docs: fix misc url issues (#4503)
parent
99f965ae25
commit
b4d9e21387
|
@ -2,7 +2,7 @@
|
||||||
|
|
||||||
Anybody willing to contribute to the project either with code, documentation, security reviews or whatever, are very
|
Anybody willing to contribute to the project either with code, documentation, security reviews or whatever, are very
|
||||||
welcome to create or review pull requests and take part in discussions in any of our public
|
welcome to create or review pull requests and take part in discussions in any of our public
|
||||||
[chat rooms](./README.md#contact-options).
|
[chat rooms](README.md#contact-options).
|
||||||
|
|
||||||
It's also possible to contribute financially in order to support the community.
|
It's also possible to contribute financially in order to support the community.
|
||||||
|
|
||||||
|
@ -42,4 +42,4 @@ Read more about this in the [GitHub docs, Re-requesting a review](https://docs.g
|
||||||
Sometimes the codebase can be a challenge to navigate, especially for a first-time contributor. We don't want you
|
Sometimes the codebase can be a challenge to navigate, especially for a first-time contributor. We don't want you
|
||||||
spending an hour trying to work out something that would take us only a minute to explain.
|
spending an hour trying to work out something that would take us only a minute to explain.
|
||||||
|
|
||||||
If you'd like some help getting started we have several [contact options](./README.md#contact-options) available.
|
If you'd like some help getting started we have several [contact options](README.md#contact-options) available.
|
||||||
|
|
|
@ -184,7 +184,7 @@ Internet (your reverse proxies are) however, it's still the control plane for yo
|
||||||
|
|
||||||
## Contribute
|
## Contribute
|
||||||
|
|
||||||
If you want to contribute to Authelia, please read our [contribution guidelines](./CONTRIBUTING.md).
|
If you want to contribute to Authelia, please read our [contribution guidelines](CONTRIBUTING.md).
|
||||||
|
|
||||||
Authelia exists thanks to all the people who contribute so don't be shy, come chat with us on either [Matrix](#matrix)
|
Authelia exists thanks to all the people who contribute so don't be shy, come chat with us on either [Matrix](#matrix)
|
||||||
or [Discord](#discord) and start contributing too.
|
or [Discord](#discord) and start contributing too.
|
||||||
|
@ -379,7 +379,7 @@ Companies contributing to Authelia via Open Collective will have a special menti
|
||||||
## License
|
## License
|
||||||
|
|
||||||
**Authelia** is **licensed** under the **[Apache 2.0]** license. The terms of the license are detailed in
|
**Authelia** is **licensed** under the **[Apache 2.0]** license. The terms of the license are detailed in
|
||||||
[LICENSE](./LICENSE).
|
[LICENSE](LICENSE).
|
||||||
|
|
||||||
[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fauthelia%2Fauthelia.svg?type=large)](https://app.fossa.com/projects/git%2Bgithub.com%2Fauthelia%2Fauthelia?ref=badge_large)
|
[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fauthelia%2Fauthelia.svg?type=large)](https://app.fossa.com/projects/git%2Bgithub.com%2Fauthelia%2Fauthelia?ref=badge_large)
|
||||||
|
|
||||||
|
|
|
@ -19,14 +19,14 @@ For more information about [security](https://www.authelia.com/information/secur
|
||||||
|
|
||||||
## Contact Options
|
## Contact Options
|
||||||
|
|
||||||
Several [contact options](./README.md#contact-options) exist, it's important to make sure you contact the maintainers
|
Several [contact options](README.md#contact-options) exist, it's important to make sure you contact the maintainers
|
||||||
privately which is described in each available contact method. The methods include our [security email](./README.md#security),
|
privately which is described in each available contact method. The methods include our [security email](README.md#security),
|
||||||
[Matrix](./README.md#matrix), and [Discord](./README.md#discord).
|
[Matrix](README.md#matrix), and [Discord](README.md#discord).
|
||||||
|
|
||||||
## Credit
|
## Credit
|
||||||
|
|
||||||
Users who report bugs will optionally be credited for the discovery. Both in the [security advisory] and in our
|
Users who report bugs will optionally be credited for the discovery. Both in the [security advisory] and in our
|
||||||
[all contributors](./README.md#contribute) configuration/documentation.
|
[all contributors](README.md#contribute) configuration/documentation.
|
||||||
|
|
||||||
## Process
|
## Process
|
||||||
|
|
||||||
|
|
|
@ -167,14 +167,14 @@ section [here](../prologue/common.md#tls-configuration).
|
||||||
|
|
||||||
Sets the base distinguished name container for all LDAP queries. If your LDAP domain is example.com this is usually
|
Sets the base distinguished name container for all LDAP queries. If your LDAP domain is example.com this is usually
|
||||||
`DC=example,DC=com`, however you can fine tune this to be more specific for example to only include objects inside the
|
`DC=example,DC=com`, however you can fine tune this to be more specific for example to only include objects inside the
|
||||||
authelia OU: `OU=authelia,DC=example,DC=com`. This is prefixed with the [additional_users_dn](#additional_users_dn) for
|
authelia OU: `OU=authelia,DC=example,DC=com`. This is prefixed with the [additional_users_dn](#additionalusersdn) for
|
||||||
user searches and [additional_groups_dn](#additional_groups_dn) for groups searches.
|
user searches and [additional_groups_dn](#additionalgroupsdn) for groups searches.
|
||||||
|
|
||||||
### additional_users_dn
|
### additional_users_dn
|
||||||
|
|
||||||
{{< confkey type="string" required="no" >}}
|
{{< confkey type="string" required="no" >}}
|
||||||
|
|
||||||
Additional LDAP path to append to the [base_dn](#base_dn) when searching for users. Useful if you want to restrict
|
Additional LDAP path to append to the [base_dn](#basedn) when searching for users. Useful if you want to restrict
|
||||||
exactly which OU to get users from for either security or performance reasons. For example setting it to
|
exactly which OU to get users from for either security or performance reasons. For example setting it to
|
||||||
`OU=users,OU=people` with a base_dn set to `DC=example,DC=com` will mean user searches will occur in
|
`OU=users,OU=people` with a base_dn set to `DC=example,DC=com` will mean user searches will occur in
|
||||||
`OU=users,OU=people,DC=example,DC=com`.
|
`OU=users,OU=people,DC=example,DC=com`.
|
||||||
|
@ -184,28 +184,31 @@ exactly which OU to get users from for either security or performance reasons. F
|
||||||
{{< confkey type="string" required="situational" >}}
|
{{< confkey type="string" required="situational" >}}
|
||||||
|
|
||||||
*__Note:__ This option is technically required however the [implementation](#implementation) option can implicitly set a
|
*__Note:__ This option is technically required however the [implementation](#implementation) option can implicitly set a
|
||||||
default negating this requirement. Refer to the [filter defaults](#filter-defaults) for more information.*
|
default negating this requirement. Refer to the [filter defaults](../../reference/guides/ldap.md#filter-defaults) for
|
||||||
|
more information.*
|
||||||
|
|
||||||
The LDAP filter to narrow down which users are valid. This is important to set correctly as to exclude disabled users.
|
The LDAP filter to narrow down which users are valid. This is important to set correctly as to exclude disabled users.
|
||||||
The default value is dependent on the [implementation](#implementation), refer to the
|
The default value is dependent on the [implementation](#implementation), refer to the
|
||||||
[attribute defaults](#attribute-defaults) for more information.
|
[attribute defaults](../../reference/guides/ldap.md#attribute-defaults) for more information.
|
||||||
|
|
||||||
### username_attribute
|
### username_attribute
|
||||||
|
|
||||||
{{< confkey type="string" required="situational" >}}
|
{{< confkey type="string" required="situational" >}}
|
||||||
|
|
||||||
*__Note:__ This option is technically required however the [implementation](#implementation) option can implicitly set a
|
*__Note:__ This option is technically required however the [implementation](#implementation) option can implicitly set a
|
||||||
default negating this requirement. Refer to the [attribute defaults](#attribute-defaults) for more information.*
|
default negating this requirement. Refer to the [attribute defaults](../../reference/guides/ldap.md#attribute-defaults)
|
||||||
|
for more information.*
|
||||||
|
|
||||||
The LDAP attribute that maps to the username in *Authelia*. This must contain the `{username_attribute}`
|
The LDAP attribute that maps to the username in *Authelia*. This must contain the `{username_attribute}`
|
||||||
[placeholder](#users-filter-replacements).
|
[placeholder](../../reference/guides/ldap.md#users-filter-replacements).
