--- default_redirection_url: 'https://home.example.com:8080/' server: address: 'tcp://127.0.0.1:9091' endpoints: authz: forward-auth: implementation: 'ForwardAuth' authn_strategies: - name: 'HeaderProxyAuthorization' - name: 'CookieSession' ext-authz: implementation: 'ExtAuthz' authn_strategies: - name: 'HeaderProxyAuthorization' - name: 'CookieSession' auth-request: implementation: 'AuthRequest' authn_strategies: - name: 'HeaderAuthRequestProxyAuthorization' - name: 'CookieSession' legacy: implementation: 'Legacy' log: level: 'debug' totp: issuer: 'authelia.com' duo_api: hostname: 'api-123456789.example.com' integration_key: 'ABCDEF' authentication_backend: ldap: address: 'ldap://127.0.0.1' tls: private_key: | -----BEGIN RSA PRIVATE KEY----- MIIEpAIBAAKCAQEA6z1LOg1ZCqb0lytXWZ+MRBpMHEXOoTOLYgfZXt1IYyE3Z758 cyalk0NYQhY5cZDsXPYWPvAHiPMUxutWkoxFwby56S+AbIMa3/Is+ILrHRJs8Exn ZkpyrYFxPX12app2kErdmAkHSx0Z5/kuXiz96PHs8S8/ZbyZolLHzdfLtSzjvRm5 Zue5iFzsf19NJz5CIBfv8g5lRwtE8wNJoRSpn1xq7fqfuA0weDNFPzjlNWRLy6aa rK7qJexRkmkCs4sLgyl+9NODYJpvmN8E1yhyC27E0joI6rBFVW7Ihv+cSPCdDzGp EWe81x3AeqAa3mjVqkiq4u4Z2i8JDgBaPboqJwIDAQABAoIBAAFdLZ58jVOefDSU L8F5R1rtvBs93GDa56f926jNJ6pLewLC+/2+757W+SAI+PRLntM7Kg3bXm/Q2QH+ Q1Y+MflZmspbWCdI61L5GIGoYKyeers59i+FpvySj5GHtLQRiTZ0+Kv1AXHSDWBm 9XneUOqU3IbZe0ifu1RRno72/VtjkGXbW8Mkkw+ohyGbIeTx/0/JQ6sSNZTT3Vk7 8i4IXptq3HSF0/vqZuah8rShoeNq72pD1YLM9YPdL5by1QkDLnqATDiCpLBTCaNV I8sqYEun+HYbQzBj8ZACG2JVZpEEidONWQHw5BPWO95DSZYrVnEkuCqeH+u5vYt7 CHuJ3AECgYEA+W3v5z+j91w1VPHS0VB3SCDMouycAMIUnJPAbt+0LPP0scUFsBGE hPAKddC54pmMZRQ2KIwBKiyWfCrJ8Xz8Yogn7fJgmwTHidJBr2WQpIEkNGlK3Dzi jXL2sh0yC7sHvn0DqiQ79l/e7yRbSnv2wrTJEczOOH2haD7/tBRyCYECgYEA8W+q E9YyGvEltnPFaOxofNZ8LHVcZSsQI5b6fc0iE7fjxFqeXPXEwGSOTwqQLQRiHn9b CfPmIG4Vhyq0otVmlPvUnfBZ2OK+tl5X2/mQFO3ROMdvpi0KYa994uqfJdSTaqLn jjoKFB906UFHnDQDLZUNiV1WwnkTglgLc+xrd6cCgYEAqqthyv6NyBTM3Tm2gcio Ra9Dtntl51LlXZnvwy3IkDXBCd6BHM9vuLKyxZiziGx+Vy90O1xI872cnot8sINQ Am+dur/tAEVN72zxyv0Y8qb2yfH96iKy9gxi5s75TnOEQgAygLnYWaWR2lorKRUX bHTdXBOiS58S0UzCFEslGIECgYBqkO4SKWYeTDhoKvuEj2yjRYyzlu28XeCWxOo1 otiauX0YSyNBRt2cSgYiTzhKFng0m+QUJYp63/wymB/5C5Zmxi0XtWIDADpLhqLj HmmBQ2Mo26alQ5YkffBju0mZyhVzaQop1eZi8WuKFV1FThPlB7hc3E0SM5zv2Grd tQnOWwKBgQC40yZY0PcjuILhy+sIc0Wvh7LUA7taSdTye149kRvbvsCDN7Jh75lM USjhLXY0Nld2zBm9r8wMb81mXH29uvD+tDqqsICvyuKlA/tyzXR+QTr7dCVKVwu0 1YjCJ36UpTsLre2f8nOSLtNmRfDPtbOE2mkOoO9dD9UU0XZwnvn9xw== -----END RSA PRIVATE KEY----- base_dn: 'dc=example,dc=com' additional_users_dn: 'ou=users' users_filter: '(&({username_attribute}={input})(objectCategory=person)(objectClass=user))' additional_groups_dn: 'ou=groups' groups_filter: '(&(member={dn})(objectClass=groupOfNames))' user: 'cn=admin,dc=example,dc=com' attributes: username: 'uid' group_name: 'cn' mail: 'mail' access_control: default_policy: 'deny' rules: # Rules applied to everyone - domain: 'public.example.com' policy: 'bypass' - domain: 'secure.example.com' policy: 'one_factor' # Network based rule, if not provided any network matches. networks: - '192.168.1.0/24' - domain: 'secure.example.com' policy: 'two_factor' - domain: ['singlefactor.example.com', 'onefactor.example.com'] policy: 'one_factor' # Rules applied to 'admins' group - domain: 'mx2.mail.example.com' subject: 'group:admins' policy: 'deny' - domain: '*.example.com' subject: 'group:admins' policy: 'two_factor' # Rules applied to 'dev' group - domain: 'dev.example.com' resources: - '^/groups/dev/.*$' subject: 'group:dev' policy: 'two_factor' # Rules applied to user 'john' - domain: 'dev.example.com' resources: - '^/users/john/.*$' subject: 'user:john' policy: 'two_factor' # Rules applied to 'dev' group and user 'john' - domain: 'dev.example.com' resources: - '^/deny-all.*$' subject: ['group:dev', 'user:john'] policy: 'deny' # Rules applied to user 'harry' - domain: 'dev.example.com' resources: - '^/users/harry/.*$' subject: 'user:harry' policy: 'two_factor' # Rules applied to user 'bob' - domain: '*.mail.example.com' subject: 'user:bob' policy: 'two_factor' - domain: 'dev.example.com' resources: - '^/users/bob/.*$' subject: 'user:bob' policy: 'two_factor' session: name: 'authelia_session' expiration: '1h' # 1 hour inactivity: '5m' # 5 minutes domain: 'example.com' redis: host: '127.0.0.1' port: 6379 high_availability: sentinel_name: 'test' regulation: max_retries: 3 find_time: '2m' ban_time: '5m' storage: mysql: address: 'tcp://127.0.0.1:3306' database: 'authelia' username: 'authelia' notifier: smtp: address: 'smtp://127.0.0.1:1025' username: 'test' sender: 'admin@example.com' disable_require_tls: true ...