NGINX-PM + Authelia + FreeIPA With Multiple Security Groups

This page summarizes the projects mentioned and recommended in the original post on /r/homelab

  • authelia

    The Single Sign-On Multi-Factor portal for web apps

    Authelia `configuration.yml` from the post (secrets redacted, `DOMAIN.TLD` as placeholder), restored to its YAML layout:

    ```yaml
    # yamllint disable rule:comments-indentation
    # https://github.com/authelia/authelia
    # https://www.authelia.com/docs/configuration/
    # https://dbt3ch.com/books/authelia-for-nginx-proxy-manager
    # https://shownotes.opensourceisawesome.com/authelia-authentication/
    ---
    ###############################################################################
    #                            Authelia Configuration                           #
    ###############################################################################

    theme: dark
    jwt_secret: REDACTED
    default_redirection_url: https://home.DOMAIN.TLD/

    # Log Configuration
    log:
      level: info
      format: json
      file_path: /config/authelia.log
      keep_stdout: false

    # Server Configuration
    server:
      host: 0.0.0.0
      port: 9091
      path: ""
      asset_path: /assets/ # Site static configs.
      read_buffer_size: 4096
      write_buffer_size: 4096
      enable_pprof: false
      enable_expvars: false
      disable_healthcheck: false

    # Certificates directory for all other certificates used to verify TLS.
    certificates_directory: /certs/

    # NTP Configuration
    ntp:
      address: "pool.ntp.org:123"
      version: 4
      max_desync: 3s
      disable_startup_check: false
      disable_failure: false

    # TOTP Configuration
    totp:
      issuer: DOMAIN.TLD_SSO
      algorithm: sha256
      digits: 6
      period: 30
      skew: 1

    # Authentication Backend Provider Configuration
    authentication_backend:
      disable_reset_password: false
      refresh_interval: 5m
      ldap:
        implementation: custom
        url: ldaps://ipa.DOMAIN.TLD:636
        timeout: 5s
        start_tls: false
        tls:
          server_name: ipa.DOMAIN.TLD
          # skip_verify: true turns off validation of the FreeIPA LDAP certificate;
          # with the IPA CA placed in certificates_directory this can be set to false.
          skip_verify: true
          minimum_version: TLS1.2
        base_dn: dc=DOMAIN,dc=TLD
        username_attribute: uid
        group_name_attribute: cn
        display_name_attribute: sn
        # Only active (not nsaccountlock'ed) person objects may log in.
        users_filter: (&({username_attribute}={input})(objectClass=person)(!(nsaccountlock=TRUE)))
        # Only the two groups used in access_control are resolved for the user.
        groups_filter: (&(member=uid={input},cn=users,cn=accounts,dc=DOMAIN,dc=TLD)(objectClass=groupOfNames)(|(cn=apps-security)(cn=apps-users)))
        # Bind credentials
        user: uid=BIND-USER,cn=users,cn=accounts,dc=DOMAIN,dc=TLD
        password: REDACTED

    # Access Control Configuration
    access_control:
      default_policy: deny
      # Network rule definitions.
      networks:
        - name: internal
          networks:
            - 10.0.0.0/8
      # Rules for access to apps.
      rules:
        - domain: auth.DOMAIN.TLD
          policy: bypass
        # Security apps: apps-security members, and only from the internal network.
        - domain:
            - app-sec01.DOMAIN.TLD
            - app-sec02.DOMAIN.TLD
            - app-sec03.DOMAIN.TLD
          network: internal
          subject: "group:apps-security"
          policy: two_factor
        # User apps: apps-users members from any network.
        - domain:
            - app-user01.DOMAIN.TLD
            - app-user02.DOMAIN.TLD
            - app-user03.DOMAIN.TLD
          subject: "group:apps-users"
          policy: two_factor

    # Session Provider Configuration
    session:
      name: authelia_session
      domain: DOMAIN.TLD
      same_site: lax
      secret: REDACTED
      expiration: 24h
      inactivity: 120m
      remember_me_duration: 1M
      redis:
        host: REDIS-CONTAINER-NAME
        port: 6379
        password: REDACTED
        database_index: 0
        maximum_active_connections: 8
        minimum_idle_connections: 0

    # Regulation Configuration
    regulation:
      max_retries: 6
      find_time: 2m
      ban_time: 5m

    # Storage Provider Configuration
    storage:
      encryption_key: REDACTED
      mysql:
        host: MARIADB-CONTAINER-NAME
        port: 3306
        database: authelia
        username: authelia
        password: REDACTED
        timeout: 5s

    # Notification Provider
    notifier:
      disable_startup_check: false
      filesystem:
        filename: /config/notification.txt
    ...
    ```
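    The `access_control` section is the part that implements the "multiple security groups" idea: the app-sec hosts require membership of `apps-security` and a source address inside `internal`, while the app-user hosts require only `apps-users` membership, and everything else falls to `default_policy: deny`. The Python below is an added example, not code from the post or from Authelia, that models Authelia's first-matching-rule evaluation for already authenticated users (anonymous requests, which Authelia sends to the login portal, are not modelled) so each rule's effect can be checked against sample requests; hostnames and group names are the post's placeholders, the client IPs are constructed.

    ```python
    import ipaddress

    # Constructed model of the post's access_control section.
    NETWORKS = {"internal": [ipaddress.ip_network("10.0.0.0/8")]}

    RULES = [
        {"domain": ["auth.DOMAIN.TLD"], "policy": "bypass"},
        {"domain": ["app-sec01.DOMAIN.TLD", "app-sec02.DOMAIN.TLD", "app-sec03.DOMAIN.TLD"],
         "network": ["internal"], "subject": ["group:apps-security"], "policy": "two_factor"},
        {"domain": ["app-user01.DOMAIN.TLD", "app-user02.DOMAIN.TLD", "app-user03.DOMAIN.TLD"],
         "subject": ["group:apps-users"], "policy": "two_factor"},
    ]
    DEFAULT_POLICY = "deny"


    def subject_matches(rule, user, groups):
        """A rule without 'subject' matches everyone; otherwise any listed
        'group:NAME' or 'user:NAME' entry matching the caller is enough."""
        if "subject" not in rule:
            return True
        for entry in rule["subject"]:
            kind, _, name = entry.partition(":")
            if (kind == "group" and name in groups) or (kind == "user" and name == user):
                return True
        return False


    def network_matches(rule, ip):
        """A rule without 'network' matches any source address."""
        if "network" not in rule:
            return True
        addr = ipaddress.ip_address(ip)
        return any(addr in net for name in rule["network"] for net in NETWORKS[name])


    def effective_policy(host, ip, user=None, groups=()):
        """Simplified first-match evaluation: the policy of the first rule whose
        domain, network and subject all match, else the default policy."""
        for rule in RULES:
            if host in rule["domain"] and network_matches(rule, ip) \
                    and subject_matches(rule, user, groups):
                return rule["policy"]
        return DEFAULT_POLICY


    if __name__ == "__main__":
        # apps-security member reaching a security app from outside 10.0.0.0/8
        print(effective_policy("app-sec01.DOMAIN.TLD", "203.0.113.5", "alice", ["apps-security"]))
    ```

    The last call returns `deny`: group membership alone is not enough for the app-sec hosts, the request must also come from the internal network.
    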