|
||||||
|
|
||||||
### mail_attribute
|
### mail_attribute
|
||||||
|
|
||||||
{{< confkey type="string" required="situational" >}}
|
{{< confkey type="string" required="situational" >}}
|
||||||
|
|
||||||
*__Note:__ This option is technically required however the [implementation](#implementation) option can implicitly set a
|
*__Note:__ This option is technically required however the [implementation](#implementation) option can implicitly set a
|
||||||
default negating this requirement. Refer to the [attribute defaults](#attribute-defaults) for more information.*
|
default negating this requirement. Refer to the [attribute defaults](../../reference/guides/ldap.md#attribute-defaults)
|
||||||
|
for more information.*
|
||||||
|
|
||||||
The attribute to retrieve which contains the users email addresses. This is important for the device registration and
|
The attribute to retrieve which contains the users email addresses. This is important for the device registration and
|
||||||
password reset processes. The user must have an email address in order for Authelia to perform identity verification
|
password reset processes. The user must have an email address in order for Authelia to perform identity verification
|
||||||
|
@ -294,7 +297,7 @@ characters and the user password is changed to this value.
|
||||||
|
|
||||||
## Refresh Interval
|
## Refresh Interval
|
||||||
|
|
||||||
It's recommended you either use the default [refresh interval](./introduction.md#refresh_interval) or configure this to
|
It's recommended you either use the default [refresh interval](introduction.md#refreshinterval) or configure this to
|
||||||
a value low enough to refresh the user groups and status (deleted, disabled, etc) to adequately secure your environment.
|
a value low enough to refresh the user groups and status (deleted, disabled, etc) to adequately secure your environment.
|
||||||
|
|
||||||
## Important notes
|
## Important notes
|
||||||
|
@ -311,6 +314,6 @@ for your users.
|
||||||
|
|
||||||
- [LDAP Reference Guide](../../reference/guides/ldap.md)
|
- [LDAP Reference Guide](../../reference/guides/ldap.md)
|
||||||
|
|
||||||
[username attribute]: #username_attribute
|
[username attribute]: #usernameattribute
|
||||||
[TechNet wiki]: https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx
|
[TechNet wiki]: https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx
|
||||||
[RFC2307]: https://www.rfc-editor.org/rfc/rfc2307.html
|
[RFC2307]: https://www.rfc-editor.org/rfc/rfc2307.html
|
||||||
|
|
|
@ -157,8 +157,8 @@ The HMAC secret used to sign the [JWT]'s. The provided string is hashed to a SHA
|
||||||
purpose of meeting the required format.
|
purpose of meeting the required format.
|
||||||
|
|
||||||
It's __strongly recommended__ this is a
|
It's __strongly recommended__ this is a
|
||||||
[Random Alphanumeric String](../../reference/guides/generating-secure-values.md#generating-a-random-alphanumeric-string) with 64 or more
|
[Random Alphanumeric String](../../reference/guides/generating-secure-values.md#generating-a-random-alphanumeric-string)
|
||||||
characters.
|
with 64 or more characters.
|
||||||
|
|
||||||
### issuer_certificate_chain
|
### issuer_certificate_chain
|
||||||
|
|
||||||
|
@ -173,7 +173,7 @@ as per [RFC7517].
|
||||||
[x5c]: https://www.rfc-editor.org/rfc/rfc7517#section-4.7
|
[x5c]: https://www.rfc-editor.org/rfc/rfc7517#section-4.7
|
||||||
[x5t]: https://www.rfc-editor.org/rfc/rfc7517#section-4.8
|
[x5t]: https://www.rfc-editor.org/rfc/rfc7517#section-4.8
|
||||||
|
|
||||||
The first certificate in the chain must have the public key for the [issuer_private_key](#issuer_private_key), each
|
The first certificate in the chain must have the public key for the [issuer_private_key](#issuerprivatekey), each
|
||||||
certificate in the chain must be valid for the current date, and each certificate in the chain should be signed by the
|
certificate in the chain must be valid for the current date, and each certificate in the chain should be signed by the
|
||||||
certificate immediately following it if present.
|
certificate immediately following it if present.
|
||||||
|
|
||||||
|
@ -185,14 +185,15 @@ certificate immediately following it if present.
|
||||||
especially for containerized deployments.*
|
especially for containerized deployments.*
|
||||||
|
|
||||||
The private key used to sign/encrypt the [OpenID Connect] issued [JWT]'s. The key must be generated by the administrator
|
The private key used to sign/encrypt the [OpenID Connect] issued [JWT]'s. The key must be generated by the administrator
|
||||||
and can be done by following the [Generating an RSA Keypair](../../reference/guides/generating-secure-values.md#generating-an-rsa-keypair) guide.
|
and can be done by following the
|
||||||
|
[Generating an RSA Keypair](../../reference/guides/generating-secure-values.md#generating-an-rsa-keypair) guide.
|
||||||
|
|
||||||
The private key *__MUST__*:
|
The private key *__MUST__*:
|
||||||
* Be a PEM block encoded in the DER base64 format ([RFC4648]).
|
* Be a PEM block encoded in the DER base64 format ([RFC4648]).
|
||||||
* Be an RSA Key.
|
* Be an RSA Key.
|
||||||
* Have a key size of at least 2048 bits.
|
* Have a key size of at least 2048 bits.
|
||||||
|
|
||||||
If the [issuer_certificate_chain](#issuer_certificate_chain) is provided the private key must include matching public
|
If the [issuer_certificate_chain](#issuercertificatechain) is provided the private key must include matching public
|
||||||
key data for the first certificate in the chain.
|
key data for the first certificate in the chain.
|
||||||
|
|
||||||
### access_token_lifespan
|
### access_token_lifespan
|
||||||
|
@ -302,7 +303,7 @@ you must configure this option manually if you want http endpoints to be permitt
|
||||||
Origins must only have the scheme, hostname and port, they may not have a trailing slash or path.
|
Origins must only have the scheme, hostname and port, they may not have a trailing slash or path.
|
||||||
|
|
||||||
In addition to an Origin URI, you may specify the wildcard origin in the allowed_origins. It MUST be specified by itself
|
In addition to an Origin URI, you may specify the wildcard origin in the allowed_origins. It MUST be specified by itself
|
||||||
and the [allowed_origins_from_client_redirect_uris](#allowed_origins_from_client_redirect_uris) MUST NOT be enabled. The
|
and the [allowed_origins_from_client_redirect_uris](#allowedoriginsfromclientredirecturis) MUST NOT be enabled. The
|
||||||
wildcard origin is denoted as `*`. Examples:
|
wildcard origin is denoted as `*`. Examples:
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
|
@ -422,7 +423,7 @@ Configures the consent mode. The following table describes the different modes:
|
||||||
| implicit | Automatically assumes consent for every authorization, never asking the user if they wish to give consent. *__Note:__* this option is not technically part of the specification. |
|
| implicit | Automatically assumes consent for every authorization, never asking the user if they wish to give consent. *__Note:__* this option is not technically part of the specification. |
|
||||||
| pre-configured | Allows the end-user to remember their consent for the [pre_configured_consent_duration]. |
|
| pre-configured | Allows the end-user to remember their consent for the [pre_configured_consent_duration]. |
|
||||||
|
|
||||||
[pre_configured_consent_duration]: #pre_configured_consent_duration
|
[pre_configured_consent_duration]: #preconfiguredconsentduration
|
||||||
|
|
||||||
#### pre_configured_consent_duration
|
#### pre_configured_consent_duration
|
||||||
|
|
||||||
|
@ -439,7 +440,7 @@ The period of time dictates how long a users choice to remember the pre-configur
|
||||||
Pre-configured consents are only valid if the subject, client id are exactly the same and the requested scopes/audience
|
Pre-configured consents are only valid if the subject, client id are exactly the same and the requested scopes/audience
|
||||||
match exactly with the granted scopes/audience.
|
match exactly with the granted scopes/audience.
|
||||||
|
|
||||||
[consent_mode]: #consent_mode
|
[consent_mode]: #consentmode
|
||||||
|
|
||||||
#### audience
|
#### audience
|
||||||
|
|
||||||
|
|
|
@ -27,7 +27,7 @@ likely result in an error or even worse misconfiguration.
|
||||||
### Kubernetes
|
### Kubernetes
|
||||||
|
|
||||||
Please see the
|
Please see the
|
||||||
[Kubernetes Integration: Enable Service Links](../../integration/kubernetes/introduction/index.md#enable-service-links)
|
[Kubernetes Integration: Enable Service Links](../../integration/kubernetes/introduction.md#enable-service-links)
|
||||||
documentation for specific requirements for using *Authelia* with Kubernetes.
|
documentation for specific requirements for using *Authelia* with Kubernetes.
