Refactor Authelia configuration for clarity and remove deprecated comments
This commit is contained in:
Mohmmed Elfateh Sabry
@@ -1,33 +1,23 @@
|
||||
---
|
||||
# Authelia Configuration File
|
||||
# Minimal validated Authelia configuration
|
||||
|
||||
## Server Configuration
|
||||
server:
|
||||
## Server options
|
||||
address: 'tcp://:9091'
|
||||
# asset_path removed (directory didn't exist). Re-add if you mount custom portal assets.
|
||||
|
||||
## Endpoints
|
||||
endpoints:
|
||||
authz:
|
||||
forward-auth:
|
||||
implementation: 'ForwardAuth'
|
||||
|
||||
## Log Configuration
|
||||
log:
|
||||
level: 'info'
|
||||
format: 'text'
|
||||
|
||||
## Theme Configuration
|
||||
theme: 'light'
|
||||
|
||||
## Identity Validation / Password Reset JWT (replaces deprecated jwt_secret)
|
||||
identity_validation:
|
||||
reset_password:
|
||||
jwt_secret: '${AUTHELIA_JWT_SECRET}'
|
||||
# Ensure AUTHELIA_JWT_SECRET is defined in environment (.env/Secrets) or startup will fail.
|
||||
|
||||
## TOTP Configuration
|
||||
totp:
|
||||
disable_reuse_security_policy: false
|
||||
issuer: 'Authelia'
|
||||
@@ -37,51 +27,19 @@ totp:
|
||||
skew: 1
|
||||
secret_size: 32
|
||||
|
||||
## WebAuthn Configuration
|
||||
webauthn:
|
||||
disable: false
|
||||
display_name: 'Authelia'
|
||||
attestation_conveyance_preference: 'indirect'
|
||||
selection_criteria:
|
||||
user_verification: 'preferred' # migrated from deprecated webauthn.user_verification
|
||||
user_verification: 'preferred'
|
||||
timeout: '60s'
|
||||
|
||||
## Duo Push API Configuration (optional)
|
||||
# duo_api:
|
||||
# hostname: 'api-123456789.duosecurity.com'
|
||||
# integration_key: 'ABCDEF'
|
||||
# secret_key: 'GHIJKLMNOPQRSTUVWXYZ'
|
||||
|
||||
## Authentication Backend Configuration
|
||||
authentication_backend:
|
||||
## Password Reset
|
||||
password_reset:
|
||||
disable: false
|
||||
custom_url: ''
|
||||
|
||||
## Refresh Interval
|
||||
refresh_interval: '5m'
|
||||
|
||||
## LDAP Configuration (uncomment and configure if using LDAP)
|
||||
# ldap:
|
||||
# implementation: 'custom'
|
||||
# address: 'ldap://127.0.0.1:389'
|
||||
# timeout: '5s'
|
||||
# start_tls: false
|
||||
# skip_verify: false
|
||||
# base_dn: 'dc=example,dc=com'
|
||||
# username_attribute: 'uid'
|
||||
# additional_users_dn: 'ou=users'
|
||||
# users_filter: '(&({username_attribute}={input})(objectClass=person))'
|
||||
# additional_groups_dn: 'ou=groups'
|
||||
# groups_filter: '(&(member={dn})(objectclass=groupOfNames))'
|
||||
# group_name_attribute: 'cn'
|
||||
# mail_attribute: 'mail'
|
||||
# display_name_attribute: 'displayName'
|
||||
# user: 'cn=admin,dc=example,dc=com'
|
||||
# password: 'password'
|
||||
|
||||
## File Configuration
|
||||
file:
|
||||
path: '/config/users_database.yml'
|
||||
watch: false
|
||||
@@ -98,150 +56,48 @@ authentication_backend:
|
||||
key_length: 32
|
||||
salt_length: 16
|
||||
|
||||
## Access Control Configuration
|
||||
access_control:
