### Example Server Configuration Source: https://www.authelia.com/configuration/miscellaneous/server This is a comprehensive example of the server configuration section. It is not necessarily a valid configuration but serves as a contextual layout. ```yaml server: address: 'tcp://:9091/' disable_healthcheck: false tls: key: '' certificate: '' client_certificates: [] headers: csp_template: '' buffers: read: 4096 write: 4096 timeouts: read: '6s' write: '6s' idle: '30s' endpoints: enable_pprof: false enable_expvars: false authz: {} ## See the dedicated "Server Authz Endpoints" configuration guide. rate_limits: {} ## See the dedicated "Server Endpoint Rate Limits" configuration guide. ``` -------------------------------- ### Configuration Key Example Source: https://www.authelia.com/contributing/guidelines/style Example of how to document configuration keys using stylized icons. This format is used within configuration documentation. ```html {{< confkey type="string" default="none" required="no" >}} ``` -------------------------------- ### Example Rule Matching with Domain and Path Source: https://www.authelia.com/configuration/security/access-control Demonstrates how rules are matched sequentially. This example shows a bypass rule for specific domains and paths, followed by a more specific two-factor rule for a subdomain. The first rule matches requests to 'example.com' or its subdomains with paths starting with '/api/', preventing the second rule from being evaluated for 'app.example.com/api'. ```yaml - domain: - 'example.com' - '*.example.com' policy: 'bypass' resources: - '^/api$' - '^/api/' - domain: - 'app.example.com' policy: 'two_factor' ``` -------------------------------- ### Example Authelia Configuration Source: https://www.authelia.com/configuration/miscellaneous/introduction This is an example configuration layout and may not be a valid configuration. Refer to the options section for detailed explanations. ```yaml certificates_directory: '/config/certs/' default_redirection_url: 'https://home.example.com:8080/' theme: 'light' ``` -------------------------------- ### Install pam_authelia on Debian/Ubuntu Source: https://www.authelia.com/integration/guides/pam-authelia Installs the pam_authelia package from the Authelia APT repository. Ensure the repository is added first. ```bash sudo apt update && sudo apt install pam_authelia ``` -------------------------------- ### Clone and Install Dependencies Source: https://www.authelia.com/contributing/prologue/documentation-contributions Clone the Authelia repository and install project dependencies using pnpm. ```bash git clone https://github.com/authelia/authelia.git cd authelia/docs pnpm install pnpm dev ``` -------------------------------- ### Example MySQL Configuration Source: https://www.authelia.com/configuration/storage/mysql This is an example configuration for the MySQL storage integration. It is not intended to be a valid configuration but provides a contextual layout. Ensure to consult the options section for detailed understanding. ```yaml storage: encryption_key: 'a_very_important_secret' mysql: address: 'tcp://127.0.0.1:3306' database: 'authelia' username: 'authelia' password: 'mypassword' timeout: '5s' tls: server_name: 'mysql.example.com' skip_verify: false minimum_version: 'TLS1.2' maximum_version: 'TLS1.3' certificate_chain: | -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- private_key: | -----BEGIN PRIVATE KEY----- ... -----END PRIVATE KEY----- ``` -------------------------------- ### Example WebAuthn Configuration Source: https://www.authelia.com/configuration/second-factor/webauthn This is an example configuration for WebAuthn. It is not guaranteed to be valid and should be used as a contextual layout reference. Consult the options section for individual option details. ```yaml webauthn: disable: false enable_passkey_login: false display_name: 'Authelia' attestation_conveyance_preference: 'indirect' timeout: '60 seconds' filtering: permitted_aaguids: [] prohibited_aaguids: [] prohibit_backup_eligibility: false selection_criteria: attachment: '' discoverability: 'preferred' user_verification: 'preferred' metadata: enabled: false cache_policy: strict