|
||||||
|
|
||||||
## Mapping
|
## Mapping
|
||||||
|
|
|
@ -55,15 +55,15 @@ other configuration using the environment but instead of loading a file the valu
|
||||||
{{% table-config-keys secrets="true" %}}
|
{{% table-config-keys secrets="true" %}}
|
||||||
|
|
||||||
[server.tls.key]: ../miscellaneous/server.md#key
|
[server.tls.key]: ../miscellaneous/server.md#key
|
||||||
[jwt_secret]: ../miscellaneous/introduction.md#jwt_secret
|
[jwt_secret]: ../miscellaneous/introduction.md#jwtsecret
|
||||||
[duo_api.integration_key]: ../second-factor/duo.md#integration_key
|
[duo_api.integration_key]: ../second-factor/duo.md#integrationkey
|
||||||
[duo_api.secret_key]: ../second-factor/duo.md#secret_key
|
[duo_api.secret_key]: ../second-factor/duo.md#secretkey
|
||||||
[session.secret]: ../session/introduction.md#secret
|
[session.secret]: ../session/introduction.md#secret
|
||||||
[session.redis.password]: ../session/redis.md#password
|
[session.redis.password]: ../session/redis.md#password
|
||||||
[session.redis.tls.certificate_chain]: ../session/redis.md#tls
|
[session.redis.tls.certificate_chain]: ../session/redis.md#tls
|
||||||
[session.redis.tls.private_key]: ../session/redis.md#tls
|
[session.redis.tls.private_key]: ../session/redis.md#tls
|
||||||
[session.redis.high_availability.sentinel_password]: ../session/redis.md#sentinel_password
|
[session.redis.high_availability.sentinel_password]: ../session/redis.md#sentinelpassword
|
||||||
[storage.encryption_key]: ../storage/introduction.md#encryption_key
|
[storage.encryption_key]: ../storage/introduction.md#encryptionkey
|
||||||
[storage.mysql.password]: ../storage/mysql.md#password
|
[storage.mysql.password]: ../storage/mysql.md#password
|
||||||
[storage.mysql.tls.certificate_chain]: ../storage/mysql.md#tls
|
[storage.mysql.tls.certificate_chain]: ../storage/mysql.md#tls
|
||||||
[storage.mysql.tls.private_key]: ../storage/mysql.md#tls
|
[storage.mysql.tls.private_key]: ../storage/mysql.md#tls
|
||||||
|
@ -77,9 +77,9 @@ other configuration using the environment but instead of loading a file the valu
|
||||||
[authentication_backend.ldap.password]: ../first-factor/ldap.md#password
|
[authentication_backend.ldap.password]: ../first-factor/ldap.md#password
|
||||||
[authentication_backend.ldap.tls.certificate_chain]: ../first-factor/ldap.md#tls
|
[authentication_backend.ldap.tls.certificate_chain]: ../first-factor/ldap.md#tls
|
||||||
[authentication_backend.ldap.tls.private_key]: ../first-factor/ldap.md#tls
|
[authentication_backend.ldap.tls.private_key]: ../first-factor/ldap.md#tls
|
||||||
[identity_providers.oidc.issuer_certificate_chain]: ../identity-providers/open-id-connect.md#issuer_certificate_chain
|
[identity_providers.oidc.issuer_certificate_chain]: ../identity-providers/open-id-connect.md#issuercertificatechain
|
||||||
[identity_providers.oidc.issuer_private_key]: ../identity-providers/open-id-connect.md#issuer_private_key
|
[identity_providers.oidc.issuer_private_key]: ../identity-providers/open-id-connect.md#issuerprivatekey
|
||||||
[identity_providers.oidc.hmac_secret]: ../identity-providers/open-id-connect.md#hmac_secret
|
[identity_providers.oidc.hmac_secret]: ../identity-providers/open-id-connect.md#hmacsecret
|
||||||
|
|
||||||
|
|
||||||
## Secrets in configuration file
|
## Secrets in configuration file
|
||||||
|
|
|
@ -73,7 +73,7 @@ default_2fa_method: totp
|
||||||
especially for containerized deployments.*
|
especially for containerized deployments.*
|
||||||
|
|
||||||
Defines the secret used to craft JWT tokens leveraged by the identity verification process. This can a random string.
|
Defines the secret used to craft JWT tokens leveraged by the identity verification process. This can a random string.
|
||||||
It's strongly recommended this is a [Random Alphanumeric String](../../reference/guides/generating-secure-values.md/#generating-a-random-alphanumeric-string) with
|
It's strongly recommended this is a [Random Alphanumeric String](../../reference/guides/generating-secure-values.md#generating-a-random-alphanumeric-string) with
|
||||||
64 or more characters.
|
64 or more characters.
|
||||||
|
|
||||||
### theme
|
### theme
|
||||||
|
|
|
@ -68,4 +68,4 @@ Setting this to true will disable the startup check entirely.
|
||||||
|
|
||||||
Setting this to true will allow Authelia to start and just log an error instead of exiting. The default is that if
|
Setting this to true will allow Authelia to start and just log an error instead of exiting. The default is that if
|
||||||
Authelia can contact the NTP server successfully, and the time reported by the server is greater than what is configured
|
Authelia can contact the NTP server successfully, and the time reported by the server is greater than what is configured
|
||||||
in [max_desync](#max_desync) that Authelia fails to start and logs a fatal error.
|
in [max_desync](#maxdesync) that Authelia fails to start and logs a fatal error.
|
||||||
|
|
|
@ -123,7 +123,7 @@ require an IP address for the host of the backend service but want to verify a s
|
||||||
|
|
||||||
The key `skip_verify` completely negates validating the certificate of the backend service. This is not recommended,
|
The key `skip_verify` completely negates validating the certificate of the backend service. This is not recommended,
|
||||||
instead you should tweak the `server_name` option, and the global option
|
instead you should tweak the `server_name` option, and the global option
|
||||||
[certificates directory](../miscellaneous/introduction.md#certificates_directory).
|
[certificates directory](../miscellaneous/introduction.md#certificatesdirectory).
|
||||||
|
|
||||||
### minimum_version
|
### minimum_version
|
||||||
|
|
||||||
|
@ -147,7 +147,7 @@ this value. At the time of this writing `SSL3.0` will always produce errors.
|
||||||
|
|
||||||
{{< confkey type="string" required="no" >}}
|
{{< confkey type="string" required="no" >}}
|
||||||
|
|
||||||
The certificate chain/bundle to be used with the [private_key](#private_key) to perform mutual TLS authentication with
|
The certificate chain/bundle to be used with the [private_key](#privatekey) to perform mutual TLS authentication with
|
||||||
the server.
|
the server.
|
||||||
|
|
||||||
The value must be one or more certificates encoded in the DER base64 ([RFC4648]) encoded PEM format.
|
The value must be one or more certificates encoded in the DER base64 ([RFC4648]) encoded PEM format.
|
||||||
|
@ -159,7 +159,7 @@ The value must be one or more certificates encoded in the DER base64 ([RFC4648])
|
||||||
*__Important Note:__ This can also be defined using a [secret](../methods/secrets.md) which is __strongly recommended__
|
*__Important Note:__ This can also be defined using a [secret](../methods/secrets.md) which is __strongly recommended__
|
||||||
especially for containerized deployments.*
|
especially for containerized deployments.*
|
||||||
|
|
||||||
The private key to be used with the [certificate_chain](#certificate_chain) for mutual TLS authentication.
|
The private key to be used with the [certificate_chain](#certificatechain) for mutual TLS authentication.
|
||||||
|
|
||||||
The value must be one private key encoded in the DER base64 ([RFC4648]) encoded PEM format.
|
The value must be one private key encoded in the DER base64 ([RFC4648]) encoded PEM format.
|
||||||
|
|
||||||
|
|
|
@ -73,7 +73,7 @@ environment variable or other environment variables set. This also applies to ot
|
||||||
|
|
||||||
*__Please Note:__ if you're using Authelia with Kubernetes and are not using the provided
|
*__Please Note:__ if you're using Authelia with Kubernetes and are not using the provided
|
||||||
[helm chart](https://charts.authelia.com) you will be required to
|
[helm chart](https://charts.authelia.com) you will be required to
|
||||||
[configure the enableServiceLinks](../../integration/kubernetes/introduction/index.md#enable-service-links) option.*
|
[configure the enableServiceLinks](../../integration/kubernetes/introduction.md#enable-service-links) option.*
|
||||||
|
|
||||||
### 4.25.0
|
### 4.25.0
|
||||||
|
|
||||||
|
@ -99,7 +99,7 @@ The following changes occurred in 4.7.0:
|
||||||
| logs_level | log_level |
|
| logs_level | log_level |
|
||||||
| logs_file | log_file |
|
| logs_file | log_file |
|
||||||
|
|
||||||
*__Please Note:__ The new keys also changed in [4.30.0](#4.30.0) so you will need to update them to the new values if you
|
*__Please Note:__ The new keys also changed in [4.30.0](#4300) so you will need to update them to the new values if you
|
||||||
are using [4.30.0](#4.30.0) or newer instead of the new keys listed here.*
|
are using [4.30.0](#4300) or newer instead of the new keys listed here.*
|
||||||
|
|
||||||
[YAML]: https://yaml.org/
|
[YAML]: https://yaml.org/
|
||||||
|
|
|
@ -61,10 +61,12 @@ by Authelia from others.
