docs: use details shortcode (#3586)

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
pull/3643/head
James Elliott 2022-06-30 14:02:00 +10:00 committed by GitHub
parent 0f7da4fd90
commit d9cfc401ce
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 76 additions and 31 deletions

View File

@ -54,7 +54,9 @@ It expects the following:
Use this [Standalone Example](#standalone-example) if you want to use Use this [Standalone Example](#standalone-example) if you want to use
[docker secrets](https://docs.docker.com/engine/swarm/secrets/). [docker secrets](https://docs.docker.com/engine/swarm/secrets/).
{{< details "docker-compose.yml" >}}
```yaml ```yaml
---
version: "3.8" version: "3.8"
secrets: secrets:
JWT_SECRET: JWT_SECRET:
@ -87,14 +89,18 @@ networks:
net: net:
external: true external: true
name: net name: net
...
``` ```
{{< /details >}}
#### Using a Secrets Volume #### Using a Secrets Volume
Use this [Standalone Example](#standalone-example) if you want to use a standard Use this [Standalone Example](#standalone-example) if you want to use a standard
[docker volume](https://docs.docker.com/storage/volumes/) or bind mount for your secrets. [docker volume](https://docs.docker.com/storage/volumes/) or bind mount for your secrets.
{{< details "docker-compose.yml" >}}
```yaml ```yaml
---
version: "3.8" version: "3.8"
services: services:
authelia: authelia:
@ -119,6 +125,8 @@ networks:
external: true external: true
name: net name: net
``` ```
...
{{< /details >}}
### Bundles ### Bundles
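Review bot: In the Secrets Volume example the added `...` document-end marker sits after the closing code fence instead of before it, so it will render as stray text inside the details block rather than as part of the YAML. The Docker Secrets example earlier in this file places `...` above the fence. Move the `...` line above the closing fence here too, so the block opens with `---` and closes with `...` like the others.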
@ -184,7 +192,9 @@ The example below includes the additional `ports` option which must be added in
[Standalone Example](#standalone-example) above. The example allows *Authelia* to be communicated with over the [Standalone Example](#standalone-example) above. The example allows *Authelia* to be communicated with over the
localhost IP address `127.0.0.1` on port `9091`. You need to adjust this to your specific needs. localhost IP address `127.0.0.1` on port `9091`. You need to adjust this to your specific needs.
{{< details "docker-compose.yml" >}}
```yaml ```yaml
---
services: services:
authelia: authelia:
container_name: authelia container_name: authelia
@ -197,7 +207,9 @@ services:
- 9091 - 9091
ports: ports:
- "127.0.0.1:9091:9091" - "127.0.0.1:9091:9091"
...
``` ```
{{< /details >}}
[Docker]: https://docker.com [Docker]: https://docker.com
[Docker Compose]: https://docs.docker.com/compose/ [Docker Compose]: https://docs.docker.com/compose/

View File

@ -14,7 +14,7 @@ aliases:
- /i/k8s - /i/k8s
--- ---
{{< figure src="kubernetes.png" alt="Kubernetes" width="100" style="padding-right: 10px" >}} {{< figure src="/images/logos/kubernetes.png" alt="Kubernetes" width="100" style="padding-right: 10px" >}}
## UNDER CONSTRUCTION ## UNDER CONSTRUCTION
@ -63,9 +63,6 @@ spec:
... ...
``` ```
## Secrets
## FAQ ## FAQ
### RAM usage ### RAM usage

Binary file not shown (before: 27 KiB).

View File

@ -40,6 +40,7 @@ can manually create a secret like this with `kubectl apply -f`.
##### secret.yaml ##### secret.yaml
{{< details "secret.yml" >}}
```yaml ```yaml
--- ---
kind: Secret kind: Secret
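Review bot: The details title added here is "secret.yml" while the heading directly above it is `##### secret.yaml`, so the rendered page shows two spellings of the same file name. Use one extension for both. The handling is also inconsistent within this file: the `##### kustomization.yaml` heading further down is replaced by its details block, whereas this heading is kept alongside it.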
@ -97,10 +98,13 @@ stringData:
-----END RSA PRIVATE KEY----- -----END RSA PRIVATE KEY-----
... ...
``` ```
{{< /details >}}
##### Base64 Data Example ##### Base64 Data Example
This is the same manifest as above but encoded in base64. This is the same manifest as above but encoded in base64.
{{< details "secret.yml" >}}
```yaml ```yaml
--- ---
kind: Secret kind: Secret
@ -122,14 +126,15 @@ data:
STORAGE_PASSWORD: Tk1IZjlaN0M1VVFZdUtLZ2g5QkpUS2VjY29adDZjNjQ3RlFxc0VIaGthcGtrbmRQa1B3M2Q4Ym52a3FMZ2laNQ== STORAGE_PASSWORD: Tk1IZjlaN0M1VVFZdUtLZ2g5QkpUS2VjY29adDZjNjQ3RlFxc0VIaGthcGtrbmRQa1B3M2Q4Ym52a3FMZ2laNQ==
... ...
``` ```
{{< /details >}}
### Kustomize ### Kustomize
The following example is a [Kustomize](https://kustomize.io/) example which can be utilized with `kubectl apply -k`. The The following example is a [Kustomize](https://kustomize.io/) example which can be utilized with `kubectl apply -k`. The
files listed in the `secretGenerator` section of the `kustomization.yaml` must exist and contain the contents of your files listed in the `secretGenerator` section of the `kustomization.yaml` must exist and contain the contents of your
desired secret value. desired secret value.
##### kustomization.yaml {{< details "kustomization.yaml" >}}
```yaml ```yaml
--- ---
generatorOptions: generatorOptions:
@ -153,6 +158,7 @@ secretGenerator:
- STORAGE_PASSWORD - STORAGE_PASSWORD
... ...
``` ```
{{< /details >}}
## Usage ## Usage
@ -162,6 +168,7 @@ details.
The example is an excerpt for a manifest which can mount volumes. Examples of these are the [Pod], [Deployment], The example is an excerpt for a manifest which can mount volumes. Examples of these are the [Pod], [Deployment],
[StatefulSet], and [DaemonSet]. [StatefulSet], and [DaemonSet].
{{< details "deployment.yml" >}}
```yaml ```yaml
--- ---
spec: spec:
@ -221,6 +228,7 @@ spec:
path: STORAGE_PASSWORD path: STORAGE_PASSWORD
... ...
``` ```
{{< /details >}}
[Kubernetes]: https://kubernetes.io/ [Kubernetes]: https://kubernetes.io/
[Pod]: https://kubernetes.io/docs/concepts/workloads/pods/ [Pod]: https://kubernetes.io/docs/concepts/workloads/pods/

View File

@ -45,7 +45,9 @@ configured it to be served on the URL `https://auth.example.com` and there is a
`authelia` in the `default` namespace with TCP port `80` configured to route to the Authelia pod's HTTP port and that `authelia` in the `default` namespace with TCP port `80` configured to route to the Authelia pod's HTTP port and that
your cluster is configured with the default DNS domain name of `cluster.local`. your cluster is configured with the default DNS domain name of `cluster.local`.
{{< details "middleware.yml" >}}
```yaml ```yaml
---
apiVersion: traefik.containo.us/v1alpha1 apiVersion: traefik.containo.us/v1alpha1
kind: Middleware kind: Middleware
metadata: metadata:
@ -63,7 +65,9 @@ spec:
- Remote-Name - Remote-Name
- Remote-Email - Remote-Email
- Remote-Groups - Remote-Groups
...
``` ```
{{< /details >}}
## Ingress ## Ingress
@ -71,7 +75,9 @@ This is an example Ingress manifest which uses the above [Middleware](#middlewar
application you wish to serve on `https://app.example.com` and there is a Kubernetes Service with the name `app` in the application you wish to serve on `https://app.example.com` and there is a Kubernetes Service with the name `app` in the
`default` namespace with TCP port `80` configured to route to the application pod's HTTP port. `default` namespace with TCP port `80` configured to route to the application pod's HTTP port.
{{< details "ingress.yml" >}}
```yaml ```yaml
---
apiVersion: networking.k8s.io/v1 apiVersion: networking.k8s.io/v1
kind: Ingress kind: Ingress
metadata: metadata:
@ -93,7 +99,9 @@ spec:
name: app name: app
port: port:
number: 80 number: 80
...
``` ```
{{< /details >}}
## IngressRoute ## IngressRoute
@ -101,7 +109,9 @@ This is an example IngressRoute manifest which uses the above [Middleware](#midd
application you wish to serve on `https://app.example.com` and there is a Kubernetes Service with the name `app` in the application you wish to serve on `https://app.example.com` and there is a Kubernetes Service with the name `app` in the
`default` namespace with TCP port `80` configured to route to the application pod's HTTP port. `default` namespace with TCP port `80` configured to route to the application pod's HTTP port.
{{< details "ingressRoute.yml" >}}
```yaml ```yaml
---
apiVersion: traefik.containo.us/v1alpha1 apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute kind: IngressRoute
metadata: metadata:
@ -124,7 +134,9 @@ spec:
scheme: http scheme: http
strategy: RoundRobin strategy: RoundRobin
weight: 10 weight: 10
...
``` ```
{{< /details >}}
[Traefik Kubernetes Ingress]: https://doc.traefik.io/traefik/providers/kubernetes-ingress/ [Traefik Kubernetes Ingress]: https://doc.traefik.io/traefik/providers/kubernetes-ingress/
[Traefik Kubernetes CRD]: https://doc.traefik.io/traefik/providers/kubernetes-crd/ [Traefik Kubernetes CRD]: https://doc.traefik.io/traefik/providers/kubernetes-crd/

View File

@ -78,8 +78,7 @@ support to ensure the basic example covers your use case in a secure way.
#### Subdomain #### Subdomain
##### Caddyfile {{< details "Caddyfile" >}}
```caddyfile ```caddyfile
## It is important to read the following document before enabling this section: ## It is important to read the following document before enabling this section:
## https://www.authelia.com/integration/proxies/caddy/#forwarded-header-trust#trusted-proxies ## https://www.authelia.com/integration/proxies/caddy/#forwarded-header-trust#trusted-proxies
@ -111,11 +110,11 @@ nextcloud.example.com {
} }
} }
``` ```
{{< /details >}}
#### Subpath #### Subpath
##### Caddyfile {{< details "Caddyfile" >}}
```caddyfile ```caddyfile
## It is important to read the following document before enabling this section: ## It is important to read the following document before enabling this section:
## https://www.authelia.com/integration/proxies/caddy/#forwarded-header-trust#trusted-proxies ## https://www.authelia.com/integration/proxies/caddy/#forwarded-header-trust#trusted-proxies
@ -151,7 +150,7 @@ example.com {
} }
} }
``` ```
{{< /details >}}
### Advanced example ### Advanced example
The advanced example allows for more flexible customization, however the [basic example](#basic-examples) should be The advanced example allows for more flexible customization, however the [basic example](#basic-examples) should be
@ -159,8 +158,7 @@ preferred in *most* situations. If you are unsure of what you're doing please do
*__Important:__ Making a mistake when configuring the advanced example could lead to authentication bypass or errors.* *__Important:__ Making a mistake when configuring the advanced example could lead to authentication bypass or errors.*
##### Caddyfile {{< details "Caddyfile" >}}
```caddyfile ```caddyfile
## It is important to read the following document before enabling this section: ## It is important to read the following document before enabling this section:
## https://www.authelia.com/integration/proxies/caddy/#forwarded-header-trust#trusted-proxies ## https://www.authelia.com/integration/proxies/caddy/#forwarded-header-trust#trusted-proxies
@ -209,6 +207,7 @@ nextcloud.example.com {
} }
} }
``` ```
{{< /details >}}
## See Also ## See Also

View File

@ -74,10 +74,7 @@ This example is for using the __Authelia__ portal redirection flow on a specific
files exist in the `/config/nginx/` directory. The `/config/nginx/ssl.conf` snippet is expected to have files exist in the `/config/nginx/` directory. The `/config/nginx/ssl.conf` snippet is expected to have
the configuration for TLS or SSL but is not included as part of the examples. the configuration for TLS or SSL but is not included as part of the examples.
#### Authelia Portal {{< details "Authelia Portal (auth.example.com.conf)" >}}
##### auth.example.com.conf
```nginx ```nginx
server { server {
listen 80; listen 80;
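Review bot: Replacing the `#### Authelia Portal` and `##### auth.example.com.conf` headings with a details title removes the anchors those headings generated. The in-page `[Authelia Portal](#authelia-portal)` link is updated later in this commit, but links from other pages are not visible in this diff. Please search the docs for `#authelia-portal`, and for the Protected Endpoint heading removed in the next hunk, before merging.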
@ -100,11 +97,9 @@ server {
} }
} }
``` ```
{{< /details >}}
#### Protected Endpoint {{< details "Protected Endpoint (nextcloud.example.com.conf)" >}}
##### nextcloud.example.com.conf
```nginx ```nginx
server { server {
listen 80; listen 80;
@ -129,6 +124,7 @@ server {
} }
} }
``` ```
{{< /details >}}
### HTTP Basic Authentication Example ### HTTP Basic Authentication Example
@ -138,10 +134,10 @@ to have the [authelia-location-basic.conf](#authelia-location-basicconf),
example these files exist in the `/config/nginx/` directory. The `/config/nginx/ssl.conf` snippet is expected to have example these files exist in the `/config/nginx/` directory. The `/config/nginx/ssl.conf` snippet is expected to have
the configuration for TLS or SSL but is not included as part of the examples. the configuration for TLS or SSL but is not included as part of the examples.
The [Authelia Portal](#authelia-portal) configuration can be reused for this example as such it isn't repeated. The Authelia Portal file from the [Standard Example](#standard-example) configuration can be reused for this example as
such it isn't repeated.
#### HTTP Basic Authentication Protected Endpoint
{{< details "Protected Endpoint (nextcloud.example.com.conf)" >}}
```nginx ```nginx
server { server {
listen 80; listen 80;
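Review bot: The rewritten sentence ending "can be reused for this example as such it isn't repeated" is a run-on; suggest "can be reused for this example, so it isn't repeated." The new link also depends on a `#standard-example` anchor in this file, and that heading is not visible in the diff, so please confirm it exists.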
@ -166,6 +162,7 @@ server {
} }
} }
``` ```
{{< /details >}}
### Supporting Configuration Snippets ### Supporting Configuration Snippets
@ -181,6 +178,7 @@ The following is an example `proxy.conf`. The important directives include the `
[Trusted Proxies](#trusted-proxies) section to understand, or set the `X-Forwarded-Proto`, `X-Forwarded-Host`, [Trusted Proxies](#trusted-proxies) section to understand, or set the `X-Forwarded-Proto`, `X-Forwarded-Host`,
`X-Forwarded-Uri`, and `X-Forwarded-For` headers. `X-Forwarded-Uri`, and `X-Forwarded-For` headers.
{{< details "proxy.conf" >}}
```nginx ```nginx
## Headers ## Headers
proxy_set_header Host $host; proxy_set_header Host $host;
@ -217,11 +215,14 @@ proxy_read_timeout 360;
proxy_send_timeout 360; proxy_send_timeout 360;
proxy_connect_timeout 360; proxy_connect_timeout 360;
``` ```
{{< /details >}}
#### authelia-location.conf #### authelia-location.conf
*The following snippet is used within the `server` block of a virtual host as a supporting endpoint used by *The following snippet is used within the `server` block of a virtual host as a supporting endpoint used by
`auth_request` and is paired with [authelia-authrequest.conf](#authelia-authrequestconf).* `auth_request` and is paired with [authelia-authrequest.conf](#authelia-authrequestconf).*
{{< details "authelia-location.conf" >}}
```nginx ```nginx
set $upstream_authelia http://authelia:9091/api/verify; set $upstream_authelia http://authelia:9091/api/verify;
@ -259,12 +260,14 @@ location /authelia {
proxy_connect_timeout 240; proxy_connect_timeout 240;
} }
``` ```
{{< /details >}}
#### authelia-authrequest.conf #### authelia-authrequest.conf
*The following snippet is used within a `location` block of a virtual host which uses the appropriate location block *The following snippet is used within a `location` block of a virtual host which uses the appropriate location block
and is paired with [authelia-location.conf](#authelia-locationconf).* and is paired with [authelia-location.conf](#authelia-locationconf).*
{{< details "authelia-authrequest.conf" >}}
```nginx ```nginx
## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource. ## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource.
auth_request /authelia; auth_request /authelia;
@ -287,6 +290,7 @@ proxy_set_header Remote-Email $email;
## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal. ## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal.
error_page 401 =302 https://auth.example.com/?rd=$target_url; error_page 401 =302 https://auth.example.com/?rd=$target_url;
``` ```
{{< /details >}}
#### authelia-location-basic.conf #### authelia-location-basic.conf
@ -296,6 +300,7 @@ snippet is rarely required. It's only used if you want to only allow
[HTTP Basic Authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication) for a particular [HTTP Basic Authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication) for a particular
endpoint. It's recommended to use [authelia-location.conf](#authelia-locationconf) instead.* endpoint. It's recommended to use [authelia-location.conf](#authelia-locationconf) instead.*
{{< details "authelia-location-basic.conf" >}}
```nginx ```nginx
set $upstream_authelia http://authelia:9091/api/verify?auth=basic; set $upstream_authelia http://authelia:9091/api/verify?auth=basic;
@ -333,6 +338,7 @@ location /authelia-basic {
proxy_connect_timeout 240; proxy_connect_timeout 240;
} }
``` ```
{{< /details >}}
#### authelia-authrequest-basic.conf #### authelia-authrequest-basic.conf
@ -342,6 +348,7 @@ required. It's only used if you want to only allow
[HTTP Basic Authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication) for a particular [HTTP Basic Authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication) for a particular
endpoint. It's recommended to use [authelia-authrequest.conf](#authelia-authrequestconf) instead.* endpoint. It's recommended to use [authelia-authrequest.conf](#authelia-authrequestconf) instead.*
{{< details "authelia-authrequest-basic.conf" >}}
```nginx ```nginx
## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource. ## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource.
auth_request /authelia-basic; auth_request /authelia-basic;
@ -361,6 +368,7 @@ proxy_set_header Remote-Groups $groups;
proxy_set_header Remote-Name $name; proxy_set_header Remote-Name $name;
proxy_set_header Remote-Email $email; proxy_set_header Remote-Email $email;
``` ```
{{< /details >}}
#### authelia-location-detect.conf #### authelia-location-detect.conf
@ -370,6 +378,7 @@ snippet is rarely required. It's only used if you want to conditionally require
[HTTP Basic Authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication) for a particular [HTTP Basic Authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication) for a particular
endpoint. It's recommended to use [authelia-location.conf](#authelia-locationconf) instead.* endpoint. It's recommended to use [authelia-location.conf](#authelia-locationconf) instead.*
{{< details "authelia-location-detect.conf" >}}
```nginx ```nginx
include /config/nginx/authelia-location.conf; include /config/nginx/authelia-location.conf;
@ -398,6 +407,7 @@ location /authelia-detect {
return 302 https://auth.example.com/$is_args$args; return 302 https://auth.example.com/$is_args$args;
} }
``` ```
{{< /details >}}
#### authelia-authrequest-detect.conf #### authelia-authrequest-detect.conf
@ -407,6 +417,7 @@ required. It's only used if you want to conditionally require
[HTTP Basic Authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication) for a particular [HTTP Basic Authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication) for a particular
endpoint. It's recommended to use [authelia-authrequest.conf](#authelia-authrequestconf) instead.* endpoint. It's recommended to use [authelia-authrequest.conf](#authelia-authrequestconf) instead.*
{{< details "authelia-authrequest-detect.conf" >}}
```nginx ```nginx
## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource. ## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource.
auth_request /authelia; auth_request /authelia;
@ -429,6 +440,7 @@ proxy_set_header Remote-Email $email;
## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal. ## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal.
error_page 401 =302 /authelia-detect?rd=$target_url; error_page 401 =302 /authelia-detect?rd=$target_url;
``` ```
{{< /details >}}
## See Also ## See Also

View File

@ -80,9 +80,9 @@ Please ensure that you also setup the respective [ACME configuration](https://do
This is an example configuration using [docker compose] labels: This is an example configuration using [docker compose] labels:
##### docker-compose.yml {{< details "docker-compose.yml" >}}
```yaml ```yaml
---
version: "3.8" version: "3.8"
networks: networks:
net: net:
@ -199,7 +199,9 @@ services:
- 'traefik.http.routers.heimdall.entryPoints=https' - 'traefik.http.routers.heimdall.entryPoints=https'
- 'traefik.http.routers.heimdall.tls=true' - 'traefik.http.routers.heimdall.tls=true'
- 'traefik.http.routers.heimdall.middlewares=authelia-basic@docker' - 'traefik.http.routers.heimdall.middlewares=authelia-basic@docker'
...
``` ```
{{< /details >}}
### YAML ### YAML
@ -215,9 +217,9 @@ This example uses a `docker-compose.yml` similar to the one above however it has
all `forwardAuth` middlewares, adjusting the `authelia` router in the `http.routers` section to use the all `forwardAuth` middlewares, adjusting the `authelia` router in the `http.routers` section to use the
`authelia-net@docker` service, and commenting the `authelia` service in the `http.service` section. `authelia-net@docker` service, and commenting the `authelia` service in the `http.service` section.
##### docker-compose.yml {{< details "docker-compose.yml" >}}
```yaml ```yaml
---
version: "3.8" version: "3.8"
networks: networks:
net: net:
@ -319,16 +321,17 @@ services:
TZ: "Australia/Melbourne" TZ: "Australia/Melbourne"
labels: labels:
- "traefik.enable=true" - "traefik.enable=true"
...
``` ```
{{< /details >}}
##### traefik.yml
This file is part of the dynamic configuration and should have the path This file is part of the dynamic configuration and should have the path
`${PWD}/data/traefik/config/dynamic/traefik.yml`. Please see the [Traefik] service and the volume that mounts the `${PWD}/data/traefik/config/dynamic/traefik.yml`. Please see the [Traefik] service and the volume that mounts the
`${PWD}/data/traefik/config` in the docker compose above. `${PWD}/data/traefik/config` in the docker compose above.
{{< details "traefik.yml" >}}
```yaml ```yaml
---
entryPoints: entryPoints:
web: web:
proxyProtocol: proxyProtocol:
@ -462,7 +465,9 @@ http:
keyFile: /certificates/traefik.private.pem keyFile: /certificates/traefik.private.pem
rootCAs: rootCAs:
- /certificates/ca.public.crt - /certificates/ca.public.crt
...
``` ```
{{< /details >}}
## FAQ ## FAQ