validate_trust_anchor: true validate_entry: true validate_entry_permit_zero_aaguid: false validate_status: true validate_status_permitted: [] validate_status_prohibited: - 'REVOKED' - 'USER_KEY_PHYSICAL_COMPROMISE' - 'USER_KEY_REMOTE_COMPROMISE' - 'USER_VERIFICATION_BYPASS' - 'ATTESTATION_KEY_COMPROMISE' ``` -------------------------------- ### Install Authelia using Nix Source: https://www.authelia.com/integration/deployment/bare-metal Installs Authelia using the Nix package manager by adding the unstable channel and then installing the `authelia` package. Note that the unstable channel may contain third-party packages. ```bash nix-channel --add https://nixos.org/channels/nixpkgs-unstable nix-channel --update nix-env -iA nixpkgs.authelia ``` -------------------------------- ### Example Network Configuration Source: https://www.authelia.com/configuration/definitions/network This is an example configuration for defining named network lists. It shows how to specify IP addresses and CIDR notations for network definitions. ```yaml definitions: network: network_name: - '192.168.1.0/24' - '192.168.2.20' - '2001:db8::/32' - '2001:db8:1234:5678::1' ``` -------------------------------- ### Install Built Authelia PAM Artifacts Source: https://www.authelia.com/integration/guides/pam-authelia Install the compiled Authelia PAM binary and shared object. The destination for the .so file is determined by finding the existing pam_unix.so location. ```bash sudo install -m 0755 pam_authelia /usr/bin/pam_authelia sudo install -m 0644 shim/pam_authelia.so \ "$(dirname "$(find /lib /usr/lib -name pam_unix.so -print -quit)")/pam_authelia.so" ``` -------------------------------- ### Example PostgreSQL Configuration Source: https://www.authelia.com/configuration/storage/postgres This is an example configuration for PostgreSQL storage. It is not intended to be a valid configuration but provides a contextual layout. Ensure to consult the options section for detailed explanations. ```yaml storage: encryption_key: 'a_very_important_secret' postgres: address: 'tcp://127.0.0.1:5432' servers: [] database: 'authelia' schema: 'public' username: 'authelia' password: 'mypassword' timeout: '5s' tls: server_name: 'postgres.example.com' skip_verify: false minimum_version: 'TLS1.2' maximum_version: 'TLS1.3' certificate_chain: | -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- private_key: | -----BEGIN PRIVATE KEY----- ... -----END PRIVATE KEY----- ``` -------------------------------- ### Install pam_authelia from .deb on Debian/Ubuntu Source: https://www.authelia.com/integration/guides/pam-authelia Installs a specific .deb release of pam_authelia. Useful for pinning versions or when the APT repository is unavailable. ```bash apt install ./.deb ``` -------------------------------- ### OpenID Connect Client Configuration Example Source: https://www.authelia.com/configuration/identity-providers/openid-connect/clients This is an example configuration for an OpenID Connect client. It demonstrates the structure and various parameters available for client registration, including authentication, response types, and token handling. ```yaml identity_providers: oidc: clients: - client_id: 'unique-client-identifier' client_name: 'My Application' client_secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'. sector_identifier_uri: 'https://example.com/sector.json' public: false redirect_uris: - 'https://oidc.example.com:8080/oauth2/callback' request_uris: - 'https://oidc.example.com:8080/oidc/request-object.jwk' audience: - 'https://app.example.com' scopes: - 'openid' - 'groups' - 'email' - 'profile' grant_types: - 'refresh_token' - 'authorization_code' response_types: - 'code' response_modes: - 'form_post' - 'query' - 'fragment' authorization_policy: 'two_factor' lifespan: '' claims_policy: '' requested_audience_mode: 'explicit' consent_mode: 'explicit' pre_configured_consent_duration: '1 week' require_pushed_authorization_requests: false require_pkce: false pkce_challenge_method: 'S256' authorization_signed_response_key_id: '' authorization_signed_response_alg: 'RS256' authorization_encrypted_response_key_id: '' authorization_encrypted_response_alg: 'none' authorization_encrypted_response_enc: 