|
||||||
|
|
||||||
*__Important Note:__ Many TOTP applications do not support this option. It is strongly advised you find out which
|
*__Important Note:__ Many TOTP applications do not support this option. It is strongly advised you find out which
|
||||||
applications your users use and test them before changing this option. It is insufficient to test that the application
|
applications your users use and test them before changing this option. It is insufficient to test that the application
|
||||||
can add the key, it must also authenticate with Authelia as some applications silently ignore these options. Bitwarden
|
can add the key, it must also authenticate with Authelia as some applications silently ignore these options. [Bitwarden]
|
||||||
is the only one that has been tested at this time. If you'd like to contribute to documenting support for this option
|
is the only one that has been tested at this time. If you'd like to contribute to documenting support for this option
|
||||||
please see [Issue 2650](https://github.com/authelia/authelia/issues/2650).*
|
please see [Issue 2650](https://github.com/authelia/authelia/issues/2650).*
|
||||||
|
|
||||||
|
[Bitwarden]: https://bitwarden.com/
|
||||||
|
|
||||||
The algorithm used for the TOTP key.
|
The algorithm used for the TOTP key.
|
||||||
|
|
||||||
Possible Values (case-insensitive):
|
Possible Values (case-insensitive):
|
||||||
|
@ -82,7 +84,7 @@ information.
|
||||||
|
|
||||||
*__Important Note:__ Some TOTP applications do not support this option. It is strongly advised you find out which
|
*__Important Note:__ Some TOTP applications do not support this option. It is strongly advised you find out which
|
||||||
applications your users use and test them before changing this option. It is insufficient to test that the application
|
applications your users use and test them before changing this option. It is insufficient to test that the application
|
||||||
can add the key, it must also authenticate with Authelia as some applications silently ignore these options. Bitwarden
|
can add the key, it must also authenticate with Authelia as some applications silently ignore these options. [Bitwarden]
|
||||||
is the only one that has been tested at this time. If you'd like to contribute to documenting support for this option
|
is the only one that has been tested at this time. If you'd like to contribute to documenting support for this option
|
||||||
please see [Issue 2650](https://github.com/authelia/authelia/issues/2650).*
|
please see [Issue 2650](https://github.com/authelia/authelia/issues/2650).*
|
||||||
|
|
||||||
|
@ -160,7 +162,7 @@ check the clients.
|
||||||
|
|
||||||
## Encryption
|
## Encryption
|
||||||
|
|
||||||
The TOTP secret is [encrypted](../storage/introduction.md#encryption_key) in the database in version 4.33.0 and above.
|
The TOTP secret is [encrypted](../storage/introduction.md#encryptionkey) in the database in version 4.33.0 and above.
|
||||||
This is so a user having access to only the database cannot easily compromise your two-factor authentication method.
|
This is so a user having access to only the database cannot easily compromise your two-factor authentication method.
|
||||||
|
|
||||||
This may be inconvenient for some users who wish to export TOTP keys from Authelia to other services. As such there is
|
This may be inconvenient for some users who wish to export TOTP keys from Authelia to other services. As such there is
|
||||||
|
|
|
@ -198,7 +198,7 @@ When used in conjunction with [domain] the rule will match when either the [doma
|
||||||
|
|
||||||
In addition to standard regex patterns this criteria can match some [Named Regex Groups].
|
In addition to standard regex patterns this criteria can match some [Named Regex Groups].
|
||||||
|
|
||||||
[domain_regex]: #domain_regex
|
[domain_regex]: #domainregex
|
||||||
|
|
||||||
##### Examples
|
##### Examples
|
||||||
|
|
||||||
|
@ -339,7 +339,7 @@ access_control:
|
||||||
{{< confkey type="list(string)" required="no" >}}
|
{{< confkey type="list(string)" required="no" >}}
|
||||||
|
|
||||||
This criteria is a list of values which can be an IP Address, network address range in CIDR notation, or an alias from
|
This criteria is a list of values which can be an IP Address, network address range in CIDR notation, or an alias from
|
||||||
the [global](#networks-global) section. It matches against the first address in the `X-Forwarded-For` header, or if there
|
the [global](#networks--global-) section. It matches against the first address in the `X-Forwarded-For` header, or if there
|
||||||
are none it will fall back to the IP address of the packet TCP source IP address. For this reason it's important for you
|
are none it will fall back to the IP address of the packet TCP source IP address. For this reason it's important for you
|
||||||
to configure the proxy server correctly in order to accurately match requests with this criteria. *__Note:__ you may
|
to configure the proxy server correctly in order to accurately match requests with this criteria. *__Note:__ you may
|
||||||
combine CIDR networks with the alias rules as you please.*
|
combine CIDR networks with the alias rules as you please.*
|
||||||
|
@ -360,7 +360,7 @@ for administrators to tune the security to their specific needs if desired.
|
||||||
|
|
||||||
##### Examples
|
##### Examples
|
||||||
|
|
||||||
*Require [two_factor](#two_factor) for all clients other than internal clients and `112.134.145.167`. The first two
|
*Require [two_factor](#twofactor) for all clients other than internal clients and `112.134.145.167`. The first two
|
||||||
rules in this list are effectively the same rule just expressed in different ways.*
|
rules in this list are effectively the same rule just expressed in different ways.*
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
|
@ -485,7 +485,7 @@ access_control:
|
||||||
## Policies
|
## Policies
|
||||||
|
|
||||||
The policy of the first matching rule in the configured list decides the policy applied to the request, if no rule
|
The policy of the first matching rule in the configured list decides the policy applied to the request, if no rule
|
||||||
matches the request the [default_policy](#default_policy) is applied.
|
matches the request the [default_policy](#defaultpolicy) is applied.
|
||||||
|
|
||||||
[policies]: #policies
|
[policies]: #policies
|
||||||
|
|
||||||
|
@ -510,14 +510,14 @@ about the subject is [one_factor]. See [Rule Matching Concept 2] for more inform
|
||||||
This policy requires the user at minimum complete 1FA successfully (username and password). This means if they have
|
This policy requires the user at minimum complete 1FA successfully (username and password). This means if they have
|
||||||
performed 2FA then they will be allowed to access the resource.
|
performed 2FA then they will be allowed to access the resource.
|
||||||
|
|
||||||
[one_factor]: #one_factor
|
[one_factor]: #onefactor
|
||||||
|
|
||||||
### two_factor
|
### two_factor
|
||||||
|
|
||||||
This policy requires the user to complete 2FA successfully. This is currently the highest level of authentication
|
This policy requires the user to complete 2FA successfully. This is currently the highest level of authentication
|
||||||
policy available.
|
policy available.
|
||||||
|
|
||||||
[two_factor]: #two_factor
|
[two_factor]: #twofactor
|
||||||
|
|
||||||
## Rule Matching
|
## Rule Matching
|
||||||
|
|
||||||
|
@ -554,7 +554,7 @@ a match for that request.
|
||||||
policy: two_factor
|
policy: two_factor
|
||||||
```
|
```
|
||||||
|
|
||||||
[Rule Matching Concept 1]: #rule-matching-concept-1-sequential-order
|
[Rule Matching Concept 1]: #rule-matching-concept-1--sequential-order
|
||||||
|
|
||||||
### Rule Matching Concept 2: Subject Criteria Requires Authentication
|
### Rule Matching Concept 2: Subject Criteria Requires Authentication
|
||||||
|
|
||||||
|
@ -569,7 +569,7 @@ for authentication if no prior rules match the request per [Rule Matching Concep
|
||||||
identical rules, and one of them has a subject based reliant criteria, and the other one is a [bypass] rule then the
|
identical rules, and one of them has a subject based reliant criteria, and the other one is a [bypass] rule then the
|
||||||
[bypass] rule should generally come first.
|
[bypass] rule should generally come first.
|
||||||
|
|
||||||
[Rule Matching Concept 2]: #rule-matching-concept-2-subject-criteria-requires-authentication
|
[Rule Matching Concept 2]: #rule-matching-concept-2--subject-criteria-requires-authentication
|
||||||
|
|
||||||
## Named Regex Groups
|
## Named Regex Groups
|
||||||
|
|
||||||
|
|
|
@ -40,7 +40,7 @@ There are currently two providers for session storage (three if you count Redis
|
||||||
|
|
||||||
* Memory (default, stateful, no additional configuration)
|
* Memory (default, stateful, no additional configuration)
|
||||||
* [Redis](redis.md) (stateless).
|
* [Redis](redis.md) (stateless).
|
||||||
* [Redis Sentinel](redis.md#high_availability) (stateless, highly available).
|
* [Redis Sentinel](redis.md#highavailability) (stateless, highly available).
|
||||||
|
|
||||||
### Kubernetes or High Availability
|
### Kubernetes or High Availability
|
||||||
|
|
||||||
|
@ -99,7 +99,7 @@ characters.
