From b4d9e2138788c9ad3b76bbe6efa5dffd8779d613 Mon Sep 17 00:00:00 2001
From: James Elliott
Date: Wed, 7 Dec 2022 20:43:02 +1100
Subject: [PATCH] docs: fix misc url issues (#4503)

---
 CONTRIBUTING.md | 4 +-
 README.md | 4 +-
 SECURITY.md | 8 +--
 .../en/configuration/first-factor/ldap.md | 23 ++++----
 .../identity-providers/open-id-connect.md | 17 +++---
 .../en/configuration/methods/environment.md | 2 +-
 .../en/configuration/methods/secrets.md | 16 +++---
 .../miscellaneous/introduction.md | 2 +-
 .../en/configuration/miscellaneous/ntp.md | 2 +-
 .../en/configuration/prologue/common.md | 6 +-
 .../en/configuration/prologue/migration.md | 6 +-
 .../time-based-one-time-password.md | 8 ++-
 .../configuration/security/access-control.md | 16 +++---
 .../en/configuration/session/introduction.md | 4 +-
 .../en/configuration/storage/sqlite.md | 2 +-
 .../configuration/telemetry/introduction.md | 2 +-
 .../en/contributing/prologue/financial.md | 6 +-
 .../en/contributing/prologue/translations.md | 2 +-
 docs/content/en/information/contact.md | 4 +-
 .../en/integration/deployment/docker.md | 4 +-
 .../en/integration/deployment/introduction.md | 2 +-
 .../en/integration/deployment/kubernetes.md | 2 +-
 .../en/integration/kubernetes/introduction.md | 4 +-
 .../integration/kubernetes/traefik-ingress.md | 2 +-
 .../openid-connect/introduction.md | 2 +-
 .../en/integration/prologue/get-started.md | 8 +--
 .../proxies/nginx-proxy-manager/index.md | 12 ++--
 docs/content/en/integration/proxies/nginx.md | 2 +-
 .../content/en/integration/proxies/support.md | 2 +-
 docs/content/en/integration/proxies/swag.md | 2 +-
 .../overview/authentication/introduction.md | 4 +-
 .../authentication/push-notification/index.md | 9 +--
 .../overview/prologue/architecture/index.md | 6 +-
 docs/content/en/overview/security/measures.md | 57 ++++++++++---------
 docs/content/en/policies/security.md | 10 ++--
 docs/content/en/reference/guides/ldap.md | 2 +-
 .../guides/notification-templates.md | 4 +-
 docs/content/en/reference/guides/passwords.md | 2 +-
 .../guides/server-asset-overrides.md | 8 +--
.../guides/troubleshooting-sanitizaiton.md | 1 - 40 files changed, 139 insertions(+), 140 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 1b23c8aaf..b3c2bc9f5 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -2,7 +2,7 @@ Anybody willing to contribute to the project either with code, documentation, security reviews or whatever, are very welcome to create or review pull requests and take part in discussions in any of our public -[chat rooms](./README.md#contact-options). +[chat rooms](README.md#contact-options). It's also possible to contribute financially in order to support the community. @@ -42,4 +42,4 @@ Read more about this in the [GitHub docs, Re-requesting a review](https://docs.g Sometimes the codebase can be a challenge to navigate, especially for a first-time contributor. We don't want you spending an hour trying to work out something that would take us only a minute to explain. -If you'd like some help getting started we have several [contact options](./README.md#contact-options) available. +If you'd like some help getting started we have several [contact options](README.md#contact-options) available. diff --git a/README.md b/README.md index e800faaee..abc3236bc 100644 --- a/README.md +++ b/README.md @@ -184,7 +184,7 @@ Internet (your reverse proxies are) however, it's still the control plane for yo ## Contribute -If you want to contribute to Authelia, please read our [contribution guidelines](./CONTRIBUTING.md). +If you want to contribute to Authelia, please read our [contribution guidelines](CONTRIBUTING.md). Authelia exists thanks to all the people who contribute so don't be shy, come chat with us on either [Matrix](#matrix) or [Discord](#discord) and start contributing too. 
@@ -379,7 +379,7 @@ Companies contributing to Authelia via Open Collective will have a special menti ## License **Authelia** is **licensed** under the **[Apache 2.0]** license. The terms of the license are detailed in -[LICENSE](./LICENSE). +[LICENSE](LICENSE). [![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fauthelia%2Fauthelia.svg?type=large)](https://app.fossa.com/projects/git%2Bgithub.com%2Fauthelia%2Fauthelia?ref=badge_large) diff --git a/SECURITY.md b/SECURITY.md index 6324e796c..90c512187 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -19,14 +19,14 @@ For more information about [security](https://www.authelia.com/information/secur ## Contact Options -Several [contact options](./README.md#contact-options) exist, it's important to make sure you contact the maintainers -privately which is described in each available contact method. The methods include our [security email](./README.md#security), -[Matrix](./README.md#matrix), and [Discord](./README.md#discord). +Several [contact options](README.md#contact-options) exist, it's important to make sure you contact the maintainers +privately which is described in each available contact method. The methods include our [security email](README.md#security), +[Matrix](README.md#matrix), and [Discord](README.md#discord). ## Credit Users who report bugs will optionally be credited for the discovery. Both in the [security advisory] and in our -[all contributors](./README.md#contribute) configuration/documentation. +[all contributors](README.md#contribute) configuration/documentation. ## Process diff --git a/docs/content/en/configuration/first-factor/ldap.md b/docs/content/en/configuration/first-factor/ldap.md index 9fb9127f3..95b91524d 100644 --- a/docs/content/en/configuration/first-factor/ldap.md +++ b/docs/content/en/configuration/first-factor/ldap.md 
@@ -167,14 +167,14 @@ section [here](../prologue/common.md#tls-configuration). Sets the base distinguished name container for all LDAP queries. If your LDAP domain is example.com this is usually `DC=example,DC=com`, however you can fine tune this to be more specific for example to only include objects inside the -authelia OU: `OU=authelia,DC=example,DC=com`. This is prefixed with the [additional_users_dn](#additional_users_dn) for -user searches and [additional_groups_dn](#additional_groups_dn) for groups searches. +authelia OU: `OU=authelia,DC=example,DC=com`. This is prefixed with the [additional_users_dn](#additionalusersdn) for +user searches and [additional_groups_dn](#additionalgroupsdn) for groups searches. ### additional_users_dn {{< confkey type="string" required="no" >}} -Additional LDAP path to append to the [base_dn](#base_dn) when searching for users. Useful if you want to restrict +Additional LDAP path to append to the [base_dn](#basedn) when searching for users. Useful if you want to restrict exactly which OU to get users from for either security or performance reasons. For example setting it to `OU=users,OU=people` with a base_dn set to `DC=example,DC=com` will mean user searches will occur in `OU=users,OU=people,DC=example,DC=com`. 
@@ -184,28 +184,31 @@ exactly which OU to get users from for either security or performance reasons. F {{< confkey type="string" required="situational" >}} *__Note:__ This option is technically required however the [implementation](#implementation) option can implicitly set a -default negating this requirement. Refer to the [filter defaults](#filter-defaults) for more information.* +default negating this requirement. Refer to the [filter defaults](../../reference/guides/ldap.md#filter-defaults) for +more information.* The LDAP filter to narrow down which users are valid. This is important to set correctly as to exclude disabled users. The default value is dependent on the [implementation](#implementation), refer to the -[attribute defaults](#attribute-defaults) for more information. +[attribute defaults](../../reference/guides/ldap.md#attribute-defaults) for more information. ### username_attribute {{< confkey type="string" required="situational" >}} *__Note:__ This option is technically required however the [implementation](#implementation) option can implicitly set a -default negating this requirement. Refer to the [attribute defaults](#attribute-defaults) for more information.* +default negating this requirement. Refer to the [attribute defaults](../../reference/guides/ldap.md#attribute-defaults) +for more information.* The LDAP attribute that maps to the username in *Authelia*. This must contain the `{username_attribute}` -[placeholder](#users-filter-replacements). +[placeholder](../../reference/guides/ldap.md#users-filter-replacements). ### mail_attribute {{< confkey type="string" required="situational" >}} *__Note:__ This option is technically required however the [implementation](#implementation) option can implicitly set a -default negating this requirement. Refer to the [attribute defaults](#attribute-defaults) for more information.* +default negating this requirement. 
Refer to the [attribute defaults](../../reference/guides/ldap.md#attribute-defaults) +for more information.* The attribute to retrieve which contains the users email addresses. This is important for the device registration and password reset processes. The user must have an email address in order for Authelia to perform identity verification @@ -294,7 +297,7 @@ characters and the user password is changed to this value. ## Refresh Interval -It's recommended you either use the default [refresh interval](./introduction.md#refresh_interval) or configure this to +It's recommended you either use the default [refresh interval](introduction.md#refreshinterval) or configure this to a value low enough to refresh the user groups and status (deleted, disabled, etc) to adequately secure your environment. ## Important notes @@ -311,6 +314,6 @@ for your users. - [LDAP Reference Guide](../../reference/guides/ldap.md) -[username attribute]: #username_attribute +[username attribute]: #usernameattribute [TechNet wiki]: https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx [RFC2307]: https://www.rfc-editor.org/rfc/rfc2307.html diff --git a/docs/content/en/configuration/identity-providers/open-id-connect.md b/docs/content/en/configuration/identity-providers/open-id-connect.md index 9baad93f0..2e0f78e55 100644 --- a/docs/content/en/configuration/identity-providers/open-id-connect.md +++ b/docs/content/en/configuration/identity-providers/open-id-connect.md 
@@ -157,8 +157,8 @@ The HMAC secret used to sign the [JWT]'s. The provided string is hashed to a SHA purpose of meeting the required format. It's __strongly recommended__ this is a -[Random Alphanumeric String](../../reference/guides/generating-secure-values.md#generating-a-random-alphanumeric-string) with 64 or more -characters. +[Random Alphanumeric String](../../reference/guides/generating-secure-values.md#generating-a-random-alphanumeric-string) +with 64 or more characters. ### issuer_certificate_chain @@ -173,7 +173,7 @@ as per [RFC7517]. [x5c]: https://www.rfc-editor.org/rfc/rfc7517#section-4.7 [x5t]: https://www.rfc-editor.org/rfc/rfc7517#section-4.8 -The first certificate in the chain must have the public key for the [issuer_private_key](#issuer_private_key), each +The first certificate in the chain must have the public key for the [issuer_private_key](#issuerprivatekey), each certificate in the chain must be valid for the current date, and each certificate in the chain should be signed by the certificate immediately following it if present. 
@@ -185,14 +185,15 @@ certificate immediately following it if present. especially for containerized deployments.* The private key used to sign/encrypt the [OpenID Connect] issued [JWT]'s. The key must be generated by the administrator -and can be done by following the [Generating an RSA Keypair](../../reference/guides/generating-secure-values.md#generating-an-rsa-keypair) guide. +and can be done by following the +[Generating an RSA Keypair](../../reference/guides/generating-secure-values.md#generating-an-rsa-keypair) guide. The private key *__MUST__*: * Be a PEM block encoded in the DER base64 format ([RFC4648]). * Be an RSA Key. * Have a key size of at least 2048 bits. -If the [issuer_certificate_chain](#issuer_certificate_chain) is provided the private key must include matching public +If the [issuer_certificate_chain](#issuercertificatechain) is provided the private key must include matching public key data for the first certificate in the chain. ### access_token_lifespan @@ -302,7 +303,7 @@ you must configure this option manually if you want http endpoints to be permitt Origins must only have the scheme, hostname and port, they may not have a trailing slash or path. In addition to an Origin URI, you may specify the wildcard origin in the allowed_origins. It MUST be specified by itself -and the [allowed_origins_from_client_redirect_uris](#allowed_origins_from_client_redirect_uris) MUST NOT be enabled. The +and the [allowed_origins_from_client_redirect_uris](#allowedoriginsfromclientredirecturis) MUST NOT be enabled. The wildcard origin is denoted as `*`. Examples: ```yaml 
@@ -422,7 +423,7 @@ Configures the consent mode. The following table describes the different modes: | implicit | Automatically assumes consent for every authorization, never asking the user if they wish to give consent. *__Note:__* this option is not technically part of the specification. | | pre-configured | Allows the end-user to remember their consent for the [pre_configured_consent_duration]. | -[pre_configured_consent_duration]: #pre_configured_consent_duration +[pre_configured_consent_duration]: #preconfiguredconsentduration #### pre_configured_consent_duration @@ -439,7 +440,7 @@ The period of time dictates how long a users choice to remember the pre-configur Pre-configured consents are only valid if the subject, client id are exactly the same and the requested scopes/audience match exactly with the granted scopes/audience. -[consent_mode]: #consent_mode +[consent_mode]: #consentmode #### audience diff --git a/docs/content/en/configuration/methods/environment.md b/docs/content/en/configuration/methods/environment.md index e5e4686bb..5a59b7060 100644 --- a/docs/content/en/configuration/methods/environment.md +++ b/docs/content/en/configuration/methods/environment.md @@ -27,7 +27,7 @@ likely result in an error or even worse misconfiguration. ### Kubernetes Please see the -[Kubernetes Integration: Enable Service Links](../../integration/kubernetes/introduction/index.md#enable-service-links) +[Kubernetes Integration: Enable Service Links](../../integration/kubernetes/introduction.md#enable-service-links) documentation for specific requirements for using *Authelia* with Kubernetes. ## Mapping diff --git a/docs/content/en/configuration/methods/secrets.md b/docs/content/en/configuration/methods/secrets.md index 25802b9bb..182c74edd 100644 --- a/docs/content/en/configuration/methods/secrets.md +++ b/docs/content/en/configuration/methods/secrets.md 
@@ -55,15 +55,15 @@ other configuration using the environment but instead of loading a file the valu {{% table-config-keys secrets="true" %}} [server.tls.key]: ../miscellaneous/server.md#key -[jwt_secret]: ../miscellaneous/introduction.md#jwt_secret -[duo_api.integration_key]: ../second-factor/duo.md#integration_key -[duo_api.secret_key]: ../second-factor/duo.md#secret_key +[jwt_secret]: ../miscellaneous/introduction.md#jwtsecret +[duo_api.integration_key]: ../second-factor/duo.md#integrationkey +[duo_api.secret_key]: ../second-factor/duo.md#secretkey [session.secret]: ../session/introduction.md#secret [session.redis.password]: ../session/redis.md#password [session.redis.tls.certificate_chain]: ../session/redis.md#tls [session.redis.tls.private_key]: ../session/redis.md#tls -[session.redis.high_availability.sentinel_password]: ../session/redis.md#sentinel_password -[storage.encryption_key]: ../storage/introduction.md#encryption_key +[session.redis.high_availability.sentinel_password]: ../session/redis.md#sentinelpassword +[storage.encryption_key]: ../storage/introduction.md#encryptionkey [storage.mysql.password]: ../storage/mysql.md#password [storage.mysql.tls.certificate_chain]: ../storage/mysql.md#tls [storage.mysql.tls.private_key]: ../storage/mysql.md#tls 
@@ -77,9 +77,9 @@ other configuration using the environment but instead of loading a file the valu [authentication_backend.ldap.password]: ../first-factor/ldap.md#password [authentication_backend.ldap.tls.certificate_chain]: ../first-factor/ldap.md#tls [authentication_backend.ldap.tls.private_key]: ../first-factor/ldap.md#tls -[identity_providers.oidc.issuer_certificate_chain]: ../identity-providers/open-id-connect.md#issuer_certificate_chain -[identity_providers.oidc.issuer_private_key]: ../identity-providers/open-id-connect.md#issuer_private_key -[identity_providers.oidc.hmac_secret]: ../identity-providers/open-id-connect.md#hmac_secret +[identity_providers.oidc.issuer_certificate_chain]: ../identity-providers/open-id-connect.md#issuercertificatechain +[identity_providers.oidc.issuer_private_key]: ../identity-providers/open-id-connect.md#issuerprivatekey +[identity_providers.oidc.hmac_secret]: ../identity-providers/open-id-connect.md#hmacsecret ## Secrets in configuration file diff --git a/docs/content/en/configuration/miscellaneous/introduction.md b/docs/content/en/configuration/miscellaneous/introduction.md index d8de18f72..b7036e231 100644 --- a/docs/content/en/configuration/miscellaneous/introduction.md +++ b/docs/content/en/configuration/miscellaneous/introduction.md @@ -73,7 +73,7 @@ default_2fa_method: totp especially for containerized deployments.* Defines the secret used to craft JWT tokens leveraged by the identity verification process. This can a random string. -It's strongly recommended this is a [Random Alphanumeric String](../../reference/guides/generating-secure-values.md/#generating-a-random-alphanumeric-string) with +It's strongly recommended this is a [Random Alphanumeric String](../../reference/guides/generating-secure-values.md#generating-a-random-alphanumeric-string) with 64 or more characters. ### theme 
diff --git a/docs/content/en/configuration/miscellaneous/ntp.md b/docs/content/en/configuration/miscellaneous/ntp.md index 6de640f5c..b16751d8e 100644 --- a/docs/content/en/configuration/miscellaneous/ntp.md +++ b/docs/content/en/configuration/miscellaneous/ntp.md @@ -68,4 +68,4 @@ Setting this to true will disable the startup check entirely. Setting this to true will allow Authelia to start and just log an error instead of exiting. The default is that if Authelia can contact the NTP server successfully, and the time reported by the server is greater than what is configured -in [max_desync](#max_desync) that Authelia fails to start and logs a fatal error. +in [max_desync](#maxdesync) that Authelia fails to start and logs a fatal error. diff --git a/docs/content/en/configuration/prologue/common.md b/docs/content/en/configuration/prologue/common.md index 6222e5448..1f4be33a1 100644 --- a/docs/content/en/configuration/prologue/common.md +++ b/docs/content/en/configuration/prologue/common.md @@ -123,7 +123,7 @@ require an IP address for the host of the backend service but want to verify a s The key `skip_verify` completely negates validating the certificate of the backend service. This is not recommended, instead you should tweak the `server_name` option, and the global option -[certificates directory](../miscellaneous/introduction.md#certificates_directory). +[certificates directory](../miscellaneous/introduction.md#certificatesdirectory). ### minimum_version @@ -147,7 +147,7 @@ this value. At the time of this writing `SSL3.0` will always produce errors. {{< confkey type="string" required="no" >}} -The certificate chain/bundle to be used with the [private_key](#private_key) to perform mutual TLS authentication with +The certificate chain/bundle to be used with the [private_key](#privatekey) to perform mutual TLS authentication with the server. The value must be one or more certificates encoded in the DER base64 ([RFC4648]) encoded PEM format. 
@@ -159,7 +159,7 @@ The value must be one or more certificates encoded in the DER base64 ([RFC4648]) *__Important Note:__ This can also be defined using a [secret](../methods/secrets.md) which is __strongly recommended__ especially for containerized deployments.* -The private key to be used with the [certificate_chain](#certificate_chain) for mutual TLS authentication. +The private key to be used with the [certificate_chain](#certificatechain) for mutual TLS authentication. The value must be one private key encoded in the DER base64 ([RFC4648]) encoded PEM format. diff --git a/docs/content/en/configuration/prologue/migration.md b/docs/content/en/configuration/prologue/migration.md index e03460c95..82f9c3f59 100644 --- a/docs/content/en/configuration/prologue/migration.md +++ b/docs/content/en/configuration/prologue/migration.md @@ -73,7 +73,7 @@ environment variable or other environment variables set. This also applies to ot *__Please Note:__ if you're using Authelia with Kubernetes and are not using the provided [helm chart](https://charts.authelia.com) you will be required to -[configure the enableServiceLinks](../../integration/kubernetes/introduction/index.md#enable-service-links) option.* +[configure the enableServiceLinks](../../integration/kubernetes/introduction.md#enable-service-links) option.* ### 4.25.0 @@ -99,7 +99,7 @@ The following changes occurred in 4.7.0: | logs_level | log_level | | logs_file | log_file | -*__Please Note:__ The new keys also changed in [4.30.0](#4.30.0) so you will need to update them to the new values if you -are using [4.30.0](#4.30.0) or newer instead of the new keys listed here.* +*__Please Note:__ The new keys also changed in [4.30.0](#4300) so you will need to update them to the new values if you +are using [4.30.0](#4300) or newer instead of the new keys listed here.* [YAML]: https://yaml.org/ 
diff --git a/docs/content/en/configuration/second-factor/time-based-one-time-password.md b/docs/content/en/configuration/second-factor/time-based-one-time-password.md index cc6c45c0f..e452dcd6f 100644 --- a/docs/content/en/configuration/second-factor/time-based-one-time-password.md +++ b/docs/content/en/configuration/second-factor/time-based-one-time-password.md @@ -61,10 +61,12 @@ by Authelia from others. *__Important Note:__ Many TOTP applications do not support this option. It is strongly advised you find out which applications your users use and test them before changing this option. It is insufficient to test that the application -can add the key, it must also authenticate with Authelia as some applications silently ignore these options. Bitwarden +can add the key, it must also authenticate with Authelia as some applications silently ignore these options. [Bitwarden] is the only one that has been tested at this time. If you'd like to contribute to documenting support for this option please see [Issue 2650](https://github.com/authelia/authelia/issues/2650).* +[Bitwarden]: https://bitwarden.com/ + The algorithm used for the TOTP key. Possible Values (case-insensitive): @@ -82,7 +84,7 @@ information. *__Important Note:__ Some TOTP applications do not support this option. It is strongly advised you find out which applications your users use and test them before changing this option. It is insufficient to test that the application -can add the key, it must also authenticate with Authelia as some applications silently ignore these options. Bitwarden +can add the key, it must also authenticate with Authelia as some applications silently ignore these options. [Bitwarden] is the only one that has been tested at this time. If you'd like to contribute to documenting support for this option please see [Issue 2650](https://github.com/authelia/authelia/issues/2650).* 
@@ -160,7 +162,7 @@ check the clients. ## Encryption -The TOTP secret is [encrypted](../storage/introduction.md#encryption_key) in the database in version 4.33.0 and above. +The TOTP secret is [encrypted](../storage/introduction.md#encryptionkey) in the database in version 4.33.0 and above. This is so a user having access to only the database cannot easily compromise your two-factor authentication method. This may be inconvenient for some users who wish to export TOTP keys from Authelia to other services. As such there is diff --git a/docs/content/en/configuration/security/access-control.md b/docs/content/en/configuration/security/access-control.md index 011cec776..8993b2027 100644 --- a/docs/content/en/configuration/security/access-control.md +++ b/docs/content/en/configuration/security/access-control.md @@ -198,7 +198,7 @@ When used in conjunction with [domain] the rule will match when either the [doma In addition to standard regex patterns this criteria can match some [Named Regex Groups]. -[domain_regex]: #domain_regex +[domain_regex]: #domainregex ##### Examples @@ -339,7 +339,7 @@ access_control: {{< confkey type="list(string)" required="no" >}} This criteria is a list of values which can be an IP Address, network address range in CIDR notation, or an alias from -the [global](#networks-global) section. It matches against the first address in the `X-Forwarded-For` header, or if there +the [global](#networks--global-) section. It matches against the first address in the `X-Forwarded-For` header, or if there are none it will fall back to the IP address of the packet TCP source IP address. For this reason it's important for you to configure the proxy server correctly in order to accurately match requests with this criteria. *__Note:__ you may combine CIDR networks with the alias rules as you please.* 
@@ -360,7 +360,7 @@ for administrators to tune the security to their specific needs if desired. ##### Examples -*Require [two_factor](#two_factor) for all clients other than internal clients and `112.134.145.167`. The first two +*Require [two_factor](#twofactor) for all clients other than internal clients and `112.134.145.167`. The first two rules in this list are effectively the same rule just expressed in different ways.* ```yaml @@ -485,7 +485,7 @@ access_control: ## Policies The policy of the first matching rule in the configured list decides the policy applied to the request, if no rule -matches the request the [default_policy](#default_policy) is applied. +matches the request the [default_policy](#defaultpolicy) is applied. [policies]: #policies @@ -510,14 +510,14 @@ about the subject is [one_factor]. See [Rule Matching Concept 2] for more inform This policy requires the user at minimum complete 1FA successfully (username and password). This means if they have performed 2FA then they will be allowed to access the resource. -[one_factor]: #one_factor +[one_factor]: #onefactor ### two_factor This policy requires the user to complete 2FA successfully. This is currently the highest level of authentication policy available. -[two_factor]: #two_factor +[two_factor]: #twofactor ## Rule Matching @@ -554,7 +554,7 @@ a match for that request. policy: two_factor ``` -[Rule Matching Concept 1]: #rule-matching-concept-1-sequential-order +[Rule Matching Concept 1]: #rule-matching-concept-1--sequential-order ### Rule Matching Concept 2: Subject Criteria Requires Authentication 
@@ -569,7 +569,7 @@ for authentication if no prior rules match the request per [Rule Matching Concep identical rules, and one of them has a subject based reliant criteria, and the other one is a [bypass] rule then the [bypass] rule should generally come first. -[Rule Matching Concept 2]: #rule-matching-concept-2-subject-criteria-requires-authentication +[Rule Matching Concept 2]: #rule-matching-concept-2--subject-criteria-requires-authentication ## Named Regex Groups diff --git a/docs/content/en/configuration/session/introduction.md b/docs/content/en/configuration/session/introduction.md index 6bc2a3baa..24e54f1aa 100644 --- a/docs/content/en/configuration/session/introduction.md +++ b/docs/content/en/configuration/session/introduction.md @@ -40,7 +40,7 @@ There are currently two providers for session storage (three if you count Redis * Memory (default, stateful, no additional configuration) * [Redis](redis.md) (stateless). -* [Redis Sentinel](redis.md#high_availability) (stateless, highly available). +* [Redis Sentinel](redis.md#highavailability) (stateless, highly available). ### Kubernetes or High Availability @@ -99,7 +99,7 @@ characters. the [common options](../prologue/common.md#duration-notation-format) documentation for information on this format.* The period of time before the cookie expires and the session is destroyed. This is overriden by -[remember_me_duration](#remember_me_duration) when the remember me box is checked. +[remember_me_duration](#remembermeduration) when the remember me box is checked. ### inactivity diff --git a/docs/content/en/configuration/storage/sqlite.md b/docs/content/en/configuration/storage/sqlite.md index d0a27b758..cdb39a319 100644 --- a/docs/content/en/configuration/storage/sqlite.md +++ b/docs/content/en/configuration/storage/sqlite.md @@ -35,7 +35,7 @@ storage: ### encryption_key -See the [encryption_key docs](introduction.md#encryption_key). +See the [encryption_key docs](introduction.md#encryptionkey). ### path 
diff --git a/docs/content/en/configuration/telemetry/introduction.md b/docs/content/en/configuration/telemetry/introduction.md index f073ae94b..c7d1e84ff 100644 --- a/docs/content/en/configuration/telemetry/introduction.md +++ b/docs/content/en/configuration/telemetry/introduction.md @@ -13,7 +13,7 @@ toc: true --- *Authelia* allows collecting telemetry for the purpose of monitoring it. At the present time we only allow collecting -[metrics](./metrics.md). These [metrics](./metrics.md) are stored in memory and must be scraped manually by the +[metrics](metrics.md). These [metrics](metrics.md) are stored in memory and must be scraped manually by the administrator. No metrics or telemetry are reported from an *Authelia* binary to any location the administrator doesn't explicitly diff --git a/docs/content/en/contributing/prologue/financial.md b/docs/content/en/contributing/prologue/financial.md index 9b7de9e96..1b68bf242 100644 --- a/docs/content/en/contributing/prologue/financial.md +++ b/docs/content/en/contributing/prologue/financial.md @@ -24,7 +24,7 @@ was not prompted by any bug bounty program as we do not have one, but we hope to Potential usage for the money, ranked in order of priority: -1. Put Authelia through a comprehensive [Security Audit](../../../information/security.md#help-wanted). +1. Put Authelia through a comprehensive [Security Audit](../../policies/security.md#help-wanted). 1. Audit of Code Security via Analysis. 2. Audit via Penetration Testing. 2. Bug Bounty Program. 
@@ -38,11 +38,11 @@ Please visit [Open Collective] in order to financially contribute to Authelia. Authelia is sponsored by several companies via indirect means. These companies deserve a special mention since their contributions are very important to us but not easily visible. -If you feel you have a product or service that Authelia could benefit from please feel free to [contact](../../../information/contact.md) us. +If you feel you have a product or service that Authelia could benefit from please feel free to [contact](../../information/contact.md) us. We are currently directly looking for someone to sponsor: -* [Security Audit](../../../information/security.md#help-wanted) +* [Security Audit](../../policies/security.md#help-wanted) ### Balto diff --git a/docs/content/en/contributing/prologue/translations.md b/docs/content/en/contributing/prologue/translations.md index f7290b9af..510fa4e54 100644 --- a/docs/content/en/contributing/prologue/translations.md +++ b/docs/content/en/contributing/prologue/translations.md @@ -29,7 +29,7 @@ If the language you wish to translate is not on [Crowdin] then you have a few op ## Overrides Users can override translations easily locally using the -[assets](../../configuration/miscellaneous/server.md#asset_path) directory. This is useful if you wish to perform a +[assets](../../configuration/miscellaneous/server.md#assetpath) directory. This is useful if you wish to perform a translation and see if it looks correct in the browser. [Crowdin]: https://translate.authelia.com diff --git a/docs/content/en/information/contact.md b/docs/content/en/information/contact.md index dc3b4f38f..25ca62ff8 100644 --- a/docs/content/en/information/contact.md +++ b/docs/content/en/information/contact.md 
@@ -11,8 +11,8 @@ aliases: ## Security -If you believe you have identified a security related bug with Authelia please visit the [security policy](security.md) -documentation. +If you believe you have identified a security related bug with Authelia please visit the +[security policy](../policies/security.md) documentation. ## GitHub diff --git a/docs/content/en/integration/deployment/docker.md b/docs/content/en/integration/deployment/docker.md index 58177b2be..3aee92211 100644 --- a/docs/content/en/integration/deployment/docker.md +++ b/docs/content/en/integration/deployment/docker.md @@ -42,10 +42,10 @@ It expects the following: * The file `data/authelia/config/configuration.yml` is present and the configuration file. * The directory `data/authelia/secrets/` exists and contain the relevant [secret](../../configuration/methods/secrets.md) files: - * A file named `JWT_SECRET` for the [jwt_secret](../../configuration/miscellaneous/introduction.md#jwt_secret) + * A file named `JWT_SECRET` for the [jwt_secret](../../configuration/miscellaneous/introduction.md#jwtsecret) * A file named `SESSION_SECRET` for the [session secret](../../configuration/session/introduction.md#secret) * A file named `STORAGE_PASSWORD` for the [PostgreSQL password secret](../../configuration/storage/postgres.md#password) - * A file named `STORAGE_ENCRYPTION_KEY` for the [storage encryption_key secret](../../configuration/storage/introduction.md#encryption_key) + * A file named `STORAGE_ENCRYPTION_KEY` for the [storage encryption_key secret](../../configuration/storage/introduction.md#encryptionkey) * You're using PostgreSQL. * You have an external network named `net` which is in bridge mode. diff --git a/docs/content/en/integration/deployment/introduction.md b/docs/content/en/integration/deployment/introduction.md index 76d245bea..bd590c057 100644 --- a/docs/content/en/integration/deployment/introduction.md +++ b/docs/content/en/integration/deployment/introduction.md 
@@ -15,7 +15,7 @@ toc: true There are three main methods to deploy *Authelia*. 1. [Docker](docker.md) -2. [Kubernetes](../kubernetes/introduction/index.md) +2. [Kubernetes](../kubernetes/introduction.md) 3. [Bare-Metal](bare-metal.md) ## Get Started diff --git a/docs/content/en/integration/deployment/kubernetes.md b/docs/content/en/integration/deployment/kubernetes.md index 99edc587d..0e317abf8 100644 --- a/docs/content/en/integration/deployment/kubernetes.md +++ b/docs/content/en/integration/deployment/kubernetes.md @@ -15,4 +15,4 @@ search: index: false --- -Please see the dedicated [Kubernetes Documentation](../kubernetes/introduction/index.md). +Please see the dedicated [Kubernetes Documentation](../kubernetes/introduction.md). diff --git a/docs/content/en/integration/kubernetes/introduction.md b/docs/content/en/integration/kubernetes/introduction.md index 4439f8aa0..71027e218 100644 --- a/docs/content/en/integration/kubernetes/introduction.md +++ b/docs/content/en/integration/kubernetes/introduction.md @@ -30,7 +30,7 @@ Users are welcome to reach out directly by using any of our various [contact opt ## Get Started It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our -[Get Started](../../prologue/get-started) guide. This takes you through various steps which are essential to +[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to bootstrapping *Authelia*. ## Important Notes 
@@ -70,7 +70,7 @@ spec: If using file-based authentication, the argon2id provider will by default use 1GB of RAM for password generation. This means you should allow for at least this amount in your deployment/daemonset spec and have this much available on your node, alternatively you can -[tweak the providers settings](../../../configuration/first-factor/file.md#memory). Otherwise, +[tweak the providers settings](../../configuration/first-factor/file.md#memory). Otherwise, your Authelia may OOM during login. See [here](https://github.com/authelia/authelia/issues/1234#issuecomment-663910799) for more info. diff --git a/docs/content/en/integration/kubernetes/traefik-ingress.md b/docs/content/en/integration/kubernetes/traefik-ingress.md index 67fbda97c..3ada01b8e 100644 --- a/docs/content/en/integration/kubernetes/traefik-ingress.md +++ b/docs/content/en/integration/kubernetes/traefik-ingress.md @@ -86,7 +86,7 @@ metadata: name: app namespace: default annotations: - traefik.ingress.kubernetes.io/router.entrypoints: websecure + traefik.ingress.kubernetes.io/router.entryPoints: websecure traefik.ingress.kubernetes.io/router.middlewares: default-forwardauth-authelia@kubernetescrd traefik.ingress.kubernetes.io/router.tls: "true" spec: diff --git a/docs/content/en/integration/openid-connect/introduction.md b/docs/content/en/integration/openid-connect/introduction.md index bc7939fca..6a36150af 100644 --- a/docs/content/en/integration/openid-connect/introduction.md +++ b/docs/content/en/integration/openid-connect/introduction.md 
@@ -111,7 +111,7 @@ Below is a list of the potential values we place in the [Claim] and their meanin ## User Information Signing Algorithm The following table describes the response from the [UserInfo] endpoint depending on the -[userinfo_signing_algorithm](../../configuration/identity-providers/open-id-connect.md#userinfo_signing_algorithm). +[userinfo_signing_algorithm](../../configuration/identity-providers/open-id-connect.md#userinfosigningalgorithm). | Signing Algorithm | Encoding | Content Type | |:-----------------:|:------------:|:-----------------------------------:| diff --git a/docs/content/en/integration/prologue/get-started.md b/docs/content/en/integration/prologue/get-started.md index 5d41d4c7c..e9202ef8d 100644 --- a/docs/content/en/integration/prologue/get-started.md +++ b/docs/content/en/integration/prologue/get-started.md @@ -38,9 +38,9 @@ used as a basis for configuration. The important sections to consider in initial configuration are as follows: -1. [jwt_secret](../../configuration/miscellaneous/introduction.md#jwt_secret) which is used to sign identity +1. [jwt_secret](../../configuration/miscellaneous/introduction.md#jwtsecret) which is used to sign identity verification emails -2. [default_redirection_url](../../configuration/miscellaneous/introduction.md#default_redirection_url) which is the +2. [default_redirection_url](../../configuration/miscellaneous/introduction.md#defaultredirectionurl) which is the default URL users will be redirected to when visiting *Authelia* directly 3. [authentication_backend](../../configuration/first-factor/introduction.md) which you must pick between [LDAP](../../configuration/first-factor/ldap.md) and a [YAML File](../../configuration/first-factor/file.md) and is 
@@ -76,8 +76,8 @@ There are several methods of deploying *Authelia* and we recommend reading the The default method of utilizing *Authelia* is via the [Proxy Integrations](../proxies/introduction.md). It's recommended that you read the relevant [Proxy Integration Documentation](../proxies/introduction.md). -*__Important Note:__ When your [Deployment](#deployment) is on [Kubernetes](../kubernetes/introduction/index.md) we -recommend viewing the dedicated [Kubernetes Documentation](../kubernetes/introduction/index.md) prior to viewing the +*__Important Note:__ When your [Deployment](#deployment) is on [Kubernetes](../kubernetes/introduction.md) we +recommend viewing the dedicated [Kubernetes Documentation](../kubernetes/introduction.md) prior to viewing the [Proxy Integration Documentation](../proxies/introduction.md).* ## Moving to Production diff --git a/docs/content/en/integration/proxies/nginx-proxy-manager/index.md b/docs/content/en/integration/proxies/nginx-proxy-manager/index.md index e0bdf2ceb..8532112ab 100644 --- a/docs/content/en/integration/proxies/nginx-proxy-manager/index.md +++ b/docs/content/en/integration/proxies/nginx-proxy-manager/index.md @@ -24,12 +24,12 @@ throughout this documentation and in the [See Also](#see-also) section.* ## Get Started It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our -[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to +[Get Started](../../prologue/get-started.md) guide. This takes you through various steps which are essential to bootstrapping *Authelia*. ## Requirements -[NGINX Proxy Manager] supports the required [NGINX](nginx.md#requirements) requirements for __Authelia__ out-of-the-box. +[NGINX Proxy Manager] supports the required [NGINX](../nginx.md#requirements) requirements for __Authelia__ out-of-the-box. ## Trusted Proxies 
@@ -37,7 +37,7 @@ bootstrapping *Authelia*. Especially if you have never read it before.* To configure trusted proxies for [NGINX Proxy Manager] see the [NGINX] section on -[Trusted Proxies](nginx.md#trusted-proxies). Adapting this to [NGINX Proxy Manager] is beyond the scope of +[Trusted Proxies](../nginx.md#trusted-proxies). Adapting this to [NGINX Proxy Manager] is beyond the scope of this documentation. ## Docker Compose @@ -137,9 +137,9 @@ either most likely require an adjustment, or may require an adjustment if you're ### Snippets The examples assume you've mounted a volume containing the relevant -[NGINX Snippets](nginx.md#supporting-configuration-snippets) from the [NGINX Integration Guide](nginx.md). The suggested -snippets are the `proxy.conf`, `authelia-location.conf`, and `authelia-authrequest.conf`. It may be fine to substitute -the standard variant of the `proxy.conf` for the headers only variant but this is untested. +[NGINX Snippets](../nginx.md#supporting-configuration-snippets) from the [NGINX Integration Guide](../nginx.md). The +suggested snippets are the `proxy.conf`, `authelia-location.conf`, and `authelia-authrequest.conf`. It may be fine to +substitute the standard variant of the `proxy.conf` for the headers only variant but this is untested. These snippets make the addition of a protected proxy host substantially easier. diff --git a/docs/content/en/integration/proxies/nginx.md b/docs/content/en/integration/proxies/nginx.md index 5b48e39be..683c2cf2a 100644 --- a/docs/content/en/integration/proxies/nginx.md +++ b/docs/content/en/integration/proxies/nginx.md 
@@ -62,7 +62,7 @@ required modules including the `http_set_misc` module. It also includes the [nginx-proxy-confs](https://github.com/linuxserver/docker-mods/tree/nginx-proxy-confs) mod where they have several configuration examples in the `/config/nginx/proxy-confs` directory. This can be omitted if desired. -If you're looking for a more complete solution [linuxserver.io] also have an nginx container called [SWAG](./swag.md) +If you're looking for a more complete solution [linuxserver.io] also have an nginx container called [SWAG](swag.md) which includes ACME and various other useful utilities. {{< details "docker-compose.yaml" >}} diff --git a/docs/content/en/integration/proxies/support.md b/docs/content/en/integration/proxies/support.md index cc0803e64..d74252e4e 100644 --- a/docs/content/en/integration/proxies/support.md +++ b/docs/content/en/integration/proxies/support.md @@ -76,7 +76,7 @@ For example the nginx ngx_http_auth_request_module does not seem to support this Authelia detects the upstream request method using the X-Forwarded-Method header. Some proxies set this out of the box, some require you to configure this manually. At the present time all proxies that have -[Standard Support](#standard-support) do support this. +[Standard Support](#standard) do support this. ## Specific proxy notes diff --git a/docs/content/en/integration/proxies/swag.md b/docs/content/en/integration/proxies/swag.md index d659672a2..2e49ce249 100644 --- a/docs/content/en/integration/proxies/swag.md +++ b/docs/content/en/integration/proxies/swag.md 
@@ -77,7 +77,7 @@ required modules including the `http_set_misc` module. It also includes the [nginx-proxy-confs](https://github.com/linuxserver/docker-mods/tree/nginx-proxy-confs) mod where they have several configuration examples in the `/config/nginx/proxy-confs` directory. This can be omitted if desired. -If you're looking for a more complete solution [linuxserver.io] also have an nginx container called [SWAG](./swag.md) +If you're looking for a more complete solution [linuxserver.io] also have an nginx container called [SWAG](swag.md) which includes ACME and various other useful utilities. {{< details "docker-compose.yaml" >}} diff --git a/docs/content/en/overview/authentication/introduction.md b/docs/content/en/overview/authentication/introduction.md index 9d3c0f632..4376e82e1 100644 --- a/docs/content/en/overview/authentication/introduction.md +++ b/docs/content/en/overview/authentication/introduction.md @@ -25,8 +25,8 @@ unreliable and simple usernames and passwords are not sufficient for security. __Authelia__ enables primarily two-factor authentication. These methods offered come in two forms: -* 1FA or first-factor authentication which is handled by a username and password. This falls into the *something you know* - categorization. +* 1FA or first-factor authentication which is handled by a username and password. This falls into the + *something you know* categorization. * 2FA or second-factor authentication which is handled by several methods including one-time passwords, authentication keys, etc. This falls into the *something you have* categorization. diff --git a/docs/content/en/overview/authentication/push-notification/index.md b/docs/content/en/overview/authentication/push-notification/index.md index e509f22d1..c7e5ba725 100644 --- a/docs/content/en/overview/authentication/push-notification/index.md +++ b/docs/content/en/overview/authentication/push-notification/index.md 
@@ -28,14 +28,7 @@ the user must match the name of the user in Authelia, or must have an alias that Then, in Duo interface, click on *Applications* and *Protect an Application*. Select the option *Partner Auth API*. This will generate an integration key, a secret key and a hostname. You can set the name of the application to __Authelia__ -and then you must add the generated information to Authelia [configuration](../../deployment/index.md) as shown below: - -```yaml -duo_api: - hostname: api-123456789.example.com - integration_key: ABCDEF - secret_key: 1234567890abcdefghifjkl -``` +and then you must add the generated information to Authelia [configuration](../../../configuration/second-factor/duo.md). See the [configuration documentation](../../../configuration/second-factor/duo.md) for more details. diff --git a/docs/content/en/overview/prologue/architecture/index.md b/docs/content/en/overview/prologue/architecture/index.md index d4e36f494..dd1866a7f 100644 --- a/docs/content/en/overview/prologue/architecture/index.md +++ b/docs/content/en/overview/prologue/architecture/index.md @@ -53,6 +53,6 @@ Authelia only works for websites served over HTTPS because the session cookie ca connections. Please note that it has been decided that we won't support websites served over HTTP in order to avoid any risk due to misconfiguration (see [#590](https://github.com/authelia/authelia/issues/590)). -If a self-signed certificate is required, the -[Generating an RSA Self-Signed Certificate](../../../reference/guides/generating-secure-values.md#generating-an-rsa-self-signed-certificate) -guide should be followed. +If a self-signed certificate is required, the [Generating an RSA Self-Signed Certificate] guide should be followed. + +[Generating an RSA Self-Signed Certificate]: ../../../reference/guides/generating-secure-values.md#generating-an-rsa-self-signed-certificate 
diff --git a/docs/content/en/overview/security/measures.md b/docs/content/en/overview/security/measures.md index 17d9dc17b..5c7067b8a 100644 --- a/docs/content/en/overview/security/measures.md +++ b/docs/content/en/overview/security/measures.md @@ -73,7 +73,7 @@ attacker obtains the file, each password has to be brute forced individually. Lastly Authelia's implementation of Argon2id is highly tunable. You can tune the key length, salt used, iterations (time), parallelism, and memory usage. To read more about this please read how to -[configure](../configuration/authentication/file.md) file authentication. +[configure](../../configuration/first-factor/file.md) file authentication. ## User profile and group membership always kept up-to-date (LDAP authentication provider) @@ -147,7 +147,7 @@ If you wish to change your encryption key for any reason you can do so using the ## Notifier security measures (SMTP) -The SMTP Notifier implementation does not allow connections that are not secure without changing default configuration +The SMTP Notifier implementation does not allow connections that are not secure without changing default configuration values. As such all SMTP connections require the following: 
@@ -158,59 +158,60 @@ As such all SMTP connections require the following: There is an option to disable both of these security measures however they are __not recommended__. -The following configuration options exist to configure the security level in order of most preferable to least +The following configuration options exist to configure the security level in order of most preferable to least preferable: ### Configuration Option: certificates_directory -You can [configure a directory](../../configuration/miscellaneous/introduction.md#certificates_directory) of -certificates for Authelia -to trust. These certificates can either be CA's or individual public certificates that should be trusted. These -are added in addition to the environments PKI trusted certificates if available. This is useful for trusting a -certificate that is self-signed without drastically reducing security. This is the most recommended workaround to not -having a valid PKI trusted certificate as it gives you complete control over which ones are trusted without disabling -critically needed validation of the identity of the target service. +You can configure a [certificates_directory] option which contains certificates for Authelia to trust. These certificates +can either be CA's or individual public certificates that should be trusted. These are added in addition to the +environments PKI trusted certificates if available. This is useful for trusting a certificate that is self-signed without +drastically reducing security. This is the most recommended workaround to not having a valid PKI trusted certificate as +it gives you complete control over which ones are trusted without disabling critically needed validation of the identity +of the target service. -Read more in the [documentation](../../configuration/miscellaneous/introduction.md#certificates_directory) for this -option. +Read more in the [certificates_directory] documentation for this option. 
+ +[certificates_directory]: ../../configuration/miscellaneous/introduction.md#certificatesdirectory +[certificates directory]: #configuration-option--certificatesdirectory ### Configuration Option: tls.skip_verify The [tls.skip_verify](../../configuration/notifications/smtp.md#tls) option allows you to skip verifying the certificate -entirely which is why [certificates_directory](#configuration-option-certificates_directory) is preferred over this. -This will effectively mean you cannot be sure the certificate is valid which means an attacker via DNS poisoning or MITM -attacks could intercept emails from Authelia compromising a user's security without their knowledge. +entirely which is why [certificates directory] is preferred over this. This will effectively mean you cannot be sure the +certificate is valid which means an attacker via DNS poisoning or MITM attacks could intercept emails from Authelia +compromising a user's security without their knowledge. ### Configuration Option: disable_require_tls Authelia by default ensures that the SMTP server connection is secured via TLS prior to sending sensitive information. -The [disable_require_tls](../../configuration/notifications/smtp.md#disable_require_tls) option disables this -requirement which means the emails may be sent in cleartext. This is the least secure option as it effectively removes +The [disable_require_tls](../../configuration/notifications/smtp.md#disablerequiretls) option disables this +requirement which means the emails may be sent in cleartext. This is the least secure option as it effectively removes the validation of SMTP certificates and makes using an encrypted connection with TLS optional. 
-This means not only can the vulnerabilities of the [skip_verify](#configuration-option-tlsskip_verify) option be -exploited, but any router or switch along the route of the email which receives the packets could be used to silently +This means not only can the vulnerabilities of the [skip_verify](#configuration-option--tlsskipverify) option be +exploited, but any router or switch along the route of the email which receives the packets could be used to silently exploit the cleartext nature of the connection to manipulate the email in transit. -This is only usable currently with authentication disabled (_comment out the password_), and as such is only an option +This is only usable currently with authentication disabled (_comment out the password_), and as such is only an option for SMTP servers that allow unauthenticated relaying (bad practice). ### SMTP Ports All SMTP connections begin as [cleartext], and then negotiate to upgrade to a secure TLS connection via STARTTLS. -The [`submissions` service][service-submissions] (_typically port 465_) is an exception to this rule, where the -connection begins immediately secured with TLS (_similar to HTTPS_). When the configured [port for -SMTP][docs-config-smtp-port] is set to `465`, Authelia will initiate TLS connections without requiring STARTTLS +The [`submissions` service][service-submissions] (_typically port 465_) is an exception to this rule, where the +connection begins immediately secured with TLS (_similar to HTTPS_). When the configured [port for +SMTP][docs-config-smtp-port] is set to `465`, Authelia will initiate TLS connections without requiring STARTTLS negotiation. -When the `submissions` service port is available, it [should be preferred][port-465] over any STARTTLS port for +When the `submissions` service port is available, it [should be preferred][port-465] over any STARTTLS port for submitting mail. 
-**NOTE:** Prior to 2018, port 465 was previously assigned for a similar purpose known as [`smtps`][port-465] (_A TLS +**NOTE:** Prior to 2018, port 465 was previously assigned for a similar purpose known as [`smtps`][port-465] (_A TLS only equivalent of the `smtp` port 25_), which it had been deprecated for. Port 465 has since been re-assigned for only -supporting mail submission (_which unlike SMTP transfers via port 25, [requires authentication][smtp-auth]_), similar +supporting mail submission (_which unlike SMTP transfers via port 25, [requires authentication][smtp-auth]_), similar to port 587 (_the `submission` port, a common alternative that uses STARTTLS instead_). [docs-config-smtp-port]: ../../configuration/notifications/smtp.md#port @@ -237,7 +238,7 @@ would not even be able to create a TCP connection. This measure is recommended i configured some kind of ACLs specifically allowing the communication between proxies and Authelia instances like in a service mesh or some kind of network overlay. -To configure mutual TLS, please refer to [this document](../../configuration/miscellaneous/server.md#client_certificates) +To configure mutual TLS, please refer to [this document](../../configuration/miscellaneous/server.md#clientcertificates) ## Additional security 
@@ -255,7 +256,7 @@ database. The value of this option should be long and as random as possible. See [documentation](../../configuration/session/introduction.md#secret) for this option. The validity period of session is highly configurable. For example in a highly security conscious domain you could -set the session [remember_me_duration](../../configuration/session/introduction.md#remember_me_duration) to 0 to disable this +set the session [remember_me_duration](../../configuration/session/introduction.md#remembermeduration) to 0 to disable this feature, and set the [expiration](../../configuration/session/introduction.md#expiration) to 2 hours and the [inactivity](../../configuration/session/introduction.md#inactivity) of 10 minutes. Configuring the session security in this manner would mean if the cookie age was more than 2 hours or if the user was inactive for more than 10 minutes the diff --git a/docs/content/en/policies/security.md b/docs/content/en/policies/security.md index bbd332090..13618ba1c 100644 --- a/docs/content/en/policies/security.md +++ b/docs/content/en/policies/security.md 
@@ -37,11 +37,11 @@ This is the preferred method of reporting. ### Chat -If you wish to chat directly instead of sending an email please use one of the [chat options](../information/contact.md#chat) but it -is vital that when you do that you only do so privately with one of the maintainers. In order to start a private -discussion you should ask to have a private discussion with a team member without mentioning the reason why you wish to -have a private discussion so that provided the bug is confirmed we can coordinate the release of fixes and information -responsibly. +If you wish to chat directly instead of sending an email please use one of the +[chat options](../information/contact.md#chat) but it is vital that when you do that you only do so privately with one +of the maintainers. In order to start a private discussion you should ask to have a private discussion with a team +member without mentioning the reason why you wish to have a private discussion so that provided the bug is confirmed we +can coordinate the release of fixes and information responsibly. ## Credit diff --git a/docs/content/en/reference/guides/ldap.md b/docs/content/en/reference/guides/ldap.md index 80a5eccb2..3873b41c6 100644 --- a/docs/content/en/reference/guides/ldap.md +++ b/docs/content/en/reference/guides/ldap.md @@ -22,7 +22,7 @@ The most insecure method is unauthenticated binds. They are generally considered at all ensures anyone with any level of network access can easily obtain objects and their attributes. Authelia does support unauthenticated binds but it is not by default, you must configure the -[permit_unauthenticated_bind](../../configuration/first-factor/ldap.md#permit_unauthenticated_bind) configuration +[permit_unauthenticated_bind](../../configuration/first-factor/ldap.md#permitunauthenticatedbind) configuration option. ### End-User Binding 
diff --git a/docs/content/en/reference/guides/notification-templates.md b/docs/content/en/reference/guides/notification-templates.md index 42ab8f871..2962a39fe 100644 --- a/docs/content/en/reference/guides/notification-templates.md +++ b/docs/content/en/reference/guides/notification-templates.md @@ -16,7 +16,7 @@ Authelia uses templates to generate the HTML and plaintext emails sent via the n two extensions; `.html` for HTML templates, and `.txt` for plaintext templates. This guide effectively documents the usage of the -[template_path](../../configuration/notifications/introduction.md#template_path) notification configuration option. +[template_path](../../configuration/notifications/introduction.md#templatepath) notification configuration option. ## Important Notes @@ -37,7 +37,7 @@ This guide effectively documents the usage of the | PasswordReset | Used to render notifications sent when password has successfully been reset | For example, to modify the `IdentityVerification` HTML template, if your -[template_path](../../configuration/notifications/introduction.md#template_path) was configured as +[template_path](../../configuration/notifications/introduction.md#templatepath) was configured as `/config/email_templates`, you would create the `/config/email_templates/IdentityVerification.html` file to override the HTML `IdentityVerification` template. diff --git a/docs/content/en/reference/guides/passwords.md b/docs/content/en/reference/guides/passwords.md index 42c204f25..1163fa792 100644 --- a/docs/content/en/reference/guides/passwords.md +++ b/docs/content/en/reference/guides/passwords.md 
@@ -156,7 +156,7 @@ See the [Crypt (C) Wiki page](https://en.wikipedia.org/wiki/Crypt_(C)) for more #### Tuning The configuration variables are unique to the file authentication provider, thus they all exist in a key under the file -authentication configuration key called [password](../../configuration/first-factor/file.md#password). The defaults are +authentication configuration key called [password](../../configuration/first-factor/file.md#password-options). The defaults are considered as sane for a reasonable system however we still recommend taking time to figure out the best values to adequately determine the [cost](#cost). diff --git a/docs/content/en/reference/guides/server-asset-overrides.md b/docs/content/en/reference/guides/server-asset-overrides.md index d24790fa1..966401668 100644 --- a/docs/content/en/reference/guides/server-asset-overrides.md +++ b/docs/content/en/reference/guides/server-asset-overrides.md @@ -26,10 +26,10 @@ This guide effectively documents the usage of the ## Assets -| Asset | File Name | Directory | Notes | -|:-------------------:|:-----------:|:---------:|:-------------:| -| Favicon | favicon.ico | No | N/A | -| Logo | logo.png | No | N/A | +| Asset | File Name | Directory | Notes | +|:-------------------:|:-----------:|:---------:|:-----------------------:| +| Favicon | favicon.ico | No | N/A | +| Logo | logo.png | No | N/A | | Translation Locales | locales | Yes | see [locales](#locales) | ## locales diff --git a/docs/content/en/reference/guides/troubleshooting-sanitizaiton.md b/docs/content/en/reference/guides/troubleshooting-sanitizaiton.md index a73df0959..46448ada6 100644 --- a/docs/content/en/reference/guides/troubleshooting-sanitizaiton.md +++ b/docs/content/en/reference/guides/troubleshooting-sanitizaiton.md 
@@ -12,7 +12,6 @@ weight: 220 toc: true aliases: - /r/sanitize - - /reference/guides/domain-sanitizaiton --- Some users may wish to hide their domain in files provided during troubleshooting. While this is discouraged, if a user
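Review bot: In docs/content/en/integration/deployment/docker.md (hunk @@ -42,10), the rewritten fragments drop their underscores (`#jwt_secret` to `#jwtsecret`, `#encryption_key` to `#encryptionkey`), and nothing in the patch shows that the rendered heading IDs take that form. These links are how a reader of the deployment guide reaches the guidance for each secret file, so a dead anchor is more than cosmetic. The same underscore-stripping pattern recurs in the other files of this commit. Please confirm the new fragments against the built site, and consider adding an automated anchor check to the docs build so that later heading renames are caught.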
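Review bot: In docs/content/en/integration/kubernetes/traefik-ingress.md (hunk @@ -86,7), the annotation key changes from `traefik.ingress.kubernetes.io/router.entrypoints` to `router.entryPoints`, which is a configuration change rather than a URL fix. It also no longer matches the all-lowercase `router.middlewares` and `router.tls` keys on the two lines after it. Readers copy this manifest to put forward auth in front of an application, so please confirm the ingress controller accepts the camel-cased key. Otherwise drop the line from a commit titled "docs: fix misc url issues" and submit it separately with the reason for the change.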
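Review bot: In docs/content/en/integration/proxies/swag.md (hunk @@ -77,7), the corrected link `[SWAG](swag.md)` points at the page it sits on, and the sentence around it recommends SWAG as "a more complete solution" from inside the SWAG guide. The identical paragraph appears in the nginx.md hunk, so it looks carried over from there. Rather than only normalising the path, reword or remove the sentence in swag.md.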
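Review bot: In docs/content/en/overview/authentication/push-notification/index.md (hunk @@ -28,14), the rewritten sentence now ends with a link to ../../../configuration/second-factor/duo.md and the unchanged sentence directly after it links to the same file, so the reader gets two consecutive pointers to one page. Fold them into a single sentence. The hunk also deletes the `duo_api` YAML example, which goes beyond a URL fix. Say so in the commit message so the removal is not read as accidental.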
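Review bot: In docs/content/en/overview/security/measures.md (hunk @@ -158,59), the two new reference definitions `[certificates_directory]` and `[certificates directory]` differ only by an underscore versus a space yet resolve to different targets (the configuration page and the in-page heading), which is easy to mix up in later edits to the SMTP hardening text. Give the in-page reference a clearly distinct label. The new fragments `#configuration-option--certificatesdirectory` and `#configuration-option--tlsskipverify` replace single-hyphen forms that kept the underscores. Please check them against the rendered heading IDs, since a dead anchor here leads away from the explanation of why `tls.skip_verify` and `disable_require_tls` are discouraged. Several removed and added line pairs in this hunk read identically, which suggests whitespace-only cleanup that would be easier to review in its own commit.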
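Review bot: In docs/content/en/reference/guides/troubleshooting-sanitizaiton.md (hunk @@ -12,7), the line `- /reference/guides/domain-sanitizaiton` is removed from `aliases:` without explanation, so any existing link to that path loses its target while `/r/sanitize` stays. If the removal is intentional, state the reason in the commit message. Otherwise keep the alias. The file name itself still carries the "sanitizaiton" misspelling. If it is renamed in a follow-up, the old path should be kept as an alias.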