'A128CBC-HS256' id_token_signed_response_key_id: '' id_token_signed_response_alg: 'RS256' id_token_encrypted_response_key_id: '' id_token_encrypted_response_alg: 'none' id_token_encrypted_response_enc: 'A128CBC-HS256' access_token_signed_response_key_id: '' access_token_signed_response_alg: 'none' access_token_encrypted_response_key_id: '' access_token_encrypted_response_alg: 'none' access_token_encrypted_response_enc: 'A128CBC-HS256' userinfo_signed_response_key_id: '' userinfo_signed_response_alg: 'none' userinfo_encrypted_response_key_id: '' userinfo_encrypted_response_alg: 'none' userinfo_encrypted_response_enc: 'A128CBC-HS256' introspection_signed_response_key_id: '' introspection_signed_response_alg: 'none' introspection_encrypted_response_key_id: '' introspection_encrypted_response_alg: 'none' introspection_encrypted_response_enc: 'A128CBC-HS256' request_object_signing_alg: 'RS256' request_object_encryption_alg: '' request_object_encryption_enc: '' token_endpoint_auth_method: 'client_secret_basic' token_endpoint_auth_signing_alg: 'RS256' revocation_endpoint_auth_method: 'client_secret_basic' revocation_endpoint_auth_signing_alg: 'RS256' introspection_endpoint_auth_method: 'client_secret_basic' introspection_endpoint_auth_signing_alg: 'RS256' pushed_authorization_request_endpoint_auth_method: 'client_secret_basic' pushed_authorization_request_endpoint_auth_signing_alg: 'RS256' jwks_uri: '' jwks: - key_id: 'example' algorithm: 'RS256' use: 'sig' key: | -----BEGIN RSA PUBLIC KEY----- ... -----END RSA PUBLIC KEY----- certificate_chain: | -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- ``` -------------------------------- ### Network Address Examples Source: https://www.authelia.com/configuration/prologue/common Various examples demonstrating network address formats, including TCP and UDP with and without ports and subpaths. ```text 0.0.0.0 ``` ```text tcp://0.0.0.0 ``` ```text tcp://0.0.0.0/subpath ``` ```text tcp://0.0.0.0:9091 ``` ```text tcp://0.0.0.0:9091/subpath ``` ```text tcp://:9091 ``` ```text tcp://:9091/subpath ``` ```text 0.0.0.0:9091 ``` ```text udp://0.0.0.0:123 ``` ```text udp://:123 ``` ```text unix:///var/lib/authelia.sock ``` -------------------------------- ### Example Session Configuration Source: https://www.authelia.com/configuration/session/introduction This is an example configuration for session settings, including secret, name, same_site, inactivity, expiration, remember_me, and specific cookie domains. It is not a valid configuration and should be used for contextual layout only. ```yaml session: secret: 'insecure_session_secret' name: 'authelia_session' same_site: 'lax' inactivity: '5m' expiration: '1h' remember_me: '1M' cookies: - domain: 'example.com' authelia_url: 'https://auth.example.com' default_redirection_url: 'https://www.example.com' name: 'authelia_session' same_site: 'lax' inactivity: '5m' expiration: '1h' remember_me: '1d' ``` -------------------------------- ### Example Notification Configuration Source: https://www.authelia.com/configuration/notifications/introduction This is an example configuration for the notification section. It shows the general layout and available options but may not be a valid configuration. Ensure you consult the options section for detailed explanations. ```yaml notifier: disable_startup_check: false template_path: '' filesystem: {} smtp: {} ``` -------------------------------- ### Install pam_authelia-bin on Arch Linux Source: https://www.authelia.com/integration/guides/pam-authelia Installs the prebuilt pam_authelia binary artifact on Arch Linux using an AUR helper like paru. No local toolchain is required. ```bash paru -S pam_authelia-bin ``` -------------------------------- ### Install pam_authelia-bin with yay on Arch Linux Source: https://www.authelia.com/integration/guides/pam-authelia Installs the prebuilt pam_authelia binary artifact on Arch Linux using the yay AUR helper. No local toolchain is required. ```bash yay -S pam_authelia-bin ``` -------------------------------- ### Verify Authelia PAM Installation Source: https://www.authelia.com/integration/guides/pam-authelia Verify that the Authelia PAM binary and shared object have been