|
||||||
the [common options](../prologue/common.md#duration-notation-format) documentation for information on this format.*
|
the [common options](../prologue/common.md#duration-notation-format) documentation for information on this format.*
|
||||||
|
|
||||||
The period of time before the cookie expires and the session is destroyed. This is overriden by
|
The period of time before the cookie expires and the session is destroyed. This is overriden by
|
||||||
[remember_me_duration](#remember_me_duration) when the remember me box is checked.
|
[remember_me_duration](#remembermeduration) when the remember me box is checked.
|
||||||
|
|
||||||
### inactivity
|
### inactivity
|
||||||
|
|
||||||
|
|
|
@ -35,7 +35,7 @@ storage:
|
||||||
|
|
||||||
### encryption_key
|
### encryption_key
|
||||||
|
|
||||||
See the [encryption_key docs](introduction.md#encryption_key).
|
See the [encryption_key docs](introduction.md#encryptionkey).
|
||||||
|
|
||||||
### path
|
### path
|
||||||
|
|
||||||
|
|
|
@ -13,7 +13,7 @@ toc: true
|
||||||
---
|
---
|
||||||
|
|
||||||
*Authelia* allows collecting telemetry for the purpose of monitoring it. At the present time we only allow collecting
|
*Authelia* allows collecting telemetry for the purpose of monitoring it. At the present time we only allow collecting
|
||||||
[metrics](./metrics.md). These [metrics](./metrics.md) are stored in memory and must be scraped manually by the
|
[metrics](metrics.md). These [metrics](metrics.md) are stored in memory and must be scraped manually by the
|
||||||
administrator.
|
administrator.
|
||||||
|
|
||||||
No metrics or telemetry are reported from an *Authelia* binary to any location the administrator doesn't explicitly
|
No metrics or telemetry are reported from an *Authelia* binary to any location the administrator doesn't explicitly
|
||||||
|
|
|
@ -24,7 +24,7 @@ was not prompted by any bug bounty program as we do not have one, but we hope to
|
||||||
|
|
||||||
Potential usage for the money, ranked in order of priority:
|
Potential usage for the money, ranked in order of priority:
|
||||||
|
|
||||||
1. Put Authelia through a comprehensive [Security Audit](../../../information/security.md#help-wanted).
|
1. Put Authelia through a comprehensive [Security Audit](../../policies/security.md#help-wanted).
|
||||||
1. Audit of Code Security via Analysis.
|
1. Audit of Code Security via Analysis.
|
||||||
2. Audit via Penetration Testing.
|
2. Audit via Penetration Testing.
|
||||||
2. Bug Bounty Program.
|
2. Bug Bounty Program.
|
||||||
|
@ -38,11 +38,11 @@ Please visit [Open Collective] in order to financially contribute to Authelia.
|
||||||
Authelia is sponsored by several companies via indirect means. These companies deserve a special mention since their
|
Authelia is sponsored by several companies via indirect means. These companies deserve a special mention since their
|
||||||
contributions are very important to us but not easily visible.
|
contributions are very important to us but not easily visible.
|
||||||
|
|
||||||
If you feel you have a product or service that Authelia could benefit from please feel free to [contact](../../../information/contact.md) us.
|
If you feel you have a product or service that Authelia could benefit from please feel free to [contact](../../information/contact.md) us.
|
||||||
|
|
||||||
We are currently directly looking for someone to sponsor:
|
We are currently directly looking for someone to sponsor:
|
||||||
|
|
||||||
* [Security Audit](../../../information/security.md#help-wanted)
|
* [Security Audit](../../policies/security.md#help-wanted)
|
||||||
|
|
||||||
### Balto
|
### Balto
|
||||||
|
|
||||||
|
|
|
@ -29,7 +29,7 @@ If the language you wish to translate is not on [Crowdin] then you have a few op
|
||||||
## Overrides
|
## Overrides
|
||||||
|
|
||||||
Users can override translations easily locally using the
|
Users can override translations easily locally using the
|
||||||
[assets](../../configuration/miscellaneous/server.md#asset_path) directory. This is useful if you wish to perform a
|
[assets](../../configuration/miscellaneous/server.md#assetpath) directory. This is useful if you wish to perform a
|
||||||
translation and see if it looks correct in the browser.
|
translation and see if it looks correct in the browser.
|
||||||
|
|
||||||
[Crowdin]: https://translate.authelia.com
|
[Crowdin]: https://translate.authelia.com
|
||||||
|
|
|
@ -11,8 +11,8 @@ aliases:
|
||||||
|
|
||||||
## Security
|
## Security
|
||||||
|
|
||||||
If you believe you have identified a security related bug with Authelia please visit the [security policy](security.md)
|
If you believe you have identified a security related bug with Authelia please visit the
|
||||||
documentation.
|
[security policy](../policies/security.md) documentation.
|
||||||
|
|
||||||
## GitHub
|
## GitHub
|
||||||
|
|
||||||
|
|
|
@ -42,10 +42,10 @@ It expects the following:
|
||||||
|
|
||||||
* The file `data/authelia/config/configuration.yml` is present and the configuration file.
|
* The file `data/authelia/config/configuration.yml` is present and the configuration file.
|
||||||
* The directory `data/authelia/secrets/` exists and contain the relevant [secret](../../configuration/methods/secrets.md) files:
|
* The directory `data/authelia/secrets/` exists and contain the relevant [secret](../../configuration/methods/secrets.md) files:
|
||||||
* A file named `JWT_SECRET` for the [jwt_secret](../../configuration/miscellaneous/introduction.md#jwt_secret)
|
* A file named `JWT_SECRET` for the [jwt_secret](../../configuration/miscellaneous/introduction.md#jwtsecret)
|
||||||
* A file named `SESSION_SECRET` for the [session secret](../../configuration/session/introduction.md#secret)
|
* A file named `SESSION_SECRET` for the [session secret](../../configuration/session/introduction.md#secret)
|
||||||
* A file named `STORAGE_PASSWORD` for the [PostgreSQL password secret](../../configuration/storage/postgres.md#password)
|
* A file named `STORAGE_PASSWORD` for the [PostgreSQL password secret](../../configuration/storage/postgres.md#password)
|
||||||
* A file named `STORAGE_ENCRYPTION_KEY` for the [storage encryption_key secret](../../configuration/storage/introduction.md#encryption_key)
|
* A file named `STORAGE_ENCRYPTION_KEY` for the [storage encryption_key secret](../../configuration/storage/introduction.md#encryptionkey)
|
||||||
* You're using PostgreSQL.
|
* You're using PostgreSQL.
|
||||||
* You have an external network named `net` which is in bridge mode.
|
* You have an external network named `net` which is in bridge mode.
|
||||||
|
|
||||||
|
|
|
@ -15,7 +15,7 @@ toc: true
|
||||||
There are three main methods to deploy *Authelia*.
|
There are three main methods to deploy *Authelia*.
|
||||||
|
|
||||||
1. [Docker](docker.md)
|
1. [Docker](docker.md)
|
||||||
2. [Kubernetes](../kubernetes/introduction/index.md)
|
2. [Kubernetes](../kubernetes/introduction.md)
|
||||||
3. [Bare-Metal](bare-metal.md)
|
3. [Bare-Metal](bare-metal.md)
|
||||||
|
|
||||||
## Get Started
|
## Get Started
|
||||||
|
|
|
@ -15,4 +15,4 @@ search:
|
||||||
index: false
|
index: false
|
||||||
---
|
---
|
||||||
|
|
||||||
Please see the dedicated [Kubernetes Documentation](../kubernetes/introduction/index.md).
|
Please see the dedicated [Kubernetes Documentation](../kubernetes/introduction.md).
|
||||||
|
|
|
@ -30,7 +30,7 @@ Users are welcome to reach out directly by using any of our various [contact opt
|
||||||
## Get Started
|
## Get Started
|
||||||
|
|
||||||
It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our
|
It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our
|
||||||
[Get Started](../../prologue/get-started) guide. This takes you through various steps which are essential to
|
[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to
|
||||||
bootstrapping *Authelia*.
|
bootstrapping *Authelia*.
|
||||||
|
|
||||||
## Important Notes
|
## Important Notes
|
||||||
|
@ -70,7 +70,7 @@ spec:
|
||||||
If using file-based authentication, the argon2id provider will by default use 1GB of RAM for password generation. This
|
If using file-based authentication, the argon2id provider will by default use 1GB of RAM for password generation. This
|
||||||
means you should allow for at least this amount in your deployment/daemonset spec and have this much available on your
|
means you should allow for at least this amount in your deployment/daemonset spec and have this much available on your
|
||||||
node, alternatively you can
|
node, alternatively you can
|
||||||
[tweak the providers settings](../../../configuration/first-factor/file.md#memory). Otherwise,
|
[tweak the providers settings](../../configuration/first-factor/file.md#memory). Otherwise,
|
||||||
your Authelia may OOM during login. See [here](https://github.com/authelia/authelia/issues/1234#issuecomment-663910799)
|
your Authelia may OOM during login. See [here](https://github.com/authelia/authelia/issues/1234#issuecomment-663910799)
|
||||||
for more info.
