master
...
refactor-y
Author | SHA1 | Date |
---|---|---|
James Elliott | 5013952bae |
|
@ -4,44 +4,44 @@
|
|||
# secret leaks.
|
||||
steps:
|
||||
# Blocking pipeline for master branch deployments (concurrency_group).
|
||||
- label: ":pipeline: Setup Pipeline"
|
||||
command: ".buildkite/pipeline.sh | buildkite-agent pipeline upload"
|
||||
- label: ':pipeline: Setup Pipeline'
|
||||
command: '.buildkite/pipeline.sh | buildkite-agent pipeline upload'
|
||||
concurrency: 1
|
||||
concurrency_group: "deployments"
|
||||
if: build.branch == "master"
|
||||
concurrency_group: 'deployments'
|
||||
if: 'build.branch == "master"'
|
||||
|
||||
# Non-blocking pipeline for all others (tagged commits/local branches/PRs).
|
||||
- label: ":pipeline: Setup Pipeline"
|
||||
command: ".buildkite/pipeline.sh | buildkite-agent pipeline upload"
|
||||
if: build.branch != "master"
|
||||
- label: ':pipeline: Setup Pipeline'
|
||||
command: '.buildkite/pipeline.sh | buildkite-agent pipeline upload'
|
||||
if: 'build.branch != "master"'
|
||||
|
||||
- wait: # yamllint disable-line rule:empty-values
|
||||
if: build.pull_request.repository.fork != true && build.branch !~ /^(dependabot|renovate)\/.*/ && build.message !~ /^docs/ # yamllint disable-line rule:line-length
|
||||
if: 'build.pull_request.repository.fork != true && build.branch !~ /^(dependabot|renovate)\/.*/ && build.message !~ /^docs/' # yamllint disable-line rule:line-length
|
||||
|
||||
# Manual intervention by team required to deploy for forked PRs (prevent secret leakage).
|
||||
- block: "Public fork needs approval"
|
||||
if: build.pull_request.repository.fork == true
|
||||
- block: 'Public fork needs approval'
|
||||
if: 'build.pull_request.repository.fork == true'
|
||||
|
||||
# Blocking deployment for master branch deployments (concurrency_group).
|
||||
- label: ":rocket: Setup Deployment"
|
||||
command: ".buildkite/deployment.sh | buildkite-agent pipeline upload"
|
||||
- label: ':rocket: Setup Deployment'
|
||||
command: '.buildkite/deployment.sh | buildkite-agent pipeline upload'
|
||||
concurrency: 1
|
||||
concurrency_group: "deployments"
|
||||
depends_on: ~
|
||||
if: build.branch == "master" && build.message !~ /^docs/
|
||||
concurrency_group: 'deployments'
|
||||
depends_on: '~'
|
||||
if: 'build.branch == "master" && build.message !~ /^docs/'
|
||||
|
||||
# Non-blocking deployment for all others (tagged commits/local branches).
|
||||
- label: ":rocket: Setup Deployment"
|
||||
command: ".buildkite/deployment.sh | buildkite-agent pipeline upload"
|
||||
- label: ':rocket: Setup Deployment'
|
||||
command: '.buildkite/deployment.sh | buildkite-agent pipeline upload'
|
||||
depends_on: ~
|
||||
if: build.branch != "master" && build.branch !~ /^(dependabot|renovate)\/.*/ && build.message !~ /^docs/ && build.pull_request.repository.fork != true # yamllint disable-line rule:line-length
|
||||
if: 'build.branch != "master" && build.branch !~ /^(dependabot|renovate)\/.*/ && build.message !~ /^docs/ && build.pull_request.repository.fork != true' # yamllint disable-line rule:line-length
|
||||
|
||||
# Removed dependency optimisation for forked PRs to enforce block step.
|
||||
- label: ":rocket: Setup Deployment"
|
||||
command: ".buildkite/deployment.sh | buildkite-agent pipeline upload"
|
||||
if: build.message !~ /^docs/ && build.pull_request.repository.fork == true
|
||||
- label: ':rocket: Setup Deployment'
|
||||
command: '.buildkite/deployment.sh | buildkite-agent pipeline upload'
|
||||
if: 'build.message !~ /^docs/ && build.pull_request.repository.fork == true'
|
||||
|
||||
notify:
|
||||
- webhook: "<REDACTED WEBHOOK_URL>"
|
||||
if: build.state == "blocked"
|
||||
- webhook: '<REDACTED WEBHOOK_URL>'
|
||||
if: 'build.state == "blocked"'
|
||||
...
|
||||
|
|
34
.codecov.yml
34
.codecov.yml
|
@ -3,42 +3,42 @@ codecov:
|
|||
require_ci_to_pass: true
|
||||
|
||||
comment:
|
||||
layout: "reach, diff, flags, files"
|
||||
behavior: default
|
||||
layout: 'reach, diff, flags, files'
|
||||
behavior: 'default'
|
||||
require_changes: false
|
||||
|
||||
coverage:
|
||||
precision: 2
|
||||
round: down
|
||||
range: "70...100"
|
||||
round: 'down'
|
||||
range: '70...100'
|
||||
status:
|
||||
project:
|
||||
default: false
|
||||
backend:
|
||||
base: auto
|
||||
threshold: 0.15%
|
||||
base: 'auto'
|
||||
threshold: '0.15%'
|
||||
flags:
|
||||
- backend
|
||||
- 'backend'
|
||||
frontend:
|
||||
base: auto
|
||||
threshold: 0.15%
|
||||
base: 'auto'
|
||||
threshold: '0.15%'
|
||||
flags:
|
||||
- frontend
|
||||
- 'frontend'
|
||||
|
||||
flags:
|
||||
backend:
|
||||
paths:
|
||||
- "cmd/authelia/"
|
||||
- "internal/"
|
||||
- "!internal/suites/"
|
||||
- 'cmd/authelia/'
|
||||
- 'internal/'
|
||||
- '!internal/suites/'
|
||||
frontend:
|
||||
paths:
|
||||
- "web/"
|
||||
- "!web/coverage/"
|
||||
- 'web/'
|
||||
- '!web/coverage/'
|
||||
|
||||
ignore:
|
||||
- "web/src/serviceWorker.ts"
|
||||
- "**/coverage.txt"
|
||||
- 'web/src/serviceWorker.ts'
|
||||
- '**/coverage.txt'
|
||||
|
||||
parsers:
|
||||
gcov:
|
||||
|
|
|
@ -1,12 +1,12 @@
|
|||
---
|
||||
name: Bug Report
|
||||
description: Report a bug
|
||||
name: 'Bug Report'
|
||||
description: 'Report a bug'
|
||||
labels:
|
||||
- type/bug/unconfirmed
|
||||
- status/needs-triage
|
||||
- priority/4/normal
|
||||
- 'type/bug/unconfirmed'
|
||||
- 'status/needs-triage'
|
||||
- 'priority/4/normal'
|
||||
body:
|
||||
- type: markdown
|
||||
- type: 'markdown'
|
||||
attributes:
|
||||
value: |
|
||||
Thanks for taking the time to fill out this bug report. If you are unsure if this is actually a bug and you still need some form of support we generally recommend creating a [Question and Answer Discussion](https://github.com/authelia/authelia/discussions/new?category=q-a) first.
|
||||
|
@ -25,160 +25,190 @@ body:
|
|||
- Do not truncate any logs unless you are complying with the specific instructions in the [Logs](https://www.authelia.com/r/troubleshooting#logs) section.
|
||||
- If you plan on sanitizing, removing, or adjusting any values for the logs or configuration files please read the [Sanitization](https://www.authelia.com/r/troubleshooting#sanitization) section.
|
||||
7. Please consider including a [HTTP Archive File](https://www.authelia.com/r/har) if you're having redirection issues.
|
||||
- type: dropdown
|
||||
id: version
|
||||
- type: 'dropdown'
|
||||
id: 'version'
|
||||
attributes:
|
||||
label: Version
|
||||
description: What version(s) of Authelia can you reproduce this bug on?
|
||||
label: |
|
||||
Version
|
||||
description: |
|
||||
What version(s) of Authelia can you reproduce this bug on?
|
||||
multiple: true
|
||||
options:
|
||||
- v4.37.5
|
||||
- v4.37.4
|
||||
- v4.37.3
|
||||
- v4.37.2
|
||||
- v4.37.1
|
||||
- v4.37.0
|
||||
- v4.36.9
|
||||
- v4.36.8
|
||||
- v4.36.7
|
||||
- v4.36.6
|
||||
- v4.36.5
|
||||
- v4.36.4
|
||||
- v4.36.3
|
||||
- v4.36.2
|
||||
- v4.36.1
|
||||
- v4.36.0
|
||||
- v4.35.6
|
||||
- v4.35.5
|
||||
- v4.35.4
|
||||
- v4.35.3
|
||||
- v4.35.2
|
||||
- v4.35.1
|
||||
- v4.35.0
|
||||
- v4.34.6
|
||||
- v4.34.5
|
||||
- v4.34.4
|
||||
- v4.34.3
|
||||
- v4.34.2
|
||||
- v4.34.1
|
||||
- v4.34.0
|
||||
- v4.33.2
|
||||
- v4.33.1
|
||||
- v4.33.0
|
||||
- v4.32.2
|
||||
- v4.32.1
|
||||
- v4.32.0
|
||||
- 'v4.37.5'
|
||||
- 'v4.37.4'
|
||||
- 'v4.37.3'
|
||||
- 'v4.37.2'
|
||||
- 'v4.37.1'
|
||||
- 'v4.37.0'
|
||||
- 'v4.36.9'
|
||||
- 'v4.36.8'
|
||||
- 'v4.36.7'
|
||||
- 'v4.36.6'
|
||||
- 'v4.36.5'
|
||||
- 'v4.36.4'
|
||||
- 'v4.36.3'
|
||||
- 'v4.36.2'
|
||||
- 'v4.36.1'
|
||||
- 'v4.36.0'
|
||||
- 'v4.35.6'
|
||||
- 'v4.35.5'
|
||||
- 'v4.35.4'
|
||||
- 'v4.35.3'
|
||||
- 'v4.35.2'
|
||||
- 'v4.35.1'
|
||||
- 'v4.35.0'
|
||||
- 'v4.34.6'
|
||||
- 'v4.34.5'
|
||||
- 'v4.34.4'
|
||||
- 'v4.34.3'
|
||||
- 'v4.34.2'
|
||||
- 'v4.34.1'
|
||||
- 'v4.34.0'
|
||||
- 'v4.33.2'
|
||||
- 'v4.33.1'
|
||||
- 'v4.33.0'
|
||||
- 'v4.32.2'
|
||||
- 'v4.32.1'
|
||||
- 'v4.32.0'
|
||||
validations:
|
||||
required: true
|
||||
- type: dropdown
|
||||
id: deployment
|
||||
- type: 'dropdown'
|
||||
id: 'deployment'
|
||||
attributes:
|
||||
label: Deployment Method
|
||||
description: How are you deploying Authelia?
|
||||
label: |
|
||||
Deployment Method
|
||||
description: |
|
||||
How are you deploying Authelia?
|
||||
options:
|
||||
- Docker
|
||||
- Kubernetes
|
||||
- Bare-metal
|
||||
- Other
|
||||
- 'Docker'
|
||||
- 'Kubernetes'
|
||||
- 'Bare-metal'
|
||||
- 'Other'
|
||||
validations:
|
||||
required: true
|
||||
- type: dropdown
|
||||
id: proxy
|
||||
- type: 'dropdown'
|
||||
id: 'proxy'
|
||||
attributes:
|
||||
label: Reverse Proxy
|
||||
description: What reverse proxy are you using?
|
||||
label: |
|
||||
Reverse Proxy
|
||||
description: |
|
||||
What reverse proxy are you using?
|
||||
options:
|
||||
- Caddy
|
||||
- Traefik
|
||||
- Envoy
|
||||
- Istio
|
||||
- NGINX
|
||||
- SWAG
|
||||
- NGINX Proxy Manager
|
||||
- HAProxy
|
||||
- 'Caddy'
|
||||
- 'Traefik'
|
||||
- 'Envoy'
|
||||
- 'Istio'
|
||||
- 'NGINX'
|
||||
- 'SWAG'
|
||||
- 'NGINX Proxy Manager'
|
||||
- 'HAProxy'
|
||||
validations:
|
||||
required: true
|
||||
- type: input
|
||||
id: proxy-version
|
||||
- type: 'input'
|
||||
id: 'proxy-version'
|
||||
attributes:
|
||||
label: Reverse Proxy Version
|
||||
description: What is the version of your reverse proxy?
|
||||
placeholder: x.x.x
|
||||
label: |
|
||||
Reverse Proxy Version
|
||||
description: |
|
||||
What is the version of your reverse proxy?
|
||||
placeholder: 'x.x.x'
|
||||
validations:
|
||||
required: false
|
||||
- type: textarea
|
||||
id: description
|
||||
- type: 'textarea'
|
||||
id: 'description'
|
||||
attributes:
|
||||
label: Description
|
||||
description: Describe the bug.
|
||||
label: |
|
||||
Description
|
||||
description: |
|
||||
Describe the bug.
|
||||
validations:
|
||||
required: true
|
||||
- type: textarea
|
||||
id: reproduction
|
||||
- type: 'textarea'
|
||||
id: 'reproduction'
|
||||
attributes:
|
||||
label: Reproduction
|
||||
description: Describe how we can reproduce this issue. This should be step by step and should include detailed and specific information. Abstract or generic information should be avoided. For example this should include specific application names and versions if relevant. Reproducing the issue is important so we can verify it exists, add relevant tests, and verify it is solved.
|
||||
label: |
|
||||
Reproduction
|
||||
description: |
|
||||
Describe how we can reproduce this issue. This should be step by step and should include detailed and specific information. Abstract or generic information should be avoided. For example this should include specific application names and versions if relevant. Reproducing the issue is important so we can verify it exists, add relevant tests, and verify it is solved.
|
||||
validations:
|
||||
required: true
|
||||
- type: textarea
|
||||
id: expectations
|
||||
- type: 'textarea'
|
||||
id: 'expectations'
|
||||
attributes:
|
||||
label: Expectations
|
||||
description: Describe the desired or expected results.
|
||||
label: |
|
||||
Expectations
|
||||
description: |
|
||||
Describe the desired or expected results.
|
||||
validations:
|
||||
required: false
|
||||
- type: textarea
|
||||
id: configuration
|
||||
- type: 'textarea'
|
||||
id: 'configuration'
|
||||
attributes:
|
||||
label: Configuration (Authelia)
|
||||
description: Provide a complete configuration file (the template will automatically put this content in a code block).
|
||||
render: yaml
|
||||
label: |
|
||||
Configuration (Authelia)
|
||||
description: |
|
||||
Provide a complete configuration file (the template will automatically put this content in a code block).
|
||||
render: 'yaml'
|
||||
validations:
|
||||
required: false
|
||||
- type: textarea
|
||||
id: logs
|
||||
- type: 'textarea'
|
||||
id: 'logs'
|
||||
attributes:
|
||||
label: Logs (Authelia)
|
||||
label: |
|
||||
Logs (Authelia)
|
||||
description: |
|
||||
Provide complete logs with the log level set to debug or trace. Complete means from application start until the issue occurring. This is clearly explained in the [Logs](https://www.authelia.com/r/troubleshooting#logs) section of the troubleshooting guide.
|
||||
|
||||
The template will automatically put this content in a code block so you can just paste it.
|
||||
render: shell
|
||||
render: 'shell'
|
||||
validations:
|
||||
required: true
|
||||
- type: textarea
|
||||
id: logs-other
|
||||
- type: 'textarea'
|
||||
id: 'logs-other'
|
||||
attributes:
|
||||
label: Logs (Proxy / Application)
|
||||
description: Provide complete debug logs for the affected proxy and/or application if available and relevant (the template will automatically put this content in a code block).
|
||||
render: shell
|
||||
label: |
|
||||
Logs (Proxy / Application)
|
||||
description: |
|
||||
Provide complete debug logs for the affected proxy and/or application if available and relevant (the template will automatically put this content in a code block).
|
||||
render: 'shell'
|
||||
validations:
|
||||
required: false
|
||||
- type: textarea
|
||||
id: documentation
|
||||
- type: 'textarea'
|
||||
id: 'documentation'
|
||||
attributes:
|
||||
label: Documentation
|
||||
description: Provide any relevant specification or other documentation if applicable.
|
||||
label: |
|
||||
Documentation
|
||||
description: |
|
||||
Provide any relevant specification or other documentation if applicable.
|
||||
validations:
|
||||
required: false
|
||||
- type: checkboxes
|
||||
id: checklist
|
||||
- type: 'checkboxes'
|
||||
id: 'checklist'
|
||||
attributes:
|
||||
label: Pre-Submission Checklist
|
||||
description: By submitting this issue confirm all of the following.
|
||||
label: |
|
||||
Pre-Submission Checklist
|
||||
description: |
|
||||
By submitting this issue confirm all of the following.
|
||||
options:
|
||||
- label: I agree to follow the [Code of Conduct](http://www.authelia.com/code-of-conduct)
|
||||
- label: |
|
||||
I agree to follow the [Code of Conduct](http://www.authelia.com/code-of-conduct)
|
||||
required: true
|
||||
- label: This is a bug report and not a support request
|
||||
- label: |
|
||||
This is a bug report and not a support request
|
||||
required: true
|
||||
- label: I have read the security policy and this bug report is not a security issue or security related issue
|
||||
- label: |
|
||||
I have read the security policy and this bug report is not a security issue or security related issue
|
||||
required: true
|
||||
- label: I have either included the complete configuration file or I am sure it's unrelated to the configuration
|
||||
- label: |
|
||||
I have either included the complete configuration file or I am sure it's unrelated to the configuration
|
||||
required: true
|
||||
- label: I have provided all of the required information in full with the only alteration being reasonable sanitization in accordance with the [Troubleshooting Sanitization](https://www.authelia.com/r/sanitize) reference guide
|
||||
- label: |
|
||||
I have provided all of the required information in full with the only alteration being reasonable sanitization in accordance with the [Troubleshooting Sanitization](https://www.authelia.com/r/sanitize) reference guide
|
||||
required: true
|
||||
- label: I have checked for related proxy or application logs and included them if available
|
||||
- label: |
|
||||
I have checked for related proxy or application logs and included them if available
|
||||
required: true
|
||||
- label: I have checked for related issues and checked the documentation
|
||||
- label: |
|
||||
I have checked for related issues and checked the documentation
|
||||
required: true
|
||||
...
|
||||
|
|
|
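Review bot: Switching single-line values to literal block scalars (`label: |` followed by `Version`, and likewise every `description:` and checkbox `label:` in this hunk) changes the value itself: `|` keeps the trailing newline, so the label becomes `Version\n` rather than `Version`. GitHub's issue-form parser presumably trims it, but the plain scalars it replaces were unambiguous, and a quoted scalar `label: 'Version'` would match the quoting style the rest of the commit adopts without adding a newline; `|-` is the alternative if the block form is wanted for the long descriptions. The `body:` sequence continues outside the hunk.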
@ -10,14 +10,14 @@
|
|||
# the `language` matrix defined below to confirm you have the correct set of
|
||||
# supported CodeQL languages.
|
||||
#
|
||||
name: "CodeQL"
|
||||
name: 'CodeQL'
|
||||
|
||||
# yamllint disable-line rule:truthy
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- master
|
||||
- gh-pages
|
||||
- 'master'
|
||||
- 'gh-pages'
|
||||
paths:
|
||||
- 'go.mod'
|
||||
- 'go.sum'
|
||||
|
@ -29,7 +29,7 @@ on:
|
|||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches:
|
||||
- master
|
||||
- 'master'
|
||||
paths:
|
||||
- 'go.mod'
|
||||
- 'go.sum'
|
||||
|
@ -43,12 +43,12 @@ on:
|
|||
|
||||
jobs:
|
||||
analyze:
|
||||
name: Analyze
|
||||
runs-on: ubuntu-latest
|
||||
name: 'Analyze'
|
||||
runs-on: 'ubuntu-latest'
|
||||
permissions:
|
||||
actions: read
|
||||
contents: read
|
||||
security-events: write
|
||||
actions: 'read'
|
||||
contents: 'read'
|
||||
security-events: 'write'
|
||||
|
||||
strategy:
|
||||
fail-fast: false
|
||||
|
@ -59,23 +59,23 @@ jobs:
|
|||
- 'javascript'
|
||||
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v3
|
||||
- name: 'Checkout repository'
|
||||
uses: 'actions/checkout@v3'
|
||||
|
||||
# Initializes the CodeQL tools for scanning.
|
||||
- name: Initialize CodeQL
|
||||
uses: github/codeql-action/init@v1
|
||||
- name: 'Initialize CodeQL'
|
||||
uses: 'github/codeql-action/init@v1'
|
||||
with:
|
||||
# If you wish to specify custom queries, you can do so here or in a config file.
|
||||
# By default, queries listed here will override any specified in a config file.
|
||||
# Prefix the list here with "+" to use these queries and those in the config file.
|
||||
# queries: ./path/to/local/query, your-org/your-repo/queries@main
|
||||
languages: ${{ matrix.language }}
|
||||
languages: '${{ matrix.language }}'
|
||||
|
||||
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
|
||||
# If this step fails, then you should remove it and run the build manually (see below)
|
||||
- name: Autobuild
|
||||
uses: github/codeql-action/autobuild@v1
|
||||
- name: 'Autobuild'
|
||||
uses: 'github/codeql-action/autobuild@v1'
|
||||
|
||||
# ℹ️ Command-line programs to run using the OS shell.
|
||||
# 📚 https://git.io/JvXDl
|
||||
|
@ -88,6 +88,6 @@ jobs:
|
|||
# make bootstrap
|
||||
# make release
|
||||
|
||||
- name: Perform CodeQL Analysis
|
||||
uses: github/codeql-action/analyze@v1
|
||||
- name: 'Perform CodeQL Analysis'
|
||||
uses: 'github/codeql-action/analyze@v1'
|
||||
...
|
||||
|
|
|
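Review bot: The third-party actions in the steps hunk are still referenced by mutable tag (`uses: 'actions/checkout@v3'`, `uses: 'github/codeql-action/init@v1'`, and the autobuild/analyze lines), so a moved tag changes what runs in a job that holds `security-events: write`. Since this commit rewrites every `uses:` line anyway, pinning to a full commit SHA with the tag kept in a trailing comment, e.g. `uses: 'actions/checkout@<COMMIT_SHA>' # v3`, would make the workflow resistant to that. The codeql-action lines are also on `@v1` while checkout is on `@v3`; whether that major is still maintained is worth confirming before choosing the pin.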
@ -1,6 +1,6 @@
|
|||
---
|
||||
run:
|
||||
timeout: 3m
|
||||
timeout: '3m'
|
||||
|
||||
linters-settings:
|
||||
goconst:
|
||||
|
@ -11,40 +11,40 @@ linters-settings:
|
|||
godot:
|
||||
check-all: true
|
||||
goimports:
|
||||
local-prefixes: github.com/authelia/authelia
|
||||
local-prefixes: 'github.com/authelia/authelia'
|
||||
revive:
|
||||
confidence: 0.8
|
||||
|
||||
linters:
|
||||
enable:
|
||||
- asciicheck
|
||||
- goconst
|
||||
- gocritic
|
||||
- gocyclo
|
||||
- godot
|
||||
- gofmt
|
||||
- goimports
|
||||
- gosec
|
||||
- misspell
|
||||
- nolintlint
|
||||
- prealloc
|
||||
- revive
|
||||
- unconvert
|
||||
- unparam
|
||||
- whitespace
|
||||
- wsl
|
||||
- 'asciicheck'
|
||||
- 'goconst'
|
||||
- 'gocritic'
|
||||
- 'gocyclo'
|
||||
- 'godot'
|
||||
- 'gofmt'
|
||||
- 'goimports'
|
||||
- 'gosec'
|
||||
- 'misspell'
|
||||
- 'nolintlint'
|
||||
- 'prealloc'
|
||||
- 'revive'
|
||||
- 'unconvert'
|
||||
- 'unparam'
|
||||
- 'whitespace'
|
||||
- 'wsl'
|
||||
|
||||
issues:
|
||||
exclude:
|
||||
- Error return value of .((os\.)?std(out|err)\..*|.*Close|.*Flush|os\.Remove(All)?|.*printf?|os\.(Un)?Setenv). is not checked # yamllint disable-line rule:line-length
|
||||
- func name will be used as test\.Test.* by other packages, and that stutters; consider calling this
|
||||
- (possible misuse of unsafe.Pointer|should have signature)
|
||||
- ineffective break statement. Did you mean to break out of the outer loop
|
||||
- Use of unsafe calls should be audited
|
||||
- Subprocess launch(ed with variable|ing should be audited)
|
||||
- (G104|G307)
|
||||
- (Expect directory permissions to be 0750 or less|Expect file permissions to be 0600 or less)
|
||||
- Potential file inclusion via variable
|
||||
- 'Error return value of .((os\.)?std(out|err)\..*|.*Close|.*Flush|os\.Remove(All)?|.*printf?|os\.(Un)?Setenv). is not checked' # yamllint disable-line rule:line-length
|
||||
- 'func name will be used as test\.Test.* by other packages, and that stutters; consider calling this'
|
||||
- '(possible misuse of unsafe.Pointer|should have signature)'
|
||||
- 'ineffective break statement. Did you mean to break out of the outer loop'
|
||||
- 'Use of unsafe calls should be audited'
|
||||
- 'Subprocess launch(ed with variable|ing should be audited)'
|
||||
- '(G104|G307)'
|
||||
- '(Expect directory permissions to be 0750 or less|Expect file permissions to be 0600 or less)'
|
||||
- 'Potential file inclusion via variable'
|
||||
exclude-use-default: false
|
||||
max-issues-per-linter: 0
|
||||
max-same-issues: 0
|
||||
|
|
|
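Review bot: The `issues.exclude` entries rewritten in this hunk (`'(G104|G307)'`, `'Use of unsafe calls should be audited'`, `'Subprocess launch(ed with variable|ing should be audited)'`, `'Potential file inclusion via variable'` and the file-permission message) silence gosec findings for the whole repository, and nothing in the file says why. Since every line of the list is touched here, add a comment above it such as `# gosec findings suppressed repository-wide; each entry needs a justification and should be reviewed before new ones are added`, or move the suppressions next to the code with `//nolint:gosec` so they stay local and reviewable. The `linters-settings:` mapping starts outside the hunk.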
@ -1,19 +1,19 @@
|
|||
---
|
||||
runner:
|
||||
golangci:
|
||||
cmd: golangci-lint run
|
||||
cmd: 'golangci-lint run'
|
||||
errorformat:
|
||||
- '%E%f:%l:%c: %m'
|
||||
- '%E%f:%l: %m'
|
||||
- '%C%.%#'
|
||||
level: error
|
||||
level: 'error'
|
||||
eslint:
|
||||
cmd: cd web && eslint -f rdjson '*/**/*.{js,ts,tsx}'
|
||||
format: rdjson
|
||||
level: error
|
||||
cmd: 'cd web && eslint -f rdjson "*/**/*.{js,ts,tsx}"'
|
||||
format: 'rdjson'
|
||||
level: 'error'
|
||||
yamllint:
|
||||
cmd: yamllint --format parsable .
|
||||
cmd: 'yamllint --format parsable .'
|
||||
errorformat:
|
||||
- '%f:%l:%c: %m'
|
||||
level: warning
|
||||
level: 'warning'
|
||||
...
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
extends: default
|
||||
extends: 'default'
|
||||
|
||||
locale: en_US.UTF-8
|
||||
locale: 'en_US.UTF-8'
|
||||
|
||||
yaml-files:
|
||||
- '*.yaml'
|
||||
|
@ -19,13 +19,13 @@ ignore: |
|
|||
.github/ISSUE_TEMPLATE/bug-report.yml
|
||||
rules:
|
||||
document-end:
|
||||
level: warning
|
||||
level: 'warning'
|
||||
empty-values:
|
||||
level: warning
|
||||
level: 'warning'
|
||||
indentation:
|
||||
spaces: 2
|
||||
check-multi-line-strings: true
|
||||
line-length:
|
||||
max: 120
|
||||
octal-values: enable
|
||||
octal-values: 'enable'
|
||||
...
|
||||
|
|
|
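Review bot: The `ignore:` context line above the `rules:` hunk still lists `.github/ISSUE_TEMPLATE/bug-report.yml`, so the quoting and block-scalar rewrite this commit applies to that template is never checked by yamllint and will drift again. If the rewritten template passes with these rules, drop it from `ignore:`; if only `line-length` fails on the long description lines, a `# yamllint disable-line rule:line-length` on those lines is the same mechanism the rest of the repository already uses. The `ignore:` block itself starts outside the hunk.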
@ -4,71 +4,70 @@
|
|||
###############################################################
|
||||
|
||||
# This secret can also be set using the env variables AUTHELIA_JWT_SECRET_FILE
|
||||
jwt_secret: a_very_important_secret
|
||||
default_redirection_url: https://public.example.com
|
||||
jwt_secret: 'a_very_important_secret'
|
||||
default_redirection_url: 'https://public.example.com'
|
||||
|
||||
server:
|
||||
address: 'tcp://:9091'
|
||||
|
||||
log:
|
||||
level: debug
|
||||
level: 'debug'
|
||||
|
||||
totp:
|
||||
issuer: authelia.com
|
||||
issuer: 'authelia.com'
|
||||
|
||||
# duo_api:
|
||||
# hostname: api-123456789.example.com
|
||||
# integration_key: ABCDEF
|
||||
# hostname: 'api-123456789.example.com'
|
||||
# integration_key: 'ABCDEF'
|
||||
# # This secret can also be set using the env variables AUTHELIA_DUO_API_SECRET_KEY_FILE
|
||||
# secret_key: 1234567890abcdefghifjkl
|
||||
|
||||
authentication_backend:
|
||||
file:
|
||||
path: /config/users_database.yml
|
||||
path: '/config/users_database.yml'
|
||||
|
||||
access_control:
|
||||
default_policy: deny
|
||||
default_policy: 'deny'
|
||||
rules:
|
||||
# Rules applied to everyone
|
||||
- domain: public.example.com
|
||||
policy: bypass
|
||||
- domain: traefik.example.com
|
||||
policy: one_factor
|
||||
- domain: secure.example.com
|
||||
policy: two_factor
|
||||
- domain: 'public.example.com'
|
||||
policy: 'bypass'
|
||||
- domain: 'traefik.example.com'
|
||||
policy: 'one_factor'
|
||||
- domain: 'secure.example.com'
|
||||
policy: 'two_factor'
|
||||
|
||||
session:
|
||||
# This secret can also be set using the env variables AUTHELIA_SESSION_SECRET_FILE
|
||||
secret: unsecure_session_secret
|
||||
secret: 'unsecure_session_secret'
|
||||
|
||||
cookies:
|
||||
- name: authelia_session
|
||||
domain: example.com # Should match whatever your root protected domain is
|
||||
expiration: 3600 # 1 hour
|
||||
inactivity: 300 # 5 minutes
|
||||
- name: 'authelia_session'
|
||||
domain: 'example.com' # Should match whatever your root protected domain is
|
||||
expiration: '1h' # 1 hour
|
||||
inactivity: '5m' # 5 minutes
|
||||
|
||||
redis:
|
||||
host: redis
|
||||
host: 'redis'
|
||||
port: 6379
|
||||
# This secret can also be set using the env variables AUTHELIA_SESSION_REDIS_PASSWORD_FILE
|
||||
# password: authelia
|
||||
# password: 'authelia'
|
||||
|
||||
regulation:
|
||||
max_retries: 3
|
||||
find_time: 120
|
||||
ban_time: 300
|
||||
find_time: '2m'
|
||||
ban_time: '5m'
|
||||
|
||||
storage:
|
||||
encryption_key: you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this
|
||||
encryption_key: 'you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this'
|
||||
local:
|
||||
path: /config/db.sqlite3
|
||||
path: '/config/db.sqlite3'
|
||||
|
||||
notifier:
|
||||
smtp:
|
||||
username: test
|
||||
address: 'smtp://mail.example.com:25'
|
||||
username: 'test'
|
||||
# This secret can also be set using the env variables AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
|
||||
password: password
|
||||
host: mail.example.com
|
||||
port: 25
|
||||
sender: admin@example.com
|
||||
password: 'password'
|
||||
sender: 'admin@example.com'
|
||||
...
|
||||
|
|
|
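Review bot: The commented-out `duo_api` block is only half updated: `# hostname:` and `# integration_key:` are now quoted while `# secret_key: 1234567890abcdefghifjkl` keeps the plain form, so uncommenting the block yields mixed style; change it to `# secret_key: '1234567890abcdefghifjkl'`. The hunk also changes values rather than just quoting them — `expiration: 3600` to `'1h'`, `inactivity: 300` to `'5m'`, `find_time`/`ban_time` to `'2m'`/`'5m'`, and `smtp.host`/`port` replaced by `address: 'smtp://mail.example.com:25'` — which belongs in the commit message, and the same duration rewrite recurs in the second example configuration below (the hunk starting `@ -3,52 +3,52 @@`). The `# 1 hour` and `# 5 minutes` comments now only restate `'1h'`/`'5m'` and can be dropped. Quoting the placeholder secrets (`jwt_secret: 'a_very_important_secret'`, `secret: 'unsecure_session_secret'`, `password: 'password'`) makes them read like deliberate values; a single `# Replace every placeholder secret in this file before use` at the top of the hunk keeps this copy-paste example honest.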
@ -9,11 +9,11 @@
|
|||
users:
|
||||
authelia:
|
||||
disabled: false
|
||||
displayname: "Authelia User"
|
||||
displayname: 'Authelia User'
|
||||
# Password is authelia
|
||||
password: "$6$rounds=50000$BpLnfgDsc2WD8F2q$Zis.ixdg9s/UOJYrs56b5QEZFiZECu0qZVNsIYxBaNJ7ucIL.nlxVCT5tqh8KHG8X4tlwCFm5r6NTOZZ5qRFN/" # yamllint disable-line rule:line-length
|
||||
email: authelia@authelia.com
|
||||
password: '$6$rounds=50000$BpLnfgDsc2WD8F2q$Zis.ixdg9s/UOJYrs56b5QEZFiZECu0qZVNsIYxBaNJ7ucIL.nlxVCT5tqh8KHG8X4tlwCFm5r6NTOZZ5qRFN/' # yamllint disable-line rule:line-length
|
||||
email: 'authelia@authelia.com'
|
||||
groups:
|
||||
- admins
|
||||
- dev
|
||||
- 'admins'
|
||||
- 'dev'
|
||||
...
|
||||
|
|
|
@ -1,18 +1,18 @@
|
|||
---
|
||||
version: '3.3'
|
||||
version: '3.8'
|
||||
|
||||
networks:
|
||||
net:
|
||||
driver: bridge
|
||||
driver: 'bridge'
|
||||
|
||||
services:
|
||||
authelia:
|
||||
image: authelia/authelia
|
||||
container_name: authelia
|
||||
image: 'authelia/authelia'
|
||||
container_name: 'authelia'
|
||||
volumes:
|
||||
- ./authelia:/config
|
||||
- './authelia:/config'
|
||||
networks:
|
||||
- net
|
||||
- 'net'
|
||||
labels:
|
||||
- 'traefik.enable=true'
|
||||
- 'traefik.http.routers.authelia.rule=Host(`authelia.example.com`)'
|
||||
|
@ -24,34 +24,34 @@ services:
|
|||
- 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email' # yamllint disable-line rule:line-length
|
||||
expose:
|
||||
- 9091
|
||||
restart: unless-stopped
|
||||
restart: 'unless-stopped'
|
||||
healthcheck:
|
||||
## In production the healthcheck section should be commented.
|
||||
disable: true
|
||||
environment:
|
||||
- TZ=Australia/Melbourne
|
||||
TZ: 'Australia/Melbourne'
|
||||
|
||||
redis:
|
||||
image: redis:alpine
|
||||
container_name: redis
|
||||
image: 'redis:alpine'
|
||||
container_name: 'redis'
|
||||
volumes:
|
||||
- ./redis:/data
|
||||
- './redis:/data'
|
||||
networks:
|
||||
- net
|
||||
- 'net'
|
||||
expose:
|
||||
- 6379
|
||||
restart: unless-stopped
|
||||
restart: 'unless-stopped'
|
||||
environment:
|
||||
- TZ=Australia/Melbourne
|
||||
TZ: 'Australia/Melbourne'
|
||||
|
||||
traefik:
|
||||
image: traefik:v2.10.1
|
||||
container_name: traefik
|
||||
image: 'traefik:v2.10.1'
|
||||
container_name: 'traefik'
|
||||
volumes:
|
||||
- ./traefik:/etc/traefik
|
||||
- /var/run/docker.sock:/var/run/docker.sock
|
||||
- './traefik:/etc/traefik'
|
||||
- '/var/run/docker.sock:/var/run/docker.sock'
|
||||
networks:
|
||||
- net
|
||||
- 'net'
|
||||
labels:
|
||||
- 'traefik.enable=true'
|
||||
- 'traefik.http.routers.api.rule=Host(`traefik.example.com`)'
|
||||
|
@ -80,10 +80,10 @@ services:
|
|||
- '--log.level=DEBUG'
|
||||
|
||||
secure:
|
||||
image: traefik/whoami
|
||||
container_name: secure
|
||||
image: 'traefik/whoami'
|
||||
container_name: 'secure'
|
||||
networks:
|
||||
- net
|
||||
- 'net'
|
||||
labels:
|
||||
- 'traefik.enable=true'
|
||||
- 'traefik.http.routers.secure.rule=Host(`secure.example.com`)'
|
||||
|
@ -93,13 +93,13 @@ services:
|
|||
- 'traefik.http.routers.secure.middlewares=authelia@docker'
|
||||
expose:
|
||||
- 80
|
||||
restart: unless-stopped
|
||||
restart: 'unless-stopped'
|
||||
|
||||
public:
|
||||
image: traefik/whoami
|
||||
container_name: public
|
||||
image: 'traefik/whoami'
|
||||
container_name: 'public'
|
||||
networks:
|
||||
- net
|
||||
- 'net'
|
||||
labels:
|
||||
- 'traefik.enable=true'
|
||||
- 'traefik.http.routers.public.rule=Host(`public.example.com`)'
|
||||
|
@ -109,5 +109,5 @@ services:
|
|||
- 'traefik.http.routers.public.middlewares=authelia@docker'
|
||||
expose:
|
||||
- 80
|
||||
restart: unless-stopped
|
||||
restart: 'unless-stopped'
|
||||
...
|
||||
|
|
|
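Review bot: The Traefik service still bind-mounts the Docker socket read-write (`- '/var/run/docker.sock:/var/run/docker.sock'`), which hands that container control of the host's Docker daemon; appending `:ro` only stops the socket file being replaced and does not restrict API calls, so the honest fix is a comment where it sits, e.g. `# Grants Traefik full Docker API access; outside this local example put a socket proxy in front of it`. The section also bumps `version: '3.3'` to `'3.8'` and rewrites `environment:` from list to map form (`TZ: 'Australia/Melbourne'`), neither of which is a quoting change and both of which deserve a line in the commit message. Per its hunk context the second compose file further down stays at `version: '3.3'`, so the two examples now disagree. The `services:` mapping continues outside the hunk.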
@ -3,52 +3,52 @@
|
|||
# Authelia configuration #
|
||||
###############################################################
|
||||
|
||||
jwt_secret: a_very_important_secret
|
||||
default_redirection_url: https://public.example.com
|
||||
jwt_secret: 'a_very_important_secret'
|
||||
default_redirection_url: 'https://public.example.com'
|
||||
|
||||
server:
|
||||
address: 'tcp://:9091'
|
||||
|
||||
log:
|
||||
level: debug
|
||||
level: 'debug'
|
||||
|
||||
totp:
|
||||
issuer: authelia.com
|
||||
issuer: 'authelia.com'
|
||||
|
||||
authentication_backend:
|
||||
file:
|
||||
path: /config/users_database.yml
|
||||
path: '/config/users_database.yml'
|
||||
|
||||
access_control:
|
||||
default_policy: deny
|
||||
default_policy: 'deny'
|
||||
rules:
|
||||
- domain: public.example.com
|
||||
policy: bypass
|
||||
- domain: traefik.example.com
|
||||
policy: one_factor
|
||||
- domain: secure.example.com
|
||||
policy: two_factor
|
||||
- domain: 'public.example.com'
|
||||
policy: 'bypass'
|
||||
- domain: 'traefik.example.com'
|
||||
policy: 'one_factor'
|
||||
- domain: 'secure.example.com'
|
||||
policy: 'two_factor'
|
||||
|
||||
session:
|
||||
secret: unsecure_session_secret
|
||||
secret: 'unsecure_session_secret'
|
||||
|
||||
cookies:
|
||||
- name: authelia_session
|
||||
domain: example.com # Should match whatever your root protected domain is
|
||||
expiration: 3600 # 1 hour
|
||||
inactivity: 300 # 5 minutes
|
||||
- name: 'authelia_session'
|
||||
domain: 'example.com' # Should match whatever your root protected domain is
|
||||
expiration: '1h' # 1 hour
|
||||
inactivity: '5m' # 5 minutes
|
||||
|
||||
regulation:
|
||||
max_retries: 3
|
||||
find_time: 120
|
||||
ban_time: 300
|
||||
find_time: '2m'
|
||||
ban_time: '5m'
|
||||
|
||||
storage:
|
||||
encryption_key: you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this
|
||||
encryption_key: 'you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this'
|
||||
local:
|
||||
path: /config/db.sqlite3
|
||||
path: '/config/db.sqlite3'
|
||||
|
||||
notifier:
|
||||
filesystem:
|
||||
filename: /config/notification.txt
|
||||
filename: '/config/notification.txt'
|
||||
...
|
||||
|
|
|
@ -9,10 +9,10 @@
|
|||
users:
|
||||
<USERNAME>:
|
||||
disabled: false
|
||||
displayname: "<DISPLAYNAME>"
|
||||
password: "<PASSWORD>"
|
||||
email: <USERNAME>@example.com
|
||||
displayname: '<DISPLAYNAME>'
|
||||
password: '<PASSWORD>'
|
||||
email: '<USERNAME>@example.com'
|
||||
groups:
|
||||
- admins
|
||||
- dev
|
||||
- 'admins'
|
||||
- 'dev'
|
||||
...
|
||||
|
|
|
@ -3,16 +3,16 @@ version: '3.3'
|
|||
|
||||
networks:
|
||||
net:
|
||||
driver: bridge
|
||||
driver: 'bridge'
|
||||
|
||||
services:
|
||||
authelia:
|
||||
image: authelia/authelia
|
||||
container_name: authelia
|
||||
image: 'authelia/authelia'
|
||||
container_name: 'authelia'
|
||||
volumes:
|
||||
- ./authelia:/config
|
||||
- './authelia:/config'
|
||||
networks:
|
||||
- net
|
||||
- 'net'
|
||||
labels:
|
||||
- 'traefik.enable=true'
|
||||
- 'traefik.http.routers.authelia.rule=Host(`authelia.example.com`)'
|
||||
|
@ -24,21 +24,21 @@ services:
|
|||
- 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email' # yamllint disable-line rule:line-length
|
||||
expose:
|
||||
- 9091
|
||||
restart: unless-stopped
|
||||
restart: 'unless-stopped'
|
||||
healthcheck:
|
||||
## In production the healthcheck section should be commented.
|
||||
disable: true
|
||||
environment:
|
||||
- TZ=Australia/Melbourne
|
||||
TZ: 'Australia/Melbourne'
|
||||
|
||||
traefik:
|
||||
image: traefik:v2.10.1
|
||||
container_name: traefik
|
||||
image: 'traefik:v2.10.1'
|
||||
container_name: 'traefik'
|
||||
volumes:
|
||||
- ./traefik:/etc/traefik
|
||||
- /var/run/docker.sock:/var/run/docker.sock
|
||||
- './traefik:/etc/traefik'
|
||||
- '/var/run/docker.sock:/var/run/docker.sock'
|
||||
networks:
|
||||
- net
|
||||
- 'net'
|
||||
labels:
|
||||
- 'traefik.enable=true'
|
||||
- 'traefik.http.routers.api.rule=Host(`traefik.example.com`)'
|
||||
|
@ -65,10 +65,10 @@ services:
|
|||
- '--log.level=DEBUG'
|
||||
|
||||
secure:
|
||||
image: traefik/whoami
|
||||
container_name: secure
|
||||
image: 'traefik/whoami'
|
||||
container_name: 'secure'
|
||||
networks:
|
||||
- net
|
||||
- 'net'
|
||||
labels:
|
||||
- 'traefik.enable=true'
|
||||
- 'traefik.http.routers.secure.rule=Host(`secure.example.com`)'
|
||||
|
@ -78,13 +78,13 @@ services:
|
|||
- 'traefik.http.routers.secure.middlewares=authelia@docker'
|
||||
expose:
|
||||
- 80
|
||||
restart: unless-stopped
|
||||
restart: 'unless-stopped'
|
||||
|
||||
public:
|
||||
image: traefik/whoami
|
||||
container_name: public
|
||||
image: 'traefik/whoami'
|
||||
container_name: 'public'
|
||||
networks:
|
||||
- net
|
||||
- 'net'
|
||||
labels:
|
||||
- 'traefik.enable=true'
|
||||
- 'traefik.http.routers.public.rule=Host(`public.example.com`)'
|
||||
|
@ -94,5 +94,5 @@ services:
|
|||
- 'traefik.http.routers.public.middlewares=authelia@docker'
|
||||
expose:
|
||||
- 80
|
||||
restart: unless-stopped
|
||||
restart: 'unless-stopped'
|
||||
...
|
||||
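Review bot: `image: 'authelia/authelia'` carries no tag, so this compose example pulls a floating `latest` while the neighbouring `image: 'traefik:v2.10.1'` is pinned; the `traefik/whoami` images in the later hunks of this file are unpinned as well. Pinning a tag or digest, e.g. `image: 'authelia/authelia:<PINNED_TAG>'` (placeholder), keeps the example reproducible and turns an upgrade into an explicit diff. Separately, the `'/var/run/docker.sock:/var/run/docker.sock'` bind mount on the traefik service hands that container control of the Docker daemon; since this file already carries an in-line production caveat on `healthcheck`, the mount would benefit from one in the same style, e.g. `# Grants traefik control of the Docker daemon; in production route it through a filtered socket proxy.`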
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
tls:
|
||||
certificates:
|
||||
- certFile: /etc/traefik/certs/cert.pem
|
||||
keyFile: /etc/traefik/certs/key.pem
|
||||
- certFile: '/etc/traefik/certs/cert.pem'
|
||||
keyFile: '/etc/traefik/certs/key.pem'
|
||||
...
|
||||
|
|
|
@ -9,11 +9,11 @@
|
|||
users:
|
||||
authelia:
|
||||
disabled: false
|
||||
displayname: "Test User"
|
||||
password: "$argon2id$v=19$m=32768,t=1,p=8$eUhVT1dQa082YVk2VUhDMQ$E8QI4jHbUBt3EdsU1NFDu4Bq5jObKNx7nBKSn1EYQxk" # Password is 'authelia'
|
||||
email: authelia@authelia.com
|
||||
displayname: 'Test User'
|
||||
password: '$argon2id$v=19$m=32768,t=1,p=8$eUhVT1dQa082YVk2VUhDMQ$E8QI4jHbUBt3EdsU1NFDu4Bq5jObKNx7nBKSn1EYQxk' # Password is 'authelia'
|
||||
email: 'authelia@authelia.com'
|
||||
groups:
|
||||
- admins
|
||||
- dev
|
||||
- 'admins'
|
||||
- 'dev'
|
||||
...
|
||||
# yamllint enable rule:line-length
|
||||
|
|
|
@ -1,37 +1,37 @@
|
|||
---
|
||||
default_redirection_url: https://home.example.com:8080/
|
||||
default_redirection_url: 'https://home.example.com:8080/'
|
||||
|
||||
server:
|
||||
address: "tcp://127.0.0.1:9091"
|
||||
address: 'tcp://127.0.0.1:9091'
|
||||
endpoints:
|
||||
authz:
|
||||
forward-auth:
|
||||
implementation: ForwardAuth
|
||||
implementation: 'ForwardAuth'
|
||||
authn_strategies:
|
||||
- name: HeaderProxyAuthorization
|
||||
- name: CookieSession
|
||||
- name: 'HeaderProxyAuthorization'
|
||||
- name: 'CookieSession'
|
||||
ext-authz:
|
||||
implementation: ExtAuthz
|
||||
implementation: 'ExtAuthz'
|
||||
authn_strategies:
|
||||
- name: HeaderProxyAuthorization
|
||||
- name: CookieSession
|
||||
- name: 'HeaderProxyAuthorization'
|
||||
- name: 'CookieSession'
|
||||
auth-request:
|
||||
implementation: AuthRequest
|
||||
implementation: 'AuthRequest'
|
||||
authn_strategies:
|
||||
- name: HeaderAuthRequestProxyAuthorization
|
||||
- name: CookieSession
|
||||
- name: 'HeaderAuthRequestProxyAuthorization'
|
||||
- name: 'CookieSession'
|
||||
legacy:
|
||||
implementation: Legacy
|
||||
implementation: 'Legacy'
|
||||
|
||||
log:
|
||||
level: debug
|
||||
level: 'debug'
|
||||
|
||||
totp:
|
||||
issuer: authelia.com
|
||||
issuer: 'authelia.com'
|
||||
|
||||
duo_api:
|
||||
hostname: api-123456789.example.com
|
||||
integration_key: ABCDEF
|
||||
hostname: 'api-123456789.example.com'
|
||||
integration_key: 'ABCDEF'
|
||||
|
||||
authentication_backend:
|
||||
ldap:
|
||||
|
@ -65,109 +65,109 @@ authentication_backend:
|
|||
USjhLXY0Nld2zBm9r8wMb81mXH29uvD+tDqqsICvyuKlA/tyzXR+QTr7dCVKVwu0
|
||||
1YjCJ36UpTsLre2f8nOSLtNmRfDPtbOE2mkOoO9dD9UU0XZwnvn9xw==
|
||||
-----END RSA PRIVATE KEY-----
|
||||
base_dn: dc=example,dc=com
|
||||
username_attribute: uid
|
||||
additional_users_dn: ou=users
|
||||
users_filter: (&({username_attribute}={input})(objectCategory=person)(objectClass=user))
|
||||
additional_groups_dn: ou=groups
|
||||
groups_filter: (&(member={dn})(objectClass=groupOfNames))
|
||||
group_name_attribute: cn
|
||||
mail_attribute: mail
|
||||
user: cn=admin,dc=example,dc=com
|
||||
base_dn: 'dc=example,dc=com'
|
||||
username_attribute: 'uid'
|
||||
additional_users_dn: 'ou=users'
|
||||
users_filter: '(&({username_attribute}={input})(objectCategory=person)(objectClass=user))'
|
||||
additional_groups_dn: 'ou=groups'
|
||||
groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
|
||||
group_name_attribute: 'cn'
|
||||
mail_attribute: 'mail'
|
||||
user: 'cn=admin,dc=example,dc=com'
|
||||
|
||||
access_control:
|
||||
default_policy: deny
|
||||
default_policy: 'deny'
|
||||
|
||||
rules:
|
||||
# Rules applied to everyone
|
||||
- domain: public.example.com
|
||||
policy: bypass
|
||||
- domain: 'public.example.com'
|
||||
policy: 'bypass'
|
||||
|
||||
- domain: secure.example.com
|
||||
policy: one_factor
|
||||
- domain: 'secure.example.com'
|
||||
policy: 'one_factor'
|
||||
# Network based rule, if not provided any network matches.
|
||||
networks:
|
||||
- 192.168.1.0/24
|
||||
- domain: secure.example.com
|
||||
policy: two_factor
|
||||
- '192.168.1.0/24'
|
||||
- domain: 'secure.example.com'
|
||||
policy: 'two_factor'
|
||||
|
||||
- domain: [singlefactor.example.com, onefactor.example.com]
|
||||
policy: one_factor
|
||||
- domain: ['singlefactor.example.com', 'onefactor.example.com']
|
||||
policy: 'one_factor'
|
||||
|
||||
# Rules applied to 'admins' group
|
||||
- domain: "mx2.mail.example.com"
|
||||
subject: "group:admins"
|
||||
policy: deny
|
||||
- domain: "*.example.com"
|
||||
subject: "group:admins"
|
||||
policy: two_factor
|
||||
- domain: 'mx2.mail.example.com'
|
||||
subject: 'group:admins'
|
||||
policy: 'deny'
|
||||
- domain: '*.example.com'
|
||||
subject: 'group:admins'
|
||||
policy: 'two_factor'
|
||||
|
||||
# Rules applied to 'dev' group
|
||||
- domain: dev.example.com
|
||||
- domain: 'dev.example.com'
|
||||
resources:
|
||||
- "^/groups/dev/.*$"
|
||||
subject: "group:dev"
|
||||
policy: two_factor
|
||||
- '^/groups/dev/.*$'
|
||||
subject: 'group:dev'
|
||||
policy: 'two_factor'
|
||||
|
||||
# Rules applied to user 'john'
|
||||
- domain: dev.example.com
|
||||
- domain: 'dev.example.com'
|
||||
resources:
|
||||
- "^/users/john/.*$"
|
||||
subject: "user:john"
|
||||
policy: two_factor
|
||||
- '^/users/john/.*$'
|
||||
subject: 'user:john'
|
||||
policy: 'two_factor'
|
||||
|
||||
# Rules applied to 'dev' group and user 'john'
|
||||
- domain: dev.example.com
|
||||
- domain: 'dev.example.com'
|
||||
resources:
|
||||
- "^/deny-all.*$"
|
||||
subject: ["group:dev", "user:john"]
|
||||
policy: deny
|
||||
- '^/deny-all.*$'
|
||||
subject: ['group:dev', 'user:john']
|
||||
policy: 'deny'
|
||||
|
||||
# Rules applied to user 'harry'
|
||||
- domain: dev.example.com
|
||||
- domain: 'dev.example.com'
|
||||
resources:
|
||||
- "^/users/harry/.*$"
|
||||
subject: "user:harry"
|
||||
policy: two_factor
|
||||
- '^/users/harry/.*$'
|
||||
subject: 'user:harry'
|
||||
policy: 'two_factor'
|
||||
|
||||
# Rules applied to user 'bob'
|
||||
- domain: "*.mail.example.com"
|
||||
subject: "user:bob"
|
||||
policy: two_factor
|
||||
- domain: "dev.example.com"
|
||||
- domain: '*.mail.example.com'
|
||||
subject: 'user:bob'
|
||||
policy: 'two_factor'
|
||||
- domain: 'dev.example.com'
|
||||
resources:
|
||||
- "^/users/bob/.*$"
|
||||
subject: "user:bob"
|
||||
policy: two_factor
|
||||
- '^/users/bob/.*$'
|
||||
subject: 'user:bob'
|
||||
policy: 'two_factor'
|
||||
|
||||
session:
|
||||
name: authelia_session
|
||||
expiration: 3600000 # 1 hour
|
||||
inactivity: 300000 # 5 minutes
|
||||
domain: example.com
|
||||
name: 'authelia_session'
|
||||
expiration: '1h' # 1 hour
|
||||
inactivity: '5m' # 5 minutes
|
||||
domain: 'example.com'
|
||||
redis:
|
||||
host: 127.0.0.1
|
||||
host: '127.0.0.1'
|
||||
port: 6379
|
||||
high_availability:
|
||||
sentinel_name: test
|
||||
sentinel_name: 'test'
|
||||
|
||||
regulation:
|
||||
max_retries: 3
|
||||
find_time: 120
|
||||
ban_time: 300
|
||||
find_time: '2m'
|
||||
ban_time: '5m'
|
||||
|
||||
storage:
|
||||
postgres:
|
||||
host: 127.0.0.1
|
||||
host: '127.0.0.1'
|
||||
port: 5432
|
||||
database: authelia
|
||||
username: authelia
|
||||
database: 'authelia'
|
||||
username: 'authelia'
|
||||
|
||||
notifier:
|
||||
smtp:
|
||||
username: test
|
||||
host: 127.0.0.1
|
||||
username: 'test'
|
||||
host: '127.0.0.1'
|
||||
port: 1025
|
||||
sender: admin@example.com
|
||||
sender: 'admin@example.com'
|
||||
disable_require_tls: true
|
||||
...
|
||||
|
|
|
@ -1,37 +1,37 @@
|
|||
---
|
||||
default_redirection_url: https://home.example.com:8080/
|
||||
default_redirection_url: 'https://home.example.com:8080/'
|
||||
|
||||
server:
|
||||
address: "tcp://127.0.0.1:9091"
|
||||
address: 'tcp://127.0.0.1:9091'
|
||||
endpoints:
|
||||
authz:
|
||||
forward-auth:
|
||||
implementation: ForwardAuth
|
||||
implementation: 'ForwardAuth'
|
||||
authn_strategies:
|
||||
- name: HeaderProxyAuthorization
|
||||
- name: CookieSession
|
||||
- name: 'HeaderProxyAuthorization'
|
||||
- name: 'CookieSession'
|
||||
ext-authz:
|
||||
implementation: ExtAuthz
|
||||
implementation: 'ExtAuthz'
|
||||
authn_strategies:
|
||||
- name: HeaderProxyAuthorization
|
||||
- name: CookieSession
|
||||
- name: 'HeaderProxyAuthorization'
|
||||
- name: 'CookieSession'
|
||||
auth-request:
|
||||
implementation: AuthRequest
|
||||
implementation: 'AuthRequest'
|
||||
authn_strategies:
|
||||
- name: HeaderAuthRequestProxyAuthorization
|
||||
- name: CookieSession
|
||||
- name: 'HeaderAuthRequestProxyAuthorization'
|
||||
- name: 'CookieSession'
|
||||
legacy:
|
||||
implementation: Legacy
|
||||
implementation: 'Legacy'
|
||||
|
||||
log:
|
||||
level: debug
|
||||
level: 'debug'
|
||||
|
||||
totp:
|
||||
issuer: authelia.com
|
||||
issuer: 'authelia.com'
|
||||
|
||||
duo_api:
|
||||
hostname: api-123456789.example.com
|
||||
integration_key: ABCDEF
|
||||
hostname: 'api-123456789.example.com'
|
||||
integration_key: 'ABCDEF'
|
||||
|
||||
authentication_backend:
|
||||
ldap:
|
||||
|
@ -65,109 +65,109 @@ authentication_backend:
|
|||
USjhLXY0Nld2zBm9r8wMb81mXH29uvD+tDqqsICvyuKlA/tyzXR+QTr7dCVKVwu0
|
||||
1YjCJ36UpTsLre2f8nOSLtNmRfDPtbOE2mkOoO9dD9UU0XZwnvn9xw==
|
||||
-----END RSA PRIVATE KEY-----
|
||||
base_dn: dc=example,dc=com
|
||||
username_attribute: uid
|
||||
additional_users_dn: ou=users
|
||||
users_filter: (&({username_attribute}={input})(objectCategory=person)(objectClass=user))
|
||||
additional_groups_dn: ou=groups
|
||||
groups_filter: (&(member={dn})(objectClass=groupOfNames))
|
||||
group_name_attribute: cn
|
||||
mail_attribute: mail
|
||||
user: cn=admin,dc=example,dc=com
|
||||
base_dn: 'dc=example,dc=com'
|
||||
username_attribute: 'uid'
|
||||
additional_users_dn: 'ou=users'
|
||||
users_filter: '(&({username_attribute}={input})(objectCategory=person)(objectClass=user))'
|
||||
additional_groups_dn: 'ou=groups'
|
||||
groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
|
||||
group_name_attribute: 'cn'
|
||||
mail_attribute: 'mail'
|
||||
user: 'cn=admin,dc=example,dc=com'
|
||||
|
||||
access_control:
|
||||
default_policy: deny
|
||||
default_policy: 'deny'
|
||||
|
||||
rules:
|
||||
# Rules applied to everyone
|
||||
- domain: public.example.com
|
||||
policy: bypass
|
||||
- domain: 'public.example.com'
|
||||
policy: 'bypass'
|
||||
|
||||
- domain: secure.example.com
|
||||
policy: one_factor
|
||||
- domain: 'secure.example.com'
|
||||
policy: 'one_factor'
|
||||
# Network based rule, if not provided any network matches.
|
||||
networks:
|
||||
- 192.168.1.0/24
|
||||
- domain: secure.example.com
|
||||
policy: two_factor
|
||||
- '192.168.1.0/24'
|
||||
- domain: 'secure.example.com'
|
||||
policy: 'two_factor'
|
||||
|
||||
- domain: [singlefactor.example.com, onefactor.example.com]
|
||||
policy: one_factor
|
||||
- domain: ['singlefactor.example.com', 'onefactor.example.com']
|
||||
policy: 'one_factor'
|
||||
|
||||
# Rules applied to 'admins' group
|
||||
- domain: "mx2.mail.example.com"
|
||||
subject: "group:admins"
|
||||
policy: deny
|
||||
- domain: "*.example.com"
|
||||
subject: "group:admins"
|
||||
policy: two_factor
|
||||
- domain: 'mx2.mail.example.com'
|
||||
subject: 'group:admins'
|
||||
policy: 'deny'
|
||||
- domain: '*.example.com'
|
||||
subject: 'group:admins'
|
||||
policy: 'two_factor'
|
||||
|
||||
# Rules applied to 'dev' group
|
||||
- domain: dev.example.com
|
||||
- domain: 'dev.example.com'
|
||||
resources:
|
||||
- "^/groups/dev/.*$"
|
||||
subject: "group:dev"
|
||||
policy: two_factor
|
||||
- '^/groups/dev/.*$'
|
||||
subject: 'group:dev'
|
||||
policy: 'two_factor'
|
||||
|
||||
# Rules applied to user 'john'
|
||||
- domain: dev.example.com
|
||||
- domain: 'dev.example.com'
|
||||
resources:
|
||||
- "^/users/john/.*$"
|
||||
subject: "user:john"
|
||||
policy: two_factor
|
||||
- '^/users/john/.*$'
|
||||
subject: 'user:john'
|
||||
policy: 'two_factor'
|
||||
|
||||
# Rules applied to 'dev' group and user 'john'
|
||||
- domain: dev.example.com
|
||||
- domain: 'dev.example.com'
|
||||
resources:
|
||||
- "^/deny-all.*$"
|
||||
subject: ["group:dev", "user:john"]
|
||||
policy: deny
|
||||
- '^/deny-all.*$'
|
||||
subject: ['group:dev', 'user:john']
|
||||
policy: 'deny'
|
||||
|
||||
# Rules applied to user 'harry'
|
||||
- domain: dev.example.com
|
||||
- domain: 'dev.example.com'
|
||||
resources:
|
||||
- "^/users/harry/.*$"
|
||||
subject: "user:harry"
|
||||
policy: two_factor
|
||||
- '^/users/harry/.*$'
|
||||
subject: 'user:harry'
|
||||
policy: 'two_factor'
|
||||
|
||||
# Rules applied to user 'bob'
|
||||
- domain: "*.mail.example.com"
|
||||
subject: "user:bob"
|
||||
policy: two_factor
|
||||
- domain: "dev.example.com"
|
||||
- domain: '*.mail.example.com'
|
||||
subject: 'user:bob'
|
||||
policy: 'two_factor'
|
||||
- domain: 'dev.example.com'
|
||||
resources:
|
||||
- "^/users/bob/.*$"
|
||||
subject: "user:bob"
|
||||
policy: two_factor
|
||||
- '^/users/bob/.*$'
|
||||
subject: 'user:bob'
|
||||
policy: 'two_factor'
|
||||
|
||||
session:
|
||||
name: authelia_session
|
||||
expiration: 3600000 # 1 hour
|
||||
inactivity: 300000 # 5 minutes
|
||||
domain: example.com
|
||||
name: 'authelia_session'
|
||||
expiration: '1h' # 1 hour
|
||||
inactivity: '5m' # 5 minutes
|
||||
domain: 'example.com'
|
||||
redis:
|
||||
host: 127.0.0.1
|
||||
host: '127.0.0.1'
|
||||
port: 6379
|
||||
high_availability:
|
||||
sentinel_name: test
|
||||
sentinel_name: 'test'
|
||||
|
||||
regulation:
|
||||
max_retries: 3
|
||||
find_time: 120
|
||||
ban_time: 300
|
||||
find_time: '2m'
|
||||
ban_time: '5m'
|
||||
|
||||
storage:
|
||||
mysql:
|
||||
host: 127.0.0.1
|
||||
host: '127.0.0.1'
|
||||
port: 3306
|
||||
database: authelia
|
||||
username: authelia
|
||||
database: 'authelia'
|
||||
username: 'authelia'
|
||||
|
||||
notifier:
|
||||
smtp:
|
||||
username: test
|
||||
host: 127.0.0.1
|
||||
username: 'test'
|
||||
host: '127.0.0.1'
|
||||
port: 1025
|
||||
sender: admin@example.com
|
||||
sender: 'admin@example.com'
|
||||
disable_require_tls: true
|
||||
...
|
||||
|
|
|
@ -5,14 +5,14 @@ server:
|
|||
address: 'tcp://{{ env "SERVICES_SERVER" }}:9091'
|
||||
|
||||
log:
|
||||
level: debug
|
||||
level: 'debug'
|
||||
|
||||
totp:
|
||||
issuer: authelia.com
|
||||
issuer: 'authelia.com'
|
||||
|
||||
duo_api:
|
||||
hostname: 'api-123456789.{{ env "ROOT_DOMAIN" }}'
|
||||
integration_key: ABCDEF
|
||||
integration_key: 'ABCDEF'
|
||||
|
||||
authentication_backend:
|
||||
ldap:
|
||||
|
@ -46,51 +46,51 @@ authentication_backend:
|
|||
USjhLXY0Nld2zBm9r8wMb81mXH29uvD+tDqqsICvyuKlA/tyzXR+QTr7dCVKVwu0
|
||||
1YjCJ36UpTsLre2f8nOSLtNmRfDPtbOE2mkOoO9dD9UU0XZwnvn9xw==
|
||||
-----END RSA PRIVATE KEY-----
|
||||
base_dn: dc=example,dc=com
|
||||
username_attribute: uid
|
||||
additional_users_dn: ou=users
|
||||
users_filter: (&({username_attribute}={input})(objectCategory=person)(objectClass=user))
|
||||
additional_groups_dn: ou=groups
|
||||
groups_filter: (&(member={dn})(objectClass=groupOfNames))
|
||||
group_name_attribute: cn
|
||||
mail_attribute: mail
|
||||
user: cn=admin,dc=example,dc=com
|
||||
base_dn: 'dc=example,dc=com'
|
||||
username_attribute: 'uid'
|
||||
additional_users_dn: 'ou=users'
|
||||
users_filter: '(&({username_attribute}={input})(objectCategory=person)(objectClass=user))'
|
||||
additional_groups_dn: 'ou=groups'
|
||||
groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
|
||||
group_name_attribute: 'cn'
|
||||
mail_attribute: 'mail'
|
||||
user: 'cn=admin,dc=example,dc=com'
|
||||
|
||||
access_control:
|
||||
default_policy: deny
|
||||
default_policy: 'deny'
|
||||
|
||||
rules:
|
||||
# Rules applied to everyone
|
||||
- domain:
|
||||
- 'public.{{ env "ROOT_DOMAIN" }}'
|
||||
policy: bypass
|
||||
policy: 'bypass'
|
||||
|
||||
- domain:
|
||||
- 'secure.{{ env "ROOT_DOMAIN" }}'
|
||||
policy: one_factor
|
||||
policy: 'one_factor'
|
||||
# Network based rule, if not provided any network matches.
|
||||
networks:
|
||||
- 192.168.1.0/24
|
||||
- '192.168.1.0/24'
|
||||
- domain:
|
||||
- 'secure.{{ env "ROOT_DOMAIN" }}'
|
||||
policy: two_factor
|
||||
policy: 'two_factor'
|
||||
|
||||
- domain:
|
||||
- 'singlefactor.{{ env "ROOT_DOMAIN" }}'
|
||||
- 'onefactor.{{ env "ROOT_DOMAIN" }}'
|
||||
policy: one_factor
|
||||
policy: 'one_factor'
|
||||
|
||||
# Rules applied to 'admins' group
|
||||
- domain:
|
||||
- 'mx2.mail.{{ env "ROOT_DOMAIN" }}'
|
||||
subject:
|
||||
- 'group:admins'
|
||||
policy: deny
|
||||
policy: 'deny'
|
||||
- domain:
|
||||
- '*.{{ env "ROOT_DOMAIN" }}'
|
||||
subject:
|
||||
- ['group:admins']
|
||||
policy: two_factor
|
||||
policy: 'two_factor'
|
||||
|
||||
# Rules applied to 'dev' group
|
||||
- domain:
|
||||
|
@ -99,7 +99,7 @@ access_control:
|
|||
- '^/groups/dev/.*$'
|
||||
subject:
|
||||
- ['group:dev']
|
||||
policy: two_factor
|
||||
policy: 'two_factor'
|
||||
|
||||
# Rules applied to user 'john'
|
||||
- domain:
|
||||
|
@ -108,17 +108,17 @@ access_control:
|
|||
- '^/users/john/.*$'
|
||||
subject:
|
||||
- ['user:john']
|
||||
policy: two_factor
|
||||
policy: 'two_factor'
|
||||
|
||||
# Rules applied to 'dev' group and user 'john'
|
||||
- domain:
|
||||
- 'dev.{{ env "ROOT_DOMAIN" }}'
|
||||
resources:
|
||||
- "^/deny-all.*$"
|
||||
- '^/deny-all.*$'
|
||||
subject:
|
||||
- ['group:dev']
|
||||
- ['user:john']
|
||||
policy: deny
|
||||
policy: 'deny'
|
||||
|
||||
# Rules applied to user 'harry'
|
||||
- domain:
|
||||
|
@ -127,47 +127,47 @@ access_control:
|
|||
- '^/users/harry/.*$'
|
||||
subject:
|
||||
- ['user:harry']
|
||||
policy: two_factor
|
||||
policy: 'two_factor'
|
||||
|
||||
# Rules applied to user 'bob'
|
||||
- domain:
|
||||
- '*.mail.{{ env "ROOT_DOMAIN" }}'
|
||||
subject:
|
||||
- ['user:bob']
|
||||
policy: two_factor
|
||||
policy: 'two_factor'
|
||||
- domain:
|
||||
- 'dev.{{ env "ROOT_DOMAIN" }}'
|
||||
resources:
|
||||
- '^/users/bob/.*$'
|
||||
subject:
|
||||
- ['user:bob']
|
||||
policy: two_factor
|
||||
policy: 'two_factor'
|
||||
|
||||
session:
|
||||
name: authelia_session
|
||||
expiration: 3600000 # 1 hour
|
||||
inactivity: 300000 # 5 minutes
|
||||
name: 'authelia_session'
|
||||
expiration: '1h' # 1 hour
|
||||
inactivity: '5m' # 5 minutes
|
||||
domain: '{{ env "ROOT_DOMAIN" }}'
|
||||
redis:
|
||||
host: ${SERVICES_SERVER}
|
||||
host: '${SERVICES_SERVER}'
|
||||
port: 6379
|
||||
high_availability:
|
||||
sentinel_name: test
|
||||
sentinel_name: 'test'
|
||||
|
||||
regulation:
|
||||
max_retries: 3
|
||||
find_time: 120
|
||||
ban_time: 300
|
||||
find_time: '2m'
|
||||
ban_time: '5m'
|
||||
|
||||
storage:
|
||||
mysql:
|
||||
address: 'tcp://{{ env "SERVICES_SERVER" }}:3306'
|
||||
database: authelia
|
||||
username: authelia
|
||||
database: 'authelia'
|
||||
username: 'authelia'
|
||||
|
||||
notifier:
|
||||
smtp:
|
||||
username: test
|
||||
username: 'test'
|
||||
address: 'smtp://{{ env "SERVICES_SERVER" }}:1025'
|
||||
sender: 'admin@{{ env "ROOT_DOMAIN" }}'
|
||||
disable_require_tls: true
|
||||
|
@ -176,16 +176,16 @@ identity_providers:
|
|||
oidc:
|
||||
cors:
|
||||
allowed_origins:
|
||||
- https://google.com
|
||||
- https://example.com
|
||||
- 'https://google.com'
|
||||
- 'https://example.com'
|
||||
clients:
|
||||
- id: abc
|
||||
- id: 'abc'
|
||||
secret: '${ABC_CLIENT_SECRET}'
|
||||
consent_mode: explicit
|
||||
- id: xyz
|
||||
consent_mode: 'explicit'
|
||||
- id: 'xyz'
|
||||
secret: '$XYZ_CLIENT_SECRET'
|
||||
consent_mode: explicit
|
||||
consent_mode: 'explicit'
|
||||
- id: '123'
|
||||
secret: $ANOTHER_CLIENT_SECRET
|
||||
consent_mode: explicit
|
||||
secret: '$ANOTHER_CLIENT_SECRET'
|
||||
consent_mode: 'explicit'
|
||||
...
|
||||
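Review bot: `host: '${SERVICES_SERVER}'` in the redis stanza uses the `${VAR}` expansion form while the surrounding values (`'tcp://{{ env "SERVICES_SERVER" }}:3306'`, `'smtp://{{ env "SERVICES_SERVER" }}:1025'`) use the template form for the same variable, so the file now depends on two expansion mechanisms and a reader cannot tell which filter is expected to handle which line. If both forms are deliberately exercised here, a comment on the redis line such as `# intentionally uses the ${VAR} form; the template form is exercised below` would make that explicit; the OIDC client secrets, written as `'${ABC_CLIENT_SECRET}'`, `'$XYZ_CLIENT_SECRET'` and `'$ANOTHER_CLIENT_SECRET'`, would deserve the same remark. As a point of style, `subject:` is also written two ways within one file — `- 'group:admins'` in the first admins rule versus `- ['group:admins']` in the second — and one form would read better unless the difference is itself the point.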
|
|
|
@ -3,69 +3,69 @@
|
|||
# Authelia minimal configuration #
|
||||
###############################################################
|
||||
|
||||
theme: grey
|
||||
jwt_secret: very_important_secret
|
||||
default_redirection_url: https://home.example.com:8080/
|
||||
theme: 'grey'
|
||||
jwt_secret: 'very_important_secret'
|
||||
default_redirection_url: 'https://home.example.com:8080/'
|
||||
|
||||
server:
|
||||
address: 'tcp://:9091'
|
||||
tls:
|
||||
certificate: /pki/public.backend.crt
|
||||
key: /pki/private.backend.pem
|
||||
certificate: '/pki/public.backend.crt'
|
||||
key: '/pki/private.backend.pem'
|
||||
|
||||
log:
|
||||
level: debug
|
||||
level: 'debug'
|
||||
|
||||
authentication_backend:
|
||||
ldap:
|
||||
address: 'ldap://sambaldap'
|
||||
implementation: activedirectory
|
||||
implementation: 'activedirectory'
|
||||
tls:
|
||||
skip_verify: true
|
||||
start_tls: true
|
||||
base_dn: DC=example,DC=com
|
||||
additional_users_dn: OU=Users
|
||||
additional_groups_dn: OU=Groups
|
||||
user: CN=Administrator,CN=Users,DC=example,DC=com
|
||||
password: password
|
||||
base_dn: 'DC=example,DC=com'
|
||||
additional_users_dn: 'OU=Users'
|
||||
additional_groups_dn: 'OU=Groups'
|
||||
user: 'CN=Administrator,CN=Users,DC=example,DC=com'
|
||||
password: 'password'
|
||||
|
||||
session:
|
||||
secret: unsecure_session_secret
|
||||
expiration: 3600 # 1 hour
|
||||
inactivity: 300 # 5 minutes
|
||||
remember_me: 1y
|
||||
secret: 'unsecure_session_secret'
|
||||
expiration: '1h' # 1 hour
|
||||
inactivity: '5m' # 5 minutes
|
||||
remember_me: '1y'
|
||||
cookies:
|
||||
- domain: 'example.com'
|
||||
authelia_url: 'https://login.example.com:8080'
|
||||
|
||||
storage:
|
||||
encryption_key: a_not_so_secure_encryption_key
|
||||
encryption_key: 'a_not_so_secure_encryption_key'
|
||||
local:
|
||||
path: /config/db.sqlite3
|
||||
path: '/config/db.sqlite3'
|
||||
|
||||
totp:
|
||||
issuer: example.com
|
||||
issuer: 'example.com'
|
||||
|
||||
access_control:
|
||||
default_policy: deny
|
||||
default_policy: 'deny'
|
||||
rules:
|
||||
- domain: "public.example.com"
|
||||
policy: bypass
|
||||
- domain: "admin.example.com"
|
||||
policy: two_factor
|
||||
- domain: "secure.example.com"
|
||||
policy: two_factor
|
||||
- domain: "singlefactor.example.com"
|
||||
policy: one_factor
|
||||
- domain: 'public.example.com'
|
||||
policy: 'bypass'
|
||||
- domain: 'admin.example.com'
|
||||
policy: 'two_factor'
|
||||
- domain: 'secure.example.com'
|
||||
policy: 'two_factor'
|
||||
- domain: 'singlefactor.example.com'
|
||||
policy: 'one_factor'
|
||||
|
||||
regulation:
|
||||
max_retries: 3
|
||||
find_time: 300
|
||||
ban_time: 900
|
||||
find_time: '5m'
|
||||
ban_time: '15m'
|
||||
|
||||
notifier:
|
||||
smtp:
|
||||
address: 'smtp://smtp:1025'
|
||||
sender: admin@example.com
|
||||
sender: 'admin@example.com'
|
||||
disable_require_tls: true
|
||||
...
|
||||
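Review bot: `skip_verify: true` under `authentication_backend.ldap.tls` turns off certificate verification for the LDAP connection and nothing on the line says why; since the file's header presents this as a minimal configuration, it is the kind of setting that gets copied as-is. An in-line caveat in the style these files already use elsewhere, e.g. `skip_verify: true  # test suite only: disables LDAP certificate validation; keep false outside the suite`, would prevent that. The `address: 'ldap://sambaldap'` and `start_tls: true` lines above it are the context that makes the comment accurate.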
|
|
|
@ -6,49 +6,49 @@
|
|||
server:
|
||||
address: 'tcp://:9091'
|
||||
tls:
|
||||
certificate: /pki/public.backend.crt
|
||||
key: /pki/private.backend.pem
|
||||
certificate: '/pki/public.backend.crt'
|
||||
key: '/pki/private.backend.pem'
|
||||
|
||||
log:
|
||||
level: debug
|
||||
level: 'debug'
|
||||
|
||||
jwt_secret: unsecure_secret
|
||||
jwt_secret: 'unsecure_secret'
|
||||
|
||||
authentication_backend:
|
||||
file:
|
||||
path: /config/users.yml
|
||||
path: '/config/users.yml'
|
||||
|
||||
session:
|
||||
secret: unsecure_session_secret
|
||||
expiration: 3600 # 1 hour
|
||||
inactivity: 300 # 5 minutes
|
||||
remember_me: 1y
|
||||
secret: 'unsecure_session_secret'
|
||||
expiration: '1h' # 1 hour
|
||||
inactivity: '5m' # 5 minutes
|
||||
remember_me: '1y'
|
||||
cookies:
|
||||
- domain: 'example.com'
|
||||
authelia_url: 'https://login.example.com:8080'
|
||||
|
||||
storage:
|
||||
encryption_key: a_not_so_secure_encryption_key
|
||||
encryption_key: 'a_not_so_secure_encryption_key'
|
||||
local:
|
||||
path: /config/db.sqlite
|
||||
path: '/config/db.sqlite'
|
||||
|
||||
# The Duo Push Notification API configuration
|
||||
duo_api:
|
||||
hostname: duo.example.com
|
||||
integration_key: ABCDEFGHIJKL
|
||||
secret_key: abcdefghijklmnopqrstuvwxyz123456789
|
||||
hostname: 'duo.example.com'
|
||||
integration_key: 'ABCDEFGHIJKL'
|
||||
secret_key: 'abcdefghijklmnopqrstuvwxyz123456789'
|
||||
|
||||
access_control:
|
||||
default_policy: bypass
|
||||
default_policy: 'bypass'
|
||||
rules:
|
||||
- domain: "public.example.com"
|
||||
policy: bypass
|
||||
- domain: "secure.example.com"
|
||||
policy: two_factor
|
||||
- domain: 'public.example.com'
|
||||
policy: 'bypass'
|
||||
- domain: 'secure.example.com'
|
||||
policy: 'two_factor'
|
||||
|
||||
notifier:
|
||||
smtp:
|
||||
address: 'smtp://smtp:1025'
|
||||
sender: admin@example.com
|
||||
disable_require_tls: true
|
||||
sender: 'admin@example.com'
|
||||
disable_require_tls: 'true'
|
||||
...
|
||||
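Review bot: `disable_require_tls: 'true'` on the last changed line of this file is now a quoted string, whereas the commit leaves the same key as the boolean `true` in every other configuration it touches (the samba and templated configurations, for instance); unless the loader weakly coerces strings to booleans this will either fail to decode or be silently ignored, and it is inconsistent either way. It should read `disable_require_tls: true`. The remaining quoting changes in this hunk look consistent with the rest of the commit.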
|
|
|
@ -8,28 +8,28 @@
|
|||
# List of users
|
||||
users:
|
||||
john:
|
||||
displayname: "John Doe"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: john.doe@authelia.com
|
||||
displayname: 'John Doe'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'john.doe@authelia.com'
|
||||
groups:
|
||||
- admins
|
||||
- dev
|
||||
- 'admins'
|
||||
- 'dev'
|
||||
|
||||
harry:
|
||||
displayname: "Harry Potter"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: harry.potter@authelia.com
|
||||
displayname: 'Harry Potter'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'harry.potter@authelia.com'
|
||||
groups: []
|
||||
|
||||
bob:
|
||||
displayname: "Bob Dylan"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: bob.dylan@authelia.com
|
||||
displayname: 'Bob Dylan'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'bob.dylan@authelia.com'
|
||||
groups:
|
||||
- dev
|
||||
- 'dev'
|
||||
|
||||
james:
|
||||
displayname: "James Dean"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: james.dean@authelia.com
|
||||
displayname: 'James Dean'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'james.dean@authelia.com'
|
||||
...
|
||||
|
|
|
@ -6,61 +6,61 @@
|
|||
server:
|
||||
address: 'tcp://:9091'
|
||||
tls:
|
||||
certificate: /pki/public.backend.crt
|
||||
key: /pki/private.backend.pem
|
||||
certificate: '/pki/public.backend.crt'
|
||||
key: '/pki/private.backend.pem'
|
||||
|
||||
log:
|
||||
level: debug
|
||||
level: 'debug'
|
||||
|
||||
jwt_secret: unsecure_secret
|
||||
jwt_secret: 'unsecure_secret'
|
||||
|
||||
authentication_backend:
|
||||
file:
|
||||
path: /config/users.yml
|
||||
path: '/config/users.yml'
|
||||
|
||||
session:
|
||||
secret: unsecure_session_secret
|
||||
secret: 'unsecure_session_secret'
|
||||
cookies:
|
||||
- name: 'authelia_session'
|
||||
domain: 'example.com'
|
||||
authelia_url: 'https://login.example.com:8080'
|
||||
expiration: 3600 # 1 hour
|
||||
inactivity: 300 # 5 minutes
|
||||
remember_me: 1y
|
||||
expiration: '1h' # 1 hour
|
||||
inactivity: '5m' # 5 minutes
|
||||
remember_me: '1y'
|
||||
|
||||
storage:
|
||||
encryption_key: a_not_so_secure_encryption_key
|
||||
encryption_key: 'a_not_so_secure_encryption_key'
|
||||
local:
|
||||
path: /tmp/db.sqlite
|
||||
path: '/tmp/db.sqlite'
|
||||
|
||||
access_control:
|
||||
default_policy: bypass
|
||||
default_policy: 'bypass'
|
||||
rules:
|
||||
- domain: "public.example.com"
|
||||
policy: bypass
|
||||
- domain: "admin.example.com"
|
||||
policy: two_factor
|
||||
- domain: "secure.example.com"
|
||||
policy: two_factor
|
||||
- domain: "singlefactor.example.com"
|
||||
policy: one_factor
|
||||
- domain: "resources.example.com"
|
||||
policy: one_factor
|
||||
resources: ["^/resources"]
|
||||
- domain: "method.example.com"
|
||||
policy: one_factor
|
||||
methods: ["POST"]
|
||||
- domain: "network.example.com"
|
||||
policy: one_factor
|
||||
networks: ["192.168.1.0/24"]
|
||||
- domain: "group.example.com"
|
||||
policy: one_factor
|
||||
subject: ["group:basic"]
|
||||
- domain: "user.example.com"
|
||||
policy: one_factor
|
||||
subject: ["user:john"]
|
||||
- domain: 'public.example.com'
|
||||
policy: 'bypass'
|
||||
- domain: 'admin.example.com'
|
||||
policy: 'two_factor'
|
||||
- domain: 'secure.example.com'
|
||||
policy: 'two_factor'
|
||||
- domain: 'singlefactor.example.com'
|
||||
policy: 'one_factor'
|
||||
- domain: 'resources.example.com'
|
||||
policy: 'one_factor'
|
||||
resources: ['^/resources']
|
||||
- domain: 'method.example.com'
|
||||
policy: 'one_factor'
|
||||
methods: ['POST']
|
||||
- domain: 'network.example.com'
|
||||
policy: 'one_factor'
|
||||
networks: ['192.168.1.0/24']
|
||||
- domain: 'group.example.com'
|
||||
policy: 'one_factor'
|
||||
subject: ['group:basic']
|
||||
- domain: 'user.example.com'
|
||||
policy: 'one_factor'
|
||||
subject: ['user:john']
|
||||
|
||||
notifier:
|
||||
filesystem:
|
||||
filename: /tmp/notification.txt
|
||||
filename: '/tmp/notification.txt'
|
||||
...
|
||||
|
|
|
@ -8,5 +8,5 @@ services:
|
|||
- './CLI/users.yml:/config/users.yml'
|
||||
- './common/pki:/pki:ro'
|
||||
- '/tmp:/tmp'
|
||||
user: ${USER_ID}:${GROUP_ID}
|
||||
user: '${USER_ID}:${GROUP_ID}'
|
||||
...
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
storage:
|
||||
encryption_key: a_not_so_secure_encryption_key
|
||||
encryption_key: 'a_not_so_secure_encryption_key'
|
||||
local:
|
||||
path: /tmp/db.sqlite3
|
||||
path: '/tmp/db.sqlite3'
|
||||
...
|
||||
|
|
|
@ -8,28 +8,28 @@
|
|||
# List of users
|
||||
users:
|
||||
john:
|
||||
displayname: "John Doe"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: john.doe@authelia.com
|
||||
displayname: 'John Doe'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'john.doe@authelia.com'
|
||||
groups:
|
||||
- admins
|
||||
- dev
|
||||
- 'admins'
|
||||
- 'dev'
|
||||
|
||||
harry:
|
||||
displayname: "Harry Potter"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: harry.potter@authelia.com
|
||||
displayname: 'Harry Potter'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'harry.potter@authelia.com'
|
||||
groups: []
|
||||
|
||||
bob:
|
||||
displayname: "Bob Dylan"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: bob.dylan@authelia.com
|
||||
displayname: 'Bob Dylan'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'bob.dylan@authelia.com'
|
||||
groups:
|
||||
- dev
|
||||
- 'dev'
|
||||
|
||||
james:
|
||||
displayname: "James Dean"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: james.dean@authelia.com
|
||||
displayname: 'James Dean'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'james.dean@authelia.com'
|
||||
...
|
||||
|
|
|
@ -3,56 +3,56 @@
|
|||
# Authelia minimal configuration #
|
||||
###############################################################
|
||||
|
||||
jwt_secret: unsecure_secret
|
||||
jwt_secret: 'unsecure_secret'
|
||||
|
||||
server:
|
||||
address: 'tcp://:9091'
|
||||
asset_path: '/config/assets/'
|
||||
tls:
|
||||
certificate: /pki/public.backend.crt
|
||||
key: /pki/private.backend.pem
|
||||
certificate: '/pki/public.backend.crt'
|
||||
key: '/pki/private.backend.pem'
|
||||
endpoints:
|
||||
authz:
|
||||
caddy:
|
||||
implementation: ForwardAuth
|
||||
implementation: 'ForwardAuth'
|
||||
authn_strategies: []
|
||||
|
||||
log:
|
||||
level: debug
|
||||
level: 'debug'
|
||||
|
||||
authentication_backend:
|
||||
file:
|
||||
path: /config/users.yml
|
||||
path: '/config/users.yml'
|
||||
|
||||
session:
|
||||
secret: unsecure_session_secret
|
||||
expiration: 3600 # 1 hour
|
||||
inactivity: 300 # 5 minutes
|
||||
remember_me: 1y
|
||||
secret: 'unsecure_session_secret'
|
||||
expiration: '1h' # 1 hour
|
||||
inactivity: '5m' # 5 minutes
|
||||
remember_me: '1y'
|
||||
cookies:
|
||||
- domain: 'example.com'
|
||||
authelia_url: 'https://login.example.com:8080'
|
||||
|
||||
storage:
|
||||
encryption_key: a_not_so_secure_encryption_key
|
||||
encryption_key: 'a_not_so_secure_encryption_key'
|
||||
local:
|
||||
path: /config/db.sqlite
|
||||
path: '/config/db.sqlite'
|
||||
|
||||
access_control:
|
||||
default_policy: bypass
|
||||
default_policy: 'bypass'
|
||||
rules:
|
||||
- domain: "public.example.com"
|
||||
policy: bypass
|
||||
- domain: "admin.example.com"
|
||||
policy: two_factor
|
||||
- domain: "secure.example.com"
|
||||
policy: two_factor
|
||||
- domain: "singlefactor.example.com"
|
||||
policy: one_factor
|
||||
- domain: 'public.example.com'
|
||||
policy: 'bypass'
|
||||
- domain: 'admin.example.com'
|
||||
policy: 'two_factor'
|
||||
- domain: 'secure.example.com'
|
||||
policy: 'two_factor'
|
||||
- domain: 'singlefactor.example.com'
|
||||
policy: 'one_factor'
|
||||
|
||||
notifier:
|
||||
smtp:
|
||||
address: 'smtp://smtp:1025'
|
||||
sender: admin@example.com
|
||||
sender: 'admin@example.com'
|
||||
disable_require_tls: true
|
||||
...
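Review bot: The trailing comments on the new `expiration: '1h' # 1 hour` and `inactivity: '5m' # 5 minutes` lines now only restate the value and can be dropped, leaving `expiration: '1h'` and `inactivity: '5m'`. This hunk also changes these settings from integer seconds to duration strings, which goes beyond the quoting refactor the rest of the commit performs; presumably the configuration loader accepts duration notation, but that is worth confirming since the commit is labelled a refactor. The same comment pattern recurs in the session block of each other suite configuration changed below.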
|
||||
|
|
|
@ -8,28 +8,28 @@
|
|||
# List of users
|
||||
users:
|
||||
john:
|
||||
displayname: "John Doe"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: john.doe@authelia.com
|
||||
displayname: 'John Doe'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'john.doe@authelia.com'
|
||||
groups:
|
||||
- admins
|
||||
- dev
|
||||
- 'admins'
|
||||
- 'dev'
|
||||
|
||||
harry:
|
||||
displayname: "Harry Potter"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: harry.potter@authelia.com
|
||||
displayname: 'Harry Potter'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'harry.potter@authelia.com'
|
||||
groups: []
|
||||
|
||||
bob:
|
||||
displayname: "Bob Dylan"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: bob.dylan@authelia.com
|
||||
displayname: 'Bob Dylan'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'bob.dylan@authelia.com'
|
||||
groups:
|
||||
- dev
|
||||
- 'dev'
|
||||
|
||||
james:
|
||||
displayname: "James Dean"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: james.dean@authelia.com
|
||||
displayname: 'James Dean'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'james.dean@authelia.com'
|
||||
...
|
||||
|
|
|
@ -3,89 +3,89 @@
|
|||
# Authelia minimal configuration #
|
||||
###############################################################
|
||||
|
||||
jwt_secret: very_important_secret
|
||||
default_redirection_url: https://home.example.com:8080/
|
||||
jwt_secret: 'very_important_secret'
|
||||
default_redirection_url: 'https://home.example.com:8080/'
|
||||
|
||||
server:
|
||||
address: 'tcp://:9091'
|
||||
tls:
|
||||
certificate: /pki/public.backend.crt
|
||||
key: /pki/private.backend.pem
|
||||
certificate: '/pki/public.backend.crt'
|
||||
key: '/pki/private.backend.pem'
|
||||
|
||||
log:
|
||||
level: debug
|
||||
level: 'debug'
|
||||
|
||||
authentication_backend:
|
||||
file:
|
||||
path: /config/users.yml
|
||||
path: '/config/users.yml'
|
||||
|
||||
session:
|
||||
secret: unsecure_session_secret
|
||||
expiration: 3600 # 1 hour
|
||||
inactivity: 300 # 5 minutes
|
||||
remember_me: 1y
|
||||
secret: 'unsecure_session_secret'
|
||||
expiration: '1h' # 1 hour
|
||||
inactivity: '5m' # 5 minutes
|
||||
remember_me: '1y'
|
||||
cookies:
|
||||
- domain: 'example.com'
|
||||
authelia_url: 'https://login.example.com:8080'
|
||||
|
||||
storage:
|
||||
encryption_key: a_not_so_secure_encryption_key
|
||||
encryption_key: 'a_not_so_secure_encryption_key'
|
||||
local:
|
||||
path: /config/db.sqlite3
|
||||
path: '/config/db.sqlite3'
|
||||
|
||||
totp:
|
||||
issuer: example.com
|
||||
issuer: 'example.com'
|
||||
|
||||
access_control:
|
||||
default_policy: deny
|
||||
default_policy: 'deny'
|
||||
|
||||
rules:
|
||||
- domain: singlefactor.example.com
|
||||
policy: one_factor
|
||||
- domain: 'singlefactor.example.com'
|
||||
policy: 'one_factor'
|
||||
|
||||
- domain: public.example.com
|
||||
policy: bypass
|
||||
- domain: 'public.example.com'
|
||||
policy: 'bypass'
|
||||
|
||||
- domain: secure.example.com
|
||||
policy: two_factor
|
||||
- domain: 'secure.example.com'
|
||||
policy: 'two_factor'
|
||||
|
||||
- domain: "*.example.com"
|
||||
subject: "group:admins"
|
||||
policy: two_factor
|
||||
- domain: '*.example.com'
|
||||
subject: 'group:admins'
|
||||
policy: 'two_factor'
|
||||
|
||||
- domain: dev.example.com
|
||||
- domain: 'dev.example.com'
|
||||
resources:
|
||||
- "^/users/john/.*$"
|
||||
subject: "user:john"
|
||||
policy: two_factor
|
||||
- '^/users/john/.*$'
|
||||
subject: 'user:john'
|
||||
policy: 'two_factor'
|
||||
|
||||
- domain: dev.example.com
|
||||
- domain: 'dev.example.com'
|
||||
resources:
|
||||
- "^/users/harry/.*$"
|
||||
subject: "user:harry"
|
||||
policy: two_factor
|
||||
- '^/users/harry/.*$'
|
||||
subject: 'user:harry'
|
||||
policy: 'two_factor'
|
||||
|
||||
- domain: "*.mail.example.com"
|
||||
subject: "user:bob"
|
||||
policy: two_factor
|
||||
- domain: '*.mail.example.com'
|
||||
subject: 'user:bob'
|
||||
policy: 'two_factor'
|
||||
|
||||
- domain: dev.example.com
|
||||
- domain: 'dev.example.com'
|
||||
resources:
|
||||
- "^/users/bob/.*$"
|
||||
subject: "user:bob"
|
||||
policy: two_factor
|
||||
- '^/users/bob/.*$'
|
||||
subject: 'user:bob'
|
||||
policy: 'two_factor'
|
||||
|
||||
regulation:
|
||||
# Set it to 0 to disable max_retries.
|
||||
max_retries: 3
|
||||
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
|
||||
find_time: 300
|
||||
find_time: '5m'
|
||||
# The length of time before a banned user can login again.
|
||||
ban_time: 900
|
||||
ban_time: '15m'
|
||||
|
||||
notifier:
|
||||
smtp:
|
||||
address: 'smtp://smtp:1025'
|
||||
sender: admin@example.com
|
||||
sender: 'admin@example.com'
|
||||
disable_require_tls: true
|
||||
...
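Review bot: The comment above the new `find_time: '5m'` is unchanged context and still describes the window in seconds, which no longer matches a duration-string value and is easy to miss in review. Changing `seconds window` to `window` in that comment line keeps it accurate for both notations. The same stale wording sits above the other `find_time: '5m'` in the later hunk `@ -98,12 +98,12 @@ regulation:`.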
|
||||
|
|
|
@ -8,28 +8,28 @@
|
|||
# List of users
|
||||
users:
|
||||
john:
|
||||
displayname: "John Doe"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: john.doe@authelia.com
|
||||
displayname: 'John Doe'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'john.doe@authelia.com'
|
||||
groups:
|
||||
- admins
|
||||
- dev
|
||||
- 'admins'
|
||||
- 'dev'
|
||||
|
||||
harry:
|
||||
displayname: "Harry Potter"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: harry.potter@authelia.com
|
||||
displayname: 'Harry Potter'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'harry.potter@authelia.com'
|
||||
groups: []
|
||||
|
||||
bob:
|
||||
displayname: "Bob Dylan"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: bob.dylan@authelia.com
|
||||
displayname: 'Bob Dylan'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'bob.dylan@authelia.com'
|
||||
groups:
|
||||
- dev
|
||||
- 'dev'
|
||||
|
||||
james:
|
||||
displayname: "James Dean"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: james.dean@authelia.com
|
||||
displayname: 'James Dean'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'james.dean@authelia.com'
|
||||
...
|
||||
|
|
|
@ -3,49 +3,49 @@
|
|||
# Authelia minimal configuration #
|
||||
###############################################################
|
||||
|
||||
jwt_secret: very_important_secret
|
||||
default_redirection_url: https://home.example.com:8080/
|
||||
jwt_secret: 'very_important_secret'
|
||||
default_redirection_url: 'https://home.example.com:8080/'
|
||||
|
||||
server:
|
||||
address: 'tcp://:9091'
|
||||
tls:
|
||||
certificate: /pki/public.backend.crt
|
||||
key: /pki/private.backend.pem
|
||||
certificate: '/pki/public.backend.crt'
|
||||
key: '/pki/private.backend.pem'
|
||||
|
||||
log:
|
||||
level: trace
|
||||
level: 'trace'
|
||||
|
||||
authentication_backend:
|
||||
file:
|
||||
path: /config/users.yml
|
||||
path: '/config/users.yml'
|
||||
|
||||
session:
|
||||
secret: unsecure_session_secret
|
||||
expiration: 3600 # 1 hour
|
||||
inactivity: 300 # 5 minutes
|
||||
remember_me: 1y
|
||||
secret: 'unsecure_session_secret'
|
||||
expiration: '1h' # 1 hour
|
||||
inactivity: '5m' # 5 minutes
|
||||
remember_me: '1y'
|
||||
cookies:
|
||||
- domain: 'example.com'
|
||||
authelia_url: 'https://login.example.com:8080'
|
||||
|
||||
# Configuration of the storage backend used to store data and secrets. i.e. totp data
|
||||
storage:
|
||||
encryption_key: a_not_so_secure_encryption_key
|
||||
encryption_key: 'a_not_so_secure_encryption_key'
|
||||
local:
|
||||
path: /tmp/db.sqlite3
|
||||
path: '/tmp/db.sqlite3'
|
||||
|
||||
# TOTP Issuer Name
|
||||
#
|
||||
# This will be the issuer name displayed in Google Authenticator
|
||||
# See: https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names
|
||||
# See: 'https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names'
|
||||
totp:
|
||||
issuer: example.com
|
||||
issuer: 'example.com'
|
||||
|
||||
# The Duo Push Notification API configuration
|
||||
duo_api:
|
||||
hostname: duo.example.com
|
||||
integration_key: ABCDEFGHIJKL
|
||||
secret_key: abcdefghijklmnopqrstuvwxyz123456789
|
||||
hostname: 'duo.example.com'
|
||||
integration_key: 'ABCDEFGHIJKL'
|
||||
secret_key: 'abcdefghijklmnopqrstuvwxyz123456789'
|
||||
enable_self_enrollment: true
|
||||
|
||||
# Access Control
|
||||
|
@ -54,43 +54,43 @@ duo_api:
|
|||
# resources.
|
||||
access_control:
|
||||
# Default policy can either be `bypass`, `one_factor`, `two_factor` or `deny`.
|
||||
default_policy: two_factor
|
||||
default_policy: 'two_factor'
|
||||
|
||||
rules:
|
||||
- domain: singlefactor.example.com
|
||||
policy: one_factor
|
||||
- domain: 'singlefactor.example.com'
|
||||
policy: 'one_factor'
|
||||
|
||||
- domain: public.example.com
|
||||
policy: bypass
|
||||
- domain: 'public.example.com'
|
||||
policy: 'bypass'
|
||||
|
||||
- domain: secure.example.com
|
||||
policy: two_factor
|
||||
- domain: 'secure.example.com'
|
||||
policy: 'two_factor'
|
||||
|
||||
- domain: "*.example.com"
|
||||
subject: "group:admins"
|
||||
policy: two_factor
|
||||
- domain: '*.example.com'
|
||||
subject: 'group:admins'
|
||||
policy: 'two_factor'
|
||||
|
||||
- domain: dev.example.com
|
||||
- domain: 'dev.example.com'
|
||||
resources:
|
||||
- "^/users/john/.*$"
|
||||
subject: "user:john"
|
||||
policy: two_factor
|
||||
- '^/users/john/.*$'
|
||||
subject: 'user:john'
|
||||
policy: 'two_factor'
|
||||
|
||||
- domain: dev.example.com
|
||||
- domain: 'dev.example.com'
|
||||
resources:
|
||||
- "^/users/harry/.*$"
|
||||
subject: "user:harry"
|
||||
policy: two_factor
|
||||
- '^/users/harry/.*$'
|
||||
subject: 'user:harry'
|
||||
policy: 'two_factor'
|
||||
|
||||
- domain: "*.mail.example.com"
|
||||
subject: "user:bob"
|
||||
policy: two_factor
|
||||
- domain: '*.mail.example.com'
|
||||
subject: 'user:bob'
|
||||
policy: 'two_factor'
|
||||
|
||||
- domain: dev.example.com
|
||||
- domain: 'dev.example.com'
|
||||
resources:
|
||||
- "^/users/bob/.*$"
|
||||
subject: "user:bob"
|
||||
policy: two_factor
|
||||
- '^/users/bob/.*$'
|
||||
subject: 'user:bob'
|
||||
policy: 'two_factor'
|
||||
|
||||
# Configuration of the authentication regulation mechanism.
|
||||
regulation:
|
||||
|
@ -98,12 +98,12 @@ regulation:
|
|||
max_retries: 3
|
||||
|
||||
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
|
||||
find_time: 300
|
||||
find_time: '5m'
|
||||
|
||||
# The length of time before a banned user can login again.
|
||||
ban_time: 900
|
||||
ban_time: '15m'
|
||||
|
||||
notifier:
|
||||
filesystem:
|
||||
filename: /tmp/notifier.html
|
||||
filename: '/tmp/notifier.html'
|
||||
...
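Review bot: The quoting pass altered a comment rather than a value on the line `# See: 'https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names'` in the first hunk of this file: the opening quote sits before the URL and the closing one after the trailing prose, so the comment now reads as a quoted string that swallows the words after the link. The parser is unaffected because it is a comment, but it should be restored to `# See: https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names`. It is worth a quick grep for other `# See: '` occurrences in case the tool that applied the quoting did this elsewhere.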
|
||||
|
|
|
@ -7,5 +7,5 @@ services:
|
|||
- './DuoPush/users.yml:/config/users.yml'
|
||||
- './common/pki:/pki:ro'
|
||||
- '/tmp:/tmp'
|
||||
user: ${USER_ID}:${GROUP_ID}
|
||||
user: '${USER_ID}:${GROUP_ID}'
|
||||
...
|
||||
|
|
|
@ -8,28 +8,28 @@
|
|||
# List of users
|
||||
users:
|
||||
john:
|
||||
displayname: "John Doe"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: john.doe@authelia.com
|
||||
displayname: 'John Doe'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'john.doe@authelia.com'
|
||||
groups:
|
||||
- admins
|
||||
- dev
|
||||
- 'admins'
|
||||
- 'dev'
|
||||
|
||||
harry:
|
||||
displayname: "Harry Potter"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: harry.potter@authelia.com
|
||||
displayname: 'Harry Potter'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'harry.potter@authelia.com'
|
||||
groups: []
|
||||
|
||||
bob:
|
||||
displayname: "Bob Dylan"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: bob.dylan@authelia.com
|
||||
displayname: 'Bob Dylan'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'bob.dylan@authelia.com'
|
||||
groups:
|
||||
- dev
|
||||
- 'dev'
|
||||
|
||||
james:
|
||||
displayname: "James Dean"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: james.dean@authelia.com
|
||||
displayname: 'James Dean'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'james.dean@authelia.com'
|
||||
...
|
||||
|
|
|
@ -3,59 +3,59 @@
|
|||
# Authelia minimal configuration #
|
||||
###############################################################
|
||||
|
||||
jwt_secret: unsecure_secret
|
||||
jwt_secret: 'unsecure_secret'
|
||||
|
||||
server:
|
||||
address: 'tcp://:9091'
|
||||
asset_path: '/config/assets/'
|
||||
tls:
|
||||
certificate: /pki/public.backend.crt
|
||||
key: /pki/private.backend.pem
|
||||
certificate: '/pki/public.backend.crt'
|
||||
key: '/pki/private.backend.pem'
|
||||
endpoints:
|
||||
authz:
|
||||
ext-authz:
|
||||
implementation: ExtAuthz
|
||||
implementation: 'ExtAuthz'
|
||||
authn_strategies: []
|
||||
|
||||
log:
|
||||
level: debug
|
||||
level: 'debug'
|
||||
|
||||
authentication_backend:
|
||||
file:
|
||||
path: /config/users.yml
|
||||
path: '/config/users.yml'
|
||||
|
||||
session:
|
||||
secret: unsecure_session_secret
|
||||
expiration: 3600 # 1 hour
|
||||
inactivity: 300 # 5 minutes
|
||||
remember_me: 1y
|
||||
secret: 'unsecure_session_secret'
|
||||
expiration: '1h' # 1 hour
|
||||
inactivity: '5m' # 5 minutes
|
||||
remember_me: '1y'
|
||||
cookies:
|
||||
- name: 'authelia_session'
|
||||
domain: 'example.com'
|
||||
authelia_url: 'https://login.example.com:8080/'
|
||||
|
||||
storage:
|
||||
encryption_key: a_not_so_secure_encryption_key
|
||||
encryption_key: 'a_not_so_secure_encryption_key'
|
||||
local:
|
||||
path: /config/db.sqlite
|
||||
path: '/config/db.sqlite'
|
||||
|
||||
access_control:
|
||||
default_policy: bypass
|
||||
default_policy: 'bypass'
|
||||
rules:
|
||||
- domain: "login.example.com"
|
||||
policy: bypass
|
||||
- domain: "public.example.com"
|
||||
policy: bypass
|
||||
- domain: "admin.example.com"
|
||||
policy: two_factor
|
||||
- domain: "secure.example.com"
|
||||
policy: two_factor
|
||||
- domain: "singlefactor.example.com"
|
||||
policy: one_factor
|
||||
- domain: 'login.example.com'
|
||||
policy: 'bypass'
|
||||
- domain: 'public.example.com'
|
||||
policy: 'bypass'
|
||||
- domain: 'admin.example.com'
|
||||
policy: 'two_factor'
|
||||
- domain: 'secure.example.com'
|
||||
policy: 'two_factor'
|
||||
- domain: 'singlefactor.example.com'
|
||||
policy: 'one_factor'
|
||||
|
||||
notifier:
|
||||
smtp:
|
||||
address: 'smtp://smtp:1025'
|
||||
sender: admin@example.com
|
||||
sender: 'admin@example.com'
|
||||
disable_require_tls: true
|
||||
...
|
||||
|
|
|
@ -8,28 +8,28 @@
|
|||
# List of users
|
||||
users:
|
||||
john:
|
||||
displayname: "John Doe"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: john.doe@authelia.com
|
||||
displayname: 'John Doe'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'john.doe@authelia.com'
|
||||
groups:
|
||||
- admins
|
||||
- dev
|
||||
- 'admins'
|
||||
- 'dev'
|
||||
|
||||
harry:
|
||||
displayname: "Harry Potter"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: harry.potter@authelia.com
|
||||
displayname: 'Harry Potter'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'harry.potter@authelia.com'
|
||||
groups: []
|
||||
|
||||
bob:
|
||||
displayname: "Bob Dylan"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: bob.dylan@authelia.com
|
||||
displayname: 'Bob Dylan'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'bob.dylan@authelia.com'
|
||||
groups:
|
||||
- dev
|
||||
- 'dev'
|
||||
|
||||
james:
|
||||
displayname: "James Dean"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: james.dean@authelia.com
|
||||
displayname: 'James Dean'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'james.dean@authelia.com'
|
||||
...
|
||||
|
|
|
@ -3,50 +3,50 @@
|
|||
# Authelia minimal configuration #
|
||||
###############################################################
|
||||
|
||||
jwt_secret: unsecure_secret
|
||||
jwt_secret: 'unsecure_secret'
|
||||
|
||||
server:
|
||||
address: 'tcp://:9091'
|
||||
tls:
|
||||
certificate: /pki/public.backend.crt
|
||||
key: /pki/private.backend.pem
|
||||
certificate: '/pki/public.backend.crt'
|
||||
key: '/pki/private.backend.pem'
|
||||
|
||||
log:
|
||||
level: debug
|
||||
level: 'debug'
|
||||
|
||||
authentication_backend:
|
||||
file:
|
||||
path: /config/users.yml
|
||||
path: '/config/users.yml'
|
||||
|
||||
session:
|
||||
secret: unsecure_session_secret
|
||||
expiration: 3600 # 1 hour
|
||||
inactivity: 300 # 5 minutes
|
||||
remember_me: 1y
|
||||
secret: 'unsecure_session_secret'
|
||||
expiration: '1h' # 1 hour
|
||||
inactivity: '5m' # 5 minutes
|
||||
remember_me: '1y'
|
||||
cookies:
|
||||
- domain: 'example.com'
|
||||
authelia_url: 'https://login.example.com:8080'
|
||||
|
||||
storage:
|
||||
encryption_key: a_not_so_secure_encryption_key
|
||||
encryption_key: 'a_not_so_secure_encryption_key'
|
||||
local:
|
||||
path: /config/db.sqlite
|
||||
path: '/config/db.sqlite'
|
||||
|
||||
access_control:
|
||||
default_policy: bypass
|
||||
default_policy: 'bypass'
|
||||
rules:
|
||||
- domain: "public.example.com"
|
||||
policy: bypass
|
||||
- domain: "admin.example.com"
|
||||
policy: two_factor
|
||||
- domain: "secure.example.com"
|
||||
policy: two_factor
|
||||
- domain: "singlefactor.example.com"
|
||||
policy: one_factor
|
||||
- domain: 'public.example.com'
|
||||
policy: 'bypass'
|
||||
- domain: 'admin.example.com'
|
||||
policy: 'two_factor'
|
||||
- domain: 'secure.example.com'
|
||||
policy: 'two_factor'
|
||||
- domain: 'singlefactor.example.com'
|
||||
policy: 'one_factor'
|
||||
|
||||
notifier:
|
||||
smtp:
|
||||
address: 'smtp://smtp:1025'
|
||||
sender: admin@example.com
|
||||
sender: 'admin@example.com'
|
||||
disable_require_tls: true
|
||||
...
|
||||
|
|
|
@ -8,28 +8,28 @@
|
|||
# List of users
|
||||
users:
|
||||
john:
|
||||
displayname: "John Doe"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: john.doe@authelia.com
|
||||
displayname: 'John Doe'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'john.doe@authelia.com'
|
||||
groups:
|
||||
- admins
|
||||
- dev
|
||||
- 'admins'
|
||||
- 'dev'
|
||||
|
||||
harry:
|
||||
displayname: "Harry Potter"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: harry.potter@authelia.com
|
||||
displayname: 'Harry Potter'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'harry.potter@authelia.com'
|
||||
groups: []
|
||||
|
||||
bob:
|
||||
displayname: "Bob Dylan"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: bob.dylan@authelia.com
|
||||
displayname: 'Bob Dylan'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'bob.dylan@authelia.com'
|
||||
groups:
|
||||
- dev
|
||||
- 'dev'
|
||||
|
||||
james:
|
||||
displayname: "James Dean"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: james.dean@authelia.com
|
||||
displayname: 'James Dean'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'james.dean@authelia.com'
|
||||
...
|
||||
|
|
|
@ -3,125 +3,125 @@
|
|||
# Authelia configuration #
|
||||
###############################################################
|
||||
|
||||
jwt_secret: unsecure_secret
|
||||
jwt_secret: 'unsecure_secret'
|
||||
|
||||
server:
|
||||
address: 'tcp://:9091'
|
||||
tls:
|
||||
certificate: /pki/public.backend.crt
|
||||
key: /pki/private.backend.pem
|
||||
certificate: '/pki/public.backend.crt'
|
||||
key: '/pki/private.backend.pem'
|
||||
|
||||
log:
|
||||
level: debug
|
||||
level: 'debug'
|
||||
|
||||
totp:
|
||||
issuer: authelia.com
|
||||
issuer: 'authelia.com'
|
||||
|
||||
authentication_backend:
|
||||
ldap:
|
||||
address: 'ldap://openldap'
|
||||
base_dn: dc=example,dc=com
|
||||
username_attribute: uid
|
||||
additional_users_dn: ou=users
|
||||
users_filter: (&({username_attribute}={input})(objectClass=person))
|
||||
additional_groups_dn: ou=groups
|
||||
groups_filter: (&(member={dn})(objectClass=groupOfNames))
|
||||
group_name_attribute: cn
|
||||
mail_attribute: mail
|
||||
display_name_attribute: displayName
|
||||
user: cn=admin,dc=example,dc=com
|
||||
password: password
|
||||
base_dn: 'dc=example,dc=com'
|
||||
username_attribute: 'uid'
|
||||
additional_users_dn: 'ou=users'
|
||||
users_filter: '(&({username_attribute}={input})(objectClass=person))'
|
||||
additional_groups_dn: 'ou=groups'
|
||||
groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
|
||||
group_name_attribute: 'cn'
|
||||
mail_attribute: 'mail'
|
||||
display_name_attribute: 'displayName'
|
||||
user: 'cn=admin,dc=example,dc=com'
|
||||
password: 'password'
|
||||
|
||||
access_control:
|
||||
default_policy: deny
|
||||
default_policy: 'deny'
|
||||
|
||||
rules:
|
||||
# Rules applied to everyone
|
||||
- domain: public.example.com
|
||||
policy: bypass
|
||||
- domain: secure.example.com
|
||||
policy: two_factor
|
||||
- domain: singlefactor.example.com
|
||||
policy: one_factor
|
||||
- domain: 'public.example.com'
|
||||
policy: 'bypass'
|
||||
- domain: 'secure.example.com'
|
||||
policy: 'two_factor'
|
||||
- domain: 'singlefactor.example.com'
|
||||
policy: 'one_factor'
|
||||
|
||||
# Rules applied to 'admins' group
|
||||
- domain: mx2.mail.example.com
|
||||
subject: "group:admins"
|
||||
policy: deny
|
||||
- domain: 'mx2.mail.example.com'
|
||||
subject: 'group:admins'
|
||||
policy: 'deny'
|
||||
|
||||
# Rules applied to user 'john'
|
||||
- domain: "*.example.com"
|
||||
subject: "user:john"
|
||||
policy: two_factor
|
||||
- domain: '*.example.com'
|
||||
subject: 'user:john'
|
||||
policy: 'two_factor'
|
||||
|
||||
- domain: "*.example.com"
|
||||
subject: "group:admins"
|
||||
policy: two_factor
|
||||
- domain: '*.example.com'
|
||||
subject: 'group:admins'
|
||||
policy: 'two_factor'
|
||||
|
||||
# Rules applied to 'dev' group
|
||||
- domain: dev.example.com
|
||||
- domain: 'dev.example.com'
|
||||
resources:
|
||||
- "^/groups/dev/.*$"
|
||||
subject: "group:dev"
|
||||
policy: two_factor
|
||||
- '^/groups/dev/.*$'
|
||||
subject: 'group:dev'
|
||||
policy: 'two_factor'
|
||||
|
||||
# Rules applied to user 'harry'
|
||||
- domain: dev.example.com
|
||||
- domain: 'dev.example.com'
|
||||
resources:
|
||||
- "^/users/harry/.*$"
|
||||
subject: "user:harry"
|
||||
policy: two_factor
|
||||
- '^/users/harry/.*$'
|
||||
subject: 'user:harry'
|
||||
policy: 'two_factor'
|
||||
|
||||
# Rules applied to user 'bob'
|
||||
- domain: "*.mail.example.com"
|
||||
subject: "user:bob"
|
||||
policy: two_factor
|
||||
- domain: "dev.example.com"
|
||||
- domain: '*.mail.example.com'
|
||||
subject: 'user:bob'
|
||||
policy: 'two_factor'
|
||||
- domain: 'dev.example.com'
|
||||
resources:
|
||||
- "^/users/bob/.*$"
|
||||
subject: "user:bob"
|
||||
policy: two_factor
|
||||
- '^/users/bob/.*$'
|
||||
subject: 'user:bob'
|
||||
policy: 'two_factor'
|
||||
|
||||
session:
|
||||
name: authelia_session
|
||||
secret: unsecure_session_secret
|
||||
expiration: 3600 # 1 hour
|
||||
inactivity: 300 # 5 minutes
|
||||
name: 'authelia_session'
|
||||
secret: 'unsecure_session_secret'
|
||||
expiration: '1h' # 1 hour
|
||||
inactivity: '5m' # 5 minutes
|
||||
cookies:
|
||||
- domain: 'example.com'
|
||||
authelia_url: 'https://login.example.com:8080'
|
||||
redis:
|
||||
username: authelia
|
||||
password: redis-user-password
|
||||
username: 'authelia'
|
||||
password: 'redis-user-password'
|
||||
high_availability:
|
||||
sentinel_name: authelia
|
||||
sentinel_password: sentinel-server-password
|
||||
sentinel_name: 'authelia'
|
||||
sentinel_password: 'sentinel-server-password'
|
||||
nodes:
|
||||
- host: redis-sentinel-0
|
||||
- host: 'redis-sentinel-0'
|
||||
port: 26379
|
||||
- host: redis-sentinel-1
|
||||
- host: 'redis-sentinel-1'
|
||||
port: 26379
|
||||
- host: redis-sentinel-2
|
||||
- host: 'redis-sentinel-2'
|
||||
port: 26379
|
||||
|
||||
remember_me: 1y
|
||||
remember_me: '1y'
|
||||
|
||||
regulation:
|
||||
max_retries: 3
|
||||
find_time: 8
|
||||
find_time: '8s'
|
||||
ban_time: 10
|
||||
|
||||
storage:
|
||||
encryption_key: a_not_so_secure_encryption_key
|
||||
encryption_key: 'a_not_so_secure_encryption_key'
|
||||
mysql:
|
||||
address: 'tcp://mariadb:3306'
|
||||
database: authelia
|
||||
username: admin
|
||||
password: password
|
||||
database: 'authelia'
|
||||
username: 'admin'
|
||||
password: 'password'
|
||||
|
||||
notifier:
|
||||
smtp:
|
||||
address: 'smtp://smtp:1025'
|
||||
sender: admin@example.com
|
||||
sender: 'admin@example.com'
|
||||
disable_require_tls: true
|
||||
...
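Review bot: `ban_time: 10` is left as a bare integer while `find_time: 8` directly above it becomes `'8s'`, so the two durations in the `regulation` stanza now use different representations. If the loader accepts both integer seconds and duration strings this is only a consistency nit; if the refactor is meant to move every duration to the string form, the stale value is a defect. Suggest `ban_time: '10s'`. The same leftover appears in the `@ -62,7 +62,7 @@ regulation:` and `@ -63,7 +63,7 @@ regulation:` hunks of the two later configuration files in this commit.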
|
||||
|
|
|
@ -3,73 +3,73 @@
|
|||
# Authelia minimal configuration #
|
||||
###############################################################
|
||||
|
||||
theme: dark
|
||||
jwt_secret: very_important_secret
|
||||
default_redirection_url: https://home.example.com:8080/
|
||||
theme: 'dark'
|
||||
jwt_secret: 'very_important_secret'
|
||||
default_redirection_url: 'https://home.example.com:8080/'
|
||||
|
||||
server:
|
||||
address: 'tcp://:9091'
|
||||
tls:
|
||||
certificate: /pki/public.backend.crt
|
||||
key: /pki/private.backend.pem
|
||||
certificate: '/pki/public.backend.crt'
|
||||
key: '/pki/private.backend.pem'
|
||||
|
||||
log:
|
||||
level: debug
|
||||
level: 'debug'
|
||||
|
||||
authentication_backend:
|
||||
ldap:
|
||||
address: 'ldaps://openldap'
|
||||
tls:
|
||||
skip_verify: true
|
||||
base_dn: dc=example,dc=com
|
||||
username_attribute: uid
|
||||
additional_users_dn: ou=users
|
||||
users_filter: (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person)(objectClass=inetOrgPerson)) # yamllint disable-line rule:line-length
|
||||
additional_groups_dn: ou=groups
|
||||
groups_filter: (&(member={dn})(objectClass=groupOfNames))
|
||||
group_name_attribute: cn
|
||||
mail_attribute: mail
|
||||
display_name_attribute: displayName
|
||||
user: cn=pwmanager,dc=example,dc=com
|
||||
password: password
|
||||
base_dn: 'dc=example,dc=com'
|
||||
username_attribute: 'uid'
|
||||
additional_users_dn: 'ou=users'
|
||||
users_filter: '(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person)(objectClass=inetOrgPerson))' # yamllint disable-line rule:line-length
|
||||
additional_groups_dn: 'ou=groups'
|
||||
groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
|
||||
group_name_attribute: 'cn'
|
||||
mail_attribute: 'mail'
|
||||
display_name_attribute: 'displayName'
|
||||
user: 'cn=pwmanager,dc=example,dc=com'
|
||||
password: 'password'
|
||||
|
||||
session:
|
||||
secret: unsecure_session_secret
|
||||
expiration: 3600 # 1 hour
|
||||
inactivity: 300 # 5 minutes
|
||||
remember_me: 1y
|
||||
secret: 'unsecure_session_secret'
|
||||
expiration: '1h' # 1 hour
|
||||
inactivity: '5m' # 5 minutes
|
||||
remember_me: '1y'
|
||||
cookies:
|
||||
- domain: 'example.com'
|
||||
authelia_url: 'https://login.example.com:8080'
|
||||
|
||||
storage:
|
||||
encryption_key: a_not_so_secure_encryption_key
|
||||
encryption_key: 'a_not_so_secure_encryption_key'
|
||||
local:
|
||||
path: /config/db.sqlite3
|
||||
path: '/config/db.sqlite3'
|
||||
|
||||
totp:
|
||||
issuer: example.com
|
||||
issuer: 'example.com'
|
||||
|
||||
access_control:
|
||||
default_policy: deny
|
||||
default_policy: 'deny'
|
||||
rules:
|
||||
- domain: "public.example.com"
|
||||
policy: bypass
|
||||
- domain: "admin.example.com"
|
||||
policy: two_factor
|
||||
- domain: "secure.example.com"
|
||||
policy: two_factor
|
||||
- domain: "singlefactor.example.com"
|
||||
policy: one_factor
|
||||
- domain: 'public.example.com'
|
||||
policy: 'bypass'
|
||||
- domain: 'admin.example.com'
|
||||
policy: 'two_factor'
|
||||
- domain: 'secure.example.com'
|
||||
policy: 'two_factor'
|
||||
- domain: 'singlefactor.example.com'
|
||||
policy: 'one_factor'
|
||||
|
||||
regulation:
|
||||
max_retries: 3
|
||||
find_time: 300
|
||||
ban_time: 900
|
||||
find_time: '5m'
|
||||
ban_time: '15m'
|
||||
|
||||
notifier:
|
||||
smtp:
|
||||
address: 'smtp://smtp:1025'
|
||||
sender: admin@example.com
|
||||
disable_require_tls: true
|
||||
sender: 'admin@example.com'
|
||||
disable_require_tls: 'true'
|
||||
...
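Review bot: `disable_require_tls: 'true'` on the last changed line of this file turns a boolean into the string `'true'`, which is a type change rather than a quoting refactor. Depending on how the config decoder treats a string in a bool field this either fails validation at startup or silently changes the effective TLS requirement for the SMTP notifier, so it should stay a real boolean: `disable_require_tls: true`. The same file leaves `skip_verify: true` bare, and the other configurations in this commit keep `disable_require_tls: true` unquoted, so the quoting looks unintentional. The `@ -72,6 +72,6 @@ notifier:` hunk later in this commit has the same `'true'`.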
|
||||
|
|
|
@ -3,58 +3,58 @@
|
|||
# Authelia minimal configuration #
|
||||
###############################################################
|
||||
|
||||
jwt_secret: very_important_secret
|
||||
default_redirection_url: https://home.example.com:8080/
|
||||
jwt_secret: 'very_important_secret'
|
||||
default_redirection_url: 'https://home.example.com:8080/'
|
||||
|
||||
server:
|
||||
address: 'tcp://:9091'
|
||||
tls:
|
||||
certificate: /pki/public.backend.crt
|
||||
key: /pki/private.backend.pem
|
||||
certificate: '/pki/public.backend.crt'
|
||||
key: '/pki/private.backend.pem'
|
||||
|
||||
log:
|
||||
level: debug
|
||||
level: 'debug'
|
||||
|
||||
authentication_backend:
|
||||
file:
|
||||
path: /config/users.yml
|
||||
path: '/config/users.yml'
|
||||
|
||||
session:
|
||||
secret: unsecure_session_secret
|
||||
expiration: 3600 # 1 hour
|
||||
inactivity: 300 # 5 minutes
|
||||
remember_me: 1y
|
||||
secret: 'unsecure_session_secret'
|
||||
expiration: '1h' # 1 hour
|
||||
inactivity: '5m' # 5 minutes
|
||||
remember_me: '1y'
|
||||
cookies:
|
||||
- domain: 'example.com'
|
||||
authelia_url: 'https://login.example.com:8080'
|
||||
|
||||
# Configuration of the storage backend used to store data and secrets. i.e. totp data
|
||||
storage:
|
||||
encryption_key: a_not_so_secure_encryption_key
|
||||
encryption_key: 'a_not_so_secure_encryption_key'
|
||||
mysql:
|
||||
address: 'tcp://mariadb:3306'
|
||||
database: authelia
|
||||
username: admin
|
||||
password: password
|
||||
database: 'authelia'
|
||||
username: 'admin'
|
||||
password: 'password'
|
||||
|
||||
# TOTP Issuer Name
|
||||
#
|
||||
# This will be the issuer name displayed in Google Authenticator
|
||||
# See: https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names
|
||||
totp:
|
||||
issuer: example.com
|
||||
issuer: 'example.com'
|
||||
|
||||
access_control:
|
||||
default_policy: deny
|
||||
default_policy: 'deny'
|
||||
rules:
|
||||
- domain: "public.example.com"
|
||||
policy: bypass
|
||||
- domain: "admin.example.com"
|
||||
policy: two_factor
|
||||
- domain: "secure.example.com"
|
||||
policy: two_factor
|
||||
- domain: "singlefactor.example.com"
|
||||
policy: one_factor
|
||||
- domain: 'public.example.com'
|
||||
policy: 'bypass'
|
||||
- domain: 'admin.example.com'
|
||||
policy: 'two_factor'
|
||||
- domain: 'secure.example.com'
|
||||
policy: 'two_factor'
|
||||
- domain: 'singlefactor.example.com'
|
||||
policy: 'one_factor'
|
||||
|
||||
# Configuration of the authentication regulation mechanism.
|
||||
regulation:
|
||||
|
@ -62,7 +62,7 @@ regulation:
|
|||
max_retries: 3
|
||||
|
||||
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
|
||||
find_time: 8
|
||||
find_time: '8s'
|
||||
|
||||
# The length of time before a banned user can login again.
|
||||
ban_time: 10
|
||||
|
@ -71,6 +71,6 @@ notifier:
|
|||
# Use a SMTP server for sending notifications
|
||||
smtp:
|
||||
address: 'smtp://smtp:1025'
|
||||
sender: admin@example.com
|
||||
sender: 'admin@example.com'
|
||||
disable_require_tls: true
|
||||
...
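Review bot: The comment above `find_time: '8s'` in the `@ -62,7 +62,7 @@ regulation:` hunk still says "in a `find_time` seconds window", which described the old integer-of-seconds form; now that the value carries its own unit the wording is misleading. Suggest rewording it to `# The user is banned if authentication fails max_retries times within the find_time window.`. Likewise the trailing `# 1 hour` and `# 5 minutes` comments on `expiration: '1h'` and `inactivity: '5m'` now only restate the value and could be dropped. The `regulation` block begins before that hunk.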
|
||||
|
|
|
@ -8,28 +8,28 @@
|
|||
# List of users
|
||||
users:
|
||||
john:
|
||||
displayname: "John Doe"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: john.doe@authelia.com
|
||||
displayname: 'John Doe'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'john.doe@authelia.com'
|
||||
groups:
|
||||
- admins
|
||||
- dev
|
||||
- 'admins'
|
||||
- 'dev'
|
||||
|
||||
harry:
|
||||
displayname: "Harry Potter"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: harry.potter@authelia.com
|
||||
displayname: 'Harry Potter'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'harry.potter@authelia.com'
|
||||
groups: []
|
||||
|
||||
bob:
|
||||
displayname: "Bob Dylan"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: bob.dylan@authelia.com
|
||||
displayname: 'Bob Dylan'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'bob.dylan@authelia.com'
|
||||
groups:
|
||||
- dev
|
||||
- 'dev'
|
||||
|
||||
james:
|
||||
displayname: "James Dean"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: james.dean@authelia.com
|
||||
displayname: 'James Dean'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'james.dean@authelia.com'
|
||||
...
|
||||
|
|
|
@ -3,14 +3,14 @@
|
|||
# Authelia minimal configuration #
|
||||
###############################################################
|
||||
|
||||
jwt_secret: unsecure_secret
|
||||
theme: auto
|
||||
jwt_secret: 'unsecure_secret'
|
||||
theme: 'auto'
|
||||
|
||||
server:
|
||||
address: 'tcp://:9091'
|
||||
tls:
|
||||
certificate: /pki/public.backend.crt
|
||||
key: /pki/private.backend.pem
|
||||
certificate: '/pki/public.backend.crt'
|
||||
key: '/pki/private.backend.pem'
|
||||
|
||||
telemetry:
|
||||
metrics:
|
||||
|
@ -18,17 +18,17 @@ telemetry:
|
|||
address: 'tcp://:9959'
|
||||
|
||||
log:
|
||||
level: debug
|
||||
level: 'debug'
|
||||
|
||||
authentication_backend:
|
||||
file:
|
||||
path: /config/users.yml
|
||||
path: '/config/users.yml'
|
||||
|
||||
session:
|
||||
secret: unsecure_session_secret
|
||||
expiration: 3600
|
||||
inactivity: 300
|
||||
remember_me: 1y
|
||||
secret: 'unsecure_session_secret'
|
||||
expiration: '1h'
|
||||
inactivity: '5m'
|
||||
remember_me: '1y'
|
||||
cookies:
|
||||
- name: 'authelia_session'
|
||||
domain: 'example.com'
|
||||
|
@ -42,153 +42,153 @@ session:
|
|||
authelia_url: 'https://login.example3.com:8080'
|
||||
|
||||
storage:
|
||||
encryption_key: a_not_so_secure_encryption_key
|
||||
encryption_key: 'a_not_so_secure_encryption_key'
|
||||
local:
|
||||
path: /config/db.sqlite
|
||||
path: '/config/db.sqlite'
|
||||
|
||||
totp:
|
||||
issuer: example.com
|
||||
issuer: 'example.com'
|
||||
|
||||
access_control:
|
||||
default_policy: deny
|
||||
default_policy: 'deny'
|
||||
|
||||
rules:
|
||||
# First cookie domain
|
||||
- domain: singlefactor.example.com
|
||||
policy: one_factor
|
||||
- domain: 'singlefactor.example.com'
|
||||
policy: 'one_factor'
|
||||
|
||||
- domain: public.example.com
|
||||
policy: bypass
|
||||
- domain: 'public.example.com'
|
||||
policy: 'bypass'
|
||||
|
||||
- domain: secure.example.com
|
||||
policy: bypass
|
||||
- domain: 'secure.example.com'
|
||||
policy: 'bypass'
|
||||
methods:
|
||||
- OPTIONS
|
||||
- 'OPTIONS'
|
||||
|
||||
- domain: secure.example.com
|
||||
policy: two_factor
|
||||
- domain: 'secure.example.com'
|
||||
policy: 'two_factor'
|
||||
|
||||
- domain: "*.example.com"
|
||||
subject: "group:admins"
|
||||
policy: two_factor
|
||||
- domain: '*.example.com'
|
||||
subject: 'group:admins'
|
||||
policy: 'two_factor'
|
||||
|
||||
- domain: dev.example.com
|
||||
- domain: 'dev.example.com'
|
||||
resources:
|
||||
- "^/users/john/.*$"
|
||||
subject: "user:john"
|
||||
policy: two_factor
|
||||
- '^/users/john/.*$'
|
||||
subject: 'user:john'
|
||||
policy: 'two_factor'
|
||||
|
||||
- domain: dev.example.com
|
||||
- domain: 'dev.example.com'
|
||||
resources:
|
||||
- "^/users/harry/.*$"
|
||||
subject: "user:harry"
|
||||
policy: two_factor
|
||||
- '^/users/harry/.*$'
|
||||
subject: 'user:harry'
|
||||
policy: 'two_factor'
|
||||
|
||||
- domain: "*.mail.example.com"
|
||||
subject: "user:bob"
|
||||
policy: two_factor
|
||||
- domain: '*.mail.example.com'
|
||||
subject: 'user:bob'
|
||||
policy: 'two_factor'
|
||||
|
||||
- domain: dev.example.com
|
||||
- domain: 'dev.example.com'
|
||||
resources:
|
||||
- "^/users/bob/.*$"
|
||||
subject: "user:bob"
|
||||
policy: two_factor
|
||||
- '^/users/bob/.*$'
|
||||
subject: 'user:bob'
|
||||
policy: 'two_factor'
|
||||
|
||||
# Second cookie domain
|
||||
- domain: singlefactor.example2.com
|
||||
policy: one_factor
|
||||
- domain: 'singlefactor.example2.com'
|
||||
policy: 'one_factor'
|
||||
|
||||
- domain: public.example2.com
|
||||
policy: bypass
|
||||
- domain: 'public.example2.com'
|
||||
policy: 'bypass'
|
||||
|
||||
- domain: secure.example2.com
|
||||
policy: bypass
|
||||
- domain: 'secure.example2.com'
|
||||
policy: 'bypass'
|
||||
methods:
|
||||
- OPTIONS
|
||||
- 'OPTIONS'
|
||||
|
||||
- domain: secure.example2.com
|
||||
policy: two_factor
|
||||
- domain: 'secure.example2.com'
|
||||
policy: 'two_factor'
|
||||
|
||||
- domain: "*.example2.com"
|
||||
subject: "group:admins"
|
||||
policy: two_factor
|
||||
- domain: '*.example2.com'
|
||||
subject: 'group:admins'
|
||||
policy: 'two_factor'
|
||||
|
||||
- domain: dev.example2.com
|
||||
- domain: 'dev.example2.com'
|
||||
resources:
|
||||
- "^/users/john/.*$"
|
||||
subject: "user:john"
|
||||
policy: two_factor
|
||||
- '^/users/john/.*$'
|
||||
subject: 'user:john'
|
||||
policy: 'two_factor'
|
||||
|
||||
- domain: dev.example2.com
|
||||
- domain: 'dev.example2.com'
|
||||
resources:
|
||||
- "^/users/harry/.*$"
|
||||
subject: "user:harry"
|
||||
policy: two_factor
|
||||
- '^/users/harry/.*$'
|
||||
subject: 'user:harry'
|
||||
policy: 'two_factor'
|
||||
|
||||
- domain: "*.mail.example2.com"
|
||||
subject: "user:bob"
|
||||
policy: two_factor
|
||||
- domain: '*.mail.example2.com'
|
||||
subject: 'user:bob'
|
||||
policy: 'two_factor'
|
||||
|
||||
- domain: dev.example2.com
|
||||
- domain: 'dev.example2.com'
|
||||
resources:
|
||||
- "^/users/bob/.*$"
|
||||
subject: "user:bob"
|
||||
policy: two_factor
|
||||
- '^/users/bob/.*$'
|
||||
subject: 'user:bob'
|
||||
policy: 'two_factor'
|
||||
|
||||
# Third cookie domain
|
||||
- domain: singlefactor.example3.com
|
||||
policy: one_factor
|
||||
- domain: 'singlefactor.example3.com'
|
||||
policy: 'one_factor'
|
||||
|
||||
- domain: public.example3.com
|
||||
policy: bypass
|
||||
- domain: 'public.example3.com'
|
||||
policy: 'bypass'
|
||||
|
||||
- domain: secure.example3.com
|
||||
policy: bypass
|
||||
- domain: 'secure.example3.com'
|
||||
policy: 'bypass'
|
||||
methods:
|
||||
- OPTIONS
|
||||
- 'OPTIONS'
|
||||
|
||||
- domain: secure.example3.com
|
||||
policy: two_factor
|
||||
- domain: 'secure.example3.com'
|
||||
policy: 'two_factor'
|
||||
|
||||
- domain: "*.example3.com"
|
||||
subject: "group:admins"
|
||||
policy: two_factor
|
||||
- domain: '*.example3.com'
|
||||
subject: 'group:admins'
|
||||
policy: 'two_factor'
|
||||
|
||||
- domain: dev.example3.com
|
||||
- domain: 'dev.example3.com'
|
||||
resources:
|
||||
- "^/users/john/.*$"
|
||||
subject: "user:john"
|
||||
policy: two_factor
|
||||
- '^/users/john/.*$'
|
||||
subject: 'user:john'
|
||||
policy: 'two_factor'
|
||||
|
||||
- domain: dev.example3.com
|
||||
- domain: 'dev.example3.com'
|
||||
resources:
|
||||
- "^/users/harry/.*$"
|
||||
subject: "user:harry"
|
||||
policy: two_factor
|
||||
- '^/users/harry/.*$'
|
||||
subject: 'user:harry'
|
||||
policy: 'two_factor'
|
||||
|
||||
- domain: "*.mail.example3.com"
|
||||
subject: "user:bob"
|
||||
policy: two_factor
|
||||
- domain: '*.mail.example3.com'
|
||||
subject: 'user:bob'
|
||||
policy: 'two_factor'
|
||||
|
||||
- domain: dev.example3.com
|
||||
- domain: 'dev.example3.com'
|
||||
resources:
|
||||
- "^/users/bob/.*$"
|
||||
subject: "user:bob"
|
||||
policy: two_factor
|
||||
- '^/users/bob/.*$'
|
||||
subject: 'user:bob'
|
||||
policy: 'two_factor'
|
||||
|
||||
|
||||
regulation:
|
||||
# Set it to 0 to disable max_retries.
|
||||
max_retries: 3
|
||||
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
|
||||
find_time: 300
|
||||
find_time: '5m'
|
||||
# The length of time before a banned user can login again.
|
||||
ban_time: 900
|
||||
ban_time: '15m'
|
||||
|
||||
notifier:
|
||||
smtp:
|
||||
address: 'smtp://smtp:1025'
|
||||
sender: admin@example.com
|
||||
sender: 'admin@example.com'
|
||||
disable_require_tls: true
|
||||
ntp:
|
||||
## NTP server address
|
||||
|
@ -196,7 +196,7 @@ ntp:
|
|||
## ntp version
|
||||
version: 4
|
||||
## "maximum desynchronization" is the allowed offset time between the host and the ntp server
|
||||
max_desync: 3s
|
||||
max_desync: '3s'
|
||||
## You can enable or disable the NTP synchronization check on startup
|
||||
disable_startup_check: false
|
||||
|
||||
|
|
|
@ -8,28 +8,28 @@
|
|||
# List of users
|
||||
users:
|
||||
john:
|
||||
displayname: "John Doe"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: john.doe@authelia.com
|
||||
displayname: 'John Doe'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'john.doe@authelia.com'
|
||||
groups:
|
||||
- admins
|
||||
- dev
|
||||
- 'admins'
|
||||
- 'dev'
|
||||
|
||||
harry:
|
||||
displayname: "Harry Potter"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: harry.potter@authelia.com
|
||||
displayname: 'Harry Potter'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'harry.potter@authelia.com'
|
||||
groups: []
|
||||
|
||||
bob:
|
||||
displayname: "Bob Dylan"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: bob.dylan@authelia.com
|
||||
displayname: 'Bob Dylan'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'bob.dylan@authelia.com'
|
||||
groups:
|
||||
- dev
|
||||
- 'dev'
|
||||
|
||||
james:
|
||||
displayname: "James Dean"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: james.dean@authelia.com
|
||||
displayname: 'James Dean'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'james.dean@authelia.com'
|
||||
...
|
||||
|
|
|
@ -6,32 +6,32 @@
|
|||
server:
|
||||
address: 'tcp://:9091'
|
||||
tls:
|
||||
certificate: /pki/public.backend.crt
|
||||
key: /pki/private.backend.pem
|
||||
certificate: '/pki/public.backend.crt'
|
||||
key: '/pki/private.backend.pem'
|
||||
|
||||
log:
|
||||
level: debug
|
||||
level: 'debug'
|
||||
|
||||
default_redirection_url: https://home.example.com:8080/
|
||||
default_redirection_url: 'https://home.example.com:8080/'
|
||||
|
||||
jwt_secret: very_important_secret
|
||||
jwt_secret: 'very_important_secret'
|
||||
|
||||
authentication_backend:
|
||||
file:
|
||||
path: /config/users.yml
|
||||
path: '/config/users.yml'
|
||||
|
||||
session:
|
||||
secret: unsecure_session_secret
|
||||
expiration: 3600 # 1 hour
|
||||
inactivity: 300 # 5 minutes
|
||||
remember_me: 1y
|
||||
secret: 'unsecure_session_secret'
|
||||
expiration: '1h' # 1 hour
|
||||
inactivity: '5m' # 5 minutes
|
||||
remember_me: '1y'
|
||||
cookies:
|
||||
- domain: 'example.com'
|
||||
authelia_url: 'https://login.example.com:8080'
|
||||
|
||||
# Configuration of the storage backend used to store data and secrets. i.e. totp data
|
||||
storage:
|
||||
encryption_key: a_not_so_secure_encryption_key
|
||||
encryption_key: 'a_not_so_secure_encryption_key'
|
||||
mysql:
|
||||
address: 'tcp://mysql:3306'
|
||||
database: 'authelia'
|
||||
|
@ -43,19 +43,19 @@ storage:
|
|||
# This will be the issuer name displayed in Google Authenticator
|
||||
# See: https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names
|
||||
totp:
|
||||
issuer: example.com
|
||||
issuer: 'example.com'
|
||||
|
||||
access_control:
|
||||
default_policy: deny
|
||||
default_policy: 'deny'
|
||||
rules:
|
||||
- domain: "public.example.com"
|
||||
policy: bypass
|
||||
- domain: "admin.example.com"
|
||||
policy: two_factor
|
||||
- domain: "secure.example.com"
|
||||
policy: two_factor
|
||||
- domain: "singlefactor.example.com"
|
||||
policy: one_factor
|
||||
- domain: 'public.example.com'
|
||||
policy: 'bypass'
|
||||
- domain: 'admin.example.com'
|
||||
policy: 'two_factor'
|
||||
- domain: 'secure.example.com'
|
||||
policy: 'two_factor'
|
||||
- domain: 'singlefactor.example.com'
|
||||
policy: 'one_factor'
|
||||
|
||||
# Configuration of the authentication regulation mechanism.
|
||||
regulation:
|
||||
|
@ -63,7 +63,7 @@ regulation:
|
|||
max_retries: 3
|
||||
|
||||
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
|
||||
find_time: 8
|
||||
find_time: '8s'
|
||||
|
||||
# The length of time before a banned user can login again.
|
||||
ban_time: 10
|
||||
|
@ -72,6 +72,6 @@ notifier:
|
|||
# Use a SMTP server for sending notifications
|
||||
smtp:
|
||||
address: 'smtp://smtp:1025'
|
||||
sender: admin@example.com
|
||||
disable_require_tls: true
|
||||
sender: 'admin@example.com'
|
||||
disable_require_tls: 'true'
|
||||
...
|
||||
|
|
|
@ -8,28 +8,26 @@
|
|||
# List of users
|
||||
users:
|
||||
john:
|
||||
displayname: "John Doe"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: john.doe@authelia.com
|
||||
displayname: 'John Doe'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'john.doe@authelia.com'
|
||||
groups:
|
||||
- admins
|
||||
- dev
|
||||
|
||||
- 'admins'
|
||||
- 'dev'
|
||||
harry:
|
||||
displayname: "Harry Potter"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: harry.potter@authelia.com
|
||||
displayname: 'Harry Potter'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'harry.potter@authelia.com'
|
||||
groups: []
|
||||
|
||||
bob:
|
||||
displayname: "Bob Dylan"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: bob.dylan@authelia.com
|
||||
displayname: 'Bob Dylan'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'bob.dylan@authelia.com'
|
||||
groups:
|
||||
- dev
|
||||
|
||||
- 'dev'
|
||||
james:
|
||||
displayname: "James Dean"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: james.dean@authelia.com
|
||||
displayname: 'James Dean'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'james.dean@authelia.com'
|
||||
...
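Review bot: The blank lines that separated the `john`/`harry` and `bob`/`james` entries are dropped on the new side (the hunk shrinks from 28 to 26 lines), while every other users file touched by this commit keeps one blank line between user entries. Keeping the separator, i.e. a blank line after `- 'dev'` before `harry:` and again before `james:`, keeps these fixtures diffable against each other. Pure style; parsing is unaffected.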
|
||||
|
|
|
@ -6,71 +6,71 @@
|
|||
server:
|
||||
address: 'tcp://:9091'
|
||||
tls:
|
||||
certificate: /pki/public.backend.crt
|
||||
key: /pki/private.backend.pem
|
||||
certificate: '/pki/public.backend.crt'
|
||||
key: '/pki/private.backend.pem'
|
||||
|
||||
log:
|
||||
level: debug
|
||||
level: 'debug'
|
||||
|
||||
jwt_secret: unsecure_password
|
||||
jwt_secret: 'unsecure_password'
|
||||
|
||||
authentication_backend:
|
||||
file:
|
||||
path: /config/users.yml
|
||||
path: '/config/users.yml'
|
||||
|
||||
session:
|
||||
secret: unsecure_session_secret
|
||||
expiration: 3600 # 1 hour
|
||||
inactivity: 300 # 5 minutes
|
||||
remember_me: 1y
|
||||
secret: 'unsecure_session_secret'
|
||||
expiration: '1h' # 1 hour
|
||||
inactivity: '5m' # 5 minutes
|
||||
remember_me: '1y'
|
||||
cookies:
|
||||
- domain: 'example.com'
|
||||
authelia_url: 'https://login.example.com:8080'
|
||||
|
||||
# Configuration of the storage backend used to store data and secrets. i.e. totp data
|
||||
storage:
|
||||
encryption_key: a_not_so_secure_encryption_key
|
||||
encryption_key: 'a_not_so_secure_encryption_key'
|
||||
local:
|
||||
path: /config/db.sqlite
|
||||
path: '/config/db.sqlite'
|
||||
|
||||
# Access Control
|
||||
#
|
||||
# Access control is a set of rules you can use to restrict user access to certain
|
||||
# resources.
|
||||
access_control:
|
||||
default_policy: deny
|
||||
default_policy: 'deny'
|
||||
networks:
|
||||
- name: Clients
|
||||
- name: 'Clients'
|
||||
networks:
|
||||
- 192.168.240.202/32
|
||||
- 192.168.240.203/32
|
||||
rules:
|
||||
- domain: secure.example.com
|
||||
policy: one_factor
|
||||
- domain: 'secure.example.com'
|
||||
policy: 'one_factor'
|
||||
networks:
|
||||
- 192.168.240.201/32
|
||||
|
||||
- domain: secure.example.com
|
||||
policy: bypass
|
||||
- domain: 'secure.example.com'
|
||||
policy: 'bypass'
|
||||
networks:
|
||||
- Clients
|
||||
- 'Clients'
|
||||
|
||||
- domain: secure.example.com
|
||||
policy: two_factor
|
||||
- domain: 'secure.example.com'
|
||||
policy: 'two_factor'
|
||||
|
||||
# Configuration of the authentication regulation mechanism.
|
||||
regulation:
|
||||
# Set it to 0 to disable max_retries.
|
||||
max_retries: 3
|
||||
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
|
||||
find_time: 300
|
||||
find_time: '5m'
|
||||
# The length of time before a banned user can login again.
|
||||
ban_time: 900
|
||||
ban_time: '15m'
|
||||
|
||||
notifier:
|
||||
# Use a SMTP server for sending notifications
|
||||
smtp:
|
||||
address: 'smtp://smtp:1025'
|
||||
sender: admin@example.com
|
||||
sender: 'admin@example.com'
|
||||
disable_require_tls: true
|
||||
...
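Review bot: The CIDR entries `- 192.168.240.202/32`, `- 192.168.240.203/32` and `- 192.168.240.201/32` stay as plain scalars while the sibling network reference becomes `- 'Clients'`, so the `networks` lists mix quoting styles within one stanza after a commit whose purpose is to quote every string. They are safe as plain scalars (no YAML indicator or implicit-typing trap), so this is consistency only; quoting them as `- '192.168.240.202/32'` etc. would match the rest of the file.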
|
||||
|
|
|
@ -8,28 +8,28 @@
|
|||
# List of users
|
||||
users:
|
||||
john:
|
||||
displayname: "John Doe"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: john.doe@authelia.com
|
||||
displayname: 'John Doe'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'john.doe@authelia.com'
|
||||
groups:
|
||||
- admins
|
||||
- dev
|
||||
- 'admins'
|
||||
- 'dev'
|
||||
|
||||
harry:
|
||||
displayname: "Harry Potter"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: harry.potter@authelia.com
|
||||
displayname: 'Harry Potter'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'harry.potter@authelia.com'
|
||||
groups: []
|
||||
|
||||
bob:
|
||||
displayname: "Bob Dylan"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: bob.dylan@authelia.com
|
||||
displayname: 'Bob Dylan'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'bob.dylan@authelia.com'
|
||||
groups:
|
||||
- dev
|
||||
- 'dev'
|
||||
|
||||
james:
|
||||
displayname: "James Dean"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: james.dean@authelia.com
|
||||
displayname: 'James Dean'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'james.dean@authelia.com'
|
||||
...
|
||||
|
|
|
@ -2,78 +2,78 @@
|
|||
server:
|
||||
address: 'tcp://:9091'
|
||||
tls:
|
||||
certificate: /pki/public.backend.crt
|
||||
key: /pki/private.backend.pem
|
||||
certificate: '/pki/public.backend.crt'
|
||||
key: '/pki/private.backend.pem'
|
||||
|
||||
log:
|
||||
level: debug
|
||||
level: 'debug'
|
||||
|
||||
jwt_secret: unsecure_secret
|
||||
jwt_secret: 'unsecure_secret'
|
||||
|
||||
authentication_backend:
|
||||
file:
|
||||
path: /config/users.yml
|
||||
path: '/config/users.yml'
|
||||
|
||||
session:
|
||||
secret: unsecure_session_secret
|
||||
secret: 'unsecure_session_secret'
|
||||
|
||||
cookies:
|
||||
- domain: 'example.com'
|
||||
authelia_url: 'https://login.example.com:8080'
|
||||
expiration: 3600 # 1 hour
|
||||
inactivity: 300 # 5 minutes
|
||||
remember_me: 1y
|
||||
expiration: '1h' # 1 hour
|
||||
inactivity: '5m' # 5 minutes
|
||||
remember_me: '1y'
|
||||
|
||||
# We use redis here to keep the users authenticated when Authelia restarts
|
||||
# It eases development.
|
||||
redis:
|
||||
host: redis
|
||||
host: 'redis'
|
||||
port: 6379
|
||||
|
||||
storage:
|
||||
encryption_key: a_not_so_secure_encryption_key
|
||||
encryption_key: 'a_not_so_secure_encryption_key'
|
||||
local:
|
||||
path: /config/db.sqlite
|
||||
path: '/config/db.sqlite'
|
||||
|
||||
access_control:
|
||||
default_policy: deny
|
||||
default_policy: 'deny'
|
||||
rules:
|
||||
- domain: "home.example.com"
|
||||
policy: bypass
|
||||
- domain: "public.example.com"
|
||||
policy: bypass
|
||||
- domain: "admin.example.com"
|
||||
policy: two_factor
|
||||
- domain: "secure.example.com"
|
||||
policy: two_factor
|
||||
- domain: "singlefactor.example.com"
|
||||
policy: one_factor
|
||||
- domain: "oidc.example.com"
|
||||
policy: two_factor
|
||||
- domain: "oidc-public.example.com"
|
||||
policy: bypass
|
||||
- domain: 'home.example.com'
|
||||
policy: 'bypass'
|
||||
- domain: 'public.example.com'
|
||||
policy: 'bypass'
|
||||
- domain: 'admin.example.com'
|
||||
policy: 'two_factor'
|
||||
- domain: 'secure.example.com'
|
||||
policy: 'two_factor'
|
||||
- domain: 'singlefactor.example.com'
|
||||
policy: 'one_factor'
|
||||
- domain: 'oidc.example.com'
|
||||
policy: 'two_factor'
|
||||
- domain: 'oidc-public.example.com'
|
||||
policy: 'bypass'
|
||||
|
||||
notifier:
|
||||
smtp:
|
||||
address: 'smtp://smtp:1025'
|
||||
sender: admin@example.com
|
||||
sender: 'admin@example.com'
|
||||
disable_require_tls: true
|
||||
|
||||
identity_providers:
|
||||
oidc:
|
||||
enable_client_debug_messages: true
|
||||
hmac_secret: IVPWBkAdJHje3uz7LtFTDU2pFUfh39Xm
|
||||
hmac_secret: 'IVPWBkAdJHje3uz7LtFTDU2pFUfh39Xm'
|
||||
clients:
|
||||
- id: oidc-tester-app
|
||||
secret: foobar
|
||||
authorization_policy: two_factor
|
||||
- id: 'oidc-tester-app'
|
||||
secret: 'foobar'
|
||||
authorization_policy: 'two_factor'
|
||||
redirect_uris:
|
||||
- https://oidc.example.com:8080/oauth2/callback
|
||||
# This client is used for testing purpose. As of now, the app must be protected by ACLs
|
||||
# otherwise it won't work properly.
|
||||
- id: oidc-tester-app-public
|
||||
secret: foobar
|
||||
authorization_policy: one_factor
|
||||
- id: 'oidc-tester-app-public'
|
||||
secret: 'foobar'
|
||||
authorization_policy: 'one_factor'
|
||||
redirect_uris:
|
||||
- https://oidc-public.example.com:8080/oauth2/callback
|
||||
...
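Review bot: The `redirect_uris` entries `- https://oidc.example.com:8080/oauth2/callback` and `- https://oidc-public.example.com:8080/oauth2/callback` are the only scalars in this file left unquoted, so the hunk stops short of the uniformly-quoted state every other line in it establishes; write them as `- 'https://oidc.example.com:8080/oauth2/callback'` and `- 'https://oidc-public.example.com:8080/oauth2/callback'`. Separately, both OIDC clients carry the plaintext credential `secret: 'foobar'` alongside a literal `hmac_secret` and `jwt_secret: 'unsecure_secret'`; that is presumably acceptable for a test suite, but nothing in the file says so. A header comment such as `# Test-suite credentials only; never reuse these values in a real deployment.` would stop a reader from copying them into a real configuration.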
|
||||
|
|
|
@ -3,8 +3,8 @@ version: '3'
|
|||
services:
|
||||
authelia-backend:
|
||||
environment:
|
||||
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_CERTIFICATE_CHAIN_FILE: /pki/public.oidc.chain.pem
|
||||
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE: /pki/private.oidc.pem
|
||||
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_CERTIFICATE_CHAIN_FILE: '/pki/public.oidc.chain.pem'
|
||||
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE: '/pki/private.oidc.pem'
|
||||
volumes:
|
||||
- './OIDC/configuration.yml:/config/configuration.yml:ro'
|
||||
- './OIDC/users.yml:/config/users.yml'
|
||||
|
|
|
@ -8,28 +8,28 @@
|
|||
# List of users
|
||||
users:
|
||||
john:
|
||||
displayname: "John Doe"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: john.doe@authelia.com
|
||||
displayname: 'John Doe'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'john.doe@authelia.com'
|
||||
groups:
|
||||
- admins
|
||||
- dev
|
||||
- 'admins'
|
||||
- 'dev'
|
||||
|
||||
harry:
|
||||
displayname: "Harry Potter"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: harry.potter@authelia.com
|
||||
displayname: 'Harry Potter'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'harry.potter@authelia.com'
|
||||
groups: []
|
||||
|
||||
bob:
|
||||
displayname: "Bob Dylan"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: bob.dylan@authelia.com
|
||||
displayname: 'Bob Dylan'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'bob.dylan@authelia.com'
|
||||
groups:
|
||||
- dev
|
||||
- 'dev'
|
||||
|
||||
james:
|
||||
displayname: "James Dean"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: james.dean@authelia.com
|
||||
displayname: 'James Dean'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'james.dean@authelia.com'
|
||||
...
|
||||
|
|
|
@ -2,23 +2,23 @@
|
|||
server:
|
||||
address: 'tcp://:9091'
|
||||
tls:
|
||||
certificate: /pki/public.backend.crt
|
||||
key: /pki/private.backend.pem
|
||||
certificate: '/pki/public.backend.crt'
|
||||
key: '/pki/private.backend.pem'
|
||||
|
||||
log:
|
||||
level: debug
|
||||
level: 'debug'
|
||||
|
||||
jwt_secret: unsecure_secret
|
||||
jwt_secret: 'unsecure_secret'
|
||||
|
||||
authentication_backend:
|
||||
file:
|
||||
path: /config/users.yml
|
||||
path: '/config/users.yml'
|
||||
|
||||
session:
|
||||
secret: unsecure_session_secret
|
||||
expiration: 3600 # 1 hour
|
||||
inactivity: 300 # 5 minutes
|
||||
remember_me: 1y
|
||||
secret: 'unsecure_session_secret'
|
||||
expiration: '1h' # 1 hour
|
||||
inactivity: '5m' # 5 minutes
|
||||
remember_me: '1y'
|
||||
cookies:
|
||||
- domain: 'example.com'
|
||||
authelia_url: 'https://login.example.com:8080'
|
||||
|
@ -26,55 +26,55 @@ session:
|
|||
# We use redis here to keep the users authenticated when Authelia restarts
|
||||
# It eases development.
|
||||
redis:
|
||||
host: redis
|
||||
host: 'redis'
|
||||
port: 6379
|
||||
|
||||
storage:
|
||||
encryption_key: a_not_so_secure_encryption_key
|
||||
encryption_key: 'a_not_so_secure_encryption_key'
|
||||
local:
|
||||
path: /config/db.sqlite
|
||||
path: '/config/db.sqlite'
|
||||
|
||||
access_control:
|
||||
default_policy: deny
|
||||
default_policy: 'deny'
|
||||
rules:
|
||||
- domain: "home.example.com"
|
||||
policy: bypass
|
||||
- domain: "public.example.com"
|
||||
policy: bypass
|
||||
- domain: "admin.example.com"
|
||||
policy: two_factor
|
||||
- domain: "secure.example.com"
|
||||
policy: two_factor
|
||||
- domain: "singlefactor.example.com"
|
||||
policy: one_factor
|
||||
- domain: "oidc.example.com"
|
||||
policy: two_factor
|
||||
- domain: "oidc-public.example.com"
|
||||
policy: bypass
|
||||
- domain: "traefik.example.com"
|
||||
policy: bypass
|
||||
- domain: 'home.example.com'
|
||||
policy: 'bypass'
|
||||
- domain: 'public.example.com'
|
||||
policy: 'bypass'
|
||||
- domain: 'admin.example.com'
|
||||
policy: 'two_factor'
|
||||
- domain: 'secure.example.com'
|
||||
policy: 'two_factor'
|
||||
- domain: 'singlefactor.example.com'
|
||||
policy: 'one_factor'
|
||||
- domain: 'oidc.example.com'
|
||||
policy: 'two_factor'
|
||||
- domain: 'oidc-public.example.com'
|
||||
policy: 'bypass'
|
||||
- domain: 'traefik.example.com'
|
||||
policy: 'bypass'
|
||||
|
||||
notifier:
|
||||
smtp:
|
||||
address: 'smtp://smtp:1025'
|
||||
sender: admin@example.com
|
||||
sender: 'admin@example.com'
|
||||
disable_require_tls: true
|
||||
|
||||
identity_providers:
|
||||
oidc:
|
||||
enable_client_debug_messages: true
|
||||
hmac_secret: IVPWBkAdJHje3uz7LtFTDU2pFUfh39Xm
|
||||
hmac_secret: 'IVPWBkAdJHje3uz7LtFTDU2pFUfh39Xm'
|
||||
clients:
|
||||
- id: oidc-tester-app
|
||||
secret: foobar
|
||||
authorization_policy: two_factor
|
||||
- id: 'oidc-tester-app'
|
||||
secret: 'foobar'
|
||||
authorization_policy: 'two_factor'
|
||||
redirect_uris:
|
||||
- https://oidc.example.com:8080/oauth2/callback
|
||||
# This client is used for testing purpose. As of now, the app must be protected by ACLs
|
||||
# otherwise it won't work properly.
|
||||
- id: oidc-tester-app-public
|
||||
secret: foobar
|
||||
authorization_policy: one_factor
|
||||
- id: 'oidc-tester-app-public'
|
||||
secret: 'foobar'
|
||||
authorization_policy: 'one_factor'
|
||||
redirect_uris:
|
||||
- https://oidc-public.example.com:8080/oauth2/callback
|
||||
...
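Review bot: As in the sibling OIDC configuration, the two `redirect_uris` values (`- https://oidc.example.com:8080/oauth2/callback`, `- https://oidc-public.example.com:8080/oauth2/callback`) remain unquoted while every other scalar in the hunk is now single-quoted, so the quoting convention is not applied consistently; quote them the same way. The rule `- domain: 'traefik.example.com'` with `policy: 'bypass'` leaves whatever is served there reachable without authentication; if the suite genuinely needs that, a one-line comment above the rule stating why (e.g. `# Dashboard is deliberately unauthenticated in this suite.`) would make the intent explicit. The plaintext client `secret: 'foobar'` values presumably exist only for the test harness and should be marked as such.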
|
||||
|
|
|
@ -3,8 +3,8 @@ version: '3'
|
|||
services:
|
||||
authelia-backend:
|
||||
environment:
|
||||
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_CERTIFICATE_CHAIN_FILE: /pki/public.oidc.chain.pem
|
||||
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE: /pki/private.oidc.pem
|
||||
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_CERTIFICATE_CHAIN_FILE: '/pki/public.oidc.chain.pem'
|
||||
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE: '/pki/private.oidc.pem'
|
||||
volumes:
|
||||
- './OIDCTraefik/configuration.yml:/config/configuration.yml:ro'
|
||||
- './OIDCTraefik/users.yml:/config/users.yml'
|
||||
|
|
|
@ -8,28 +8,28 @@
|
|||
# List of users
|
||||
users:
|
||||
john:
|
||||
displayname: "John Doe"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: john.doe@authelia.com
|
||||
displayname: 'John Doe'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'john.doe@authelia.com'
|
||||
groups:
|
||||
- admins
|
||||
- dev
|
||||
- 'admins'
|
||||
- 'dev'
|
||||
|
||||
harry:
|
||||
displayname: "Harry Potter"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: harry.potter@authelia.com
|
||||
displayname: 'Harry Potter'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'harry.potter@authelia.com'
|
||||
groups: []
|
||||
|
||||
bob:
|
||||
displayname: "Bob Dylan"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: bob.dylan@authelia.com
|
||||
displayname: 'Bob Dylan'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'bob.dylan@authelia.com'
|
||||
groups:
|
||||
- dev
|
||||
- 'dev'
|
||||
|
||||
james:
|
||||
displayname: "James Dean"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: james.dean@authelia.com
|
||||
displayname: 'James Dean'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'james.dean@authelia.com'
|
||||
...
|
||||
|
|
|
@ -3,49 +3,49 @@
|
|||
# Authelia minimal configuration #
|
||||
###############################################################
|
||||
|
||||
jwt_secret: unsecure_secret
|
||||
default_redirection_url: https://home.example.com:8080/
|
||||
jwt_secret: 'unsecure_secret'
|
||||
default_redirection_url: 'https://home.example.com:8080/'
|
||||
|
||||
server:
|
||||
address: 'tcp://:9091'
|
||||
tls:
|
||||
certificate: /pki/public.backend.crt
|
||||
key: /pki/private.backend.pem
|
||||
certificate: '/pki/public.backend.crt'
|
||||
key: '/pki/private.backend.pem'
|
||||
|
||||
log:
|
||||
level: debug
|
||||
level: 'debug'
|
||||
|
||||
authentication_backend:
|
||||
file:
|
||||
path: /config/users.yml
|
||||
path: '/config/users.yml'
|
||||
|
||||
session:
|
||||
secret: unsecure_session_secret
|
||||
expiration: 3600 # 1 hour
|
||||
inactivity: 300 # 5 minutes
|
||||
remember_me: 1y
|
||||
secret: 'unsecure_session_secret'
|
||||
expiration: '1h' # 1 hour
|
||||
inactivity: '5m' # 5 minutes
|
||||
remember_me: '1y'
|
||||
cookies:
|
||||
- domain: 'example.com'
|
||||
authelia_url: 'https://login.example.com:8080'
|
||||
|
||||
storage:
|
||||
encryption_key: a_not_so_secure_encryption_key
|
||||
encryption_key: 'a_not_so_secure_encryption_key'
|
||||
local:
|
||||
path: /config/db.sqlite
|
||||
path: '/config/db.sqlite'
|
||||
|
||||
access_control:
|
||||
default_policy: deny
|
||||
default_policy: 'deny'
|
||||
rules:
|
||||
- domain: singlefactor.example.com
|
||||
policy: one_factor
|
||||
- domain: public.example.com
|
||||
policy: bypass
|
||||
- domain: home.example.com
|
||||
policy: bypass
|
||||
- domain: unsafe.local
|
||||
policy: bypass
|
||||
- domain: 'singlefactor.example.com'
|
||||
policy: 'one_factor'
|
||||
- domain: 'public.example.com'
|
||||
policy: 'bypass'
|
||||
- domain: 'home.example.com'
|
||||
policy: 'bypass'
|
||||
- domain: 'unsafe.local'
|
||||
policy: 'bypass'
|
||||
|
||||
notifier:
|
||||
filesystem:
|
||||
filename: /config/notifier.html
|
||||
filename: '/config/notifier.html'
|
||||
...
|
||||
|
|
|
@ -8,28 +8,28 @@
|
|||
# List of users
|
||||
users:
|
||||
john:
|
||||
displayname: "John Doe"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: john.doe@authelia.com
|
||||
displayname: 'John Doe'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'john.doe@authelia.com'
|
||||
groups:
|
||||
- admins
|
||||
- dev
|
||||
- 'admins'
|
||||
- 'dev'
|
||||
|
||||
harry:
|
||||
displayname: "Harry Potter"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: harry.potter@authelia.com
|
||||
displayname: 'Harry Potter'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'harry.potter@authelia.com'
|
||||
groups: []
|
||||
|
||||
bob:
|
||||
displayname: "Bob Dylan"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: bob.dylan@authelia.com
|
||||
displayname: 'Bob Dylan'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'bob.dylan@authelia.com'
|
||||
groups:
|
||||
- dev
|
||||
- 'dev'
|
||||
|
||||
james:
|
||||
displayname: "James Dean"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: james.dean@authelia.com
|
||||
displayname: 'James Dean'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'james.dean@authelia.com'
|
||||
...
|
||||
|
|
|
@ -3,51 +3,51 @@
|
|||
# Authelia minimal configuration #
|
||||
###############################################################
|
||||
|
||||
jwt_secret: unsecure_secret
|
||||
jwt_secret: 'unsecure_secret'
|
||||
|
||||
server:
|
||||
address: 'tcp://:9091'
|
||||
path: 'auth'
|
||||
tls:
|
||||
certificate: /pki/public.backend.crt
|
||||
key: /pki/private.backend.pem
|
||||
certificate: '/pki/public.backend.crt'
|
||||
key: '/pki/private.backend.pem'
|
||||
|
||||
log:
|
||||
level: debug
|
||||
level: 'debug'
|
||||
|
||||
authentication_backend:
|
||||
file:
|
||||
path: /config/users.yml
|
||||
path: '/config/users.yml'
|
||||
|
||||
session:
|
||||
secret: unsecure_session_secret
|
||||
expiration: 3600 # 1 hour
|
||||
inactivity: 300 # 5 minutes
|
||||
remember_me: 1y
|
||||
secret: 'unsecure_session_secret'
|
||||
expiration: '1h' # 1 hour
|
||||
inactivity: '5m' # 5 minutes
|
||||
remember_me: '1y'
|
||||
cookies:
|
||||
- domain: 'example.com'
|
||||
authelia_url: 'https://login.example.com:8080/auth/'
|
||||
|
||||
storage:
|
||||
encryption_key: a_not_so_secure_encryption_key
|
||||
encryption_key: 'a_not_so_secure_encryption_key'
|
||||
local:
|
||||
path: /config/db.sqlite
|
||||
path: '/config/db.sqlite'
|
||||
|
||||
access_control:
|
||||
default_policy: bypass
|
||||
default_policy: 'bypass'
|
||||
rules:
|
||||
- domain: "public.example.com"
|
||||
policy: bypass
|
||||
- domain: "admin.example.com"
|
||||
policy: two_factor
|
||||
- domain: "secure.example.com"
|
||||
policy: two_factor
|
||||
- domain: "singlefactor.example.com"
|
||||
policy: one_factor
|
||||
- domain: 'public.example.com'
|
||||
policy: 'bypass'
|
||||
- domain: 'admin.example.com'
|
||||
policy: 'two_factor'
|
||||
- domain: 'secure.example.com'
|
||||
policy: 'two_factor'
|
||||
- domain: 'singlefactor.example.com'
|
||||
policy: 'one_factor'
|
||||
|
||||
notifier:
|
||||
smtp:
|
||||
address: 'smtp://smtp:1025'
|
||||
sender: admin@example.com
|
||||
disable_require_tls: true
|
||||
sender: 'admin@example.com'
|
||||
disable_require_tls: 'true'
|
||||
...
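Review bot: `disable_require_tls: 'true'` in the notifier hunk quotes a boolean, so the loader now receives the string `'true'` instead of `true`; the same option stays a bare boolean in the other configurations of this commit, and this form only works if the config loader weakly coerces strings to booleans. Keep it as `disable_require_tls: true`. Note also that this file sets `default_policy: 'bypass'`, meaning any domain without a matching rule is served unauthenticated; that may be intentional for a path-prefix fixture, but a comment such as `# Test fixture: unmatched domains are intentionally unauthenticated.` would make it explicit.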
|
||||
|
|
|
@ -8,28 +8,28 @@
|
|||
# List of users
|
||||
users:
|
||||
john:
|
||||
displayname: "John Doe"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: john.doe@authelia.com
|
||||
displayname: 'John Doe'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'john.doe@authelia.com'
|
||||
groups:
|
||||
- admins
|
||||
- dev
|
||||
- 'admins'
|
||||
- 'dev'
|
||||
|
||||
harry:
|
||||
displayname: "Harry Potter"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: harry.potter@authelia.com
|
||||
displayname: 'Harry Potter'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'harry.potter@authelia.com'
|
||||
groups: []
|
||||
|
||||
bob:
|
||||
displayname: "Bob Dylan"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: bob.dylan@authelia.com
|
||||
displayname: 'Bob Dylan'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'bob.dylan@authelia.com'
|
||||
groups:
|
||||
- dev
|
||||
- 'dev'
|
||||
|
||||
james:
|
||||
displayname: "James Dean"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: james.dean@authelia.com
|
||||
displayname: 'James Dean'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'james.dean@authelia.com'
|
||||
...
|
||||
|
|
|
@ -3,34 +3,34 @@
|
|||
# Authelia minimal configuration #
|
||||
###############################################################
|
||||
|
||||
jwt_secret: very_important_secret
|
||||
default_redirection_url: https://home.example.com:8080/
|
||||
jwt_secret: 'very_important_secret'
|
||||
default_redirection_url: 'https://home.example.com:8080/'
|
||||
|
||||
server:
|
||||
address: 'tcp://:9091'
|
||||
tls:
|
||||
certificate: /pki/public.backend.crt
|
||||
key: /pki/private.backend.pem
|
||||
certificate: '/pki/public.backend.crt'
|
||||
key: '/pki/private.backend.pem'
|
||||
|
||||
log:
|
||||
level: debug
|
||||
level: 'debug'
|
||||
|
||||
authentication_backend:
|
||||
file:
|
||||
path: /config/users.yml
|
||||
path: '/config/users.yml'
|
||||
|
||||
session:
|
||||
secret: unsecure_session_secret
|
||||
expiration: 3600 # 1 hour
|
||||
inactivity: 300 # 5 minutes
|
||||
remember_me: 1y
|
||||
secret: 'unsecure_session_secret'
|
||||
expiration: '1h' # 1 hour
|
||||
inactivity: '5m' # 5 minutes
|
||||
remember_me: '1y'
|
||||
cookies:
|
||||
- domain: 'example.com'
|
||||
authelia_url: 'https://login.example.com:8080'
|
||||
|
||||
# Configuration of the storage backend used to store data and secrets. i.e. totp data
|
||||
storage:
|
||||
encryption_key: a_not_so_secure_encryption_key
|
||||
encryption_key: 'a_not_so_secure_encryption_key'
|
||||
postgres:
|
||||
address: 'tcp://postgres:5432'
|
||||
database: 'authelia'
|
||||
|
@ -42,19 +42,19 @@ storage:
|
|||
# This will be the issuer name displayed in Google Authenticator
|
||||
# See: https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names
|
||||
totp:
|
||||
issuer: example.com
|
||||
issuer: 'example.com'
|
||||
|
||||
access_control:
|
||||
default_policy: deny
|
||||
default_policy: 'deny'
|
||||
rules:
|
||||
- domain: "public.example.com"
|
||||
policy: bypass
|
||||
- domain: "admin.example.com"
|
||||
policy: two_factor
|
||||
- domain: "secure.example.com"
|
||||
policy: two_factor
|
||||
- domain: "singlefactor.example.com"
|
||||
policy: one_factor
|
||||
- domain: 'public.example.com'
|
||||
policy: 'bypass'
|
||||
- domain: 'admin.example.com'
|
||||
policy: 'two_factor'
|
||||
- domain: 'secure.example.com'
|
||||
policy: 'two_factor'
|
||||
- domain: 'singlefactor.example.com'
|
||||
policy: 'one_factor'
|
||||
|
||||
# Configuration of the authentication regulation mechanism.
|
||||
regulation:
|
||||
|
@ -62,7 +62,7 @@ regulation:
|
|||
max_retries: 3
|
||||
|
||||
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
|
||||
find_time: 8
|
||||
find_time: '8s'
|
||||
|
||||
# The length of time before a banned user can login again.
|
||||
ban_time: 10
|
||||
|
@ -71,6 +71,6 @@ notifier:
|
|||
# Use a SMTP server for sending notifications
|
||||
smtp:
|
||||
address: 'smtp://smtp:1025'
|
||||
sender: admin@example.com
|
||||
disable_require_tls: true
|
||||
sender: 'admin@example.com'
|
||||
disable_require_tls: 'true'
|
||||
...
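Review bot: `disable_require_tls: 'true'` in the final hunk quotes a boolean, so the loader receives the string `'true'` rather than `true`; elsewhere in this commit the option is left as a bare boolean, and relying on weak type coercion here is fragile. Revert it to `disable_require_tls: true`. In the regulation hunk `find_time: 8` became `find_time: '8s'` while `ban_time: 10` on the following context line keeps the bare-integer form, so two sibling durations now use different notations; either `ban_time: '10s'` or leaving both numeric keeps the block consistent.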
|
||||
|
|
|
@ -8,28 +8,28 @@
|
|||
# List of users
|
||||
users:
|
||||
john:
|
||||
displayname: "John Doe"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: john.doe@authelia.com
|
||||
displayname: 'John Doe'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'john.doe@authelia.com'
|
||||
groups:
|
||||
- admins
|
||||
- dev
|
||||
- 'admins'
|
||||
- 'dev'
|
||||
|
||||
harry:
|
||||
displayname: "Harry Potter"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: harry.potter@authelia.com
|
||||
displayname: 'Harry Potter'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'harry.potter@authelia.com'
|
||||
groups: []
|
||||
|
||||
bob:
|
||||
displayname: "Bob Dylan"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: bob.dylan@authelia.com
|
||||
displayname: 'Bob Dylan'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'bob.dylan@authelia.com'
|
||||
groups:
|
||||
- dev
|
||||
- 'dev'
|
||||
|
||||
james:
|
||||
displayname: "James Dean"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: james.dean@authelia.com
|
||||
displayname: 'James Dean'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'james.dean@authelia.com'
|
||||
...
|
||||
|
|
|
@ -3,81 +3,81 @@
|
|||
# Authelia minimal configuration #
|
||||
###############################################################
|
||||
|
||||
jwt_secret: unsecure_secret
|
||||
default_redirection_url: https://home.example.com:8080/
|
||||
jwt_secret: 'unsecure_secret'
|
||||
default_redirection_url: 'https://home.example.com:8080/'
|
||||
|
||||
server:
|
||||
address: 'tcp://:9091'
|
||||
tls:
|
||||
certificate: /pki/public.backend.crt
|
||||
key: /pki/private.backend.pem
|
||||
certificate: '/pki/public.backend.crt'
|
||||
key: '/pki/private.backend.pem'
|
||||
|
||||
log:
|
||||
level: debug
|
||||
level: 'debug'
|
||||
|
||||
authentication_backend:
|
||||
file:
|
||||
path: /config/users.yml
|
||||
path: '/config/users.yml'
|
||||
|
||||
session:
|
||||
secret: unsecure_session_secret
|
||||
secret: 'unsecure_session_secret'
|
||||
cookies:
|
||||
- name: 'authelia_sessin'
|
||||
domain: 'example.com'
|
||||
authelia_url: 'https://login.example.com:8080'
|
||||
inactivity: 5
|
||||
expiration: 8
|
||||
remember_me: 1y
|
||||
expiration: '8s'
|
||||
remember_me: '1y'
|
||||
|
||||
storage:
|
||||
encryption_key: a_not_so_secure_encryption_key
|
||||
encryption_key: 'a_not_so_secure_encryption_key'
|
||||
local:
|
||||
path: /config/db.sqlite
|
||||
path: '/config/db.sqlite'
|
||||
|
||||
totp:
|
||||
issuer: example.com
|
||||
issuer: 'example.com'
|
||||
|
||||
access_control:
|
||||
default_policy: deny
|
||||
default_policy: 'deny'
|
||||
|
||||
rules:
|
||||
- domain: singlefactor.example.com
|
||||
policy: one_factor
|
||||
- domain: 'singlefactor.example.com'
|
||||
policy: 'one_factor'
|
||||
|
||||
- domain: "*.example.com"
|
||||
subject: "group:admins"
|
||||
policy: two_factor
|
||||
- domain: '*.example.com'
|
||||
subject: 'group:admins'
|
||||
policy: 'two_factor'
|
||||
|
||||
- domain: dev.example.com
|
||||
- domain: 'dev.example.com'
|
||||
resources:
|
||||
- "^/users/john/.*$"
|
||||
subject: "user:john"
|
||||
policy: two_factor
|
||||
- '^/users/john/.*$'
|
||||
subject: 'user:john'
|
||||
policy: 'two_factor'
|
||||
|
||||
- domain: dev.example.com
|
||||
- domain: 'dev.example.com'
|
||||
resources:
|
||||
- "^/users/harry/.*$"
|
||||
subject: "user:harry"
|
||||
policy: two_factor
|
||||
- '^/users/harry/.*$'
|
||||
subject: 'user:harry'
|
||||
policy: 'two_factor'
|
||||
|
||||
- domain: "*.mail.example.com"
|
||||
subject: "user:bob"
|
||||
policy: two_factor
|
||||
- domain: '*.mail.example.com'
|
||||
subject: 'user:bob'
|
||||
policy: 'two_factor'
|
||||
|
||||
- domain: dev.example.com
|
||||
- domain: 'dev.example.com'
|
||||
resources:
|
||||
- "^/users/bob/.*$"
|
||||
subject: "user:bob"
|
||||
policy: two_factor
|
||||
- '^/users/bob/.*$'
|
||||
subject: 'user:bob'
|
||||
policy: 'two_factor'
|
||||
|
||||
regulation:
|
||||
max_retries: 3
|
||||
find_time: 5
|
||||
find_time: '5s'
|
||||
ban_time: 10
|
||||
|
||||
notifier:
|
||||
smtp:
|
||||
address: 'smtp://smtp:1025'
|
||||
sender: admin@example.com
|
||||
sender: 'admin@example.com'
|
||||
disable_require_tls: true
|
||||
...
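Review bot: In the session cookie block `expiration: 8` became `expiration: '8s'` but `inactivity: 5` on the line above stays a bare integer, and in the regulation block `find_time: '5s'` now sits next to an untouched `ban_time: 10`, so duration notation is mixed within the same blocks; `inactivity: '5s'` and `ban_time: '10s'` would complete the conversion. The cookie `name: 'authelia_sessin'` in the same block looks like a typo for `authelia_session`; it is unchanged context and may be a deliberate custom name for this suite, but it is worth confirming, since a misspelled cookie name is easy to miss when debugging session behaviour.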
|
||||
|
|
|
@ -8,28 +8,28 @@
|
|||
# List of users
|
||||
users:
|
||||
john:
|
||||
displayname: "John Doe"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: john.doe@authelia.com
|
||||
displayname: 'John Doe'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'john.doe@authelia.com'
|
||||
groups:
|
||||
- admins
|
||||
- dev
|
||||
- 'admins'
|
||||
- 'dev'
|
||||
|
||||
harry:
|
||||
displayname: "Harry Potter"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: harry.potter@authelia.com
|
||||
displayname: 'Harry Potter'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'harry.potter@authelia.com'
|
||||
groups: []
|
||||
|
||||
bob:
|
||||
displayname: "Bob Dylan"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: bob.dylan@authelia.com
|
||||
displayname: 'Bob Dylan'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'bob.dylan@authelia.com'
|
||||
groups:
|
||||
- dev
|
||||
- 'dev'
|
||||
|
||||
james:
|
||||
displayname: "James Dean"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: james.dean@authelia.com
|
||||
displayname: 'James Dean'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'james.dean@authelia.com'
|
||||
...
|
||||
|
|
|
@ -3,103 +3,103 @@
|
|||
# Authelia minimal configuration #
|
||||
###############################################################
|
||||
|
||||
theme: auto
|
||||
theme: 'auto'
|
||||
|
||||
server:
|
||||
address: 'tcp://:9091'
|
||||
tls:
|
||||
certificate: /pki/public.backend.crt
|
||||
key: /pki/private.backend.pem
|
||||
certificate: '/pki/public.backend.crt'
|
||||
key: '/pki/private.backend.pem'
|
||||
|
||||
telemetry:
|
||||
metrics:
|
||||
enabled: true
|
||||
address: tcp://0.0.0.0:9959
|
||||
address: 'tcp://:9959'
|
||||
|
||||
log:
|
||||
level: debug
|
||||
level: 'debug'
|
||||
|
||||
authentication_backend:
|
||||
file:
|
||||
path: /config/users.yml
|
||||
path: '/config/users.yml'
|
||||
|
||||
session:
|
||||
expiration: 3600
|
||||
inactivity: 300
|
||||
remember_me: 1y
|
||||
expiration: '1h'
|
||||
inactivity: '5m'
|
||||
remember_me: '1y'
|
||||
cookies:
|
||||
- domain: 'example.com'
|
||||
authelia_url: 'https://login.example.com:8080'
|
||||
|
||||
storage:
|
||||
encryption_key: a_not_so_secure_encryption_key
|
||||
encryption_key: 'a_not_so_secure_encryption_key'
|
||||
local:
|
||||
path: /tmp/db.sqlite3
|
||||
path: '/tmp/db.sqlite3'
|
||||
|
||||
totp:
|
||||
issuer: example.com
|
||||
issuer: 'example.com'
|
||||
|
||||
access_control:
|
||||
default_policy: deny
|
||||
default_policy: 'deny'
|
||||
|
||||
rules:
|
||||
- domain: singlefactor.example.com
|
||||
policy: one_factor
|
||||
- domain: 'singlefactor.example.com'
|
||||
policy: 'one_factor'
|
||||
|
||||
- domain: public.example.com
|
||||
policy: bypass
|
||||
- domain: 'public.example.com'
|
||||
policy: 'bypass'
|
||||
|
||||
- domain: secure.example.com
|
||||
policy: bypass
|
||||
- domain: 'secure.example.com'
|
||||
policy: 'bypass'
|
||||
methods:
|
||||
- OPTIONS
|
||||
- 'OPTIONS'
|
||||
|
||||
- domain: secure.example.com
|
||||
policy: two_factor
|
||||
- domain: 'secure.example.com'
|
||||
policy: 'two_factor'
|
||||
|
||||
- domain: "*.example.com"
|
||||
subject: "group:admins"
|
||||
policy: two_factor
|
||||
- domain: '*.example.com'
|
||||
subject: 'group:admins'
|
||||
policy: 'two_factor'
|
||||
|
||||
- domain: dev.example.com
|
||||
- domain: 'dev.example.com'
|
||||
resources:
|
||||
- "^/users/john/.*$"
|
||||
subject: "user:john"
|
||||
policy: two_factor
|
||||
- '^/users/john/.*$'
|
||||
subject: 'user:john'
|
||||
policy: 'two_factor'
|
||||
|
||||
- domain: dev.example.com
|
||||
- domain: 'dev.example.com'
|
||||
resources:
|
||||
- "^/users/harry/.*$"
|
||||
subject: "user:harry"
|
||||
policy: two_factor
|
||||
- '^/users/harry/.*$'
|
||||
subject: 'user:harry'
|
||||
policy: 'two_factor'
|
||||
|
||||
- domain: "*.mail.example.com"
|
||||
subject: "user:bob"
|
||||
policy: two_factor
|
||||
- domain: '*.mail.example.com'
|
||||
subject: 'user:bob'
|
||||
policy: 'two_factor'
|
||||
|
||||
- domain: dev.example.com
|
||||
- domain: 'dev.example.com'
|
||||
resources:
|
||||
- "^/users/bob/.*$"
|
||||
subject: "user:bob"
|
||||
policy: two_factor
|
||||
- '^/users/bob/.*$'
|
||||
subject: 'user:bob'
|
||||
policy: 'two_factor'
|
||||
|
||||
|
||||
regulation:
|
||||
# Set it to 0 to disable max_retries.
|
||||
max_retries: 3
|
||||
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
|
||||
find_time: 300
|
||||
find_time: '5m'
|
||||
# The length of time before a banned user can login again.
|
||||
ban_time: 900
|
||||
ban_time: '15m'
|
||||
|
||||
notifier:
|
||||
smtp:
|
||||
address: 'smtp://smtp:1025'
|
||||
sender: admin@example.com
|
||||
sender: 'admin@example.com'
|
||||
disable_require_tls: true
|
||||
ntp:
|
||||
## NTP server address
|
||||
address: "time.cloudflare.com:123"
|
||||
address: 'time.cloudflare.com:123'
|
||||
## ntp version
|
||||
version: 4
|
||||
## "maximum desynchronization" is the allowed offset time between the host and the ntp server
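Review bot: The telemetry listener change `address: 'tcp://:9959'` is a behaviour change hidden inside a quoting refactor: the old `tcp://0.0.0.0:9959` bound the IPv4 wildcard, whereas an empty host is normally bound on every interface, IPv6 included, so the metrics port may become reachable on addresses it was not before. If the intent is only to add quotes, keep `address: 'tcp://0.0.0.0:9959'`; if the wider bind is wanted, say so in the commit message. Separately, the comment above `find_time` still says "in a `find_time` seconds window" although the value is now the duration string `'5m'`; change it to `# The user is banned if authentication failed max_retries times within a find_time window (a duration such as '5m').`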
|
||||
|
|
|
@ -3,12 +3,12 @@ version: '3'
|
|||
services:
|
||||
authelia-backend:
|
||||
environment:
|
||||
- AUTHELIA_JWT_SECRET_FILE=/tmp/authelia/StandaloneSuite/jwt
|
||||
- AUTHELIA_SESSION_SECRET_FILE=/tmp/authelia/StandaloneSuite/session
|
||||
- 'AUTHELIA_JWT_SECRET_FILE=/tmp/authelia/StandaloneSuite/jwt'
|
||||
- 'AUTHELIA_SESSION_SECRET_FILE=/tmp/authelia/StandaloneSuite/session'
|
||||
volumes:
|
||||
- './Standalone/configuration.yml:/config/configuration.yml:ro'
|
||||
- './Standalone/users.yml:/config/users.yml'
|
||||
- './common/pki:/pki:ro'
|
||||
- '/tmp:/tmp'
|
||||
user: ${USER_ID}:${GROUP_ID}
|
||||
user: '${USER_ID}:${GROUP_ID}'
|
||||
...
|
||||
|
|
|
@ -8,28 +8,28 @@
|
|||
# List of users
|
||||
users:
|
||||
john:
|
||||
displayname: "John Doe"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: john.doe@authelia.com
|
||||
displayname: 'John Doe'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'john.doe@authelia.com'
|
||||
groups:
|
||||
- admins
|
||||
- dev
|
||||
- 'admins'
|
||||
- 'dev'
|
||||
|
||||
harry:
|
||||
displayname: "Harry Potter"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: harry.potter@authelia.com
|
||||
displayname: 'Harry Potter'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'harry.potter@authelia.com'
|
||||
groups: []
|
||||
|
||||
bob:
|
||||
displayname: "Bob Dylan"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: bob.dylan@authelia.com
|
||||
displayname: 'Bob Dylan'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'bob.dylan@authelia.com'
|
||||
groups:
|
||||
- dev
|
||||
- 'dev'
|
||||
|
||||
james:
|
||||
displayname: "James Dean"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: james.dean@authelia.com
|
||||
displayname: 'James Dean'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'james.dean@authelia.com'
|
||||
...
|
||||
|
|
|
@ -3,51 +3,51 @@
|
|||
# Authelia minimal configuration #
|
||||
###############################################################
|
||||
|
||||
jwt_secret: unsecure_secret
|
||||
jwt_secret: 'unsecure_secret'
|
||||
|
||||
server:
|
||||
address: 'tcp://:9091'
|
||||
asset_path: '/config/assets/'
|
||||
tls:
|
||||
certificate: /pki/public.backend.crt
|
||||
key: /pki/private.backend.pem
|
||||
certificate: '/pki/public.backend.crt'
|
||||
key: '/pki/private.backend.pem'
|
||||
|
||||
log:
|
||||
level: debug
|
||||
level: 'debug'
|
||||
|
||||
authentication_backend:
|
||||
file:
|
||||
path: /config/users.yml
|
||||
path: '/config/users.yml'
|
||||
|
||||
session:
|
||||
secret: unsecure_session_secret
|
||||
expiration: 3600 # 1 hour
|
||||
inactivity: 300 # 5 minutes
|
||||
remember_me: 1y
|
||||
secret: 'unsecure_session_secret'
|
||||
expiration: '1h' # 1 hour
|
||||
inactivity: '5m' # 5 minutes
|
||||
remember_me: '1y'
|
||||
cookies:
|
||||
- domain: 'example.com'
|
||||
authelia_url: 'https://login.example.com:8080'
|
||||
|
||||
storage:
|
||||
encryption_key: a_not_so_secure_encryption_key
|
||||
encryption_key: 'a_not_so_secure_encryption_key'
|
||||
local:
|
||||
path: /config/db.sqlite
|
||||
path: '/config/db.sqlite'
|
||||
|
||||
access_control:
|
||||
default_policy: bypass
|
||||
default_policy: 'bypass'
|
||||
rules:
|
||||
- domain: "public.example.com"
|
||||
policy: bypass
|
||||
- domain: "admin.example.com"
|
||||
policy: two_factor
|
||||
- domain: "secure.example.com"
|
||||
policy: two_factor
|
||||
- domain: "singlefactor.example.com"
|
||||
policy: one_factor
|
||||
- domain: 'public.example.com'
|
||||
policy: 'bypass'
|
||||
- domain: 'admin.example.com'
|
||||
policy: 'two_factor'
|
||||
- domain: 'secure.example.com'
|
||||
policy: 'two_factor'
|
||||
- domain: 'singlefactor.example.com'
|
||||
policy: 'one_factor'
|
||||
|
||||
notifier:
|
||||
smtp:
|
||||
address: 'smtp://smtp:1025'
|
||||
sender: admin@example.com
|
||||
sender: 'admin@example.com'
|
||||
disable_require_tls: true
|
||||
...
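Review bot: The trailing comments on `expiration: '1h' # 1 hour` and `inactivity: '5m' # 5 minutes` now merely restate the value; they were useful when the values were the bare integers `3600` and `300`, but with duration strings they are noise and will drift if someone edits the value without the comment. Drop them: `expiration: '1h'` and `inactivity: '5m'`. The same two lines appear in the next configuration.yml section (`@ -3,58 +3,58 @@`) and should be treated the same way.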
|
||||
|
|
|
@ -8,28 +8,28 @@
|
|||
# List of users
|
||||
users:
|
||||
john:
|
||||
displayname: "John Doe"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: john.doe@authelia.com
|
||||
displayname: 'John Doe'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'john.doe@authelia.com'
|
||||
groups:
|
||||
- admins
|
||||
- dev
|
||||
- 'admins'
|
||||
- 'dev'
|
||||
|
||||
harry:
|
||||
displayname: "Harry Potter"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: harry.potter@authelia.com
|
||||
displayname: 'Harry Potter'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'harry.potter@authelia.com'
|
||||
groups: []
|
||||
|
||||
bob:
|
||||
displayname: "Bob Dylan"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: bob.dylan@authelia.com
|
||||
displayname: 'Bob Dylan'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'bob.dylan@authelia.com'
|
||||
groups:
|
||||
- dev
|
||||
- 'dev'
|
||||
|
||||
james:
|
||||
displayname: "James Dean"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: james.dean@authelia.com
|
||||
displayname: 'James Dean'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'james.dean@authelia.com'
|
||||
...
|
||||
|
|
|
@ -3,58 +3,58 @@
|
|||
# Authelia minimal configuration #
|
||||
###############################################################
|
||||
|
||||
jwt_secret: unsecure_secret
|
||||
jwt_secret: 'unsecure_secret'
|
||||
|
||||
server:
|
||||
address: 'tcp://:9091'
|
||||
asset_path: '/config/assets/'
|
||||
tls:
|
||||
certificate: /pki/public.backend.crt
|
||||
key: /pki/private.backend.pem
|
||||
certificate: '/pki/public.backend.crt'
|
||||
key: '/pki/private.backend.pem'
|
||||
endpoints:
|
||||
authz:
|
||||
forward-auth:
|
||||
implementation: ForwardAuth
|
||||
implementation: 'ForwardAuth'
|
||||
authn_strategies: []
|
||||
|
||||
log:
|
||||
level: debug
|
||||
level: 'debug'
|
||||
|
||||
authentication_backend:
|
||||
file:
|
||||
path: /config/users.yml
|
||||
path: '/config/users.yml'
|
||||
|
||||
session:
|
||||
secret: unsecure_session_secret
|
||||
expiration: 3600 # 1 hour
|
||||
inactivity: 300 # 5 minutes
|
||||
remember_me: 1y
|
||||
secret: 'unsecure_session_secret'
|
||||
expiration: '1h' # 1 hour
|
||||
inactivity: '5m' # 5 minutes
|
||||
remember_me: '1y'
|
||||
cookies:
|
||||
- domain: 'example.com'
|
||||
authelia_url: 'https://login.example.com:8080'
|
||||
|
||||
redis:
|
||||
host: redis
|
||||
host: 'redis'
|
||||
port: 6379
|
||||
username: authelia
|
||||
password: redis-user-password
|
||||
username: 'authelia'
|
||||
password: 'redis-user-password'
|
||||
|
||||
storage:
|
||||
encryption_key: a_not_so_secure_encryption_key
|
||||
encryption_key: 'a_not_so_secure_encryption_key'
|
||||
local:
|
||||
path: /config/db.sqlite
|
||||
path: '/config/db.sqlite'
|
||||
|
||||
access_control:
|
||||
default_policy: bypass
|
||||
default_policy: 'bypass'
|
||||
rules:
|
||||
- domain: "public.example.com"
|
||||
policy: bypass
|
||||
- domain: "admin.example.com"
|
||||
policy: two_factor
|
||||
- domain: "secure.example.com"
|
||||
policy: two_factor
|
||||
- domain: "singlefactor.example.com"
|
||||
policy: one_factor
|
||||
- domain: 'public.example.com'
|
||||
policy: 'bypass'
|
||||
- domain: 'admin.example.com'
|
||||
policy: 'two_factor'
|
||||
- domain: 'secure.example.com'
|
||||
policy: 'two_factor'
|
||||
- domain: 'singlefactor.example.com'
|
||||
policy: 'one_factor'
|
||||
|
||||
ntp:
|
||||
version: 3
|
||||
|
@ -62,6 +62,6 @@ ntp:
|
|||
notifier:
|
||||
smtp:
|
||||
address: 'smtp://smtp:1025'
|
||||
sender: admin@example.com
|
||||
sender: 'admin@example.com'
|
||||
disable_require_tls: true
|
||||
...
|
||||
|
|
|
@ -8,28 +8,28 @@
|
|||
# List of users
|
||||
users:
|
||||
john:
|
||||
displayname: "John Doe"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: john.doe@authelia.com
|
||||
displayname: 'John Doe'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'john.doe@authelia.com'
|
||||
groups:
|
||||
- admins
|
||||
- dev
|
||||
- 'admins'
|
||||
- 'dev'
|
||||
|
||||
harry:
|
||||
displayname: "Harry Potter"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: harry.potter@authelia.com
|
||||
displayname: 'Harry Potter'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'harry.potter@authelia.com'
|
||||
groups: []
|
||||
|
||||
bob:
|
||||
displayname: "Bob Dylan"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: bob.dylan@authelia.com
|
||||
displayname: 'Bob Dylan'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'bob.dylan@authelia.com'
|
||||
groups:
|
||||
- dev
|
||||
- 'dev'
|
||||
|
||||
james:
|
||||
displayname: "James Dean"
|
||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
||||
email: james.dean@authelia.com
|
||||
displayname: 'James Dean'
|
||||
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||
email: 'james.dean@authelia.com'
|
||||
...
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
version: '3'
|
||||
networks:
|
||||
authelianet:
|
||||
driver: bridge
|
||||
driver: 'bridge'
|
||||
ipam:
|
||||
config:
|
||||
- subnet: 192.168.240.0/24
|
||||
|
|
|
@ -3,18 +3,18 @@ version: '3'
|
|||
services:
|
||||
authelia-backend:
|
||||
build:
|
||||
context: example/compose/authelia
|
||||
dockerfile: Dockerfile.backend
|
||||
context: 'example/compose/authelia'
|
||||
dockerfile: 'Dockerfile.backend'
|
||||
args:
|
||||
USER_ID: ${USER_ID}
|
||||
GROUP_ID: ${GROUP_ID}
|
||||
USER_ID: '${USER_ID}'
|
||||
GROUP_ID: '${GROUP_ID}'
|
||||
security_opt:
|
||||
- seccomp:unconfined
|
||||
- apparmor:unconfined
|
||||
command: /resources/entrypoint-backend.sh
|
||||
working_dir: /app
|
||||
command: '/resources/entrypoint-backend.sh'
|
||||
working_dir: '/app'
|
||||
cap_add:
|
||||
- SYS_PTRACE
|
||||
- 'SYS_PTRACE'
|
||||
volumes:
|
||||
- './example/compose/authelia/resources/:/resources'
|
||||
- '../..:/app'
|
||||
|
@ -30,7 +30,7 @@ services:
|
|||
- 'traefik.http.routers.authelia_backend.tls=true'
|
||||
- 'traefik.http.services.authelia_backend.loadbalancer.server.scheme=https'
|
||||
environment:
|
||||
- ENVIRONMENT=dev
|
||||
ENVIRONMENT: 'dev'
|
||||
networks:
|
||||
authelianet:
|
||||
ipv4_address: 192.168.240.50
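Review bot: The `security_opt` entries `seccomp:unconfined` and `apparmor:unconfined` in the first hunk are left as plain scalars while the neighbouring `cap_add` item becomes `'SYS_PTRACE'`, so the file ends up only half converted to the commit's single-quoted style; write them as `- 'seccomp:unconfined'` and `- 'apparmor:unconfined'`. The same half-conversion recurs in the compose sections that follow: the unquoted bind-mount entries in the caddy, duo-api, envoy, haproxy, nginx-backend, nginx-portal, oidc-client and redis hunks, and the `- 9090:80` port mapping in the openldap-admin hunk. Port mappings are the one place where the quoting matters for more than style, since a YAML 1.1 loader reads an unquoted `a:b` with both parts below 60 as a base-60 integer, so `- '9090:80'` is worth doing even if the mounts are left alone.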
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
version: '3'
|
||||
services:
|
||||
authelia-backend:
|
||||
image: authelia:dist
|
||||
image: 'authelia:dist'
|
||||
labels:
|
||||
# Traefik 1.x
|
||||
- 'traefik.frontend.rule=Host:login.example.com'
|
||||
|
@ -18,8 +18,8 @@ services:
|
|||
volumes:
|
||||
- '../..:/authelia'
|
||||
environment:
|
||||
- ENVIRONMENT=dev
|
||||
restart: always
|
||||
ENVIRONMENT: 'dev'
|
||||
restart: 'always'
|
||||
networks:
|
||||
authelianet:
|
||||
ipv4_address: 192.168.240.50
|
||||
|
|
|
@ -3,13 +3,13 @@ version: '3'
|
|||
services:
|
||||
authelia-frontend:
|
||||
build:
|
||||
context: example/compose/authelia
|
||||
dockerfile: Dockerfile.frontend
|
||||
context: 'example/compose/authelia'
|
||||
dockerfile: 'Dockerfile.frontend'
|
||||
args:
|
||||
USER_ID: ${USER_ID}
|
||||
GROUP_ID: ${GROUP_ID}
|
||||
USER_ID: '${USER_ID}'
|
||||
GROUP_ID: '${GROUP_ID}'
|
||||
command: '/resources/entrypoint-frontend.sh'
|
||||
working_dir: /app
|
||||
working_dir: '/app'
|
||||
stdin_open: true
|
||||
volumes:
|
||||
- './example/compose/authelia/resources/:/resources'
|
||||
|
@ -24,7 +24,7 @@ services:
|
|||
- 'traefik.http.routers.authelia_frontend.entrypoints=https'
|
||||
- 'traefik.http.routers.authelia_frontend.tls=true'
|
||||
environment:
|
||||
- VITE_BASEPATH=${PathPrefix}
|
||||
VITE_BASEPATH: '${PathPrefix}'
|
||||
networks:
|
||||
- authelianet
|
||||
- 'authelianet'
|
||||
...
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
version: '3'
|
||||
services:
|
||||
authelia-frontend:
|
||||
image: nginx:alpine
|
||||
image: 'nginx:alpine'
|
||||
volumes:
|
||||
- './example/compose/authelia/resources/nginx.conf:/etc/nginx/nginx.conf'
|
||||
labels:
|
||||
|
@ -15,7 +15,7 @@ services:
|
|||
- 'traefik.http.routers.authelia_frontend.tls=true'
|
||||
- 'traefik.http.services.authelia_frontend.loadbalancer.server.port=3000'
|
||||
networks:
|
||||
- authelianet
|
||||
- 'authelianet'
|
||||
expose:
|
||||
- 3000
|
||||
...
|
||||
|
|
|
@ -2,8 +2,8 @@
|
|||
version: '3'
|
||||
services:
|
||||
caddy:
|
||||
# build: ./example/compose/caddy/ # used for debugging
|
||||
image: caddy:2.6.4-alpine
|
||||
# build: './example/compose/caddy/ # used for debugging'
|
||||
image: 'caddy:2.6.4-alpine'
|
||||
volumes:
|
||||
- ./example/compose/caddy/Caddyfile:/etc/caddy/Caddyfile
|
||||
networks:
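Review bot: The quoting was applied inside a commented-out line: `# build: './example/compose/caddy/ # used for debugging'` now carries the trailing remark inside the string, so anyone who uncomments it to debug gets a build context of `./example/compose/caddy/ # used for debugging` rather than the directory. Either leave the comment as it was or keep the remark outside the scalar: `# build: './example/compose/caddy/'  # used for debugging`. The `Caddyfile` bind mount two lines below is also still unquoted, unlike the `image:` value above it.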
|
||||
|
|
|
@ -2,9 +2,9 @@
|
|||
version: '3'
|
||||
services:
|
||||
duo-api:
|
||||
image: authelia/integration-duo
|
||||
image: 'authelia/integration-duo'
|
||||
volumes:
|
||||
- ./example/compose/duo-api/duo_api.js:/usr/app/src/duo_api.js
|
||||
networks:
|
||||
- authelianet
|
||||
- 'authelianet'
|
||||
...
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
version: '3'
|
||||
services:
|
||||
envoy:
|
||||
image: envoyproxy/envoy:v1.26.1
|
||||
image: 'envoyproxy/envoy:v1.26.1'
|
||||
volumes:
|
||||
- ./example/compose/envoy/envoy.yaml:/etc/envoy/envoy.yaml
|
||||
- ./common/pki:/pki
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
version: '3'
|
||||
services:
|
||||
haproxy:
|
||||
image: authelia/integration-haproxy
|
||||
image: 'authelia/integration-haproxy'
|
||||
volumes:
|
||||
- ./example/compose/haproxy/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro
|
||||
- ./example/compose/haproxy/http.lua:/usr/local/etc/haproxy/haproxy-lua-http/http.lua
|
||||
|
|
|
@ -2,9 +2,9 @@
|
|||
version: '3'
|
||||
services:
|
||||
httpbin:
|
||||
image: citizenstig/httpbin
|
||||
image: 'citizenstig/httpbin'
|
||||
networks:
|
||||
- authelianet
|
||||
- 'authelianet'
|
||||
labels:
|
||||
# Traefik 1.x
|
||||
- 'traefik.frontend.rule=Host:public.example.com;Path:/headers'
|
||||
|
|
|
@ -2,25 +2,25 @@
|
|||
version: '3'
|
||||
services:
|
||||
k3d:
|
||||
image: ghcr.io/k3d-io/k3d:5.4.9-dind
|
||||
image: 'ghcr.io/k3d-io/k3d:5.4.9-dind'
|
||||
volumes:
|
||||
- './example/kube:/authelia'
|
||||
- './example/kube/authelia/configs/configuration.yml:/configmaps/authelia/configuration.yml'
|
||||
- './common/pki:/configmaps/authelia/ssl'
|
||||
- './example/compose/ldap/ldif:/configmaps/ldap'
|
||||
- './example/compose/nginx/backend:/configmaps/nginx-backend'
|
||||
privileged: true
|
||||
privileged: 'true'
|
||||
networks:
|
||||
authelianet:
|
||||
aliases:
|
||||
- public.example.com
|
||||
- secure.example.com
|
||||
- login.example.com
|
||||
- admin.example.com
|
||||
- dev.example.com
|
||||
- mail.example.com
|
||||
- kubernetes.example.com
|
||||
- traefik.example.com
|
||||
- 'public.example.com'
|
||||
- 'secure.example.com'
|
||||
- 'login.example.com'
|
||||
- 'admin.example.com'
|
||||
- 'dev.example.com'
|
||||
- 'mail.example.com'
|
||||
- 'kubernetes.example.com'
|
||||
- 'traefik.example.com'
|
||||
# Set the IP to be able to query on port 443
|
||||
ipv4_address: 192.168.240.100
|
||||
...
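Review bot: `privileged: 'true'` turns a boolean into the string `true`; the Compose file schema types `privileged` as a boolean, so depending on the implementation this is either rejected at validation or silently coerced, and in both cases it reads as a slip of the quoting pass rather than an intended value. Keep real booleans bare, `privileged: true`, and reserve quoting for values the consumer reads as text. The quoted `'true'`/`'false'` values in the openldap and openldap-admin `environment` maps are fine, since environment variables are strings.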
|
||||
|
|
|
@ -2,12 +2,12 @@
|
|||
version: '3'
|
||||
services:
|
||||
openldap-admin:
|
||||
image: osixia/phpldapadmin:0.9.0
|
||||
image: 'osixia/phpldapadmin:0.9.0'
|
||||
ports:
|
||||
- 9090:80
|
||||
environment:
|
||||
- PHPLDAPADMIN_LDAP_HOSTS=openldap
|
||||
- PHPLDAPADMIN_HTTPS=false
|
||||
PHPLDAPADMIN_LDAP_HOSTS: 'openldap'
|
||||
PHPLDAPADMIN_HTTPS: 'false'
|
||||
networks:
|
||||
- authelianet
|
||||
- 'authelianet'
|
||||
...
|
||||
|
|
|
@ -2,17 +2,17 @@
|
|||
version: '3'
|
||||
services:
|
||||
openldap:
|
||||
image: osixia/openldap:1.5.0
|
||||
hostname: ldap.example.com
|
||||
image: 'osixia/openldap:1.5.0'
|
||||
hostname: 'ldap.example.com'
|
||||
environment:
|
||||
- LDAP_ORGANISATION=MyCompany
|
||||
- LDAP_DOMAIN=example.com
|
||||
- LDAP_ADMIN_PASSWORD=password
|
||||
- LDAP_CONFIG_PASSWORD=password
|
||||
- LDAP_ADDITIONAL_MODULES=memberof
|
||||
- LDAP_ADDITIONAL_SCHEMAS=openldap
|
||||
- LDAP_FORCE_RECONFIGURE=true
|
||||
- LDAP_TLS_VERIFY_CLIENT=try
|
||||
LDAP_ORGANISATION: 'MyCompany'
|
||||
LDAP_DOMAIN: 'example.com'
|
||||
LDAP_ADMIN_PASSWORD: 'password'
|
||||
LDAP_CONFIG_PASSWORD: 'password'
|
||||
LDAP_ADDITIONAL_MODULES: 'memberof'
|
||||
LDAP_ADDITIONAL_SCHEMAS: 'openldap'
|
||||
LDAP_FORCE_RECONFIGURE: 'true'
|
||||
LDAP_TLS_VERIFY_CLIENT: 'try'
|
||||
volumes:
|
||||
- './example/compose/ldap/ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom'
|
||||
command:
|
||||
|
@ -20,5 +20,5 @@ services:
|
|||
- '--loglevel'
|
||||
- 'debug'
|
||||
networks:
|
||||
- authelianet
|
||||
- 'authelianet'
|
||||
...
|
||||
|
|
|
@ -2,12 +2,12 @@
|
|||
version: '3'
|
||||
services:
|
||||
mariadb:
|
||||
image: mariadb:10.11.2
|
||||
image: 'mariadb:10.11.2'
|
||||
environment:
|
||||
- MYSQL_ROOT_PASSWORD=rootpassword
|
||||
- MYSQL_USER=admin
|
||||
- MYSQL_PASSWORD=password
|
||||
- MYSQL_DATABASE=authelia
|
||||
MYSQL_ROOT_PASSWORD: 'rootpassword'
|
||||
MYSQL_USER: 'admin'
|
||||
MYSQL_PASSWORD: 'password'
|
||||
MYSQL_DATABASE: 'authelia'
|
||||
networks:
|
||||
- authelianet
|
||||
- 'authelianet'
|
||||
...
|
||||
|
|
|
@ -2,12 +2,12 @@
|
|||
version: '3'
|
||||
services:
|
||||
mysql:
|
||||
image: mysql:8.0
|
||||
image: 'mysql:8.0'
|
||||
environment:
|
||||
- MYSQL_ROOT_PASSWORD=rootpassword
|
||||
- MYSQL_USER=admin
|
||||
- MYSQL_PASSWORD=password
|
||||
- MYSQL_DATABASE=authelia
|
||||
MYSQL_ROOT_PASSWORD: 'rootpassword'
|
||||
MYSQL_USER: 'admin'
|
||||
MYSQL_PASSWORD: 'password'
|
||||
MYSQL_DATABASE: 'authelia'
|
||||
networks:
|
||||
- authelianet
|
||||
- 'authelianet'
|
||||
...
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
version: '3'
|
||||
services:
|
||||
nginx-backend:
|
||||
image: nginx:alpine
|
||||
image: 'nginx:alpine'
|
||||
labels:
|
||||
# Traefik 1.x
|
||||
- 'traefik.frontend.rule=Host:home.example.com,public.example.com,secure.example.com,admin.example.com,singlefactor.example.com' # yamllint disable-line rule:line-length
|
||||
|
@ -20,5 +20,5 @@ services:
|
|||
- ./example/compose/nginx/backend/html:/usr/share/nginx/html
|
||||
- ./example/compose/nginx/backend/nginx.conf:/etc/nginx/nginx.conf
|
||||
networks:
|
||||
- authelianet
|
||||
- 'authelianet'
|
||||
...
|
||||
|
|
|
@ -2,17 +2,17 @@
|
|||
version: '3'
|
||||
services:
|
||||
nginx-portal:
|
||||
image: nginx:alpine
|
||||
image: 'nginx:alpine'
|
||||
volumes:
|
||||
- ./example/compose/nginx/portal/nginx.conf:/etc/nginx/nginx.conf
|
||||
- ./common/pki:/pki
|
||||
networks:
|
||||
authelianet:
|
||||
aliases:
|
||||
- public.example.com
|
||||
- secure.example.com
|
||||
- login.example.com
|
||||
- duo.example.com
|
||||
- 'public.example.com'
|
||||
- 'secure.example.com'
|
||||
- 'login.example.com'
|
||||
- 'duo.example.com'
|
||||
# Set the IP to be able to query on port 443
|
||||
ipv4_address: 192.168.240.100
|
||||
...
|
||||
|
|
|
@ -2,10 +2,10 @@
|
|||
version: '3'
|
||||
services:
|
||||
oidc-client:
|
||||
image: ghcr.io/authelia/oidc-tester-app:master-aeac7f4
|
||||
command: /entrypoint.sh
|
||||
image: 'ghcr.io/authelia/oidc-tester-app:master-aeac7f4'
|
||||
command: '/entrypoint.sh'
|
||||
depends_on:
|
||||
- authelia-backend
|
||||
- 'authelia-backend'
|
||||
volumes:
|
||||
- ./example/compose/oidc-client/entrypoint.sh:/entrypoint.sh
|
||||
expose:
|
||||
|
@ -17,5 +17,5 @@ services:
|
|||
- 'traefik.http.routers.oidc.tls=true'
|
||||
- 'traefik.http.routers.oidc.middlewares=authelia@docker'
|
||||
networks:
|
||||
- authelianet
|
||||
- 'authelianet'
|
||||
...
|
||||
|
|
|
@ -1,12 +1,12 @@
|
|||
---
|
||||
version: "3"
|
||||
version: '3'
|
||||
services:
|
||||
postgres:
|
||||
image: postgres:15
|
||||
image: 'postgres:15'
|
||||
environment:
|
||||
- POSTGRES_PASSWORD=password
|
||||
- POSTGRES_USER=admin
|
||||
- POSTGRES_DB=authelia
|
||||
POSTGRES_PASSWORD: 'password'
|
||||
POSTGRES_USER: 'admin'
|
||||
POSTGRES_DB: 'authelia'
|
||||
networks:
|
||||
- authelianet
|
||||
- 'authelianet'
|
||||
...
|
||||
|
|
|
@ -2,10 +2,10 @@
|
|||
version: '3'
|
||||
services:
|
||||
redis-node-0:
|
||||
image: redis:7.0-alpine
|
||||
command: /entrypoint.sh master
|
||||
image: 'redis:7.0-alpine'
|
||||
command: '/entrypoint.sh master'
|
||||
expose:
|
||||
- "6379"
|
||||
- '6379'
|
||||
volumes:
|
||||
- ./example/compose/redis/templates:/templates
|
||||
- ./example/compose/redis/users.acl:/data/users.acl
|
||||
|
@ -13,15 +13,15 @@ services:
|
|||
networks:
|
||||
authelianet:
|
||||
aliases:
|
||||
- redis-node-0.example.com
|
||||
- 'redis-node-0.example.com'
|
||||
ipv4_address: 192.168.240.110
|
||||
redis-node-1:
|
||||
image: redis:7.0-alpine
|
||||
command: /entrypoint.sh slave
|
||||
image: 'redis:7.0-alpine'
|
||||
command: '/entrypoint.sh slave'
|
||||
depends_on:
|
||||
- redis-node-0
|
||||
- 'redis-node-0'
|
||||
expose:
|
||||
- "6379"
|
||||
- '6379'
|
||||
volumes:
|
||||
- ./example/compose/redis/templates:/templates
|
||||
- ./example/compose/redis/users.acl:/data/users.acl
|
||||
|
@ -29,15 +29,15 @@ services:
|
|||
networks:
|
||||
authelianet:
|
||||
aliases:
|
||||
- redis-node-1.example.com
|
||||
- 'redis-node-1.example.com'
|
||||
ipv4_address: 192.168.240.111
|
||||
redis-node-2:
|
||||
image: redis:7.0-alpine
|
||||
command: /entrypoint.sh slave
|
||||
image: 'redis:7.0-alpine'
|
||||
command: '/entrypoint.sh slave'
|
||||
depends_on:
|
||||
- redis-node-0
|
||||
- 'redis-node-0'
|
||||
expose:
|
||||
- "6379"
|
||||
- '6379'
|
||||
volumes:
|
||||
- ./example/compose/redis/templates:/templates
|
||||
- ./example/compose/redis/users.acl:/data/users.acl
|
||||
|
@ -45,54 +45,54 @@ services:
|
|||
networks:
|
||||
authelianet:
|
||||
aliases:
|
||||
- redis-node-2.example.com
|
||||
- 'redis-node-2.example.com'
|
||||
ipv4_address: 192.168.240.112
|
||||
redis-sentinel-0:
|
||||
image: redis:7.0-alpine
|
||||
command: /entrypoint.sh sentinel
|
||||
image: 'redis:7.0-alpine'
|
||||
command: '/entrypoint.sh sentinel'
|
||||
depends_on:
|
||||
- redis-node-1
|
||||
- redis-node-2
|
||||
- 'redis-node-1'
|
||||
- 'redis-node-2'
|
||||
expose:
|
||||
- "26379"
|
||||
- '26379'
|
||||
volumes:
|
||||
- ./example/compose/redis/templates:/templates
|
||||
- ./example/compose/redis/entrypoint.sh:/entrypoint.sh
|
||||
networks:
|
||||
authelianet:
|
||||
aliases:
|
||||
- redis-sentinel-0.example.com
|
||||
- 'redis-sentinel-0.example.com'
|
||||
ipv4_address: 192.168.240.120
|
||||
redis-sentinel-1:
|
||||
image: redis:7.0-alpine
|
||||
command: /entrypoint.sh sentinel
|
||||
image: 'redis:7.0-alpine'
|
||||
command: '/entrypoint.sh sentinel'
|
||||
depends_on:
|
||||
- redis-node-1
|
||||
- redis-node-2
|
||||
- 'redis-node-1'
|
||||
- 'redis-node-2'
|
||||
expose:
|
||||
- "26379"
|
||||
- '26379'
|
||||
volumes:
|
||||
- ./example/compose/redis/templates:/templates
|
||||
- ./example/compose/redis/entrypoint.sh:/entrypoint.sh
|
||||
networks:
|
||||
authelianet:
|
||||
aliases:
|
||||
- redis-sentinel-1.example.com
|
||||
- 'redis-sentinel-1.example.com'
|
||||
ipv4_address: 192.168.240.121
|
||||
redis-sentinel-2:
|
||||
image: redis:7.0-alpine
|
||||
command: /entrypoint.sh sentinel
|
||||
image: 'redis:7.0-alpine'
|
||||
command: '/entrypoint.sh sentinel'
|
||||
depends_on:
|
||||
- redis-node-1
|
||||
- redis-node-2
|
||||
- 'redis-node-1'
|
||||
- 'redis-node-2'
|
||||
expose:
|
||||
- "26379"
|
||||
- '26379'
|
||||
volumes:
|
||||
- ./example/compose/redis/templates:/templates
|
||||
- ./example/compose/redis/entrypoint.sh:/entrypoint.sh
|
||||
networks:
|
||||
authelianet:
|
||||
aliases:
|
||||
- redis-sentinel-2.example.com
|
||||
- 'redis-sentinel-2.example.com'
|
||||
ipv4_address: 192.168.240.122
|
||||
...
|
||||
|
|
|
@ -2,14 +2,14 @@
|
|||
version: '3'
|
||||
services:
|
||||
redis:
|
||||
image: redis:7.0-alpine
|
||||
command: /entrypoint.sh master
|
||||
image: 'redis:7.0-alpine'
|
||||
command: '/entrypoint.sh master'
|
||||
expose:
|
||||
- "6379"
|
||||
- '6379'
|
||||
volumes:
|
||||
- ./example/compose/redis/templates:/templates
|
||||
- ./example/compose/redis/users.acl:/data/users.acl
|
||||
- ./example/compose/redis/entrypoint.sh:/entrypoint.sh
|
||||
networks:
|
||||
- authelianet
|
||||
- 'authelianet'
|
||||
...
|
||||
|
|
|
@ -2,16 +2,16 @@
|
|||
version: '3'
|
||||
services:
|
||||
sambaldap:
|
||||
image: authelia/integration-samba
|
||||
image: 'authelia/integration-samba'
|
||||
volumes:
|
||||
- ./example/compose/samba/init.sh:/init.sh
|
||||
cap_add:
|
||||
- SYS_ADMIN
|
||||
hostname: ldap.example.com
|
||||
- 'SYS_ADMIN'
|
||||
hostname: 'ldap.example.com'
|
||||
environment:
|
||||
- DOMAIN=example.com
|
||||
- DOMAINPASS=Password1
|
||||
- NOCOMPLEXITY=true
|
||||
DOMAIN: 'example.com'
|
||||
DOMAINPASS: 'Password1'
|
||||
NOCOMPLEXITY: 'true'
|
||||
networks:
|
||||
- authelianet
|
||||
- 'authelianet'
|
||||
...
|
||||
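Review bot: The samba `environment` block changes form, not just quoting: the `KEY=value` list (`- DOMAIN=example.com`, `- DOMAINPASS=Password1`, `- NOCOMPLEXITY=true`) becomes a mapping, and in mapping form `NOCOMPLEXITY: 'true'` has to stay quoted because an unquoted `true` is a YAML boolean, which Compose has historically rejected in `environment` mappings. Unlike the rest of this change the quotes here carry meaning, so a short comment would protect them from a later "cleanup", e.g. `# mapping form: keep boolean-looking values quoted so Compose receives strings`. The same list-to-mapping conversion appears in the postgres service earlier in this change, whose hunk starts outside this view.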
|
|
|
@ -2,7 +2,7 @@
|
|||
version: '3'
|
||||
services:
|
||||
smtp:
|
||||
image: schickling/mailcatcher
|
||||
image: 'schickling/mailcatcher'
|
||||
ports:
|
||||
- '1025:1025'
|
||||
labels:
|
||||
|
@ -14,5 +14,5 @@ services:
|
|||
- 'traefik.http.routers.mail.tls=true'
|
||||
- 'traefik.http.services.mail.loadbalancer.server.port=1080'
|
||||
networks:
|
||||
- authelianet
|
||||
- 'authelianet'
|
||||
...
|
||||
|
|
|
@ -3,7 +3,7 @@ version: '3'
|
|||
services:
|
||||
# Simulates client 1.
|
||||
client-1:
|
||||
image: sameersbn/squid:3.5.27-1
|
||||
image: 'sameersbn/squid:3.5.27-1'
|
||||
volumes:
|
||||
- ./example/compose/squid/squid.conf:/etc/squid/squid.conf
|
||||
networks:
|
||||
|
@ -11,7 +11,7 @@ services:
|
|||
# Set the IP to be able to query on port 443
|
||||
ipv4_address: 192.168.240.201
|
||||
client-2:
|
||||
image: sameersbn/squid:3.5.27-1
|
||||
image: 'sameersbn/squid:3.5.27-1'
|
||||
volumes:
|
||||
- ./example/compose/squid/squid.conf:/etc/squid/squid.conf
|
||||
networks:
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
version: '3'
|
||||
services:
|
||||
traefik:
|
||||
image: traefik:v1.7.34-alpine
|
||||
image: 'traefik:v1.7.34-alpine'
|
||||
volumes:
|
||||
- '/var/run/docker.sock:/var/run/docker.sock'
|
||||
labels:
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
version: '3'
|
||||
services:
|
||||
traefik:
|
||||
image: traefik:v2.10.1
|
||||
image: 'traefik:v2.10.1'
|
||||
volumes:
|
||||
- '/var/run/docker.sock:/var/run/docker.sock'
|
||||
labels:
|
||||
|
@ -29,9 +29,9 @@ services:
|
|||
networks:
|
||||
authelianet:
|
||||
aliases:
|
||||
- public.example.com
|
||||
- secure.example.com
|
||||
- login.example.com
|
||||
- 'public.example.com'
|
||||
- 'secure.example.com'
|
||||
- 'login.example.com'
|
||||
# Set the IP to be able to query on port 8080
|
||||
ipv4_address: 192.168.240.100
|
||||
...
|
||||
|
|
|
@ -1,138 +1,138 @@
|
|||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
apiVersion: 'apps/v1'
|
||||
kind: 'Deployment'
|
||||
metadata:
|
||||
name: nginx-backend
|
||||
namespace: authelia
|
||||
name: 'nginx-backend'
|
||||
namespace: 'authelia'
|
||||
labels:
|
||||
app: nginx-backend
|
||||
app: 'nginx-backend'
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: nginx-backend
|
||||
app: 'nginx-backend'
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: nginx-backend
|
||||
app: 'nginx-backend'
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx-backend
|
||||
image: nginx:alpine
|
||||
- name: 'nginx-backend'
|
||||
image: 'nginx:alpine'
|
||||
ports:
|
||||
- containerPort: 80
|
||||
volumeMounts:
|
||||
- name: nginx-config
|
||||
mountPath: /etc/nginx/nginx.conf
|
||||
- name: nginx-html
|
||||
mountPath: /usr/share/nginx/html
|
||||
- name: 'nginx-config'
|
||||
mountPath: '/etc/nginx/nginx.conf'
|
||||
- name: 'nginx-html'
|
||||
mountPath: '/usr/share/nginx/html'
|
||||
volumes:
|
||||
- name: nginx-config
|
||||
- name: 'nginx-config'
|
||||
hostPath:
|
||||
path: /configmaps/nginx-backend/nginx.conf
|
||||
type: File
|
||||
- name: nginx-html
|
||||
path: '/configmaps/nginx-backend/nginx.conf'
|
||||
type: 'File'
|
||||
- name: 'nginx-html'
|
||||
hostPath:
|
||||
path: /configmaps/nginx-backend/html
|
||||
type: Directory
|
||||
path: '/configmaps/nginx-backend/html'
|
||||
type: 'Directory'
|
||||
...
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
apiVersion: 'v1'
|
||||
kind: 'Service'
|
||||
metadata:
|
||||
name: nginx-backend-service
|
||||
namespace: authelia
|
||||
name: 'nginx-backend-service'
|
||||
namespace: 'authelia'
|
||||
labels:
|
||||
app: nginx-backend
|
||||
app: 'nginx-backend'
|
||||
spec:
|
||||
selector:
|
||||
app: nginx-backend
|
||||
app: 'nginx-backend'
|
||||
ports:
|
||||
- port: 80
|
||||
name: http
|
||||
name: 'http'
|
||||
- port: 443
|
||||
name: https
|
||||
name: 'https'
|
||||
...
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
apiVersion: 'networking.k8s.io/v1'
|
||||
kind: 'Ingress'
|
||||
metadata:
|
||||
name: nginx-backend-ingress
|
||||
namespace: authelia
|
||||
name: 'nginx-backend-ingress'
|
||||
namespace: 'authelia'
|
||||
annotations:
|
||||
kubernetes.io/ingress.class: traefik
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: websecure
|
||||
traefik.ingress.kubernetes.io/router.middlewares: authelia-forwardauth-authelia@kubernetescrd
|
||||
kubernetes.io/ingress.class: 'traefik'
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: 'websecure'
|
||||
traefik.ingress.kubernetes.io/router.middlewares: 'authelia-forwardauth-authelia@kubernetescrd'
|
||||
spec:
|
||||
rules:
|
||||
- host: home.example.com
|
||||
- host: 'home.example.com'
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
- path: '/'
|
||||
pathType: 'Prefix'
|
||||
backend:
|
||||
service:
|
||||
name: nginx-backend-service
|
||||
name: 'nginx-backend-service'
|
||||
port:
|
||||
number: 80
|
||||
- host: public.example.com
|
||||
- host: 'public.example.com'
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
- path: '/'
|
||||
pathType: 'Prefix'
|
||||
backend:
|
||||
service:
|
||||
name: nginx-backend-service
|
||||
name: 'nginx-backend-service'
|
||||
port:
|
||||
number: 80
|
||||
- host: admin.example.com
|
||||
- host: 'admin.example.com'
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
- path: '/'
|
||||
pathType: 'Prefix'
|
||||
backend:
|
||||
service:
|
||||
name: nginx-backend-service
|
||||
name: 'nginx-backend-service'
|
||||
port:
|
||||
number: 80
|
||||
- host: dev.example.com
|
||||
- host: 'dev.example.com'
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
- path: '/'
|
||||
pathType: 'Prefix'
|
||||
backend:
|
||||
service:
|
||||
name: nginx-backend-service
|
||||
name: 'nginx-backend-service'
|
||||
port:
|
||||
number: 80
|
||||
- host: mx1.mail.example.com
|
||||
- host: 'mx1.mail.example.com'
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
- path: '/'
|
||||
pathType: 'Prefix'
|
||||
backend:
|
||||
service:
|
||||
name: nginx-backend-service
|
||||
name: 'nginx-backend-service'
|
||||
port:
|
||||
number: 80
|
||||
- host: mx2.mail.example.com
|
||||
- host: 'mx2.mail.example.com'
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
- path: '/'
|
||||
pathType: 'Prefix'
|
||||
backend:
|
||||
service:
|
||||
name: nginx-backend-service
|
||||
name: 'nginx-backend-service'
|
||||
port:
|
||||
number: 80
|
||||
- host: singlefactor.example.com
|
||||
- host: 'singlefactor.example.com'
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
- path: '/'
|
||||
pathType: 'Prefix'
|
||||
backend:
|
||||
service:
|
||||
name: nginx-backend-service
|
||||
name: 'nginx-backend-service'
|
||||
port:
|
||||
number: 80
|
||||
...
|
||||
|
|
|
@ -1,145 +1,145 @@
|
|||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
apiVersion: 'apps/v1'
|
||||
kind: 'Deployment'
|
||||
metadata:
|
||||
name: authelia
|
||||
namespace: authelia
|
||||
name: 'authelia'
|
||||
namespace: 'authelia'
|
||||
labels:
|
||||
app: authelia
|
||||
app: 'authelia'
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: authelia
|
||||
app: 'authelia'
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: authelia
|
||||
app: 'authelia'
|
||||
spec:
|
||||
containers:
|
||||
- name: authelia
|
||||
image: authelia:dist
|
||||
- name: 'authelia'
|
||||
image: 'authelia:dist'
|
||||
ports:
|
||||
- containerPort: 443
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
scheme: HTTPS
|
||||
path: /api/health
|
||||
scheme: 'HTTPS'
|
||||
path: '/api/health'
|
||||
port: 443
|
||||
initialDelaySeconds: 3
|
||||
periodSeconds: 3
|
||||
volumeMounts:
|
||||
- name: authelia-config
|
||||
mountPath: /config/configuration.yml
|
||||
- name: 'authelia-config'
|
||||
mountPath: '/config/configuration.yml'
|
||||
readOnly: true
|
||||
- name: authelia-ssl
|
||||
mountPath: /pki
|
||||
- name: 'authelia-ssl'
|
||||
mountPath: '/pki'
|
||||
readOnly: true
|
||||
- name: secrets
|
||||
mountPath: /config/secrets
|
||||
- name: 'secrets'
|
||||
mountPath: '/config/secrets'
|
||||
readOnly: true
|
||||
env:
|
||||
# We set secrets directly here for ease of deployment but all secrets
|
||||
# should be stored in the Kube Vault in production.
|
||||
- name: AUTHELIA_JWT_SECRET_FILE
|
||||
value: /config/secrets/jwt_secret
|
||||
- name: AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE
|
||||
value: /config/secrets/ldap_password
|
||||
- name: AUTHELIA_SESSION_SECRET_FILE
|
||||
value: /config/secrets/session
|
||||
- name: AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE
|
||||
value: /config/secrets/sql_password
|
||||
- name: AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE
|
||||
value: /config/secrets/encryption_key
|
||||
- name: ENVIRONMENT
|
||||
value: dev
|
||||
- name: 'AUTHELIA_JWT_SECRET_FILE'
|
||||
value: '/config/secrets/jwt_secret'
|
||||
- name: 'AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE'
|
||||
value: '/config/secrets/ldap_password'
|
||||
- name: 'AUTHELIA_SESSION_SECRET_FILE'
|
||||
value: '/config/secrets/session'
|
||||
- name: 'AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE'
|
||||
value: '/config/secrets/sql_password'
|
||||
- name: 'AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE'
|
||||
value: '/config/secrets/encryption_key'
|
||||
- name: 'ENVIRONMENT'
|
||||
value: 'dev'
|
||||
volumes:
|
||||
- name: authelia-config
|
||||
- name: 'authelia-config'
|
||||
hostPath:
|
||||
path: /configmaps/authelia/configuration.yml
|
||||
type: File
|
||||
- name: authelia-ssl
|
||||
path: '/configmaps/authelia/configuration.yml'
|
||||
type: 'File'
|
||||
- name: 'authelia-ssl'
|
||||
hostPath:
|
||||
path: /configmaps/authelia/ssl
|
||||
type: Directory
|
||||
- name: secrets
|
||||
path: '/configmaps/authelia/ssl'
|
||||
type: 'Directory'
|
||||
- name: 'secrets'
|
||||
secret:
|
||||
secretName: authelia
|
||||
secretName: 'authelia'
|
||||
items:
|
||||
- key: jwt_secret
|
||||
path: jwt_secret
|
||||
- key: session
|
||||
path: session
|
||||
- key: sql_password
|
||||
path: sql_password
|
||||
- key: ldap_password
|
||||
path: ldap_password
|
||||
- key: encryption_key
|
||||
path: encryption_key
|
||||
- key: 'jwt_secret'
|
||||
path: 'jwt_secret'
|
||||
- key: 'session'
|
||||
path: 'session'
|
||||
- key: 'sql_password'
|
||||
path: 'sql_password'
|
||||
- key: 'ldap_password'
|
||||
path: 'ldap_password'
|
||||
- key: 'encryption_key'
|
||||
path: 'encryption_key'
|
||||
...
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
apiVersion: 'v1'
|
||||
kind: 'Service'
|
||||
metadata:
|
||||
name: authelia-service
|
||||
namespace: authelia
|
||||
name: 'authelia-service'
|
||||
namespace: 'authelia'
|
||||
annotations:
|
||||
traefik.ingress.kubernetes.io/service.serverstransport: authelia-skipverify@kubernetescrd
|
||||
traefik.ingress.kubernetes.io/service.serverstransport: 'authelia-skipverify@kubernetescrd'
|
||||
spec:
|
||||
selector:
|
||||
app: authelia
|
||||
app: 'authelia'
|
||||
ports:
|
||||
- protocol: TCP
|
||||
- protocol: 'TCP'
|
||||
port: 443
|
||||
targetPort: 443
|
||||
...
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
type: Opaque
|
||||
apiVersion: 'v1'
|
||||
kind: 'Secret'
|
||||
type: 'Opaque'
|
||||
metadata:
|
||||
name: authelia
|
||||
namespace: authelia
|
||||
name: 'authelia'
|
||||
namespace: 'authelia'
|
||||
labels:
|
||||
app: authelia
|
||||
app: 'authelia'
|
||||
data:
|
||||
jwt_secret: YW5fdW5zZWN1cmVfc2VjcmV0 # an_unsecure_secret
|
||||
ldap_password: cGFzc3dvcmQ= # password
|
||||
session: dW5zZWN1cmVfcGFzc3dvcmQ= # unsecure_password
|
||||
sql_password: cGFzc3dvcmQ= # password
|
||||
encryption_key: YV9ub3Rfc29fc2VjdXJlX2VuY3J5cHRpb25fa2V5
|
||||
jwt_secret: 'YW5fdW5zZWN1cmVfc2VjcmV0' # an_unsecure_secret
|
||||
ldap_password: 'cGFzc3dvcmQ=' # password
|
||||
session: 'dW5zZWN1cmVfcGFzc3dvcmQ=' # unsecure_password
|
||||
sql_password: 'cGFzc3dvcmQ=' # password
|
||||
encryption_key: 'YV9ub3Rfc29fc2VjdXJlX2VuY3J5cHRpb25fa2V5'
|
||||
...
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
apiVersion: 'networking.k8s.io/v1'
|
||||
kind: 'Ingress'
|
||||
metadata:
|
||||
name: authelia-ingress
|
||||
namespace: authelia
|
||||
name: 'authelia-ingress'
|
||||
namespace: 'authelia'
|
||||
annotations:
|
||||
kubernetes.io/ingress.class: traefik
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: websecure
|
||||
kubernetes.io/ingress.class: 'traefik'
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: 'websecure'
|
||||
spec:
|
||||
rules:
|
||||
- host: login.example.com
|
||||
- host: 'login.example.com'
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
- path: '/'
|
||||
pathType: 'Prefix'
|
||||
backend:
|
||||
service:
|
||||
name: authelia-service
|
||||
name: 'authelia-service'
|
||||
port:
|
||||
number: 443
|
||||
...
|
||||
---
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: Middleware
|
||||
apiVersion: 'traefik.containo.us/v1alpha1'
|
||||
kind: 'Middleware'
|
||||
metadata:
|
||||
name: forwardauth-authelia
|
||||
namespace: authelia
|
||||
name: 'forwardauth-authelia'
|
||||
namespace: 'authelia'
|
||||
labels:
|
||||
app.kubernetes.io/instance: authelia
|
||||
app.kubernetes.io/name: authelia
|
||||
app.kubernetes.io/instance: 'authelia'
|
||||
app.kubernetes.io/name: 'authelia'
|
||||
spec:
|
||||
forwardAuth:
|
||||
address: 'https://authelia-service.authelia.svc.cluster.local/api/authz/forward-auth'
|
||||
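Review bot: The annotation `traefik.ingress.kubernetes.io/service.serverstransport: 'authelia-skipverify@kubernetescrd'` on `authelia-service` is the one line in these manifests with a security consequence — it names a transport that skips certificate verification between Traefik and the Authelia pod — yet it carries no comment, and since the hunk already rewrites the line a one-line rationale would be cheap, e.g. `# skip-verify transport: presumably the certificate mounted from /configmaps/authelia/ssl is not trusted by Traefik — confirm; fixture only`. The `ENVIRONMENT: 'dev'` variable and the `# an_unsecure_secret` style comments in the Secret suggest this is an integration fixture, which is why a comment rather than a change is proposed; the Deployment's env comment already says real secrets belong in a vault, and the same caveat could be referenced for the transport.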
|
|
|
@ -3,108 +3,108 @@
|
|||
# Authelia configuration #
|
||||
###############################################################
|
||||
|
||||
default_redirection_url: https://home.example.com:8080
|
||||
default_redirection_url: 'https://home.example.com:8080'
|
||||
|
||||
server:
|
||||
address: 'tcp://:443'
|
||||
tls:
|
||||
certificate: /pki/public.backend.crt
|
||||
key: /pki/private.backend.pem
|
||||
certificate: '/pki/public.backend.crt'
|
||||
key: '/pki/private.backend.pem'
|
||||
|
||||
log:
|
||||
level: debug
|
||||
level: 'debug'
|
||||
|
||||
authentication_backend:
|
||||
ldap:
|
||||
address: 'ldaps://ldap-service'
|
||||
tls:
|
||||
skip_verify: true
|
||||
base_dn: dc=example,dc=com
|
||||
username_attribute: uid
|
||||
additional_users_dn: ou=users
|
||||
users_filter: (&({username_attribute}={input})(objectClass=person))
|
||||
additional_groups_dn: ou=groups
|
||||
groups_filter: (&(member={dn})(objectClass=groupOfNames))
|
||||
group_name_attribute: cn
|
||||
mail_attribute: mail
|
||||
display_name_attribute: displayName
|
||||
user: cn=admin,dc=example,dc=com
|
||||
base_dn: 'dc=example,dc=com'
|
||||
username_attribute: 'uid'
|
||||
additional_users_dn: 'ou=users'
|
||||
users_filter: '(&({username_attribute}={input})(objectClass=person))'
|
||||
additional_groups_dn: 'ou=groups'
|
||||
groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
|
||||
group_name_attribute: 'cn'
|
||||
mail_attribute: 'mail'
|
||||
display_name_attribute: 'displayName'
|
||||
user: 'cn=admin,dc=example,dc=com'
|
||||
|
||||
access_control:
|
||||
default_policy: deny
|
||||
default_policy: 'deny'
|
||||
|
||||
rules:
|
||||
# Rules applied to everyone
|
||||
- domain: home.example.com
|
||||
policy: bypass
|
||||
- domain: public.example.com
|
||||
policy: bypass
|
||||
- domain: secure.example.com
|
||||
policy: two_factor
|
||||
- domain: singlefactor.example.com
|
||||
policy: one_factor
|
||||
- domain: 'home.example.com'
|
||||
policy: 'bypass'
|
||||
- domain: 'public.example.com'
|
||||
policy: 'bypass'
|
||||
- domain: 'secure.example.com'
|
||||
policy: 'two_factor'
|
||||
- domain: 'singlefactor.example.com'
|
||||
policy: 'one_factor'
|
||||
|
||||
# Rules applied to 'admins' group
|
||||
- domain: "mx2.mail.example.com"
|
||||
subject: "group:admins"
|
||||
policy: deny
|
||||
- domain: "*.example.com"
|
||||
subject: "group:admins"
|
||||
policy: two_factor
|
||||
- domain: 'mx2.mail.example.com'
|
||||
subject: 'group:admins'
|
||||
policy: 'deny'
|
||||
- domain: '*.example.com'
|
||||
subject: 'group:admins'
|
||||
policy: 'two_factor'
|
||||
|
||||
# Rules applied to 'dev' group
|
||||
- domain: dev.example.com
|
||||
- domain: 'dev.example.com'
|
||||
resources:
|
||||
- "^/groups/dev/.*$"
|
||||
subject: "group:dev"
|
||||
policy: two_factor
|
||||
- '^/groups/dev/.*$'
|
||||
subject: 'group:dev'
|
||||
policy: 'two_factor'
|
||||
|
||||
# Rules applied to user 'john'
|
||||
- domain: dev.example.com
|
||||
- domain: 'dev.example.com'
|
||||
resources:
|
||||
- "^/users/john/.*$"
|
||||
subject: "user:john"
|
||||
policy: two_factor
|
||||
- '^/users/john/.*$'
|
||||
subject: 'user:john'
|
||||
policy: 'two_factor'
|
||||
|
||||
# Rules applied to user 'harry'
|
||||
- domain: dev.example.com
|
||||
- domain: 'dev.example.com'
|
||||
resources:
|
||||
- "^/users/harry/.*$"
|
||||
subject: "user:harry"
|
||||
policy: two_factor
|
||||
- '^/users/harry/.*$'
|
||||
subject: 'user:harry'
|
||||
policy: 'two_factor'
|
||||
|
||||
# Rules applied to user 'bob'
|
||||
- domain: "*.mail.example.com"
|
||||
subject: "user:bob"
|
||||
policy: two_factor
|
||||
- domain: "dev.example.com"
|
||||
- domain: '*.mail.example.com'
|
||||
subject: 'user:bob'
|
||||
policy: 'two_factor'
|
||||
- domain: 'dev.example.com'
|
||||
resources:
|
||||
- "^/users/bob/.*$"
|
||||
subject: "user:bob"
|
||||
policy: two_factor
|
||||
- '^/users/bob/.*$'
|
||||
subject: 'user:bob'
|
||||
policy: 'two_factor'
|
||||
|
||||
session:
|
||||
expiration: 3600 # 1 hour
|
||||
inactivity: 300 # 5 minutes
|
||||
remember_me: 1y
|
||||
expiration: '1h' # 1 hour
|
||||
inactivity: '5m' # 5 minutes
|
||||
remember_me: '1y'
|
||||
cookies:
|
||||
- domain: 'example.com'
|
||||
authelia_url: 'https://login.example.com:8080'
|
||||
|
||||
redis:
|
||||
host: redis-service
|
||||
host: 'redis-service'
|
||||
port: 6379
|
||||
|
||||
regulation:
|
||||
max_retries: 3
|
||||
find_time: 120
|
||||
ban_time: 300
|
||||
find_time: '2m'
|
||||
ban_time: '5m'
|
||||
|
||||
storage:
|
||||
mysql:
|
||||
address: 'tcp://mariadb-service:3306'
|
||||
database: authelia
|
||||
username: admin
|
||||
database: 'authelia'
|
||||
username: 'admin'
|
||||
|
||||
notifier:
|
||||
smtp:
|
||||
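Review bot: The session and regulation values `expiration: '1h'`, `inactivity: '5m'`, `find_time: '2m'` and `ban_time: '5m'` change representation from integer seconds to duration strings, so unlike the rest of this change this hunk exercises a different config-parsing path and deserves a mention in the commit message. With the unit now in the value, the trailing `# 1 hour` and `# 5 minutes` comments only restate it and can be dropped. Separately, `skip_verify: true` under `authentication_backend.ldap.tls` is left untouched and undocumented in a file that otherwise looks like an integration fixture (`level: 'debug'`, example.com hosts); a comment such as `# fixture only: disables LDAP certificate verification, do not copy into a real configuration` would make the intent explicit.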
|
|
|
@ -1,194 +1,194 @@
|
|||
# Kubernetes Dashboard
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
apiVersion: 'v1'
|
||||
kind: 'Namespace'
|
||||
metadata:
|
||||
name: kubernetes-dashboard
|
||||
name: 'kubernetes-dashboard'
|
||||
...
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
apiVersion: 'v1'
|
||||
kind: 'ServiceAccount'
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: kubernetes-dashboard
|
||||
name: kubernetes-dashboard
|
||||
namespace: kubernetes-dashboard
|
||||
k8s-app: 'kubernetes-dashboard'
|
||||
name: 'kubernetes-dashboard'
|
||||
namespace: 'kubernetes-dashboard'
|
||||
...
|
||||
---
|
||||
kind: Service
|
||||
apiVersion: v1
|
||||
kind: 'Service'
|
||||
apiVersion: 'v1'
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: kubernetes-dashboard
|
||||
name: kubernetes-dashboard
|
||||
namespace: kubernetes-dashboard
|
||||
k8s-app: 'kubernetes-dashboard'
|
||||
name: 'kubernetes-dashboard'
|
||||
namespace: 'kubernetes-dashboard'
|
||||
spec:
|
||||
ports:
|
||||
- port: 443
|
||||
targetPort: 8443
|
||||
selector:
|
||||
k8s-app: kubernetes-dashboard
|
||||
k8s-app: 'kubernetes-dashboard'
|
||||
...
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
apiVersion: 'v1'
|
||||
kind: 'Secret'
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: kubernetes-dashboard
|
||||
name: kubernetes-dashboard-certs
|
||||
namespace: kubernetes-dashboard
|
||||
type: Opaque
|
||||
k8s-app: 'kubernetes-dashboard'
|
||||
name: 'kubernetes-dashboard-certs'
|
||||
namespace: 'kubernetes-dashboard'
|
||||
type: 'Opaque'
|
||||
...
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
apiVersion: 'v1'
|
||||
kind: 'Secret'
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: kubernetes-dashboard
|
||||
name: kubernetes-dashboard-csrf
|
||||
namespace: kubernetes-dashboard
|
||||
type: Opaque
|
||||
k8s-app: 'kubernetes-dashboard'
|
||||
name: 'kubernetes-dashboard-csrf'
|
||||
namespace: 'kubernetes-dashboard'
|
||||
type: 'Opaque'
|
||||
data:
|
||||
csrf: ""
|
||||
csrf: ''
|
||||
...
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
apiVersion: 'v1'
|
||||
kind: 'Secret'
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: kubernetes-dashboard
|
||||
name: kubernetes-dashboard-key-holder
|
||||
namespace: kubernetes-dashboard
|
||||
type: Opaque
|
||||
k8s-app: 'kubernetes-dashboard'
|
||||
name: 'kubernetes-dashboard-key-holder'
|
||||
namespace: 'kubernetes-dashboard'
|
||||
type: 'Opaque'
|
||||
...
|
||||
---
|
||||
kind: ConfigMap
|
||||
apiVersion: v1
|
||||
kind: 'ConfigMap'
|
||||
apiVersion: 'v1'
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: kubernetes-dashboard
|
||||
name: kubernetes-dashboard-settings
|
||||
namespace: kubernetes-dashboard
|
||||
k8s-app: 'kubernetes-dashboard'
|
||||
name: 'kubernetes-dashboard-settings'
|
||||
namespace: 'kubernetes-dashboard'
|
||||
...
|
||||
---
|
||||
kind: Role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: 'Role'
|
||||
apiVersion: 'rbac.authorization.k8s.io/v1'
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: kubernetes-dashboard
|
||||
name: kubernetes-dashboard
|
||||
namespace: kubernetes-dashboard
|
||||
k8s-app: 'kubernetes-dashboard'
|
||||
name: 'kubernetes-dashboard'
|
||||
namespace: 'kubernetes-dashboard'
|
||||
rules:
|
||||
# Allow Dashboard to get, update and delete Dashboard exclusive secrets.
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
|
||||
verbs: ["get", "update", "delete"]
|
||||
resources: ['secrets']
|
||||
resourceNames: ['kubernetes-dashboard-key-holder', 'kubernetes-dashboard-certs', 'kubernetes-dashboard-csrf']
|
||||
verbs: ['get', 'update', 'delete']
|
||||
# Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
|
||||
- apiGroups: [""]
|
||||
resources: ["configmaps"]
|
||||
resourceNames: ["kubernetes-dashboard-settings"]
|
||||
verbs: ["get", "update"]
|
||||
resources: ['configmaps']
|
||||
resourceNames: ['kubernetes-dashboard-settings']
|
||||
verbs: ['get', 'update']
|
||||
# Allow Dashboard to get metrics.
|
||||
- apiGroups: [""]
|
||||
resources: ["services"]
|
||||
resourceNames: ["heapster", "dashboard-metrics-scraper"]
|
||||
verbs: ["proxy"]
|
||||
resources: ['services']
|
||||
resourceNames: ['heapster', 'dashboard-metrics-scraper']
|
||||
verbs: ['proxy']
|
||||
- apiGroups: [""]
|
||||
resources: ["services/proxy"]
|
||||
resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"] # yamllint disable-line rule:line-length
|
||||
verbs: ["get"]
|
||||
resources: ['services/proxy']
|
||||
resourceNames: ['heapster', 'http:heapster:', 'https:heapster:', 'dashboard-metrics-scraper', 'http:dashboard-metrics-scraper'] # yamllint disable-line rule:line-length
|
||||
verbs: ['get']
|
||||
...
|
||||
---
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: 'ClusterRole'
|
||||
apiVersion: 'rbac.authorization.k8s.io/v1'
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: kubernetes-dashboard
|
||||
name: kubernetes-dashboard
|
||||
k8s-app: 'kubernetes-dashboard'
|
||||
name: 'kubernetes-dashboard'
|
||||
rules:
|
||||
# Allow Metrics Scraper to get metrics from the Metrics server
|
||||
- apiGroups: ["metrics.k8s.io"]
|
||||
resources: ["pods", "nodes"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ['metrics.k8s.io']
|
||||
resources: ['pods', 'nodes']
|
||||
verbs: ['get', 'list', 'watch']
|
||||
...
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
apiVersion: 'rbac.authorization.k8s.io/v1'
|
||||
kind: 'RoleBinding'
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: kubernetes-dashboard
|
||||
name: kubernetes-dashboard
|
||||
namespace: kubernetes-dashboard
|
||||
k8s-app: 'kubernetes-dashboard'
|
||||
name: 'kubernetes-dashboard'
|
||||
namespace: 'kubernetes-dashboard'
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: kubernetes-dashboard
|
||||
apiGroup: 'rbac.authorization.k8s.io'
|
||||
kind: 'Role'
|
||||
name: 'kubernetes-dashboard'
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: kubernetes-dashboard
|
||||
namespace: kubernetes-dashboard
|
||||
- kind: 'ServiceAccount'
|
||||
name: 'kubernetes-dashboard'
|
||||
namespace: 'kubernetes-dashboard'
|
||||
...
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
apiVersion: 'rbac.authorization.k8s.io/v1'
|
||||
kind: 'ClusterRoleBinding'
|
||||
metadata:
|
||||
name: kubernetes-dashboard
|
||||
name: 'kubernetes-dashboard'
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: kubernetes-dashboard
|
||||
apiGroup: 'rbac.authorization.k8s.io'
|
||||
kind: 'ClusterRole'
|
||||
name: 'kubernetes-dashboard'
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: kubernetes-dashboard
|
||||
namespace: kubernetes-dashboard
|
||||
- kind: 'ServiceAccount'
|
||||
name: 'kubernetes-dashboard'
|
||||
namespace: 'kubernetes-dashboard'
|
||||
...
|
||||
---
|
||||
kind: Deployment
|
||||
apiVersion: apps/v1
|
||||
kind: 'Deployment'
|
||||
apiVersion: 'apps/v1'
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: kubernetes-dashboard
|
||||
name: kubernetes-dashboard
|
||||
namespace: kubernetes-dashboard
|
||||
k8s-app: 'kubernetes-dashboard'
|
||||
name: 'kubernetes-dashboard'
|
||||
namespace: 'kubernetes-dashboard'
|
||||
spec:
|
||||
replicas: 1
|
||||
revisionHistoryLimit: 10
|
||||
selector:
|
||||
matchLabels:
|
||||
k8s-app: kubernetes-dashboard
|
||||
k8s-app: 'kubernetes-dashboard'
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: kubernetes-dashboard
|
||||
k8s-app: 'kubernetes-dashboard'
|
||||
spec:
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
type: 'RuntimeDefault'
|
||||
containers:
|
||||
- name: kubernetes-dashboard
|
||||
image: kubernetesui/dashboard:v2.7.0
|
||||
imagePullPolicy: Always
|
||||
- name: 'kubernetes-dashboard'
|
||||
image: 'kubernetesui/dashboard:v2.7.0'
|
||||
imagePullPolicy: 'Always'
|
||||
ports:
|
||||
- containerPort: 8443
|
||||
protocol: TCP
|
||||
protocol: 'TCP'
|
||||
args:
|
||||
- --auto-generate-certificates
|
||||
- --namespace=kubernetes-dashboard
|
||||
- '--auto-generate-certificates'
|
||||
- '--namespace=kubernetes-dashboard'
|
||||
# Uncomment the following line to manually specify Kubernetes API server Host
|
||||
# If not specified, Dashboard will attempt to auto discover the API server and connect
|
||||
# to it. Uncomment only if the default does not work.
|
||||
# - --apiserver-host=http://my-address:port
|
||||
volumeMounts:
|
||||
- name: kubernetes-dashboard-certs
|
||||
mountPath: /certs
|
||||
- name: 'kubernetes-dashboard-certs'
|
||||
mountPath: '/certs'
|
||||
# Create on-disk volume to store exec logs
|
||||
- mountPath: /tmp
|
||||
name: tmp-volume
|
||||
- mountPath: '/tmp'
|
||||
name: 'tmp-volume'
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
scheme: HTTPS
|
||||
path: /
|
||||
scheme: 'HTTPS'
|
||||
path: '/'
|
||||
port: 8443
|
||||
initialDelaySeconds: 30
|
||||
timeoutSeconds: 30
|
||||
|
@ -198,149 +198,149 @@ spec:
|
|||
runAsUser: 1001
|
||||
runAsGroup: 2001
|
||||
volumes:
|
||||
- name: kubernetes-dashboard-certs
|
||||
- name: 'kubernetes-dashboard-certs'
|
||||
secret:
|
||||
secretName: kubernetes-dashboard-certs
|
||||
- name: tmp-volume
|
||||
secretName: 'kubernetes-dashboard-certs'
|
||||
- name: 'tmp-volume'
|
||||
emptyDir: {}
|
||||
serviceAccountName: kubernetes-dashboard
|
||||
serviceAccountName: 'kubernetes-dashboard'
|
||||
nodeSelector:
|
||||
"kubernetes.io/os": linux
|
||||
"kubernetes.io/os": 'linux'
|
||||
# Comment the following tolerations if Dashboard must not be deployed on master
|
||||
tolerations:
|
||||
- key: node-role.kubernetes.io/master
|
||||
effect: NoSchedule
|
||||
- key: 'node-role.kubernetes.io/master'
|
||||
effect: 'NoSchedule'
|
||||
...
|
||||
---
|
||||
kind: Service
|
||||
apiVersion: v1
|
||||
kind: 'Service'
|
||||
apiVersion: 'v1'
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: dashboard-metrics-scraper
|
||||
name: dashboard-metrics-scraper
|
||||
namespace: kubernetes-dashboard
|
||||
k8s-app: 'dashboard-metrics-scraper'
|
||||
name: 'dashboard-metrics-scraper'
|
||||
namespace: 'kubernetes-dashboard'
|
||||
spec:
|
||||
ports:
|
||||
- port: 8000
|
||||
targetPort: 8000
|
||||
selector:
|
||||
k8s-app: dashboard-metrics-scraper
|
||||
k8s-app: 'dashboard-metrics-scraper'
|
||||
...
|
||||
---
|
||||
kind: Deployment
|
||||
apiVersion: apps/v1
|
||||
kind: 'Deployment'
|
||||
apiVersion: 'apps/v1'
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: dashboard-metrics-scraper
|
||||
name: dashboard-metrics-scraper
|
||||
namespace: kubernetes-dashboard
|
||||
k8s-app: 'dashboard-metrics-scraper'
|
||||
name: 'dashboard-metrics-scraper'
|
||||
namespace: 'kubernetes-dashboard'
|
||||
spec:
|
||||
replicas: 1
|
||||
revisionHistoryLimit: 10
|
||||
selector:
|
||||
matchLabels:
|
||||
k8s-app: dashboard-metrics-scraper
|
||||
k8s-app: 'dashboard-metrics-scraper'
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: dashboard-metrics-scraper
|
||||
k8s-app: 'dashboard-metrics-scraper'
|
||||
spec:
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
type: 'RuntimeDefault'
|
||||
containers:
|
||||
- name: dashboard-metrics-scraper
|
||||
image: kubernetesui/metrics-scraper:v1.0.9
|
||||
- name: 'dashboard-metrics-scraper'
|
||||
image: 'kubernetesui/metrics-scraper:v1.0.9'
|
||||
ports:
|
||||
- containerPort: 8000
|
||||
protocol: TCP
|
||||
protocol: 'TCP'
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
scheme: HTTP
|
||||
path: /
|
||||
scheme: 'HTTP'
|
||||
path: '/'
|
||||
port: 8000
|
||||
initialDelaySeconds: 30
|
||||
timeoutSeconds: 30
|
||||
volumeMounts:
|
||||
- mountPath: /tmp
|
||||
name: tmp-volume
|
||||
- mountPath: '/tmp'
|
||||
name: 'tmp-volume'
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsUser: 1001
|
||||
runAsGroup: 2001
|
||||
serviceAccountName: kubernetes-dashboard
|
||||
serviceAccountName: 'kubernetes-dashboard'
|
||||
nodeSelector:
|
||||
"kubernetes.io/os": linux
|
||||
"kubernetes.io/os": 'linux'
|
||||
# Comment the following tolerations if Dashboard must not be deployed on master
|
||||
tolerations:
|
||||
- key: node-role.kubernetes.io/master
|
||||
effect: NoSchedule
|
||||
- key: 'node-role.kubernetes.io/master'
|
||||
effect: 'NoSchedule'
|
||||
volumes:
|
||||
- name: tmp-volume
|
||||
- name: 'tmp-volume'
|
||||
emptyDir: {}
|
||||
...
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
apiVersion: 'v1'
|
||||
kind: 'ServiceAccount'
|
||||
metadata:
|
||||
name: admin-user
|
||||
namespace: kubernetes-dashboard
|
||||
name: 'admin-user'
|
||||
namespace: 'kubernetes-dashboard'
|
||||
...
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
apiVersion: 'rbac.authorization.k8s.io/v1'
|
||||
kind: 'ClusterRoleBinding'
|
||||
metadata:
|
||||
name: admin-user
|
||||
name: 'admin-user'
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: cluster-admin
|
||||
apiGroup: 'rbac.authorization.k8s.io'
|
||||
kind: 'ClusterRole'
|
||||
name: 'cluster-admin'
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: admin-user
|
||||
namespace: kubernetes-dashboard
|
||||
- kind: 'ServiceAccount'
|
||||
name: 'admin-user'
|
||||
namespace: 'kubernetes-dashboard'
|
||||
...
|
||||
---
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: IngressRouteTCP
|
||||
apiVersion: 'traefik.containo.us/v1alpha1'
|
||||
kind: 'IngressRouteTCP'
|
||||
metadata:
|
||||
name: kubernetes-dashboard-ingress
|
||||
namespace: kubernetes-dashboard
|
||||
name: 'kubernetes-dashboard-ingress'
|
||||
namespace: 'kubernetes-dashboard'
|
||||
spec:
|
||||
entryPoints:
|
||||
- websecure
|
||||
- 'websecure'
|
||||
routes:
|
||||
- match: HostSNI(`kubernetes.example.com`)
|
||||
- match: 'HostSNI(`kubernetes.example.com`)'
|
||||
services:
|
||||
- name: kubernetes-dashboard
|
||||
- name: 'kubernetes-dashboard'
|
||||
port: 443
|
||||
tls:
|
||||
passthrough: true
|
||||
...
|
||||
# Traefik Dashboard
|
||||
---
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: IngressRoute
|
||||
apiVersion: 'traefik.containo.us/v1alpha1'
|
||||
kind: 'IngressRoute'
|
||||
metadata:
|
||||
name: traefik-dashboard-ingress
|
||||
namespace: authelia
|
||||
name: 'traefik-dashboard-ingress'
|
||||
namespace: 'authelia'
|
||||
spec:
|
||||
entryPoints:
|
||||
- websecure
|
||||
- 'websecure'
|
||||
routes:
|
||||
- match: Host(`traefik.example.com`)
|
||||
kind: Rule
|
||||
- match: 'Host(`traefik.example.com`)'
|
||||
kind: 'Rule'
|
||||
services:
|
||||
- name: api@internal
|
||||
kind: TraefikService
|
||||
- name: 'api@internal'
|
||||
kind: 'TraefikService'
|
||||
...
|
||||
---
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: ServersTransport
|
||||
apiVersion: 'traefik.containo.us/v1alpha1'
|
||||
kind: 'ServersTransport'
|
||||
metadata:
|
||||
name: skipverify
|
||||
namespace: authelia
|
||||
name: 'skipverify'
|
||||
namespace: 'authelia'
|
||||
spec:
|
||||
insecureSkipVerify: true
|
||||
...
|
||||
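Review bot: The nodeSelector line `"kubernetes.io/os": 'linux'` on the new side (in both the dashboard Deployment and the metrics-scraper Deployment below it) keeps the key double-quoted while the rest of this commit converts every scalar to single quotes; `'kubernetes.io/os': 'linux'` would match the style the change establishes. Separately, the new side still carries the `admin-user` ClusterRoleBinding to `cluster-admin` and the `skipverify` ServersTransport with `insecureSkipVerify: true` without any comment stating their intended scope; these look like local test-suite fixtures, but nothing on the page says so. A one-line comment above each, such as `# Test-suite only: binds the dashboard login account to cluster-admin; not for real clusters.` and `# Test-suite only: disables upstream TLS verification for the local Traefik dashboard.`, would keep the next reader from copying them into a production manifest. The Deployment whose `runAsUser`/`runAsGroup` lines open this hunk begins outside it.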
|
|
|
@ -1,64 +1,64 @@
|
|||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
apiVersion: 'apps/v1'
|
||||
kind: 'Deployment'
|
||||
metadata:
|
||||
name: ldap
|
||||
namespace: authelia
|
||||
name: 'ldap'
|
||||
namespace: 'authelia'
|
||||
labels:
|
||||
app: ldap
|
||||
app: 'ldap'
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: ldap
|
||||
app: 'ldap'
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: ldap
|
||||
app: 'ldap'
|
||||
spec:
|
||||
containers:
|
||||
- name: ldap
|
||||
image: osixia/openldap:1.5.0
|
||||
- name: 'ldap'
|
||||
image: 'osixia/openldap:1.5.0'
|
||||
ports:
|
||||
- containerPort: 389
|
||||
- containerPort: 636
|
||||
args: ["--copy-service", "--loglevel", "debug"]
|
||||
args: ['--copy-service', '--loglevel', 'debug']
|
||||
env:
|
||||
- name: LDAP_ORGANISATION
|
||||
value: MyCompany
|
||||
- name: LDAP_DOMAIN
|
||||
value: example.com
|
||||
- name: LDAP_ADMIN_PASSWORD
|
||||
value: password
|
||||
- name: LDAP_CONFIG_PASSWORD
|
||||
value: password
|
||||
- name: LDAP_ADDITIONAL_MODULES
|
||||
value: memberof
|
||||
- name: LDAP_ADDITIONAL_SCHEMAS
|
||||
value: openldap
|
||||
- name: LDAP_FORCE_RECONFIGURE
|
||||
value: "true"
|
||||
- name: LDAP_TLS_VERIFY_CLIENT
|
||||
value: try
|
||||
- name: 'LDAP_ORGANISATION'
|
||||
value: 'MyCompany'
|
||||
- name: 'LDAP_DOMAIN'
|
||||
value: 'example.com'
|
||||
- name: 'LDAP_ADMIN_PASSWORD'
|
||||
value: 'password'
|
||||
- name: 'LDAP_CONFIG_PASSWORD'
|
||||
value: 'password'
|
||||
- name: 'LDAP_ADDITIONAL_MODULES'
|
||||
value: 'memberof'
|
||||
- name: 'LDAP_ADDITIONAL_SCHEMAS'
|
||||
value: 'openldap'
|
||||
- name: 'LDAP_FORCE_RECONFIGURE'
|
||||
value: 'true'
|
||||
- name: 'LDAP_TLS_VERIFY_CLIENT'
|
||||
value: 'try'
|
||||
volumeMounts:
|
||||
- name: ldap-config
|
||||
mountPath: /container/service/slapd/assets/config/bootstrap/ldif/custom
|
||||
- name: 'ldap-config'
|
||||
mountPath: '/container/service/slapd/assets/config/bootstrap/ldif/custom'
|
||||
volumes:
|
||||
- name: ldap-config
|
||||
- name: 'ldap-config'
|
||||
hostPath:
|
||||
path: /configmaps/ldap
|
||||
type: Directory
|
||||
path: '/configmaps/ldap'
|
||||
type: 'Directory'
|
||||
...
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
apiVersion: 'v1'
|
||||
kind: 'Service'
|
||||
metadata:
|
||||
name: ldap-service
|
||||
namespace: authelia
|
||||
name: 'ldap-service'
|
||||
namespace: 'authelia'
|
||||
spec:
|
||||
selector:
|
||||
app: ldap
|
||||
app: 'ldap'
|
||||
ports:
|
||||
- protocol: TCP
|
||||
- protocol: 'TCP'
|
||||
port: 636
|
||||
...
|
||||
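Review bot: The `LDAP_ADMIN_PASSWORD` and `LDAP_CONFIG_PASSWORD` entries on the new side still carry the literal `value: 'password'`, so the quoting pass leaves plaintext credentials in the manifest with no comment marking them as throwaway test values. If this is a test-suite fixture (it appears to be, given the `hostPath` bootstrap volume and `--loglevel debug`), a comment above the `env:` block such as `# Fixed test-suite credentials; the real deployment reads these from a Secret via valueFrom.secretKeyRef.` would document that intent; otherwise the two values should come from a Secret. Keeping `LDAP_FORCE_RECONFIGURE` as the quoted `'true'` is correct, since container env values must be strings.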
|
|
|
@ -1,64 +1,64 @@
|
|||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
apiVersion: 'apps/v1'
|
||||
kind: 'Deployment'
|
||||
metadata:
|
||||
name: mailcatcher
|
||||
namespace: authelia
|
||||
name: 'mailcatcher'
|
||||
namespace: 'authelia'
|
||||
labels:
|
||||
app: mailcatcher
|
||||
app: 'mailcatcher'
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: mailcatcher
|
||||
app: 'mailcatcher'
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: mailcatcher
|
||||
app: 'mailcatcher'
|
||||
spec:
|
||||
containers:
|
||||
- name: mailcatcher
|
||||
image: schickling/mailcatcher
|
||||
- name: 'mailcatcher'
|
||||
image: 'schickling/mailcatcher'
|
||||
ports:
|
||||
- containerPort: 1025
|
||||
- containerPort: 1080
|
||||
...
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
apiVersion: 'v1'
|
||||
kind: 'Service'
|
||||
metadata:
|
||||
name: mailcatcher-service
|
||||
namespace: authelia
|
||||
name: 'mailcatcher-service'
|
||||
namespace: 'authelia'
|
||||
spec:
|
||||
selector:
|
||||
app: mailcatcher
|
||||
app: 'mailcatcher'
|
||||
ports:
|
||||
- protocol: TCP
|
||||
- protocol: 'TCP'
|
||||
port: 1080
|
||||
name: ui
|
||||
- protocol: TCP
|
||||
name: 'ui'
|
||||
- protocol: 'TCP'
|
||||
port: 1025
|
||||
name: smtp
|
||||
name: 'smtp'
|
||||
...
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
apiVersion: 'networking.k8s.io/v1'
|
||||
kind: 'Ingress'
|
||||
metadata:
|
||||
name: mailcatcher-ingress
|
||||
namespace: authelia
|
||||
name: 'mailcatcher-ingress'
|
||||
namespace: 'authelia'
|
||||
annotations:
|
||||
kubernetes.io/ingress.class: traefik
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: websecure
|
||||
kubernetes.io/ingress.class: 'traefik'
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: 'websecure'
|
||||
spec:
|
||||
rules:
|
||||
- host: mail.example.com
|
||||
- host: 'mail.example.com'
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
- path: '/'
|
||||
pathType: 'Prefix'
|
||||
backend:
|
||||
service:
|
||||
name: mailcatcher-service
|
||||
name: 'mailcatcher-service'
|
||||
port:
|
||||
number: 1080
|
||||
...
|
||||
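Review bot: The mailcatcher container image on the new side, `image: 'schickling/mailcatcher'`, carries no tag, so it floats to whatever `latest` resolves to at pull time, while the other images touched by this diff (`osixia/openldap:1.5.0`, `kubernetesui/metrics-scraper:v1.0.9`) are pinned. Pinning it, e.g. `image: 'schickling/mailcatcher:<PINNED_TAG>'` (placeholder, pick the tag the suite currently runs), makes the test environment reproducible and keeps a registry-side change from silently altering the SMTP fixture. The Ingress also uses the `kubernetes.io/ingress.class: 'traefik'` annotation, which on `networking.k8s.io/v1` is the deprecated form of `spec.ingressClassName: 'traefik'`; worth noting in a comment if the annotation is kept deliberately for the Traefik version in use.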
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
apiVersion: 'v1'
|
||||
kind: 'Namespace'
|
||||
metadata:
|
||||
name: authelia
|
||||
name: 'authelia'
|
||||
...
|
||||
|
|