installed correctly and have the expected file modes. ```bash ls -l /usr/bin/pam_authelia ls -l "$(dirname "$(find /lib /usr/lib -name pam_unix.so -print -quit)")/pam_authelia.so" ``` -------------------------------- ### Example Authelia Configuration Source: https://www.authelia.com/configuration/first-factor/introduction This is an example configuration layout for Authelia. It is not a valid configuration and should be used for contextual understanding only. Refer to the options section for detailed explanations. ```yaml authentication_backend: refresh_interval: '5m' password_reset: disable: false custom_url: '' password_change: disable: false ``` -------------------------------- ### Verify Authelia Setup Source: https://www.authelia.com/blog/authelia--traefik-setup-guide Commands to verify the Authelia setup by checking container status and accessing the Traefik dashboard and a protected application. ```bash docker compose ps ``` -------------------------------- ### Example Storage Configuration Source: https://www.authelia.com/configuration/storage/introduction This is an example configuration for Authelia's storage section. It shows the layout and available backend options. Ensure you consult the specific option documentation for valid settings. ```yaml storage: encryption_key: 'a_very_important_secret' local: {} mysql: {} postgres: {} ``` -------------------------------- ### Configure Authelia PAM Module in PAM Stack Source: https://www.authelia.com/integration/guides/pam-authelia Example configuration for the pam_authelia.so module within a PAM stack file (e.g., /etc/pam.d/sshd). This example requires a specific authentication level. ```text auth required pam_authelia.so url=https://auth.example.com auth-level=1FA+2FA ``` -------------------------------- ### Setup Authelia Integration Suite Source: https://www.authelia.com/contributing/development/integration-suites Use this command to deploy the environment for a specific Authelia integration suite. Ensure you have completed prerequisites and bootstrapped the development context. ```bash authelia-scripts suites setup Standalone ``` -------------------------------- ### Configure SQLite3 Storage in Authelia Source: https://www.authelia.com/configuration/storage/sqlite Example configuration for using SQLite3 as Authelia's storage provider. Note that this setup is stateful and not recommended for production or highly available environments. Ensure the 'encryption_key' is kept secret. ```yaml storage: encryption_key: 'a_very_important_secret' local: path: '/config/db.sqlite3' ``` -------------------------------- ### IPv6 Address Example Source: https://www.authelia.com/configuration/prologue/common Example of how to specify an IPv6 address with a scheme and port. ```text tcp://[::1]:80 ``` -------------------------------- ### YAML Configuration Example Source: https://www.authelia.com/configuration/prologue/migration Illustrates how a configuration key like 'server.host' is represented in YAML format. ```yaml server: host: '0.0.0.0' ``` -------------------------------- ### SMTP Configuration Example Source: https://www.authelia.com/configuration/notifications/smtp An example of the SMTP configuration block within the Authelia configuration file. ```APIDOC ## SMTP Configuration Example This section provides an example of how to configure the SMTP notifier in Authelia. ```yaml notifier: disable_startup_check: false smtp: address: 'smtp://127.0.0.1:25' timeout: '5s' username: 'test' password: 'password' sender: "Authelia " identifier: 'localhost' subject: "[Authelia] {title}" startup_check_address: 'test@example.com' disable_require_tls: false disable_starttls: false disable_html_emails: false tls: server_name: 'smtp.example.com' skip_verify: false minimum_version: 'TLS1.2' maximum_version: 'TLS1.3' certificate_chain: | -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- private_key: | -----BEGIN PRIVATE KEY----- ... -----END PRIVATE KEY----- ``` ``` -------------------------------- ### Setup Local Authelia Bundle Source: https://www.authelia.com/integration/deployment/docker This script sets up the local Authelia bundle after cloning the repository. It modifies the /etc/hosts