|
for more info.
|
||||||
|
|
||||||
|
|
|
@ -86,7 +86,7 @@ metadata:
|
||||||
name: app
|
name: app
|
||||||
namespace: default
|
namespace: default
|
||||||
annotations:
|
annotations:
|
||||||
traefik.ingress.kubernetes.io/router.entrypoints: websecure
|
traefik.ingress.kubernetes.io/router.entryPoints: websecure
|
||||||
traefik.ingress.kubernetes.io/router.middlewares: default-forwardauth-authelia@kubernetescrd
|
traefik.ingress.kubernetes.io/router.middlewares: default-forwardauth-authelia@kubernetescrd
|
||||||
traefik.ingress.kubernetes.io/router.tls: "true"
|
traefik.ingress.kubernetes.io/router.tls: "true"
|
||||||
spec:
|
spec:
|
||||||
|
|
|
@ -111,7 +111,7 @@ Below is a list of the potential values we place in the [Claim] and their meanin
|
||||||
## User Information Signing Algorithm
|
## User Information Signing Algorithm
|
||||||
|
|
||||||
The following table describes the response from the [UserInfo] endpoint depending on the
|
The following table describes the response from the [UserInfo] endpoint depending on the
|
||||||
[userinfo_signing_algorithm](../../configuration/identity-providers/open-id-connect.md#userinfo_signing_algorithm).
|
[userinfo_signing_algorithm](../../configuration/identity-providers/open-id-connect.md#userinfosigningalgorithm).
|
||||||
|
|
||||||
| Signing Algorithm | Encoding | Content Type |
|
| Signing Algorithm | Encoding | Content Type |
|
||||||
|:-----------------:|:------------:|:-----------------------------------:|
|
|:-----------------:|:------------:|:-----------------------------------:|
|
||||||
|
|
|
@ -38,9 +38,9 @@ used as a basis for configuration.
|
||||||
|
|
||||||
The important sections to consider in initial configuration are as follows:
|
The important sections to consider in initial configuration are as follows:
|
||||||
|
|
||||||
1. [jwt_secret](../../configuration/miscellaneous/introduction.md#jwt_secret) which is used to sign identity
|
1. [jwt_secret](../../configuration/miscellaneous/introduction.md#jwtsecret) which is used to sign identity
|
||||||
verification emails
|
verification emails
|
||||||
2. [default_redirection_url](../../configuration/miscellaneous/introduction.md#default_redirection_url) which is the
|
2. [default_redirection_url](../../configuration/miscellaneous/introduction.md#defaultredirectionurl) which is the
|
||||||
default URL users will be redirected to when visiting *Authelia* directly
|
default URL users will be redirected to when visiting *Authelia* directly
|
||||||
3. [authentication_backend](../../configuration/first-factor/introduction.md) which you must pick between
|
3. [authentication_backend](../../configuration/first-factor/introduction.md) which you must pick between
|
||||||
[LDAP](../../configuration/first-factor/ldap.md) and a [YAML File](../../configuration/first-factor/file.md) and is
|
[LDAP](../../configuration/first-factor/ldap.md) and a [YAML File](../../configuration/first-factor/file.md) and is
|
||||||
|
@ -76,8 +76,8 @@ There are several methods of deploying *Authelia* and we recommend reading the
|
||||||
The default method of utilizing *Authelia* is via the [Proxy Integrations](../proxies/introduction.md). It's
|
The default method of utilizing *Authelia* is via the [Proxy Integrations](../proxies/introduction.md). It's
|
||||||
recommended that you read the relevant [Proxy Integration Documentation](../proxies/introduction.md).
|
recommended that you read the relevant [Proxy Integration Documentation](../proxies/introduction.md).
|
||||||
|
|
||||||
*__Important Note:__ When your [Deployment](#deployment) is on [Kubernetes](../kubernetes/introduction/index.md) we
|
*__Important Note:__ When your [Deployment](#deployment) is on [Kubernetes](../kubernetes/introduction.md) we
|
||||||
recommend viewing the dedicated [Kubernetes Documentation](../kubernetes/introduction/index.md) prior to viewing the
|
recommend viewing the dedicated [Kubernetes Documentation](../kubernetes/introduction.md) prior to viewing the
|
||||||
[Proxy Integration Documentation](../proxies/introduction.md).*
|
[Proxy Integration Documentation](../proxies/introduction.md).*
|
||||||
|
|
||||||
## Moving to Production
|
## Moving to Production
|
||||||
|
|
|
@ -24,12 +24,12 @@ throughout this documentation and in the [See Also](#see-also) section.*
|
||||||
## Get Started
|
## Get Started
|
||||||
|
|
||||||
It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our
|
It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our
|
||||||
[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to
|
[Get Started](../../prologue/get-started.md) guide. This takes you through various steps which are essential to
|
||||||
bootstrapping *Authelia*.
|
bootstrapping *Authelia*.
|
||||||
|
|
||||||
## Requirements
|
## Requirements
|
||||||
|
|
||||||
[NGINX Proxy Manager] supports the required [NGINX](nginx.md#requirements) requirements for __Authelia__ out-of-the-box.
|
[NGINX Proxy Manager] supports the required [NGINX](../nginx.md#requirements) requirements for __Authelia__ out-of-the-box.
|
||||||
|
|
||||||
## Trusted Proxies
|
## Trusted Proxies
|
||||||
|
|
||||||
|
@ -37,7 +37,7 @@ bootstrapping *Authelia*.
|
||||||
Especially if you have never read it before.*
|
Especially if you have never read it before.*
|
||||||
|
|
||||||
To configure trusted proxies for [NGINX Proxy Manager] see the [NGINX] section on
|
To configure trusted proxies for [NGINX Proxy Manager] see the [NGINX] section on
|
||||||
[Trusted Proxies](nginx.md#trusted-proxies). Adapting this to [NGINX Proxy Manager] is beyond the scope of
|
[Trusted Proxies](../nginx.md#trusted-proxies). Adapting this to [NGINX Proxy Manager] is beyond the scope of
|
||||||
this documentation.
|
this documentation.
|
||||||
|
|
||||||
## Docker Compose
|
## Docker Compose
|
||||||
|
@ -137,9 +137,9 @@ either most likely require an adjustment, or may require an adjustment if you're
|
||||||
### Snippets
|
### Snippets
|
||||||
|
|
||||||
The examples assume you've mounted a volume containing the relevant
|
The examples assume you've mounted a volume containing the relevant
|
||||||
[NGINX Snippets](nginx.md#supporting-configuration-snippets) from the [NGINX Integration Guide](nginx.md). The suggested
|
[NGINX Snippets](../nginx.md#supporting-configuration-snippets) from the [NGINX Integration Guide](../nginx.md). The
|
||||||
snippets are the `proxy.conf`, `authelia-location.conf`, and `authelia-authrequest.conf`. It may be fine to substitute
|
suggested snippets are the `proxy.conf`, `authelia-location.conf`, and `authelia-authrequest.conf`. It may be fine to
|
||||||
the standard variant of the `proxy.conf` for the headers only variant but this is untested.
|
substitute the standard variant of the `proxy.conf` for the headers only variant but this is untested.
|
||||||
|
|
||||||
These snippets make the addition of a protected proxy host substantially easier.
|
These snippets make the addition of a protected proxy host substantially easier.
|
||||||
|
|
||||||
|
|
|
@ -62,7 +62,7 @@ required modules including the `http_set_misc` module.
|
||||||
It also includes the [nginx-proxy-confs](https://github.com/linuxserver/docker-mods/tree/nginx-proxy-confs) mod where
|
It also includes the [nginx-proxy-confs](https://github.com/linuxserver/docker-mods/tree/nginx-proxy-confs) mod where
|
||||||
they have several configuration examples in the `/config/nginx/proxy-confs` directory. This can be omitted if desired.
|
they have several configuration examples in the `/config/nginx/proxy-confs` directory. This can be omitted if desired.
|
||||||
|
|
||||||
If you're looking for a more complete solution [linuxserver.io] also have an nginx container called [SWAG](./swag.md)
|
If you're looking for a more complete solution [linuxserver.io] also have an nginx container called [SWAG](swag.md)
|
||||||
which includes ACME and various other useful utilities.
|
which includes ACME and various other useful utilities.
