# yamllint disable rule:comments-indentation
---
###############################################################################
#                           Authelia Configuration                            #
###############################################################################

## Note: the container by default expects to find this file at /config/configuration.yml.

## Certificates directory specifies where Authelia will load trusted certificates (public portion) from in addition to
## the system certificates store.
## They should be in base64 format, and have one of the following extensions: *.cer, *.crt, *.pem.
# certificates_directory: /config/certificates/

## The theme to display: light, dark, grey, auto.
theme: dark

## The secret used to generate JWT tokens when validating user identity by email confirmation. JWT Secret can also be
## set using a secret: https://www.authelia.com/docs/configuration/secrets.html
#jwt_secret: a_very_important_secret

## Default redirection URL
##
## If a user tries to authenticate without any referer, Authelia does not know where to redirect the user to at the end
## of the authentication process. This parameter allows you to specify the default redirection URL Authelia will use
## in such a case.
##
## Note: this parameter is optional. If not provided, the user won't be redirected upon successful authentication.
default_redirection_url: https://yourdomain.nl

##
## Server Configuration
##
server:
  ## The address to listen on.
  host: 0.0.0.0
  ## The port to listen on.
  port: 9091
  ## Set the single level path Authelia listens on.
  ## Must be alphanumeric chars and should not contain any slashes.
  path: "authelia"
  ## Set the path on disk to Authelia assets.
  ## Useful to allow overriding of specific static assets.
  # asset_path: /config/assets/
  ## Buffers usually should be configured to be the same value.
  ## Explanation at https://www.authelia.com/docs/configuration/server.html
  ## Read buffer size adjusts the server's max incoming request size in bytes.
  ## Write buffer size does the same for outgoing responses.
  read_buffer_size: 4096
  write_buffer_size: 4096

##
## Log Configuration
##
log:
  ## Level of verbosity for logs: info, debug, trace.
  level: debug

##
## TOTP Configuration
##
## Parameters used for TOTP generation.
totp:
  ## The issuer name displayed in the Authenticator application of your choice.
  issuer: name
  ## The TOTP algorithm to use.
  ## It is CRITICAL you read the documentation before changing this option:
  ## https://www.authelia.com/docs/configuration/one-time-password.html#algorithm
  algorithm: sha256
  ## The number of digits a user has to input. Must either be 6 or 8.
  ## Changing this option only affects newly generated TOTP configurations.
  ## It is CRITICAL you read the documentation before changing this option:
  ## https://www.authelia.com/docs/configuration/one-time-password.html#digits
  digits: 6
  ## The period in seconds a one-time password is valid for.
  ## Changing this option only affects newly generated TOTP configurations.
  period: 30
  ## The skew controls the number of one-time passwords either side of the current one that are valid.
  ## Warning: before changing skew read the docs link below.
  skew: 1
  ## See: https://www.authelia.com/docs/configuration/one-time-password.html#input-validation to read the documentation.

##
## NTP Configuration
##
## This is used to validate that the server's time is accurate enough to validate TOTP.
ntp:
  ## NTP server address.
  address: "time.cloudflare.com:123"
  ## NTP version.
  version: 4
  ## Maximum allowed time offset between the host and the NTP server.
  max_desync: 3s
  ## Disables the NTP check on startup entirely. This means Authelia will not contact a remote service at all if you
  ## set this to true, and can operate in a truly offline mode.
  disable_startup_check: false
  ## The default of false will prevent startup only if we can contact the NTP server and the time is out of sync with
  ## the NTP server by more than the configured max_desync. If you set this to true, an error will be logged but startup
  ## will continue regardless of results.
  disable_failure: false

##
## Authentication Backend Provider Configuration
##
## Used for verifying user passwords and retrieving information such as email address and groups users belong to.
##
## The available providers are: `file`, `ldap`. You must use only one of these providers.
authentication_backend:
  ## Disable both the HTML element and the API for reset password functionality.
  disable_reset_password: false
  ## The amount of time to wait before we refresh data from the authentication backend. Uses duration notation.
  ## To disable this feature set it to 'disable'; this will slightly reduce security because, for Authelia, users will
  ## always belong to the groups they belonged to at the time of login even if they have since been removed from them in LDAP.
  ## To force an update on every request you can set this to '0' or 'always'; this will increase processor demand.
  ## See the below documentation for more information.
  ## Duration Notation docs: https://www.authelia.com/docs/configuration/index.html#duration-notation-format
  ## Refresh Interval docs: https://www.authelia.com/docs/configuration/authentication/ldap.html#refresh-interval
  refresh_interval: 5m

  ##
  ## File (Authentication Provider)
  ##
  ## With this backend, the users database is stored in a file which is updated when users reset their passwords.
  ## Therefore, this backend is meant to be used in a dev environment and not in production since it prevents Authelia
  ## from being scaled to more than one instance. The options under 'password' have sane defaults, and as they have
  ## security implications it is highly recommended you leave the default values. Before considering changing these
  ## settings please read the docs page below:
  ## https://www.authelia.com/docs/configuration/authentication/file.html#password-hash-algorithm-tuning
  ##
  ## Important: Kubernetes (or HA) users must read https://www.authelia.com/docs/features/statelessness.html
  ##
  file:
    path: /config/users_database.yml
    password:
      algorithm: argon2id
      iterations: 1
      salt_length: 16
      parallelism: 8
      memory: 1024

##
## Access Control Configuration
##
## Access control is a list of rules defining the authorizations applied for one resource to users or groups of users.
##
## If 'access_control' is not defined, ACL rules are disabled and the 'bypass' rule is applied, i.e., access is allowed
## to anyone. Otherwise restrictions follow the rules defined.
##
## Note: One can use the wildcard * to match any subdomain.
## It must stand at the beginning of the pattern. (example: *.mydomain.com)
##
## Note: You must put patterns containing wildcards between simple quotes for the YAML to be syntactically correct.
##
## Definition: A 'rule' is an object with the following keys: 'domain', 'subject', 'policy' and 'resources'.
##
## - 'domain' defines which domain or set of domains the rule applies to.
##
## - 'subject' defines the subject to apply authorizations to. This parameter is optional and matches any user if not
##   provided. If provided, the parameter represents either a user or a group. It should be of the form
##   'user:<username>' or 'group:<groupname>'.
##
## - 'policy' is the policy to apply to resources. It must be either 'bypass', 'one_factor', 'two_factor' or 'deny'.
##
## - 'resources' is a list of regular expressions that matches a set of resources to apply the policy to. This parameter
##   is optional and matches any resource if not provided.
##
## Note: the order of the rules is important. The first policy matching (domain, resource, subject) applies.
access_control:
  ## Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'. It is the policy applied to any
  ## resource if there is no policy to be applied to the user.
  default_policy: deny
  rules:
    - domain: subdomain.yourdomain.nl
      ## Caution: 'networks' is left empty here, so this 'bypass' rule applies to every client regardless of its source
      ## address. Either list the trusted networks (CIDR notation) under this key, or remove the key if unconditional
      ## bypass is really intended.
      networks:
      policy: bypass
    - domain:
        - "*.yourdomain.nl"
      policy: two_factor

##
## Session Provider Configuration
##
## The session cookies identify the user once logged in.
## The available providers are: `memory`, `redis`. Memory is the provider unless redis is defined.
session:
  ## The name of the session cookie.
  name: authelia_session
  ## The domain to protect.
  ## Note: the authenticator must also be in that domain.
  ## If empty, the cookie is restricted to the subdomain of the issuer.
  domain: homesloth.nl
  ## Sets the Cookie SameSite value. Possible options are none, lax, or strict.
  ## Please read https://www.authelia.com/docs/configuration/session/#same_site
  same_site: lax
  ## The secret to encrypt the session data. This is only used with Redis / Redis Sentinel.
  ## Secret can also be set using a secret: https://www.authelia.com/docs/configuration/secrets.html
  #secret: insecure_session_secret
  ## The values for expiration, inactivity, and remember_me_duration are in seconds or the duration notation format.
  ## See: https://www.authelia.com/docs/configuration/index.html#duration-notation-format
  ## All three of these values affect the cookie/session validity period. Longer periods are considered less secure
  ## because a stolen cookie will last longer, giving attackers more time to spy or attack.
  ## The time before the cookie expires and the session is destroyed if remember me IS NOT selected.
  expiration: 1h
  ## The inactivity time before the session is reset. If expiration is set to 1h, and this is set to 5m, and the user
  ## does not select the remember me option, their session will get destroyed after 1h, or after 5m since the last time
  ## Authelia detected user activity.
  inactivity: 5m
  ## The time before the cookie expires and the session is destroyed if remember me IS selected.
  ## Value of 0 disables remember me.
  remember_me_duration: 1M

##
## Regulation Configuration
##
## This mechanism prevents attackers from brute forcing the first factor. It bans the user if too many attempts are made
## in a short period of time.
regulation:
  ## The number of failed login attempts before the user is banned. Set it to 0 to disable regulation.
  max_retries: 3
  ## The time range during which the user can attempt login before being banned. The user is banned if the
  ## authentication failed 'max_retries' times in a 'find_time' window. Find Time accepts duration notation.
  ## See: https://www.authelia.com/docs/configuration/index.html#duration-notation-format
  find_time: 2m
  ## The length of time before a banned user can login again. Ban Time accepts duration notation.
  ## See: https://www.authelia.com/docs/configuration/index.html#duration-notation-format
  ban_time: 5m

##
## Storage Provider Configuration
##
## The available providers are: `local`, `mysql`, `postgres`. You must use one and only one of these providers.
storage:
  ## The encryption key that is used to encrypt sensitive information in the database. Must be a string with a minimum
  ## length of 20. Please see the docs if you configure this with an undesirable key and need to change it.
  encryption_key: myverysecretencryptionkey

  ##
  ## MySQL / MariaDB (Storage Provider)
  ##
  mysql:
    host: autheliadb
    port: 3306
    database: authelia
    username: dbuser
    ## Password can also be set using a secret: https://www.authelia.com/docs/configuration/secrets.html
    #password: mypassword
    timeout: 5s

##
## Notification Provider
##
## Notifications are sent to users when they require a password reset, a U2F registration or a TOTP registration.
## The available providers are: filesystem, smtp. You must use only one of these providers.
notifier:
  ## You can disable the notifier startup check by setting this to true.
  disable_startup_check: false

  ##
  ## SMTP (Notification Provider)
  ##
  ## Use an SMTP server for sending notifications. Authelia uses the PLAIN or LOGIN methods to authenticate.
  ## [Security] By default Authelia will:
  ##   - force all SMTP connections over TLS including unauthenticated connections
  ##     - use the disable_require_tls boolean value to disable this requirement
  ##       (only works for unauthenticated connections)
  ##   - validate the SMTP server x509 certificate during the TLS handshake against the host's trusted certificates
  ##     (configure in tls section)
  smtp:
    ## The SMTP host to connect to.
    host: smtp.gmail.com
    ## The port to connect to the SMTP host on.
    port: 587
    ## The connection timeout.
    timeout: 5s
    ## The username used for SMTP authentication.
    username: youremail@gmail.com
    ## The password used for SMTP authentication.
    ## Can also be set using a secret: https://www.authelia.com/docs/configuration/secrets.html
    #password: password
    ## The sender is used for the MAIL FROM command and the FROM header.
    ## If this is not defined and the username is an email, we use the username as this value. This can either be just
    ## an email address or the RFC5322 'Name <email address>' format.
    sender: "Authelia <youremail@gmail.com>"
    ## HELO/EHLO Identifier. Some SMTP Servers may reject the default of localhost.
    identifier: localhost
    ## Subject configuration of the emails sent. {title} is replaced by the text from the notifier.
    subject: "[Authelia] {title}"
    ## This address is used during the startup check to verify the email configuration is correct.
    ## It's not important what it is except if your email server only allows local delivery.
    startup_check_address: test@authelia.com
    ## By default we require some form of TLS. This disables this check, though it is not advised.
    disable_require_tls: false
    ## Disables sending HTML formatted emails.
    disable_html_emails: false
    tls:
      ## Server Name for certificate validation (in case you are using the IP or non-FQDN in the host option).
      server_name: smtp.gmail.com
      ## Skip verifying the server certificate (to allow a self-signed certificate).
      ## In preference to setting this we strongly recommend you add the public portion of the certificate to the
      ## certificates directory which is defined by the `certificates_directory` option at the top of the config.
      skip_verify: false
      ## Minimum TLS version for either StartTLS or SMTPS.
      minimum_version: TLS1.2
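Worked example (added here, not part of the pasted config nor Authelia's own code): a simplified model of the access_control evaluation described in the comments above, run over this page's two rules. It shows why the empty `networks:` on the first rule makes the `bypass` apply to every client, that `*.yourdomain.nl` does not cover the apex domain, and that unlisted hosts fall through to `default_policy: deny`. Subject handling is simplified to a flat OR list; `RULES_WITH_NETWORK` and the sample IPs are constructed for illustration.

```python
import ipaddress
import re

# Rules transcribed from the page's access_control section; first match wins, else DEFAULT_POLICY.
DEFAULT_POLICY = "deny"
RULES = [
    {"domain": ["subdomain.yourdomain.nl"], "networks": [], "policy": "bypass"},
    {"domain": ["*.yourdomain.nl"], "policy": "two_factor"},
]
# Constructed hardened variant: the bypass only applies from a trusted LAN range.
RULES_WITH_NETWORK = [
    {"domain": ["subdomain.yourdomain.nl"], "networks": ["192.168.1.0/24"], "policy": "bypass"},
    RULES[1],
]

def domain_matches(pattern: str, host: str) -> bool:
    # A leading "*." matches any subdomain but not the apex domain itself.
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern

def subject_matches(subjects, user, groups) -> bool:
    # No 'subject' key means the rule applies to every user (simplified: flat OR over entries).
    if not subjects:
        return True
    for entry in subjects:
        kind, _, name = entry.partition(":")
        if (kind == "user" and name == user) or (kind == "group" and name in groups):
            return True
    return False

def network_matches(networks, client_ip: str) -> bool:
    # An empty or absent 'networks' list (like the page's bare "networks:") matches every client.
    if not networks:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(cidr, strict=False) for cidr in networks)

def resource_matches(resources, path: str) -> bool:
    return not resources or any(re.search(pattern, path) for pattern in resources)

def policy_for(host, path="/", user=None, groups=(), client_ip="203.0.113.7", rules=RULES):
    """Return the policy of the first rule matching (domain, subject, network, resource)."""
    for rule in rules:
        if (any(domain_matches(d, host) for d in rule["domain"])
                and subject_matches(rule.get("subject"), user, groups)
                and network_matches(rule.get("networks"), client_ip)
                and resource_matches(rule.get("resources"), path)):
            return rule["policy"]
    return DEFAULT_POLICY
```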
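Worked example (added here, not from the pasted config or Authelia's code base): what the `totp:` settings above mean in practice. It implements RFC 6238 TOTP with the page's parameters (HMAC-SHA256, 6 digits, 30-second period) and a verifier whose acceptance window is governed by `skew`, so you can see that `skew: 1` accepts a code from one step before or after the current one and rejects anything older. The seed used in the test is the RFC 6238 SHA-256 test seed, not a real user secret.

```python
import hashlib
import hmac
import struct

# Mirrors the page's totp: section.
ALGORITHM = hashlib.sha256
DIGITS = 6
PERIOD = 30
SKEW = 1

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP using the configured hash; TOTP feeds it the time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), ALGORITHM).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)

def totp(secret: bytes, at: int) -> str:
    """Code valid for the 30-second step containing unix time `at`."""
    return hotp(secret, at // PERIOD)

def verify(secret: bytes, code: str, at: int, skew: int = SKEW) -> bool:
    """Accept the current step and `skew` steps either side; larger skew widens the replay window."""
    step = at // PERIOD
    return any(hmac.compare_digest(hotp(secret, step + delta), code)
               for delta in range(-skew, skew + 1))
```

Authelia additionally records used codes so a valid one cannot be replayed inside the window; this model only shows the time-window part.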
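Worked example (added here; a constructed model, not Authelia's regulation implementation): the brute-force regulation described above, with the page's `max_retries: 3`, `find_time: 2m` and `ban_time: 5m`. It shows that three failures inside a two-minute window ban the account for five minutes, while the same three failures spread over more than two minutes do not. Timestamps are unix seconds passed in explicitly so the behaviour is deterministic.

```python
from collections import defaultdict, deque

MAX_RETRIES = 3   # regulation.max_retries (0 would disable regulation)
FIND_TIME = 120   # regulation.find_time: 2m, in seconds
BAN_TIME = 300    # regulation.ban_time: 5m, in seconds

class Regulator:
    def __init__(self):
        self.failures = defaultdict(deque)  # username -> timestamps of recent failed attempts
        self.banned_until = {}              # username -> unix time at which the ban lifts

    def is_banned(self, user: str, now: int) -> bool:
        return self.banned_until.get(user, 0) > now

    def record_failure(self, user: str, now: int) -> bool:
        """Record a failed first-factor attempt; return True if it triggers a ban."""
        if MAX_RETRIES == 0:
            return False
        window = self.failures[user]
        window.append(now)
        # Drop attempts that fell out of the find_time window.
        while window and now - window[0] > FIND_TIME:
            window.popleft()
        if len(window) >= MAX_RETRIES:
            self.banned_until[user] = now + BAN_TIME
            window.clear()
            return True
        return False

    def record_success(self, user: str) -> None:
        self.failures.pop(user, None)
```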