refactor: misc consistency fixes (#5406)
Misc consistency fixes to docs and related content. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>pull/5409/head
parent
713f8e9ab7
commit
a0deacff55
|
@ -1,12 +1,12 @@
|
||||||
---
|
---
|
||||||
name: Bug Report
|
name: 'Bug Report'
|
||||||
description: Report a bug
|
description: 'Report a bug'
|
||||||
labels:
|
labels:
|
||||||
- type/bug/unconfirmed
|
- 'type/bug/unconfirmed'
|
||||||
- status/needs-triage
|
- 'status/needs-triage'
|
||||||
- priority/4/normal
|
- 'priority/4/normal'
|
||||||
body:
|
body:
|
||||||
- type: markdown
|
- type: 'markdown'
|
||||||
attributes:
|
attributes:
|
||||||
value: |
|
value: |
|
||||||
Thanks for taking the time to fill out this bug report. If you are unsure if this is actually a bug and you still need some form of support we generally recommend creating a [Question and Answer Discussion](https://github.com/authelia/authelia/discussions/new?category=q-a) first.
|
Thanks for taking the time to fill out this bug report. If you are unsure if this is actually a bug and you still need some form of support we generally recommend creating a [Question and Answer Discussion](https://github.com/authelia/authelia/discussions/new?category=q-a) first.
|
||||||
|
@ -25,160 +25,190 @@ body:
|
||||||
- Do not truncate any logs unless you are complying with the specific instructions in the [Logs](https://www.authelia.com/r/troubleshooting#logs) section.
|
- Do not truncate any logs unless you are complying with the specific instructions in the [Logs](https://www.authelia.com/r/troubleshooting#logs) section.
|
||||||
- If you plan on sanitizing, removing, or adjusting any values for the logs or configuration files please read the [Sanitization](https://www.authelia.com/r/troubleshooting#sanitization) section.
|
- If you plan on sanitizing, removing, or adjusting any values for the logs or configuration files please read the [Sanitization](https://www.authelia.com/r/troubleshooting#sanitization) section.
|
||||||
7. Please consider including a [HTTP Archive File](https://www.authelia.com/r/har) if you're having redirection issues.
|
7. Please consider including a [HTTP Archive File](https://www.authelia.com/r/har) if you're having redirection issues.
|
||||||
- type: dropdown
|
- type: 'dropdown'
|
||||||
id: version
|
id: 'version'
|
||||||
attributes:
|
attributes:
|
||||||
label: Version
|
label: |
|
||||||
description: What version(s) of Authelia can you reproduce this bug on?
|
Version
|
||||||
|
description: |
|
||||||
|
What version(s) of Authelia can you reproduce this bug on?
|
||||||
multiple: true
|
multiple: true
|
||||||
options:
|
options:
|
||||||
- v4.37.5
|
- 'v4.37.5'
|
||||||
- v4.37.4
|
- 'v4.37.4'
|
||||||
- v4.37.3
|
- 'v4.37.3'
|
||||||
- v4.37.2
|
- 'v4.37.2'
|
||||||
- v4.37.1
|
- 'v4.37.1'
|
||||||
- v4.37.0
|
- 'v4.37.0'
|
||||||
- v4.36.9
|
- 'v4.36.9'
|
||||||
- v4.36.8
|
- 'v4.36.8'
|
||||||
- v4.36.7
|
- 'v4.36.7'
|
||||||
- v4.36.6
|
- 'v4.36.6'
|
||||||
- v4.36.5
|
- 'v4.36.5'
|
||||||
- v4.36.4
|
- 'v4.36.4'
|
||||||
- v4.36.3
|
- 'v4.36.3'
|
||||||
- v4.36.2
|
- 'v4.36.2'
|
||||||
- v4.36.1
|
- 'v4.36.1'
|
||||||
- v4.36.0
|
- 'v4.36.0'
|
||||||
- v4.35.6
|
- 'v4.35.6'
|
||||||
- v4.35.5
|
- 'v4.35.5'
|
||||||
- v4.35.4
|
- 'v4.35.4'
|
||||||
- v4.35.3
|
- 'v4.35.3'
|
||||||
- v4.35.2
|
- 'v4.35.2'
|
||||||
- v4.35.1
|
- 'v4.35.1'
|
||||||
- v4.35.0
|
- 'v4.35.0'
|
||||||
- v4.34.6
|
- 'v4.34.6'
|
||||||
- v4.34.5
|
- 'v4.34.5'
|
||||||
- v4.34.4
|
- 'v4.34.4'
|
||||||
- v4.34.3
|
- 'v4.34.3'
|
||||||
- v4.34.2
|
- 'v4.34.2'
|
||||||
- v4.34.1
|
- 'v4.34.1'
|
||||||
- v4.34.0
|
- 'v4.34.0'
|
||||||
- v4.33.2
|
- 'v4.33.2'
|
||||||
- v4.33.1
|
- 'v4.33.1'
|
||||||
- v4.33.0
|
- 'v4.33.0'
|
||||||
- v4.32.2
|
- 'v4.32.2'
|
||||||
- v4.32.1
|
- 'v4.32.1'
|
||||||
- v4.32.0
|
- 'v4.32.0'
|
||||||
validations:
|
validations:
|
||||||
required: true
|
required: true
|
||||||
- type: dropdown
|
- type: 'dropdown'
|
||||||
id: deployment
|
id: 'deployment'
|
||||||
attributes:
|
attributes:
|
||||||
label: Deployment Method
|
label: |
|
||||||
description: How are you deploying Authelia?
|
Deployment Method
|
||||||
|
description: |
|
||||||
|
How are you deploying Authelia?
|
||||||
options:
|
options:
|
||||||
- Docker
|
- 'Docker'
|
||||||
- Kubernetes
|
- 'Kubernetes'
|
||||||
- Bare-metal
|
- 'Bare-metal'
|
||||||
- Other
|
- 'Other'
|
||||||
validations:
|
validations:
|
||||||
required: true
|
required: true
|
||||||
- type: dropdown
|
- type: 'dropdown'
|
||||||
id: proxy
|
id: 'proxy'
|
||||||
attributes:
|
attributes:
|
||||||
label: Reverse Proxy
|
label: |
|
||||||
description: What reverse proxy are you using?
|
Reverse Proxy
|
||||||
|
description: |
|
||||||
|
What reverse proxy are you using?
|
||||||
options:
|
options:
|
||||||
- Caddy
|
- 'Caddy'
|
||||||
- Traefik
|
- 'Traefik'
|
||||||
- Envoy
|
- 'Envoy'
|
||||||
- Istio
|
- 'Istio'
|
||||||
- NGINX
|
- 'NGINX'
|
||||||
- SWAG
|
- 'SWAG'
|
||||||
- NGINX Proxy Manager
|
- 'NGINX Proxy Manager'
|
||||||
- HAProxy
|
- 'HAProxy'
|
||||||
validations:
|
validations:
|
||||||
required: true
|
required: true
|
||||||
- type: input
|
- type: 'input'
|
||||||
id: proxy-version
|
id: 'proxy-version'
|
||||||
attributes:
|
attributes:
|
||||||
label: Reverse Proxy Version
|
label: |
|
||||||
description: What is the version of your reverse proxy?
|
Reverse Proxy Version
|
||||||
placeholder: x.x.x
|
description: |
|
||||||
|
What is the version of your reverse proxy?
|
||||||
|
placeholder: 'x.x.x'
|
||||||
validations:
|
validations:
|
||||||
required: false
|
required: false
|
||||||
- type: textarea
|
- type: 'textarea'
|
||||||
id: description
|
id: 'description'
|
||||||
attributes:
|
attributes:
|
||||||
label: Description
|
label: |
|
||||||
description: Describe the bug.
|
Description
|
||||||
|
description: |
|
||||||
|
Describe the bug.
|
||||||
validations:
|
validations:
|
||||||
required: true
|
required: true
|
||||||
- type: textarea
|
- type: 'textarea'
|
||||||
id: reproduction
|
id: 'reproduction'
|
||||||
attributes:
|
attributes:
|
||||||
label: Reproduction
|
label: |
|
||||||
description: Describe how we can reproduce this issue. This should be step by step and should include detailed and specific information. Abstract or generic information should be avoided. For example this should include specific application names and versions if relevant. Reproducing the issue is important so we can verify it exists, add relevant tests, and verify it is solved.
|
Reproduction
|
||||||
|
description: |
|
||||||
|
Describe how we can reproduce this issue. This should be step by step and should include detailed and specific information. Abstract or generic information should be avoided. For example this should include specific application names and versions if relevant. Reproducing the issue is important so we can verify it exists, add relevant tests, and verify it is solved.
|
||||||
validations:
|
validations:
|
||||||
required: true
|
required: true
|
||||||
- type: textarea
|
- type: 'textarea'
|
||||||
id: expectations
|
id: 'expectations'
|
||||||
attributes:
|
attributes:
|
||||||
label: Expectations
|
label: |
|
||||||
description: Describe the desired or expected results.
|
Expectations
|
||||||
|
description: |
|
||||||
|
Describe the desired or expected results.
|
||||||
validations:
|
validations:
|
||||||
required: false
|
required: false
|
||||||
- type: textarea
|
- type: 'textarea'
|
||||||
id: configuration
|
id: 'configuration'
|
||||||
attributes:
|
attributes:
|
||||||
label: Configuration (Authelia)
|
label: |
|
||||||
description: Provide a complete configuration file (the template will automatically put this content in a code block).
|
Configuration (Authelia)
|
||||||
render: yaml
|
description: |
|
||||||
|
Provide a complete configuration file (the template will automatically put this content in a code block).
|
||||||
|
render: 'yaml'
|
||||||
validations:
|
validations:
|
||||||
required: false
|
required: false
|
||||||
- type: textarea
|
- type: 'textarea'
|
||||||
id: logs
|
id: 'logs'
|
||||||
attributes:
|
attributes:
|
||||||
label: Logs (Authelia)
|
label: |
|
||||||
|
Logs (Authelia)
|
||||||
description: |
|
description: |
|
||||||
Provide complete logs with the log level set to debug or trace. Complete means from application start until the issue occurring. This is clearly explained in the [Logs](https://www.authelia.com/r/troubleshooting#logs) section of the troubleshooting guide.
|
Provide complete logs with the log level set to debug or trace. Complete means from application start until the issue occurring. This is clearly explained in the [Logs](https://www.authelia.com/r/troubleshooting#logs) section of the troubleshooting guide.
|
||||||
|
|
||||||
The template will automatically put this content in a code block so you can just paste it.
|
The template will automatically put this content in a code block so you can just paste it.
|
||||||
render: shell
|
render: 'shell'
|
||||||
validations:
|
validations:
|
||||||
required: true
|
required: true
|
||||||
- type: textarea
|
- type: 'textarea'
|
||||||
id: logs-other
|
id: 'logs-other'
|
||||||
attributes:
|
attributes:
|
||||||
label: Logs (Proxy / Application)
|
label: |
|
||||||
description: Provide complete debug logs for the affected proxy and/or application if available and relevant (the template will automatically put this content in a code block).
|
Logs (Proxy / Application)
|
||||||
render: shell
|
description: |
|
||||||
|
Provide complete debug logs for the affected proxy and/or application if available and relevant (the template will automatically put this content in a code block).
|
||||||
|
render: 'shell'
|
||||||
validations:
|
validations:
|
||||||
required: false
|
required: false
|
||||||
- type: textarea
|
- type: 'textarea'
|
||||||
id: documentation
|
id: 'documentation'
|
||||||
attributes:
|
attributes:
|
||||||
label: Documentation
|
label: |
|
||||||
description: Provide any relevant specification or other documentation if applicable.
|
Documentation
|
||||||
|
description: |
|
||||||
|
Provide any relevant specification or other documentation if applicable.
|
||||||
validations:
|
validations:
|
||||||
required: false
|
required: false
|
||||||
- type: checkboxes
|
- type: 'checkboxes'
|
||||||
id: checklist
|
id: 'checklist'
|
||||||
attributes:
|
attributes:
|
||||||
label: Pre-Submission Checklist
|
label: |
|
||||||
description: By submitting this issue confirm all of the following.
|
Pre-Submission Checklist
|
||||||
|
description: |
|
||||||
|
By submitting this issue confirm all of the following.
|
||||||
options:
|
options:
|
||||||
- label: I agree to follow the [Code of Conduct](http://www.authelia.com/code-of-conduct)
|
- label: |
|
||||||
|
I agree to follow the [Code of Conduct](http://www.authelia.com/code-of-conduct)
|
||||||
required: true
|
required: true
|
||||||
- label: This is a bug report and not a support request
|
- label: |
|
||||||
|
This is a bug report and not a support request
|
||||||
required: true
|
required: true
|
||||||
- label: I have read the security policy and this bug report is not a security issue or security related issue
|
- label: |
|
||||||
|
I have read the security policy and this bug report is not a security issue or security related issue
|
||||||
required: true
|
required: true
|
||||||
- label: I have either included the complete configuration file or I am sure it's unrelated to the configuration
|
- label: |
|
||||||
|
I have either included the complete configuration file or I am sure it's unrelated to the configuration
|
||||||
required: true
|
required: true
|
||||||
- label: I have provided all of the required information in full with the only alteration being reasonable sanitization in accordance with the [Troubleshooting Sanitization](https://www.authelia.com/r/sanitize) reference guide
|
- label: |
|
||||||
|
I have provided all of the required information in full with the only alteration being reasonable sanitization in accordance with the [Troubleshooting Sanitization](https://www.authelia.com/r/sanitize) reference guide
|
||||||
required: true
|
required: true
|
||||||
- label: I have checked for related proxy or application logs and included them if available
|
- label: |
|
||||||
|
I have checked for related proxy or application logs and included them if available
|
||||||
required: true
|
required: true
|
||||||
- label: I have checked for related issues and checked the documentation
|
- label: |
|
||||||
|
I have checked for related issues and checked the documentation
|
||||||
required: true
|
required: true
|
||||||
...
|
...
|
||||||
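Review bot: The Code of Conduct link in the first checklist `label` block is still `http://www.authelia.com/code-of-conduct`, while every other link in this template uses `https://`; since the hunk already rewrites that line into a block scalar it is the natural place to also correct the scheme, `https://www.authelia.com/code-of-conduct`. Separately, the literal block scalars this hunk introduces for every `label` (`label: |` followed by the text on the next line) keep a trailing newline in the resulting string; if that shows up in the rendered form, `|-` strips it while keeping the same multi-line layout.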
|
|
|
@ -90,13 +90,13 @@ server:
|
||||||
## Server Timeouts configuration.
|
## Server Timeouts configuration.
|
||||||
# timeouts:
|
# timeouts:
|
||||||
|
|
||||||
## Read timeout.
|
## Read timeout in the duration common syntax.
|
||||||
# read: '6s'
|
# read: '6s'
|
||||||
|
|
||||||
## Write timeout.
|
## Write timeout in the duration common syntax.
|
||||||
# write: '6s'
|
# write: '6s'
|
||||||
|
|
||||||
## Idle timeout.
|
## Idle timeout in the duration common syntax.
|
||||||
# idle: '30s'
|
# idle: '30s'
|
||||||
|
|
||||||
## Server Endpoints configuration.
|
## Server Endpoints configuration.
|
||||||
|
@ -171,13 +171,13 @@ telemetry:
|
||||||
## Metrics Server Timeouts configuration.
|
## Metrics Server Timeouts configuration.
|
||||||
# timeouts:
|
# timeouts:
|
||||||
|
|
||||||
## Read timeout.
|
## Read timeout in the duration common syntax.
|
||||||
# read: '6s'
|
# read: '6s'
|
||||||
|
|
||||||
## Write timeout.
|
## Write timeout in the duration common syntax.
|
||||||
# write: '6s'
|
# write: '6s'
|
||||||
|
|
||||||
## Idle timeout.
|
## Idle timeout in the duration common syntax.
|
||||||
# idle: '30s'
|
# idle: '30s'
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -223,7 +223,7 @@ webauthn:
|
||||||
## Disable WebAuthn.
|
## Disable WebAuthn.
|
||||||
disable: false
|
disable: false
|
||||||
|
|
||||||
## Adjust the interaction timeout for WebAuthn dialogues.
|
## The interaction timeout for WebAuthn dialogues in the duration common syntax.
|
||||||
timeout: '60s'
|
timeout: '60s'
|
||||||
|
|
||||||
## The display name the browser should show the user for when using WebAuthn to login/register.
|
## The display name the browser should show the user for when using WebAuthn to login/register.
|
||||||
|
@ -264,7 +264,7 @@ ntp:
|
||||||
## NTP version.
|
## NTP version.
|
||||||
version: 4
|
version: 4
|
||||||
|
|
||||||
## Maximum allowed time offset between the host and the NTP server in duration common syntax.
|
## Maximum allowed time offset between the host and the NTP server in the duration common syntax.
|
||||||
max_desync: '3s'
|
max_desync: '3s'
|
||||||
|
|
||||||
## Disables the NTP check on startup entirely. This means Authelia will not contact a remote service at all if you
|
## Disables the NTP check on startup entirely. This means Authelia will not contact a remote service at all if you
|
||||||
|
@ -293,14 +293,13 @@ authentication_backend:
|
||||||
## functionality.
|
## functionality.
|
||||||
custom_url: ''
|
custom_url: ''
|
||||||
|
|
||||||
## The amount of time to wait before we refresh data from the authentication backend. Uses duration notation.
|
## The amount of time to wait before we refresh data from the authentication backend in the duration common syntax.
|
||||||
## To disable this feature set it to 'disable', this will slightly reduce security because for Authelia, users will
|
## To disable this feature set it to 'disable', this will slightly reduce security because for Authelia, users will
|
||||||
## always belong to groups they belonged to at the time of login even if they have been removed from them in LDAP.
|
## always belong to groups they belonged to at the time of login even if they have been removed from them in LDAP.
|
||||||
## To force update on every request you can set this to '0' or 'always', this will increase processor demand.
|
## To force update on every request you can set this to '0' or 'always', this will increase processor demand.
|
||||||
## See the below documentation for more information.
|
## See the below documentation for more information.
|
||||||
## Duration Notation docs: https://www.authelia.com/c/common#duration
|
|
||||||
## Refresh Interval docs: https://www.authelia.com/c/1fa#refresh-interval
|
## Refresh Interval docs: https://www.authelia.com/c/1fa#refresh-interval
|
||||||
refresh_interval: 5m
|
refresh_interval: '5m'
|
||||||
|
|
||||||
##
|
##
|
||||||
## LDAP (Authentication Provider)
|
## LDAP (Authentication Provider)
|
||||||
|
@ -736,7 +735,6 @@ session:
|
||||||
# same_site: 'lax'
|
# same_site: 'lax'
|
||||||
|
|
||||||
## The value for inactivity, expiration, and remember_me are in seconds or the duration common syntax.
|
## The value for inactivity, expiration, and remember_me are in seconds or the duration common syntax.
|
||||||
## See: https://www.authelia.com/c/common#duration
|
|
||||||
## All three of these values affect the cookie/session validity period. Longer periods are considered less secure
|
## All three of these values affect the cookie/session validity period. Longer periods are considered less secure
|
||||||
## because a stolen cookie will last longer giving attackers more time to spy or attack.
|
## because a stolen cookie will last longer giving attackers more time to spy or attack.
|
||||||
|
|
||||||
|
@ -753,30 +751,19 @@ session:
|
||||||
## this value to -1 disables remember me for this session cookie domain.
|
## this value to -1 disables remember me for this session cookie domain.
|
||||||
# remember_me: '1M'
|
# remember_me: '1M'
|
||||||
|
|
||||||
## Cookie Session Domain default 'name' value. The name of the session cookie.
|
## Cookie Session Domain default 'name' value.
|
||||||
name: 'authelia_session'
|
name: 'authelia_session'
|
||||||
|
|
||||||
## Cookie Session Domain default 'same_site' value. Sets the Cookie SameSite value. Possible options are none, lax,
|
## Cookie Session Domain default 'same_site' value.
|
||||||
## or strict. Please read https://www.authelia.com/c/session#same_site
|
|
||||||
same_site: 'lax'
|
same_site: 'lax'
|
||||||
|
|
||||||
## The value for inactivity, expiration, and remember_me are in seconds or the duration common syntax.
|
## Cookie Session Domain default 'inactivity' value.
|
||||||
## See: https://www.authelia.com/c/common#duration
|
|
||||||
## All three of these values affect the cookie/session validity period. Longer periods are considered less secure
|
|
||||||
## because a stolen cookie will last longer giving attackers more time to spy or attack.
|
|
||||||
|
|
||||||
## Cookie Session Domain default 'inactivity' value. The inactivity time before the session is reset. If expiration is
|
|
||||||
## set to 1h, and this is set to 5m, if the user does not select the remember me option their session will get
|
|
||||||
## destroyed after 1h, or after 5m since the last time Authelia detected user activity.
|
|
||||||
inactivity: '5m'
|
inactivity: '5m'
|
||||||
|
|
||||||
## Cookie Session Domain default 'expiration' value. The time before the session cookie expires and the session is
|
## Cookie Session Domain default 'expiration' value.
|
||||||
## destroyed if remember me IS NOT selected by the user.
|
|
||||||
expiration: '1h'
|
expiration: '1h'
|
||||||
|
|
||||||
## Cookie Session Domain default 'remember_me' value. The time before the cookie expires and the session is destroyed
|
## Cookie Session Domain default 'remember_me' value.
|
||||||
## if remember me IS selected by the user. Setting this value to -1 disables remember me for all session cookie
|
|
||||||
## domains which do not have a specific 'remember_me' value.
|
|
||||||
remember_me: '1M'
|
remember_me: '1M'
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -934,11 +921,11 @@ regulation:
|
||||||
## The number of failed login attempts before user is banned. Set it to 0 to disable regulation.
|
## The number of failed login attempts before user is banned. Set it to 0 to disable regulation.
|
||||||
max_retries: 3
|
max_retries: 3
|
||||||
|
|
||||||
## The time range in duration common syntax during which the user can attempt login before being banned. The user is
|
## The time range during which the user can attempt login before being banned in the duration common syntax. The user
|
||||||
## banned if the authentication failed 'max_retries' times in a 'find_time' seconds window.
|
## is banned if the authentication failed 'max_retries' times in a 'find_time' seconds window.
|
||||||
find_time: '2m'
|
find_time: '2m'
|
||||||
|
|
||||||
## The length of time in duration common syntax before a banned user can login again.
|
## The length of time before a banned user can login again in the duration common syntax.
|
||||||
ban_time: '5m'
|
ban_time: '5m'
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -1441,7 +1428,7 @@ notifier:
|
||||||
# DO NOT USE==
|
# DO NOT USE==
|
||||||
# -----END RSA PRIVATE KEY-----
|
# -----END RSA PRIVATE KEY-----
|
||||||
|
|
||||||
## The lifespans configure the expiration for these token types.
|
## The lifespans configure the expiration for these token types in the duration common syntax.
|
||||||
# access_token_lifespan: '1h'
|
# access_token_lifespan: '1h'
|
||||||
# authorize_code_lifespan: '1m'
|
# authorize_code_lifespan: '1m'
|
||||||
# id_token_lifespan: '1h'
|
# id_token_lifespan: '1h'
|
||||||
|
@ -1547,6 +1534,6 @@ notifier:
|
||||||
# consent_mode: 'auto'
|
# consent_mode: 'auto'
|
||||||
|
|
||||||
## This value controls the duration a consent on this client remains remembered when the consent mode is
|
## This value controls the duration a consent on this client remains remembered when the consent mode is
|
||||||
## configured as 'auto' or 'pre-configured'.
|
## configured as 'auto' or 'pre-configured' in the duration common syntax.
|
||||||
# pre_configured_consent_duration: '1w'
|
# pre_configured_consent_duration: '1w'
|
||||||
...
|
...
|
||||||
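Review bot: The shortened comments in the `@ -753,30 +751,19 @@` hunk drop the only in-template explanation of what `inactivity`, `expiration` and `remember_me` control, that `-1` disables remember me, and which `same_site` values are valid, and with the `## See:` lines removed the template no longer points anywhere for them. Deleting the duplicated `All three of these values…` paragraph is right, but a one-line pointer would keep the template self-sufficient, e.g. `## See: https://www.authelia.com/c/session#same_site` above the `same_site` default, which is the link the hunk removes. The session block continues outside the hunk.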
|
|
|
@ -22,6 +22,7 @@ aliases:
|
||||||
```yaml
|
```yaml
|
||||||
server:
|
server:
|
||||||
address: 'tcp://:9091'
|
address: 'tcp://:9091'
|
||||||
|
umask: 0022
|
||||||
path: ''
|
path: ''
|
||||||
disable_healthcheck: false
|
disable_healthcheck: false
|
||||||
tls:
|
tls:
|
||||||
|
@ -67,7 +68,7 @@ see the [documentation](../prologue/common.md#address) on this format for more i
|
||||||
Configures the listener address for the Main HTTP Server. The address itself is a listener and the scheme must either be
|
Configures the listener address for the Main HTTP Server. The address itself is a listener and the scheme must either be
|
||||||
the `unix` scheme or one of the `tcp` schemes.
|
the `unix` scheme or one of the `tcp` schemes.
|
||||||
|
|
||||||
__Example:__
|
__Examples:__
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
server:
|
server:
|
||||||
|
@ -83,8 +84,15 @@ server:
|
||||||
|
|
||||||
{{< confkey type="int" required="no" >}}
|
{{< confkey type="int" required="no" >}}
|
||||||
|
|
||||||
If set temporarily changes the Umask during the creation of the unix domain socket if configured as such in the
|
If set temporarily changes the umask during the creation of the unix domain socket if configured as such in the
|
||||||
[address](#address).
|
[address](#address). Typically this should be set before the process is actually running and users should not use this
|
||||||
|
option, however it's recognized in various specific scenarios this may not be completely adequate.
|
||||||
|
|
||||||
|
One such example is when you want the proxy to have permission to the socket but not the files, in which case running a
|
||||||
|
umask of `0077` by default is good, and running a umask of `0027` so that the group Authelia is running as has
|
||||||
|
permission to the socket.
|
||||||
|
|
||||||
|
This value should typically be prefixed with a `0` to ensure the relevant parsers handle it correctly.
|
||||||
|
|
||||||
### path
|
### path
|
||||||
|
|
||||||
|
@ -203,11 +211,11 @@ Enables the go [pprof](https://pkg.go.dev/net/http/pprof) endpoints.
|
||||||
|
|
||||||
#### enable_expvars
|
#### enable_expvars
|
||||||
|
|
||||||
|
{{< confkey type="boolean" default="false" required="no" >}}
|
||||||
|
|
||||||
*__Security Note:__ This is a developer endpoint. __DO NOT__ enable it unless you know why you're enabling it.
|
*__Security Note:__ This is a developer endpoint. __DO NOT__ enable it unless you know why you're enabling it.
|
||||||
__DO NOT__ enable this in production.*
|
__DO NOT__ enable this in production.*
|
||||||
|
|
||||||
{{< confkey type="boolean" default="false" required="no" >}}
|
|
||||||
|
|
||||||
Enables the go [expvar](https://pkg.go.dev/expvar) endpoints.
|
Enables the go [expvar](https://pkg.go.dev/expvar) endpoints.
|
||||||
|
|
||||||
#### authz
|
#### authz
|
||||||
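Review bot: The umask example in the `@ -83,8 +84,15 @@` hunk does not achieve what it describes: a unix socket is created with mode `0777 & ~umask`, so a umask of `0027` yields `0750`, and on Linux connecting to a stream socket requires write permission on the socket file, which group members would then lack (unless the socket's mode is adjusted after creation, which this page does not mention). A group-accessible socket needs the group write bit, so the sentence should read along the lines of `running a umask of 0007 so that the group Authelia is running as has permission to the socket`, with `0077` remaining the least-privilege default when only the same user connects. The identical paragraph is added to the metrics server documentation later on this page (`@ -56,8 +57,15 @@`) and needs the same correction; neither hunk shows the full section.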
|
|
|
@ -24,24 +24,9 @@ guide on configuring any particular instance.
|
||||||
|
|
||||||
The base type for this syntax is a string, and it also handles integers however this is discouraged.
|
The base type for this syntax is a string, and it also handles integers however this is discouraged.
|
||||||
|
|
||||||
We have implemented a string/integer based syntax for configuration options that take a duration of time. This section
|
If you supply an integer, it is considered a representation of seconds. If you supply a string, it parses the string in
|
||||||
describes the implementation of this. You can use this implementation in various areas of configuration such as:
|
blocks of quantities and units (number followed by a unit letter). For example `5h` indicates a quantity of 5 units
|
||||||
|
of `h`.
|
||||||
* session:
|
|
||||||
* expiration
|
|
||||||
* inactivity
|
|
||||||
* remember_me
|
|
||||||
* regulation:
|
|
||||||
* ban_time
|
|
||||||
* find_time
|
|
||||||
* ntp:
|
|
||||||
* max_desync
|
|
||||||
* webauthn:
|
|
||||||
* timeout
|
|
||||||
|
|
||||||
The way this format works is you can either configure an integer or a string in the specific configuration areas. If you
|
|
||||||
supply an integer, it is considered a representation of seconds. If you supply a string, it parses the string in blocks
|
|
||||||
of quantities and units (number followed by a unit letter). For example `5h` indicates a quantity of 5 units of `h`.
|
|
||||||
|
|
||||||
The following is ignored:
|
The following is ignored:
|
||||||
- all spaces
|
- all spaces
|
||||||
|
@ -104,20 +89,44 @@ portions. Required portions may exist within optional portions, in which case th
|
||||||
format specific text which indicates if the accompanying text exists then it is actually required, otherwise it's
|
format specific text which indicates if the accompanying text exists then it is actually required, otherwise it's
|
||||||
entirely optional.
|
entirely optional.
|
||||||
|
|
||||||
The connector address values take the following formats:
|
The square brackets indicate optional sections, and the angled brackets indicate required sections. The following
|
||||||
|
sections elaborate on this. Sections may only be optional for the purposes of parsing, there may be a configuration
|
||||||
|
requirement that one of these is provided.
|
||||||
|
|
||||||
|
##### Hostname
|
||||||
|
|
||||||
|
The following format represents the hostname format. It's valid for both a listener and connector in most instances.
|
||||||
|
Refer to the individual documentation for an option for clarity. In this format as per the notation the scheme and port
|
||||||
|
are optional. The default for these when not provided varies.
|
||||||
|
|
||||||
```text
|
```text
|
||||||
[<scheme>://]<hostname>[:<port>]
|
[<scheme>://]<hostname>[:<port>]
|
||||||
|
```
|
||||||
|
|
||||||
|
##### Port
|
||||||
|
|
||||||
|
The following format represents the port format. It's valid only for a listener in most instances.
|
||||||
|
Refer to the individual documentation for an option for clarity. In this format as per the notation the scheme and
|
||||||
|
hostname are optional. The default for the scheme when not provided varies, and the default for the hostname is all
|
||||||
|
available addresses when not provided.
|
||||||
|
|
||||||
|
```text
|
||||||
|
[<scheme>://][hostname]:<port>
|
||||||
|
```
|
||||||
|
|
||||||
|
##### Unix Domain Socket
|
||||||
|
|
||||||
|
The following format represents the unix domain socket format. It's valid for both a listener and connector in most
|
||||||
|
instances. Refer to the individual documentation for an option for clarity. In this format as per the notation there
|
||||||
|
are no optional portions.
|
||||||
|
|
||||||
|
```text
|
||||||
unix://<path>
|
unix://<path>
|
||||||
```
|
```
|
||||||
|
|
||||||
The listener address values take the following additional formats:
|
##### Examples
|
||||||
|
|
||||||
```text
|
Various examples for these formats.
|
||||||
[<scheme>://]:<port>
|
|
||||||
```
|
|
||||||
|
|
||||||
Examples:
|
|
||||||
|
|
||||||
```text
|
```text
|
||||||
0.0.0.0
|
0.0.0.0
|
||||||
|
@ -131,9 +140,6 @@ udp://:123
|
||||||
|
|
||||||
unix:///var/lib/authelia.sock
|
unix:///var/lib/authelia.sock
|
||||||
```
|
```
|
||||||
The square brackets indicate optional sections, and the angled brackets indicate required sections. The following
|
|
||||||
sections elaborate on this. Sections may only be optional for the purposes of parsing, there may be a configuration
|
|
||||||
requirement that one of these is provided.
|
|
||||||
|
|
||||||
#### scheme
|
#### scheme
|
||||||
|
|
||||||
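Review bot: The new `Port` subsection in the `@ -104,20 +89,44 @@` hunk says the hostname defaults to all available addresses but does not state the consequence for a listener: omitting the hostname exposes the endpoint on every interface of the host. One sentence after `available addresses when not provided.` would make this explicit, e.g. `If the listener should only be reachable locally or from a specific network, set the hostname explicitly rather than relying on this default.` The `0.0.0.0` and `tcp://:9091` style examples that follow are exactly the cases this applies to.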
|
|
|
@ -23,6 +23,7 @@ telemetry:
|
||||||
metrics:
|
metrics:
|
||||||
enabled: false
|
enabled: false
|
||||||
address: 'tcp://:9959'
|
address: 'tcp://:9959'
|
||||||
|
umask: 0022
|
||||||
buffers:
|
buffers:
|
||||||
read: 4096
|
read: 4096
|
||||||
write: 4096
|
write: 4096
|
||||||
|
@ -56,8 +57,15 @@ the scheme must either be the `unix` scheme or one of the `tcp` schemes.
|
||||||
|
|
||||||
{{< confkey type="int" required="no" >}}
|
{{< confkey type="int" required="no" >}}
|
||||||
|
|
||||||
If set temporarily changes the Umask during the creation of the unix domain socket if configured as such in the
|
If set temporarily changes the umask during the creation of the unix domain socket if configured as such in the
|
||||||
[address](#address).
|
[address](#address). Typically this should be set before the process is actually running and users should not use this
|
||||||
|
option, however it's recognized in various specific scenarios this may not be completely adequate.
|
||||||
|
|
||||||
|
One such example is when you want the proxy to have permission to the socket but not the files, in which case running a
|
||||||
|
umask of `0077` by default is good, and running a umask of `0027` so that the group Authelia is running as has
|
||||||
|
permission to the socket.
|
||||||
|
|
||||||
|
This value should typically be prefixed with a `0` to ensure the relevant parsers handle it correctly.
|
||||||
|
|
||||||
### buffers
|
### buffers
|
||||||
|
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
title: "Time-based OTP Applications"
|
title: "Time-based OTP Applications"
|
||||||
description: "A Time-based OTP Application integration reference guide"
|
description: "A Time-based OTP Application integration reference guide"
|
||||||
lead: "This section contains a Time-based OTP Application integration reference guide for Authelia."
|
lead: "This section contains a Time-based OTP Application integration reference guide for Authelia."
|
||||||
date: 2022-11-19T16:47:09+11:00
|
date: 2023-05-07T17:52:47+10:00
|
||||||
draft: false
|
draft: false
|
||||||
images: []
|
images: []
|
||||||
menu:
|
menu:
|
||||||
|
|
|
@ -90,13 +90,13 @@ server:
|
||||||
## Server Timeouts configuration.
|
## Server Timeouts configuration.
|
||||||
# timeouts:
|
# timeouts:
|
||||||
|
|
||||||
## Read timeout.
|
## Read timeout in the duration common syntax.
|
||||||
# read: '6s'
|
# read: '6s'
|
||||||
|
|
||||||
## Write timeout.
|
## Write timeout in the duration common syntax.
|
||||||
# write: '6s'
|
# write: '6s'
|
||||||
|
|
||||||
## Idle timeout.
|
## Idle timeout in the duration common syntax.
|
||||||
# idle: '30s'
|
# idle: '30s'
|
||||||
|
|
||||||
## Server Endpoints configuration.
|
## Server Endpoints configuration.
|
||||||
|
@ -171,13 +171,13 @@ telemetry:
|
||||||
## Metrics Server Timeouts configuration.
|
## Metrics Server Timeouts configuration.
|
||||||
# timeouts:
|
# timeouts:
|
||||||
|
|
||||||
## Read timeout.
|
## Read timeout in the duration common syntax.
|
||||||
# read: '6s'
|
# read: '6s'
|
||||||
|
|
||||||
## Write timeout.
|
## Write timeout in the duration common syntax.
|
||||||
# write: '6s'
|
# write: '6s'
|
||||||
|
|
||||||
## Idle timeout.
|
## Idle timeout in the duration common syntax.
|
||||||
# idle: '30s'
|
# idle: '30s'
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -223,7 +223,7 @@ webauthn:
|
||||||
## Disable WebAuthn.
|
## Disable WebAuthn.
|
||||||
disable: false
|
disable: false
|
||||||
|
|
||||||
## Adjust the interaction timeout for WebAuthn dialogues.
|
## The interaction timeout for WebAuthn dialogues in the duration common syntax.
|
||||||
timeout: '60s'
|
timeout: '60s'
|
||||||
|
|
||||||
## The display name the browser should show the user for when using WebAuthn to login/register.
|
## The display name the browser should show the user for when using WebAuthn to login/register.
|
||||||
|
@ -264,7 +264,7 @@ ntp:
|
||||||
## NTP version.
|
## NTP version.
|
||||||
version: 4
|
version: 4
|
||||||
|
|
||||||
## Maximum allowed time offset between the host and the NTP server in duration common syntax.
|
## Maximum allowed time offset between the host and the NTP server in the duration common syntax.
|
||||||
max_desync: '3s'
|
max_desync: '3s'
|
||||||
|
|
||||||
## Disables the NTP check on startup entirely. This means Authelia will not contact a remote service at all if you
|
## Disables the NTP check on startup entirely. This means Authelia will not contact a remote service at all if you
|
||||||
|
@ -293,14 +293,13 @@ authentication_backend:
|
||||||
## functionality.
|
## functionality.
|
||||||
custom_url: ''
|
custom_url: ''
|
||||||
|
|
||||||
## The amount of time to wait before we refresh data from the authentication backend. Uses duration notation.
|
## The amount of time to wait before we refresh data from the authentication backend in the duration common syntax.
|
||||||
## To disable this feature set it to 'disable', this will slightly reduce security because for Authelia, users will
|
## To disable this feature set it to 'disable', this will slightly reduce security because for Authelia, users will
|
||||||
## always belong to groups they belonged to at the time of login even if they have been removed from them in LDAP.
|
## always belong to groups they belonged to at the time of login even if they have been removed from them in LDAP.
|
||||||
## To force update on every request you can set this to '0' or 'always', this will increase processor demand.
|
## To force update on every request you can set this to '0' or 'always', this will increase processor demand.
|
||||||
## See the below documentation for more information.
|
## See the below documentation for more information.
|
||||||
## Duration Notation docs: https://www.authelia.com/c/common#duration
|
|
||||||
## Refresh Interval docs: https://www.authelia.com/c/1fa#refresh-interval
|
## Refresh Interval docs: https://www.authelia.com/c/1fa#refresh-interval
|
||||||
refresh_interval: 5m
|
refresh_interval: '5m'
|
||||||
|
|
||||||
##
|
##
|
||||||
## LDAP (Authentication Provider)
|
## LDAP (Authentication Provider)
|
||||||
|
@ -736,7 +735,6 @@ session:
|
||||||
# same_site: 'lax'
|
# same_site: 'lax'
|
||||||
|
|
||||||
## The value for inactivity, expiration, and remember_me are in seconds or the duration common syntax.
|
## The value for inactivity, expiration, and remember_me are in seconds or the duration common syntax.
|
||||||
## See: https://www.authelia.com/c/common#duration
|
|
||||||
## All three of these values affect the cookie/session validity period. Longer periods are considered less secure
|
## All three of these values affect the cookie/session validity period. Longer periods are considered less secure
|
||||||
## because a stolen cookie will last longer giving attackers more time to spy or attack.
|
## because a stolen cookie will last longer giving attackers more time to spy or attack.
|
||||||
|
|
||||||
|
@ -753,30 +751,19 @@ session:
|
||||||
## this value to -1 disables remember me for this session cookie domain.
|
## this value to -1 disables remember me for this session cookie domain.
|
||||||
# remember_me: '1M'
|
# remember_me: '1M'
|
||||||
|
|
||||||
## Cookie Session Domain default 'name' value. The name of the session cookie.
|
## Cookie Session Domain default 'name' value.
|
||||||
name: 'authelia_session'
|
name: 'authelia_session'
|
||||||
|
|
||||||
## Cookie Session Domain default 'same_site' value. Sets the Cookie SameSite value. Possible options are none, lax,
|
## Cookie Session Domain default 'same_site' value.
|
||||||
## or strict. Please read https://www.authelia.com/c/session#same_site
|
|
||||||
same_site: 'lax'
|
same_site: 'lax'
|
||||||
|
|
||||||
## The value for inactivity, expiration, and remember_me are in seconds or the duration common syntax.
|
## Cookie Session Domain default 'inactivity' value.
|
||||||
## See: https://www.authelia.com/c/common#duration
|
|
||||||
## All three of these values affect the cookie/session validity period. Longer periods are considered less secure
|
|
||||||
## because a stolen cookie will last longer giving attackers more time to spy or attack.
|
|
||||||
|
|
||||||
## Cookie Session Domain default 'inactivity' value. The inactivity time before the session is reset. If expiration is
|
|
||||||
## set to 1h, and this is set to 5m, if the user does not select the remember me option their session will get
|
|
||||||
## destroyed after 1h, or after 5m since the last time Authelia detected user activity.
|
|
||||||
inactivity: '5m'
|
inactivity: '5m'
|
||||||
|
|
||||||
## Cookie Session Domain default 'expiration' value. The time before the session cookie expires and the session is
|
## Cookie Session Domain default 'expiration' value.
|
||||||
## destroyed if remember me IS NOT selected by the user.
|
|
||||||
expiration: '1h'
|
expiration: '1h'
|
||||||
|
|
||||||
## Cookie Session Domain default 'remember_me' value. The time before the cookie expires and the session is destroyed
|
## Cookie Session Domain default 'remember_me' value.
|
||||||
## if remember me IS selected by the user. Setting this value to -1 disables remember me for all session cookie
|
|
||||||
## domains which do not have a specific 'remember_me' value.
|
|
||||||
remember_me: '1M'
|
remember_me: '1M'
|
||||||
|
|
||||||
##
|
##
|
||||||
|
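Review bot: The defaults for 'inactivity', 'expiration' and 'remember_me' now carry only a one-line label, and the per-domain block above (`this value to -1 disables remember me for this session cookie domain`) is the only place left that says what `-1` means; someone editing the defaults will not see that `-1` there disables remember me for every domain without its own value, nor that these are the values per-domain entries fall back to. A short trailing sentence on each would keep the template self-explanatory, e.g. `## Cookie Session Domain default 'remember_me' value. Set to -1 to disable remember me for all domains without a specific value.` The interplay of 'inactivity' and 'expiration' (session destroyed after 'expiration', or after 'inactivity' without activity, when remember me is not selected) deserves the same one-liner, since the earlier comment in this file notes these periods bound how long a stolen cookie stays usable.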
@ -934,11 +921,11 @@ regulation:
|
||||||
## The number of failed login attempts before user is banned. Set it to 0 to disable regulation.
|
## The number of failed login attempts before user is banned. Set it to 0 to disable regulation.
|
||||||
max_retries: 3
|
max_retries: 3
|
||||||
|
|
||||||
## The time range in duration common syntax during which the user can attempt login before being banned. The user is
|
## The time range during which the user can attempt login before being banned in the duration common syntax. The user
|
||||||
## banned if the authentication failed 'max_retries' times in a 'find_time' seconds window.
|
## is banned if the authentication failed 'max_retries' times in a 'find_time' seconds window.
|
||||||
find_time: '2m'
|
find_time: '2m'
|
||||||
|
|
||||||
## The length of time in duration common syntax before a banned user can login again.
|
## The length of time before a banned user can login again in the duration common syntax.
|
||||||
ban_time: '5m'
|
ban_time: '5m'
|
||||||
|
|
||||||
##
|
##
|
||||||
|
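Review bot: The rewritten comment still says `in a 'find_time' seconds window` while the value directly below it is given in the duration common syntax (`'2m'`), so the unit in the comment contradicts the syntax the same comment now advertises. Suggest `## is banned if the authentication failed 'max_retries' times within the 'find_time' window.` The phrase "before being banned in the duration common syntax" also reads as though the ban rather than the range is expressed in that syntax; `## The time range, in the duration common syntax, during which the user can attempt login before being banned.` is unambiguous.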
@ -1441,7 +1428,7 @@ notifier:
|
||||||
# DO NOT USE==
|
# DO NOT USE==
|
||||||
# -----END RSA PRIVATE KEY-----
|
# -----END RSA PRIVATE KEY-----
|
||||||
|
|
||||||
## The lifespans configure the expiration for these token types.
|
## The lifespans configure the expiration for these token types in the duration common syntax.
|
||||||
# access_token_lifespan: '1h'
|
# access_token_lifespan: '1h'
|
||||||
# authorize_code_lifespan: '1m'
|
# authorize_code_lifespan: '1m'
|
||||||
# id_token_lifespan: '1h'
|
# id_token_lifespan: '1h'
|
||||||
|
@ -1547,6 +1534,6 @@ notifier:
|
||||||
# consent_mode: 'auto'
|
# consent_mode: 'auto'
|
||||||
|
|
||||||
## This value controls the duration a consent on this client remains remembered when the consent mode is
|
## This value controls the duration a consent on this client remains remembered when the consent mode is
|
||||||
## configured as 'auto' or 'pre-configured'.
|
## configured as 'auto' or 'pre-configured' in the duration common syntax.
|
||||||
# pre_configured_consent_duration: '1w'
|
# pre_configured_consent_duration: '1w'
|
||||||
...
|
...
|
||||||
|
|
|
@ -759,7 +759,7 @@ func (suite *LDAPAuthenticationBackendSuite) TestShouldRaiseOnBadRefreshInterval
|
||||||
suite.Len(suite.validator.Warnings(), 0)
|
suite.Len(suite.validator.Warnings(), 0)
|
||||||
suite.Require().Len(suite.validator.Errors(), 1)
|
suite.Require().Len(suite.validator.Errors(), 1)
|
||||||
|
|
||||||
suite.EqualError(suite.validator.Errors()[0], "authentication_backend: option 'refresh_interval' is configured to 'blah' but it must be either a duration notation or one of 'disable', or 'always': could not parse 'blah' as a duration")
|
suite.EqualError(suite.validator.Errors()[0], "authentication_backend: option 'refresh_interval' is configured to 'blah' but it must be either in duration common syntax or one of 'disable', or 'always': could not parse 'blah' as a duration")
|
||||||
}
|
}
|
||||||
|
|
||||||
func (suite *LDAPAuthenticationBackendSuite) TestShouldSetDefaultImplementation() {
|
func (suite *LDAPAuthenticationBackendSuite) TestShouldSetDefaultImplementation() {
|
||||||
|
|
|
@ -79,7 +79,7 @@ const (
|
||||||
errFmtAuthBackendMultipleConfigured = "authentication_backend: please ensure only one of the 'file' or 'ldap' " +
|
errFmtAuthBackendMultipleConfigured = "authentication_backend: please ensure only one of the 'file' or 'ldap' " +
|
||||||
"backend is configured"
|
"backend is configured"
|
||||||
errFmtAuthBackendRefreshInterval = "authentication_backend: option 'refresh_interval' is configured to '%s' but " +
|
errFmtAuthBackendRefreshInterval = "authentication_backend: option 'refresh_interval' is configured to '%s' but " +
|
||||||
"it must be either a duration notation or one of 'disable', or 'always': %w"
|
"it must be either in duration common syntax or one of 'disable', or 'always': %w"
|
||||||
errFmtAuthBackendPasswordResetCustomURLScheme = "authentication_backend: password_reset: option 'custom_url' is" +
|
errFmtAuthBackendPasswordResetCustomURLScheme = "authentication_backend: password_reset: option 'custom_url' is" +
|
||||||
" configured to '%s' which has the scheme '%s' but the scheme must be either 'http' or 'https'"
|
" configured to '%s' which has the scheme '%s' but the scheme must be either 'http' or 'https'"
|
||||||
|
|
||||||
|
|
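Review bot: The rewritten error text says "in duration common syntax" while the config template in this same commit consistently says "in the duration common syntax", and it keeps the dangling `, or 'always'`, so the one concept the commit is unifying is still spelled two ways. Suggest `"it must be either in the duration common syntax or one of 'disable' or 'always': %w"` and mirroring the string in the `TestShouldRaiseOnBadRefreshInterval` assertion. The enclosing const block starts outside the hunk.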