|
||||||
|
|
||||||
{{< details "docker-compose.yaml" >}}
|
{{< details "docker-compose.yaml" >}}
|
||||||
|
|
|
@ -76,7 +76,7 @@ For example the nginx ngx_http_auth_request_module does not seem to support this
|
||||||
|
|
||||||
Authelia detects the upstream request method using the X-Forwarded-Method header. Some proxies set this out of the box,
|
Authelia detects the upstream request method using the X-Forwarded-Method header. Some proxies set this out of the box,
|
||||||
some require you to configure this manually. At the present time all proxies that have
|
some require you to configure this manually. At the present time all proxies that have
|
||||||
[Standard Support](#standard-support) do support this.
|
[Standard Support](#standard) do support this.
|
||||||
|
|
||||||
## Specific proxy notes
|
## Specific proxy notes
|
||||||
|
|
||||||
|
|
|
@ -77,7 +77,7 @@ required modules including the `http_set_misc` module.
|
||||||
It also includes the [nginx-proxy-confs](https://github.com/linuxserver/docker-mods/tree/nginx-proxy-confs) mod where
|
It also includes the [nginx-proxy-confs](https://github.com/linuxserver/docker-mods/tree/nginx-proxy-confs) mod where
|
||||||
they have several configuration examples in the `/config/nginx/proxy-confs` directory. This can be omitted if desired.
|
they have several configuration examples in the `/config/nginx/proxy-confs` directory. This can be omitted if desired.
|
||||||
|
|
||||||
If you're looking for a more complete solution [linuxserver.io] also have an nginx container called [SWAG](./swag.md)
|
If you're looking for a more complete solution [linuxserver.io] also have an nginx container called [SWAG](swag.md)
|
||||||
which includes ACME and various other useful utilities.
|
which includes ACME and various other useful utilities.
|
||||||
|
|
||||||
{{< details "docker-compose.yaml" >}}
|
{{< details "docker-compose.yaml" >}}
|
||||||
|
|
|
@ -25,8 +25,8 @@ unreliable and simple usernames and passwords are not sufficient for security.
|
||||||
|
|
||||||
__Authelia__ enables primarily two-factor authentication. These methods offered come in two forms:
|
__Authelia__ enables primarily two-factor authentication. These methods offered come in two forms:
|
||||||
|
|
||||||
* 1FA or first-factor authentication which is handled by a username and password. This falls into the *something you know*
|
* 1FA or first-factor authentication which is handled by a username and password. This falls into the
|
||||||
categorization.
|
*something you know* categorization.
|
||||||
* 2FA or second-factor authentication which is handled by several methods including one-time passwords, authentication
|
* 2FA or second-factor authentication which is handled by several methods including one-time passwords, authentication
|
||||||
keys, etc. This falls into the *something you have* categorization.
|
keys, etc. This falls into the *something you have* categorization.
|
||||||
|
|
||||||
|
|
|
@ -28,14 +28,7 @@ the user must match the name of the user in Authelia, or must have an alias that
|
||||||
|
|
||||||
Then, in Duo interface, click on *Applications* and *Protect an Application*. Select the option *Partner Auth API*. This
|
Then, in Duo interface, click on *Applications* and *Protect an Application*. Select the option *Partner Auth API*. This
|
||||||
will generate an integration key, a secret key and a hostname. You can set the name of the application to __Authelia__
|
will generate an integration key, a secret key and a hostname. You can set the name of the application to __Authelia__
|
||||||
and then you must add the generated information to Authelia [configuration](../../deployment/index.md) as shown below:
|
and then you must add the generated information to Authelia [configuration](../../../configuration/second-factor/duo.md).
|
||||||
|
|
||||||
```yaml
|
|
||||||
duo_api:
|
|
||||||
hostname: api-123456789.example.com
|
|
||||||
integration_key: ABCDEF
|
|
||||||
secret_key: 1234567890abcdefghifjkl
|
|
||||||
```
|
|
||||||
|
|
||||||
See the [configuration documentation](../../../configuration/second-factor/duo.md) for more details.
|
See the [configuration documentation](../../../configuration/second-factor/duo.md) for more details.
|
||||||
|
|
||||||
|
|
|
@ -53,6 +53,6 @@ Authelia only works for websites served over HTTPS because the session cookie ca
|
||||||
connections. Please note that it has been decided that we won't support websites served over HTTP in order to avoid any
|
connections. Please note that it has been decided that we won't support websites served over HTTP in order to avoid any
|
||||||
risk due to misconfiguration (see [#590](https://github.com/authelia/authelia/issues/590)).
|
risk due to misconfiguration (see [#590](https://github.com/authelia/authelia/issues/590)).
|
||||||
|
|
||||||
If a self-signed certificate is required, the
|
If a self-signed certificate is required, the [Generating an RSA Self-Signed Certificate] guide should be followed.
|
||||||
[Generating an RSA Self-Signed Certificate](../../../reference/guides/generating-secure-values.md#generating-an-rsa-self-signed-certificate)
|
|
||||||
guide should be followed.
|
[Generating an RSA Self-Signed Certificate]: ../../../reference/guides/generating-secure-values.md#generating-an-rsa-self-signed-certificate
|
||||||
|
|
|
@ -73,7 +73,7 @@ attacker obtains the file, each password has to be brute forced individually.
|
||||||
|
|
||||||
Lastly Authelia's implementation of Argon2id is highly tunable. You can tune the key length, salt used, iterations
|
Lastly Authelia's implementation of Argon2id is highly tunable. You can tune the key length, salt used, iterations
|
||||||
(time), parallelism, and memory usage. To read more about this please read how to
|
(time), parallelism, and memory usage. To read more about this please read how to
|
||||||
[configure](../configuration/authentication/file.md) file authentication.
|
[configure](../../configuration/first-factor/file.md) file authentication.
|
||||||
|
|
||||||
## User profile and group membership always kept up-to-date (LDAP authentication provider)
|
## User profile and group membership always kept up-to-date (LDAP authentication provider)
|
||||||
|
|
||||||
|
@ -163,33 +163,34 @@ preferable:
|
||||||
|
|
||||||
### Configuration Option: certificates_directory
|
### Configuration Option: certificates_directory
|
||||||
|
|
||||||
You can [configure a directory](../../configuration/miscellaneous/introduction.md#certificates_directory) of
|
You can configure a [certificates_directory] option which contains certificates for Authelia to trust. These certificates
|
||||||
certificates for Authelia
|
can either be CA's or individual public certificates that should be trusted. These are added in addition to the
|
||||||
to trust. These certificates can either be CA's or individual public certificates that should be trusted. These
|
environments PKI trusted certificates if available. This is useful for trusting a certificate that is self-signed without
|
||||||
are added in addition to the environments PKI trusted certificates if available. This is useful for trusting a
|
drastically reducing security. This is the most recommended workaround to not having a valid PKI trusted certificate as
|
||||||
certificate that is self-signed without drastically reducing security. This is the most recommended workaround to not
|
it gives you complete control over which ones are trusted without disabling critically needed validation of the identity
|
||||||
having a valid PKI trusted certificate as it gives you complete control over which ones are trusted without disabling
|
of the target service.
|
||||||
critically needed validation of the identity of the target service.
|
|
||||||
|
|
||||||
Read more in the [documentation](../../configuration/miscellaneous/introduction.md#certificates_directory) for this
|
Read more in the [certificates_directory] documentation for this option.
|
||||||
option.
|
|
||||||
|
[certificates_directory]: ../../configuration/miscellaneous/introduction.md#certificatesdirectory
|
||||||
|
[certificates directory]: #configuration-option--certificatesdirectory
|
||||||
|
|
||||||
### Configuration Option: tls.skip_verify
|
### Configuration Option: tls.skip_verify
|
||||||
|
|
||||||
The [tls.skip_verify](../../configuration/notifications/smtp.md#tls) option allows you to skip verifying the certificate
|
The [tls.skip_verify](../../configuration/notifications/smtp.md#tls) option allows you to skip verifying the certificate
|
||||||
entirely which is why [certificates_directory](#configuration-option-certificates_directory) is preferred over this.
|
entirely which is why [certificates directory] is preferred over this. This will effectively mean you cannot be sure the
|
||||||
This will effectively mean you cannot be sure the certificate is valid which means an attacker via DNS poisoning or MITM
|
certificate is valid which means an attacker via DNS poisoning or MITM attacks could intercept emails from Authelia
|
||||||
attacks could intercept emails from Authelia compromising a user's security without their knowledge.
|
compromising a user's security without their knowledge.
|
||||||
|
|
||||||
### Configuration Option: disable_require_tls
|
### Configuration Option: disable_require_tls
|
||||||
|
|
||||||
Authelia by default ensures that the SMTP server connection is secured via TLS prior to sending sensitive information.
|
Authelia by default ensures that the SMTP server connection is secured via TLS prior to sending sensitive information.
