-
Notifications
You must be signed in to change notification settings - Fork 43
/
Copy pathconfiguration.yml
190 lines (169 loc) · 6.05 KB
/
configuration.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
###############################################################
# AUTHELIA CONFIGURATION #
###############################################################
# -------------
# MISCELLANEOUS
# -------------
host: 0.0.0.0
port: 9091
# Default redirection URL
#
# If user tries to authenticate without any referer, Authelia
# does not know where to redirect the user to at the end of the
# authentication process.
# This parameter allows you to specify the default redirection
# URL Authelia will use in such a case.
#
# Note: this parameter is optional. If not provided, user won't
# be redirected upon successful authentication.
default_redirection_url: https://auth.yourdomain.tld
# The theme to display: light, dark, grey
theme: light
# -------
# LOGGING
# -------
# Level of verbosity for logs: info, debug, trace
log_level: info
# Format the logs are written as: json, text
log_format: text
# File path where the logs will be written. If not set logs are written to stdout.
log_file_path: /data/authelia.log
# ----------------------------
# TIME-BASED ONE-TIME PASSWORD
# ----------------------------
totp:
# The issuer name displayed in the Authenticator application of your choice
issuer: auth.yourdomain.tld
# The period in seconds a one-time password is current for. Changing this will require all users to register
# their TOTP applications again.
# Warning: before changing period read the docs link below.
period: 30
# The skew controls number of one-time passwords either side of the current one that are valid.
# Warning: before changing skew read the docs link below.
skew: 1
# -----------------------
# AUTHENTICATION BACKENDS
# The authentication backend to use for verifying user passwords
# and retrieve information such as email address and groups users belong to.
# -----------------------
authentication_backend:
# Disable both the HTML element and the API for reset password functionality
disable_reset_password: true
# File backend configuration.
#
# With this backend, the users database is stored in a file
# which is updated when users reset their passwords.
# Therefore, this backend is meant to be used in a dev environment
# and not in production since it prevents Authelia to be scaled to
# more than one instance. The options under 'password' have sane
# defaults, and as it has security implications it is highly recommended
# you leave the default values. Before considering changing these settings
# please read the docs page below:
# https://docs.authelia.com/configuration/authentication/file.html#password-hash-algorithm-tuning
file:
path: /config/users.yml
password:
algorithm: argon2id
iterations: 1
salt_length: 16
parallelism: 8
memory: 64
# --------------
# ACCESS CONTROL
# Access control is a list of rules defining the authorizations applied for one
# resource to users or group of users.
#
# Note: the order of the rules is important. The first policy matching
# (domain, resource, subject) applies.
# --------------
access_control:
default_policy: deny
networks:
- name: internal
networks:
- 127.0.0.1/32
- 172.25.0.0/16
rules:
# Rules applied to everyone
- domain: auth.yourdomain.tld
policy: bypass
# - domain:
# - "*.yourdomain.tld"
# - yourdomain.tld
# policy: one_factor
# Allow free access from local network
- domain:
- traefik.yourdomain.tld
policy: bypass
networks:
- internal
- domain:
- portainer.yourdomain.tld
- traefik.yourdomain.tld
- netdata.yourdomain.tld
policy: two_factor
# -------
# SESSION
# Configuration of session cookies
#
# The session cookies identify the user once logged in.
# -------
session:
# The name of the session cookie.
name: auth_session
# Sets the cookies SameSite value.
same_site: lax
# The time in seconds before the cookie expires and session is reset.
# The time before the cookie expires and the session is destroyed.
expiration: 24h
# The inactivity time in seconds before the session is reset.
# The time the user can be inactive for until the session is destroyed.
inactivity: 6h
# The domain to protect.
# Note: the authenticator must also be in that domain. If empty, the cookie
# is restricted to the subdomain of the issuer.
domain: yourdomain.tld
redis:
host: v1_company_redis_1
port: 6379
## This is the Redis DB Index https://redis.io/commands/select (sometimes referred to as database number, DB, etc).
database_index: 3
# ----------
# REGULATION
# This mechanism prevents attackers from brute forcing the first factor.
# It bans the user if too many attempts are done in a short period of time.
# ----------
regulation:
# The number of failed login attempts before user is banned.
max_retries: 3
# The time range during which the user can attempt login before being banned.
# The user is banned if the authentication failed 'max_retries' times in a 'find_time' seconds window.
find_time: 2m
# The length of time before a banned user can login again.
ban_time: 5m
# -------
# STORAGE
# Configuration of the storage backend used to store data and secrets.
# -------
storage:
# The directory where the DB files will be saved
local:
path: /data/db.sqlite3
# # Settings to connect to MySQL server
# mysql:
# host: database
# port: 3306
# database: authelia
# username: authelia
# # Password can also be set using a secret: https://docs.authelia.com/configuration/secrets.html
# password: mypassword
# --------
# NOTIFIER
# Configuration of the notification system.
#
# Notifications are sent to users when they require a password reset, a u2f
# registration or a TOTP registration.
# --------
notifier:
filesystem:
filename: /data/notifications.txt