SMTPS.
|
||||||
minimum_version: TLS1.2
|
# minimum_version: TLS1.2
|
||||||
|
|
||||||
|
## Maximum TLS version for either StartTLS or SMTPS.
|
||||||
|
# maximum_version: TLS1.3
|
||||||
|
|
||||||
|
## The certificate chain used with the private_key if the server requests TLS Client Authentication
|
||||||
|
## i.e. Mutual TLS.
|
||||||
|
# certificate_chain: |
|
||||||
|
# -----BEGIN CERTIFICATE-----
|
||||||
|
# MIIC5jCCAc6gAwIBAgIRAK4Sj7FiN6PXo/urPfO4E7owDQYJKoZIhvcNAQELBQAw
|
||||||
|
# EzERMA8GA1UEChMIQXV0aGVsaWEwHhcNNzAwMTAxMDAwMDAwWhcNNzEwMTAxMDAw
|
||||||
|
# MDAwWjATMREwDwYDVQQKEwhBdXRoZWxpYTCCASIwDQYJKoZIhvcNAQEBBQADggEP
|
||||||
|
# ADCCAQoCggEBAPKv3pSyP4ozGEiVLJ14dIWFCEGEgq7WUMI0SZZqQA2ID0L59U/Q
|
||||||
|
# /Usyy7uC9gfMUzODTpANtkOjFQcQAsxlR1FOjVBrX5QgjSvXwbQn3DtwMA7XWSl6
|
||||||
|
# LuYx2rBYSlMSN5UZQm/RxMtXfLK2b51WgEEYDFi+nECSqKzR4R54eOPkBEWRfvuY
|
||||||
|
# 91AMjlhpivg8e4JWkq4LVQUKbmiFYwIdK8XQiN4blY9WwXwJFYs5sQ/UYMwBFi0H
|
||||||
|
# kWOh7GEjfxgoUOPauIueZSMSlQp7zqAH39N0ZSYb6cS0Npj57QoWZSY3ak87ebcR
|
||||||
|
# Nf4rCvZLby7LoN7qYCKxmCaDD3x2+NYpWH8CAwEAAaM1MDMwDgYDVR0PAQH/BAQD
|
||||||
|
# AgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcN
|
||||||
|
# AQELBQADggEBAHSITqIQSNzonFl3DzxHPEzr2hp6peo45buAAtu8FZHoA+U7Icfh
|
||||||
|
# /ZXjPg7Xz+hgFwM/DTNGXkMWacQA/PaNWvZspgRJf2AXvNbMSs2UQODr7Tbv+Fb4
|
||||||
|
# lyblmMUNYFMCFVAMU0eIxXAFq2qcwv8UMcQFT0Z/35s6PVOakYnAGGQjTfp5Ljuq
|
||||||
|
# wsdc/xWmM0cHWube6sdRRUD7SY20KU/kWzl8iFO0VbSSrDf1AlEhnLEkp1SPaxXg
|
||||||
|
# OdBnl98MeoramNiJ7NT6Jnyb3zZ578fjaWfThiBpagItI8GZmG4s4Ovh2JbheN8i
|
||||||
|
# ZsjNr9jqHTjhyLVbDRlmJzcqoj4JhbKs6/I^invalid DO NOT USE=
|
||||||
|
# -----END CERTIFICATE-----
|
||||||
|
# -----BEGIN CERTIFICATE-----
|
||||||
|
# MIIDBDCCAeygAwIBAgIRALJsPg21kA0zY4F1wUCIuoMwDQYJKoZIhvcNAQELBQAw
|
||||||
|
# EzERMA8GA1UEChMIQXV0aGVsaWEwHhcNNzAwMTAxMDAwMDAwWhcNNzEwMTAxMDAw
|
||||||
|
# MDAwWjATMREwDwYDVQQKEwhBdXRoZWxpYTCCASIwDQYJKoZIhvcNAQEBBQADggEP
|
||||||
|
# ADCCAQoCggEBAMXHBvVxUzYk0u34/DINMSF+uiOekKOAjOrC6Mi9Ww8ytPVO7t2S
|
||||||
|
# zfTvM+XnEJqkFQFgimERfG/eGhjF9XIEY6LtnXe8ATvOK4nTwdufzBaoeQu3Gd50
|
||||||
|
# 5VXr6OHRo//ErrGvFXwP3g8xLePABsi/fkH3oDN+ztewOBMDzpd+KgTrk8ysv2ou
|
||||||
|
# kNRMKFZZqASvCgv0LD5KWvUCnL6wgf1oTXG7aztduA4oSkUP321GpOmBC5+5ElU7
|
||||||
|
# ysoRzvD12o9QJ/IfEaulIX06w9yVMo60C/h6A3U6GdkT1SiyTIqR7v7KU/IWd/Qi
|
||||||
|
# Lfftcj91VhCmJ73Meff2e2S2PrpjdXbG5FMCAwEAAaNTMFEwDgYDVR0PAQH/BAQD
|
||||||
|
# AgKkMA8GA1UdJQQIMAYGBFUdJQAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU
|
||||||
|
# Z7AtA3mzFc0InSBA5fiMfeLXA3owDQYJKoZIhvcNAQELBQADggEBAEE5hm1mtlk/
|
||||||
|
# kviCoHH4evbpw7rxPxDftIQlqYTtvMM4eWY/6icFoSZ4fUHEWYyps8SsPu/8f2tf
|
||||||
|
# 71LGgZn0FdHi1QU2H8m0HHK7TFw+5Q6RLrLdSyk0PItJ71s9en7r8pX820nAFEHZ
|
||||||
|
# HkOSfJZ7B5hFgUDkMtVM6bardXAhoqcMk4YCU96e9d4PB4eI+xGc+mNuYvov3RbB
|
||||||
|
# D0s8ICyojeyPVLerz4wHjZu68Z5frAzhZ68YbzNs8j2fIBKKHkHyLG1iQyF+LJVj
|
||||||
|
# 2PjCP+auJsj6fQQpMGoyGtpLcSDh+ptcTngUD8JsWipzTCjmaNqdPHAOYmcgtf4b
|
||||||
|
# qocikt3WAdU^invalid DO NOT USE=
|
||||||
|
# -----END CERTIFICATE-----
|
||||||
|
|
||||||
|
## The private key used with the certificate_chain if the server requests TLS Client Authentication
|
||||||
|
## i.e. Mutual TLS.
|
||||||
|
# private_key: |
|
||||||
|
# -----BEGIN RSA PRIVATE KEY-----
|
||||||
|
# MIIEpAIBAAKCAQEA8q/elLI/ijMYSJUsnXh0hYUIQYSCrtZQwjRJlmpADYgPQvn1
|
||||||
|
# T9D9SzLLu4L2B8xTM4NOkA22Q6MVBxACzGVHUU6NUGtflCCNK9fBtCfcO3AwDtdZ
|
||||||
|
# KXou5jHasFhKUxI3lRlCb9HEy1d8srZvnVaAQRgMWL6cQJKorNHhHnh44+QERZF+
|
||||||
|
# +5j3UAyOWGmK+Dx7glaSrgtVBQpuaIVjAh0rxdCI3huVj1bBfAkVizmxD9RgzAEW
|
||||||
|
# LQeRY6HsYSN/GChQ49q4i55lIxKVCnvOoAff03RlJhvpxLQ2mPntChZlJjdqTzt5
|
||||||
|
# txE1/isK9ktvLsug3upgIrGYJoMPfHb41ilYfwIDAQABAoIBAQDTOdFf2JjHH1um
|
||||||
|
# aPgRAvNf9v7Nj5jytaRKs5nM6iNf46ls4QPreXnMhqSeSwj6lpNgBYxOgzC9Q+cc
|
||||||
|
# Y4ob/paJJPaIJTxmP8K/gyWcOQlNToL1l+eJ20eQoZm23NGr5fIsunSBwLEpTrdB
|
||||||
|
# ENqqtcwhW937K8Pxy/Q1nuLyU2bc6Tn/ivLozc8n27dpQWWKh8537VY7ancIaACr
|
||||||
|
# LJJLYxKqhQpjtBWAyCDvZQirnAOm9KnvIHaGXIswCZ4Xbsu0Y9NL+woARPyRVQvG
|
||||||
|
# jfxy4EmO9s1s6y7OObSukwKDSNihAKHx/VIbvVWx8g2Lv5fGOa+J2Y7o9Qurs8t5
|
||||||
|
# BQwMTt0BAoGBAPUw5Z32EszNepAeV3E2mPFUc5CLiqAxagZJuNDO2pKtyN29ETTR
|
||||||
|
# Ma4O1cWtGb6RqcNNN/Iukfkdk27Q5nC9VJSUUPYelOLc1WYOoUf6oKRzE72dkMQV
|
||||||
|
# R4bf6TkjD+OVR17fAfkswkGahZ5XA7j48KIQ+YC4jbnYKSxZTYyKPjH/AoGBAP1i
|
||||||
|
# tqXt36OVlP+y84wWqZSjMelBIVa9phDVGJmmhz3i1cMni8eLpJzWecA3pfnG6Tm9
|
||||||
|
# ze5M4whASleEt+M00gEvNaU9ND+z0wBfi+/DwJYIbv8PQdGrBiZFrPhTPjGQUldR
|
||||||
|
# lXccV2meeLZv7TagVxSi3DO6dSJfSEHyemd5j9mBAoGAX8Hv+0gOQZQCSOTAq8Nx
|
||||||
|
# 6dZcp9gHlNaXnMsP9eTDckOSzh636JPGvj6m+GPJSSbkURUIQ3oyokMNwFqvlNos
|
||||||
|
# fTaLhAOfjBZI9WnDTTQxpugWjphJ4HqbC67JC/qIiw5S6FdaEvGLEEoD4zoChywZ
|
||||||
|
# 9oGAn+fz2d/0/JAH/FpFPgsCgYEAp/ipZgPzziiZ9ov1wbdAQcWRj7RaWnssPFpX
|
||||||
|
# jXwEiXT3CgEMO4MJ4+KWIWOChrti3qFBg6i6lDyyS6Qyls7sLFbUdC7HlTcrOEMe
|
||||||
|
# rBoTcCI1GqZNlqWOVQ65ZIEiaI7o1vPBZo2GMQEZuq8mDKFsOMThvvTrM5cAep84
|
||||||
|
# n6HJR4ECgYABWcbsSnr0MKvVth/inxjbKapbZnp2HUCuw87Ie5zK2Of/tbC20wwk
|
||||||
|
# yKw3vrGoE3O1t1g2m2tn8UGGASeZ842jZWjIODdSi5+icysQGuULKt86h/woz2SQ
|
||||||
|
# 27GoE2i5mh6Yez6VAYbUuns3FcwIsMyWLq043Tu2DNkx9ijOOAuQzw^invalid..
|
||||||
|
# DO NOT USE==
|
||||||
|
# -----END RSA PRIVATE KEY-----
|
||||||
|
|
||||||
##
|
##
|
||||||
## Identity Providers
|
## Identity Providers
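Review bot: The example PEM blocks newly added under `# certificate_chain: |` and `# private_key: |` in the Redis and SMTP `tls` sections put key material inline in the file that operators copy as their starting configuration, and nothing next to them says where a real key should live. The `^invalid DO NOT USE` markers keep the sample unusable, but the `-----BEGIN RSA PRIVATE KEY-----` header will still be matched by secret scanners once an operator commits a copy of this template. The `password` options in the same hunks each carry `## Password can also be set using a secret: https://www.authelia.com/c/secrets`; a parallel line above `# private_key: |`, such as `## Prefer loading the key from a file or secret with restricted permissions rather than embedding it here.` (referencing the secrets page if that mechanism covers this option — not verified from this diff), would give the same steer. The same blocks appear in the earlier file section whose start is outside this page.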
|
||||||
|
|
|
@ -48,13 +48,13 @@ var ErrTLSVersionNotSupported = errors.New("supplied tls version isn't supported
|
||||||
const ProfileRefreshDisabled = "disable"
|
const ProfileRefreshDisabled = "disable"
|
||||||
|
|
||||||
const (
|
const (
|
||||||
// ProfileRefreshAlways represents a Value for refresh_interval that's the same as 0ms.
|
// ProfileRefreshAlways represents a value for refresh_interval that's the same as 0ms.
|
||||||
ProfileRefreshAlways = "always"
|
ProfileRefreshAlways = "always"
|
||||||
|
|
||||||
// RefreshIntervalDefault represents the default Value of refresh_interval.
|
// RefreshIntervalDefault represents the default value of refresh_interval.
|
||||||
RefreshIntervalDefault = "5m"
|
RefreshIntervalDefault = "5m"
|
||||||
|
|
||||||
// RefreshIntervalAlways represents the duration Value refresh interval should have if set to always.
|
// RefreshIntervalAlways represents the duration value refresh interval should have if set to always.
|
||||||
RefreshIntervalAlways = 0 * time.Millisecond
|
RefreshIntervalAlways = 0 * time.Millisecond
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|