|
||||
## Default Policy
|
||||
# Baseline policy when no rule matches. Choose two_factor for stronger default.
|
||||
default_policy: 'two_factor'
|
||||
|
||||
## Networks (optional, for IP-based rules)
|
||||
networks:
|
||||
- name: 'internal'
|
||||
networks:
|
||||
- '10.0.0.0/8'
|
||||
- '172.16.0.0/12'
|
||||
- '192.168.0.0/16'
|
||||
|
||||
## Rules
|
||||
rules:
|
||||
# Authelia portal itself is bypassed so users can reach the login UI
|
||||
- domain: 'auth.gate.3launchpad.com'
|
||||
policy: 'bypass'
|
||||
|
||||
# Admin-only services require 2FA and membership in admins group
|
||||
- domain:
|
||||
- 'traefik.gate.3launchpad.com'
|
||||
- 'portainer.gate.3launchpad.com'
|
||||
policy: 'two_factor'
|
||||
subject:
|
||||
- 'group:admins'
|
||||
|
||||
# All other subdomains require at least one factor
|
||||
- domain: '*.gate.3launchpad.com'
|
||||
policy: 'one_factor'
|
||||
|
||||
## Session Configuration
|
||||
session:
|
||||
## Session Name
|
||||
name: 'authelia_session'
|
||||
|
||||
## Session Secret (do not hardcode; provided via env var)
|
||||
secret: '${AUTHELIA_SESSION_SECRET}'
|
||||
|
||||
## Session Expiration / Activity
|
||||
expiration: 1h
|
||||
inactivity: 5m
|
||||
|
||||
## Remember Me (replaces deprecated remember_me_duration)
|
||||
remember_me: 1M
|
||||
|
||||
## Cookie-based configuration (domain key removed to avoid conflict)
|
||||
cookies:
|
||||
- domain: 'gate.3launchpad.com'
|
||||
authelia_url: 'https://auth.gate.3launchpad.com'
|
||||
default_redirection_url: 'https://gate.3launchpad.com'
|
||||
|
||||
## Redis Configuration (uncomment if using Redis)
|
||||
# redis:
|
||||
# host: 'redis'
|
||||
# port: 6379
|
||||
# password: ''
|
||||
# database_index: 0
|
||||
# maximum_active_connections: 8
|
||||
# minimum_idle_connections: 0
|
||||
|
||||
## Regulation Configuration
|
||||
regulation:
|
||||
max_retries: 3
|
||||
find_time: '2m'
|
||||
ban_time: '5m'
|
||||
|
||||
## Storage Configuration
|
||||
storage:
|
||||
## Encryption key is required (newer versions). Provide via env var.
|
||||
encryption_key: '${AUTHELIA_STORAGE_ENCRYPTION_KEY}' # must be 32+ chars, consistent across restarts
|
||||
encryption_key: '${AUTHELIA_STORAGE_ENCRYPTION_KEY}'
|
||||
local:
|
||||
path: '/config/db.sqlite3'
|
||||
|
||||
## MySQL Configuration (alternative to local)
|
||||
# mysql:
|
||||
# address: 'tcp://mysql:3306'
|
||||
# database: 'authelia'
|
||||
# username: 'authelia'
|
||||
# password: 'password'
|
||||
# timeout: '5s'
|
||||
|
||||
## PostgreSQL Configuration (alternative to local)
|
||||
# postgres:
|
||||
# address: 'tcp://postgres:5432'
|
||||
# database: 'authelia'
|
||||
# schema: 'public'
|
||||
# username: 'authelia'
|
||||
# password: 'password'
|
||||
# timeout: '5s'
|
||||
# ssl:
|
||||
# mode: 'disable'
|
||||
|
||||
## Notification Configuration
|
||||
notifier:
|
||||
## Disable Startup Check
|
||||
disable_startup_check: false
|
||||
|
||||
## File System Notifier (for development/testing)
|
||||
filesystem:
|
||||
filename: '/config/notification.txt'
|
||||
|
||||
## SMTP Configuration (for production)
|
||||
# smtp:
|
||||
# address: 'smtp://mail.example.com:587'
|
||||
# username: 'authelia@example.com'
|
||||
# password: 'password'
|
||||
# sender: 'Authelia <authelia@example.com>'
|
||||
# identifier: 'authelia'
|
||||
# subject: '[Authelia] {title}'
|
||||
# startup_check_address: 'test@authelia.com'
|
||||
# disable_require_tls: false
|
||||
# disable_html_emails: false
|
||||
# disable_starttls: false
|
||||
# tls:
|
||||
# skip_verify: false
|
||||
# minimum_version: 'TLS1.2'
|
||||
# maximum_version: 'TLS1.3'
|
||||
|
||||
## Identity Providers Configuration (optional)
|
||||
# identity_providers:
|
||||
# oidc:
|
||||
# hmac_secret: 'GENERATE_RANDOM_HMAC_SECRET'
|
||||
# issuer_private_key: |
|
||||
# -----BEGIN RSA PRIVATE KEY-----
|
||||
# ...
|
||||
# -----END RSA PRIVATE KEY-----
|
||||
# access_token_lifespan: '1h'
|
||||
# authorize_code_lifespan: '1m'
|
||||
# id_token_lifespan: '1h'
|
||||
# refresh_token_lifespan: '90m'
|
||||
# enable_client_debug_messages: false
|
||||
# clients:
|
||||
# - id: 'myapp'
|
||||
# description: 'My Application'
|
||||
# secret: '$pbkdf2-sha512$310000$...'
|
||||
# public: false
|
||||
# authorization_policy: 'two_factor'
|
||||
# redirect_uris:
|
||||
# - 'https://myapp.example.com/callback'
|
||||
# scopes:
|
||||
# - 'openid'
|
||||
# - 'profile'
|
||||
# - 'email'
|
||||
# - 'groups'
|
||||
# userinfo_signing_algorithm: 'none'
|
||||
|
||||
Reference in New Issue
Block a user