file, requiring sudo privileges. ```bash cd examples/compose/local ./setup.sh ``` -------------------------------- ### YAML Configuration Example Source: https://www.authelia.com/configuration/methods/environment Illustrates a typical YAML structure for Authelia configuration. ```yaml log: level: 'info' server: buffers: read: 4096 ``` -------------------------------- ### Text Log Example Source: https://www.authelia.com/configuration/miscellaneous/logging An example of a log entry formatted as plain text. This format is human-readable and suitable for direct viewing in a terminal. ```text time="2020-01-01T00:00:00+11:00" level=info msg="Logging severity set to info" time="2020-01-01T00:00:00+11:00" level=info msg="Authelia is listening for non-TLS connections on 0.0.0.0:9091" ``` -------------------------------- ### JSON Log Example Source: https://www.authelia.com/configuration/miscellaneous/logging An example of a log entry formatted as JSON. This format includes timestamp, severity level, message, and other relevant details. ```json {"level":"info","msg":"Logging severity set to info","time":"2020-01-01T00:00:00+11:00"} {"level":"info","msg":"Authelia is listening for non-TLS connections on 0.0.0.0:9091","time":"2020-01-01T00:00:00+11:00"} ``` -------------------------------- ### Start Authelia Docker Compose Stack Source: https://www.authelia.com/blog/authelia--traefik-setup-guide Command to start the Authelia and Traefik containers using Docker Compose from the project root directory. ```bash docker compose up -d ``` -------------------------------- ### List Available Suites Source: https://www.authelia.com/contributing/development/build-and-test Lists all available test suites that can be set up and run for integration testing. ```bash authelia-scripts suites list ``` -------------------------------- ### Example Authelia Regulation Configuration Source: https://www.authelia.com/configuration/security/regulation This is an example configuration for Authelia's regulation feature. It demonstrates the layout and available options for preventing brute-force attacks. ```yaml regulation: modes: - 'user' - 'ip' max_retries: 3 find_time: '2m' ban_time: '5m' ``` -------------------------------- ### Environment Variable Mapping Example Source: https://www.authelia.com/configuration/methods/environment Shows how the YAML configuration is translated into environment variables. ```bash AUTHELIA_LOG_LEVEL=info AUTHELIA_SERVER_BUFFERS_READ=4096 ``` -------------------------------- ### Example NTP Configuration Source: https://www.authelia.com/configuration/miscellaneous/ntp This is a sample configuration block for Authelia's NTP settings. It demonstrates the structure and common options available for tuning time synchronization. ```yaml ntp: address: 'udp://time.cloudflare.com:123' version: 3 max_desync: '3s' disable_startup_check: false disable_failure: false ``` -------------------------------- ### Example Reset Password Configuration Source: https://www.authelia.com/configuration/identity-validation/reset-password This example demonstrates the basic structure for configuring the reset password JWT settings. Ensure the jwt_secret is a strong, random string. ```yaml identity_validation: reset_password: jwt_secret: '' jwt_lifespan: '5 minutes' jwt_algorithm: 'HS256' ``` -------------------------------- ### Identity Validation Configuration Example Source: https://www.authelia.com/configuration/identity-validation/introduction This is an example configuration for identity validation. It includes settings for elevated sessions and password resets. Refer to the options section for detailed explanations. ```yaml identity_validation: elevated_session: {} reset_password: {} ``` -------------------------------- ### Build Authelia Go Helper Binary Source: https://www.authelia.com/integration/guides/pam-authelia Build the Go helper binary for the Authelia PAM module using specific build flags for optimization and size reduction. CGO_ENABLED=0 ensures it's a static binary. ```bash CGO_ENABLED=0 go build -trimpath -ldflags '-s -w' -o pam_authelia ./cmd/pam_authelia ``` -------------------------------- ### Run Authelia with Multiple Config Files (Comma-Separated) Source: https://www.authelia.com/configuration/methods/files Provide multiple configuration files to Authelia using a comma-separated list in a single --config argument. Later files override earlier ones. ```bash docker run -d authelia/authelia:latest authelia --config configuration.yml,config-acl.yml,config-other.yml ``` -------------------------------- ### Configure Advanced Query Matching Rules Source: https://www.authelia.com/configuration/security/access-control This example demonstrates complex query parameter matching using AND and OR logic. It shows how to check for the presence/absence of keys and match values against regular expressions. Use quotes for values to prevent potential issues. ```yaml access_control: rules: - domain: 'app.example.com' policy: 'bypass' query: - - operator: 'present' key: 'secure' - operator: 'absent' key: 'insecure' - - operator: 'pattern' key: 'token' value: '^(abc123|zyx789)$' - operator: 'not pattern' key: 'random' value: '^(1|2)$' ``` -------------------------------- ### SMTP Notifier Configuration Example Source: https://www.authelia.com/configuration/notifications/smtp This is an example configuration for the SMTP notifier. It is not intended to be a valid configuration but rather to provide a contextual layout. Refer to the options section for detailed explanations. ```yaml notifier: disable_startup_check: false smtp: address: 'smtp://127.0.0.1:25' timeout: '5s' username: 'test' password: 'password' sender: "Authelia " identifier: 'localhost' subject: "[Authelia] {title}" startup_check_address: 'test@example.com' disable_require_tls: false disable_starttls: false disable_html_emails: false tls: server_name: 'smtp.example.com' skip_verify: false minimum_version: 'TLS1.2' maximum_version: 'TLS1.3' certificate_chain: | -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- private_key: | -----BEGIN PRIVATE KEY----- ... -----END PRIVATE KEY----- ``` -------------------------------- ### Example Server Endpoint Rate Limit Configuration Source: https://www.authelia.com/configuration/miscellaneous/server-endpoint-rate-limits This configuration demonstrates how to set up rate limits for various server endpoints, including password reset, second factor authentication, and OpenID Connect requests. It shows the structure for enabling rate limits and defining multiple buckets with different time periods and request counts. ```yaml server: endpoints: rate_limits: reset_password_start: enable: true buckets: - period: '10 minutes' requests: 5 - period: '15 minutes' requests: 10 - period: '30 minutes' requests: 15 reset_password_finish: enable: true buckets: - period: '1 minute' requests: 10 - period: '2 minutes' requests: 15 second_factor_totp: enable: true buckets: - period: '1 minute' requests: 30 - period: '2 minutes' requests: 40 - period: '10 minutes' requests: 50 second_factor_duo: enable: true buckets: - period: '1 minute' requests: 10 - period: '2 minutes' requests: 15 session_elevation_start: enable: true buckets: - period: '5 minutes' requests: 3 - period: '10 minutes' requests: 5 - period: '1 hour' requests: 15 session_elevation_finish: enable: true buckets: - period: '10 minutes' requests: 3 - period: '20 minutes' requests: 5 - period: '1 hour' requests: 15 openid_connect_token: enable: true buckets: - period: '1 minute' requests: 30 - period: '2 minutes' requests: 40 - period: '10 minutes' requests: 50 - period: '1 hour' requests: 100 openid_connect_pushed_authorization_request: enable: true buckets: - period: '1 minute' requests: 30 - period: '2 minutes' requests: 40 - period: '10 minutes' requests: 50 - period: '1 hour' requests: 100 openid_connect_userinfo: enable: true buckets: - period: '1 minute' requests: 30 - period: '2 minutes' requests: 40 - period: '10 minutes' requests: 50 - period: '1 hour' requests: 100 openid_connect_introspection: enable: true buckets: - period: '1 minute' requests: 30 - period: '2 minutes' requests: 40 - period: '10 minutes' requests: 50 - period: '1 hour' requests: 100 openid_connect_revocation: enable: true buckets: - period: '1 minute' requests: 30 - period: '2 minutes' requests: 40 - period: '10 minutes' requests: 50 - period: '1 hour' requests: 100 ```