|
||||||
|
|
||||||
The [disable_require_tls](../../configuration/notifications/smtp.md#disable_require_tls) option disables this
|
The [disable_require_tls](../../configuration/notifications/smtp.md#disablerequiretls) option disables this
|
||||||
requirement which means the emails may be sent in cleartext. This is the least secure option as it effectively removes
|
requirement which means the emails may be sent in cleartext. This is the least secure option as it effectively removes
|
||||||
the validation of SMTP certificates and makes using an encrypted connection with TLS optional.
|
the validation of SMTP certificates and makes using an encrypted connection with TLS optional.
|
||||||
|
|
||||||
This means not only can the vulnerabilities of the [skip_verify](#configuration-option-tlsskip_verify) option be
|
This means not only can the vulnerabilities of the [skip_verify](#configuration-option--tlsskipverify) option be
|
||||||
exploited, but any router or switch along the route of the email which receives the packets could be used to silently
|
exploited, but any router or switch along the route of the email which receives the packets could be used to silently
|
||||||
exploit the cleartext nature of the connection to manipulate the email in transit.
|
exploit the cleartext nature of the connection to manipulate the email in transit.
|
||||||
|
|
||||||
|
@ -237,7 +238,7 @@ would not even be able to create a TCP connection. This measure is recommended i
|
||||||
configured some kind of ACLs specifically allowing the communication between proxies and Authelia instances like in a
|
configured some kind of ACLs specifically allowing the communication between proxies and Authelia instances like in a
|
||||||
service mesh or some kind of network overlay.
|
service mesh or some kind of network overlay.
|
||||||
|
|
||||||
To configure mutual TLS, please refer to [this document](../../configuration/miscellaneous/server.md#client_certificates)
|
To configure mutual TLS, please refer to [this document](../../configuration/miscellaneous/server.md#clientcertificates)
|
||||||
|
|
||||||
## Additional security
|
## Additional security
|
||||||
|
|
||||||
|
@ -255,7 +256,7 @@ database. The value of this option should be long and as random as possible. See
|
||||||
[documentation](../../configuration/session/introduction.md#secret) for this option.
|
[documentation](../../configuration/session/introduction.md#secret) for this option.
|
||||||
|
|
||||||
The validity period of session is highly configurable. For example in a highly security conscious domain you could
|
The validity period of session is highly configurable. For example in a highly security conscious domain you could
|
||||||
set the session [remember_me_duration](../../configuration/session/introduction.md#remember_me_duration) to 0 to disable this
|
set the session [remember_me_duration](../../configuration/session/introduction.md#remembermeduration) to 0 to disable this
|
||||||
feature, and set the [expiration](../../configuration/session/introduction.md#expiration) to 2 hours and the
|
feature, and set the [expiration](../../configuration/session/introduction.md#expiration) to 2 hours and the
|
||||||
[inactivity](../../configuration/session/introduction.md#inactivity) of 10 minutes. Configuring the session security in this
|
[inactivity](../../configuration/session/introduction.md#inactivity) of 10 minutes. Configuring the session security in this
|
||||||
manner would mean if the cookie age was more than 2 hours or if the user was inactive for more than 10 minutes the
|
manner would mean if the cookie age was more than 2 hours or if the user was inactive for more than 10 minutes the
|
||||||
|
|
|
@ -37,11 +37,11 @@ This is the preferred method of reporting.
|
||||||
|
|
||||||
### Chat
|
### Chat
|
||||||
|
|
||||||
If you wish to chat directly instead of sending an email please use one of the [chat options](../information/contact.md#chat) but it
|
If you wish to chat directly instead of sending an email please use one of the
|
||||||
is vital that when you do that you only do so privately with one of the maintainers. In order to start a private
|
[chat options](../information/contact.md#chat) but it is vital that when you do that you only do so privately with one
|
||||||
discussion you should ask to have a private discussion with a team member without mentioning the reason why you wish to
|
of the maintainers. In order to start a private discussion you should ask to have a private discussion with a team
|
||||||
have a private discussion so that provided the bug is confirmed we can coordinate the release of fixes and information
|
member without mentioning the reason why you wish to have a private discussion so that provided the bug is confirmed we
|
||||||
responsibly.
|
can coordinate the release of fixes and information responsibly.
|
||||||
|
|
||||||
## Credit
|
## Credit
|
||||||
|
|
||||||
|
|
|
@ -22,7 +22,7 @@ The most insecure method is unauthenticated binds. They are generally considered
|
||||||
at all ensures anyone with any level of network access can easily obtain objects and their attributes.
|
at all ensures anyone with any level of network access can easily obtain objects and their attributes.
|
||||||
|
|
||||||
Authelia does support unauthenticated binds but it is not by default, you must configure the
|
Authelia does support unauthenticated binds but it is not by default, you must configure the
|
||||||
[permit_unauthenticated_bind](../../configuration/first-factor/ldap.md#permit_unauthenticated_bind) configuration
|
[permit_unauthenticated_bind](../../configuration/first-factor/ldap.md#permitunauthenticatedbind) configuration
|
||||||
option.
|
option.
|
||||||
|
|
||||||
### End-User Binding
|
### End-User Binding
|
||||||
|
|
|
@ -16,7 +16,7 @@ Authelia uses templates to generate the HTML and plaintext emails sent via the n
|
||||||
two extensions; `.html` for HTML templates, and `.txt` for plaintext templates.
|
two extensions; `.html` for HTML templates, and `.txt` for plaintext templates.
|
||||||
|
|
||||||
This guide effectively documents the usage of the
|
This guide effectively documents the usage of the
|
||||||
[template_path](../../configuration/notifications/introduction.md#template_path) notification configuration option.
|
[template_path](../../configuration/notifications/introduction.md#templatepath) notification configuration option.
|
||||||
|
|
||||||
## Important Notes
|
## Important Notes
|
||||||
|
|
||||||
|
@ -37,7 +37,7 @@ This guide effectively documents the usage of the
|
||||||
| PasswordReset | Used to render notifications sent when password has successfully been reset |
|
| PasswordReset | Used to render notifications sent when password has successfully been reset |
|
||||||
|
|
||||||
For example, to modify the `IdentityVerification` HTML template, if your
|
For example, to modify the `IdentityVerification` HTML template, if your
|
||||||
[template_path](../../configuration/notifications/introduction.md#template_path) was configured as
|
[template_path](../../configuration/notifications/introduction.md#templatepath) was configured as
|
||||||
`/config/email_templates`, you would create the `/config/email_templates/IdentityVerification.html` file to override the
|
`/config/email_templates`, you would create the `/config/email_templates/IdentityVerification.html` file to override the
|
||||||
HTML `IdentityVerification` template.
|
HTML `IdentityVerification` template.
|
||||||
|
|
||||||
|
|
|
@ -156,7 +156,7 @@ See the [Crypt (C) Wiki page](https://en.wikipedia.org/wiki/Crypt_(C)) for more
|
||||||
#### Tuning
|
#### Tuning
|
||||||
|
|
||||||
The configuration variables are unique to the file authentication provider, thus they all exist in a key under the file
|
The configuration variables are unique to the file authentication provider, thus they all exist in a key under the file
|
||||||
authentication configuration key called [password](../../configuration/first-factor/file.md#password). The defaults are
|
authentication configuration key called [password](../../configuration/first-factor/file.md#password-options). The defaults are
|
||||||
considered as sane for a reasonable system however we still recommend taking time to figure out the best values to
|
considered as sane for a reasonable system however we still recommend taking time to figure out the best values to
|
||||||
adequately determine the [cost](#cost).
|
adequately determine the [cost](#cost).
|
||||||
|
|
||||||
|
|
|
@ -26,10 +26,10 @@ This guide effectively documents the usage of the
|
||||||
|
|
||||||
## Assets
|
## Assets
|
||||||
|
|
||||||
| Asset | File Name | Directory | Notes |
|
| Asset | File Name | Directory | Notes |
|
||||||
|:-------------------:|:-----------:|:---------:|:-------------:|
|
|:-------------------:|:-----------:|:---------:|:-----------------------:|
|
||||||
| Favicon | favicon.ico | No | N/A |
|
| Favicon | favicon.ico | No | N/A |
|
||||||
| Logo | logo.png | No | N/A |
|
| Logo | logo.png | No | N/A |
|
||||||
| Translation Locales | locales | Yes | see [locales](#locales) |
|
| Translation Locales | locales | Yes | see [locales](#locales) |
|
||||||
|
|
||||||
## locales
|
## locales
|
||||||
|
|
|
@ -12,7 +12,6 @@ weight: 220
|
||||||
toc: true
|
toc: true
|
||||||
aliases:
|
aliases:
|
||||||
- /r/sanitize
|
- /r/sanitize
|
||||||
- /reference/guides/domain-sanitizaiton
|
|
||||||
---
|
---
|
||||||
|
|
||||||
Some users may wish to hide their domain in files provided during troubleshooting. While this is discouraged, if a user
|
Some users may wish to hide their domain in files provided during troubleshooting. While this is discouraged, if a user
|
||||||
|
|
Loading…
Reference in New Issue