Sebastian Krüger
be0fddf796
Only use CookieSession strategy for forward-auth endpoint to ensure browsers receive proper 302 redirects to the login page instead of HTTP Basic auth prompts. When HeaderAuthorization is in the strategies list, it sends www-authenticate headers that trigger browser Basic auth dialogs. For browser-based authentication, we only want CookieSession which handles redirects properly. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
127 lines
2.7 KiB
YAML
127 lines
2.7 KiB
YAML
---
|
|
###############################################################
|
|
# Authelia Configuration #
|
|
###############################################################
|
|
|
|
theme: auto
|
|
|
|
server:
|
|
address: "tcp://:9091"
|
|
headers:
|
|
csp_template: ""
|
|
endpoints:
|
|
authz:
|
|
forward-auth:
|
|
implementation: 'ForwardAuth'
|
|
authn_strategies:
|
|
- name: 'CookieSession'
|
|
|
|
log:
|
|
level: info
|
|
format: text
|
|
|
|
# identity_validation jwt_secret set via environment variable:
|
|
# AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET
|
|
|
|
totp:
|
|
issuer: pivoine.art
|
|
period: 30
|
|
skew: 1
|
|
|
|
webauthn:
|
|
disable: false
|
|
display_name: Pivoine Auth
|
|
attestation_conveyance_preference: indirect
|
|
user_verification: preferred
|
|
timeout: 60s
|
|
|
|
ntp:
|
|
address: "time.cloudflare.com:123"
|
|
version: 4
|
|
max_desync: 3s
|
|
disable_startup_check: false
|
|
disable_failure: false
|
|
|
|
authentication_backend:
|
|
password_reset:
|
|
disable: false
|
|
refresh_interval: 5m
|
|
file:
|
|
path: /etc/authelia/users_database.yml
|
|
watch: true
|
|
password:
|
|
algorithm: argon2
|
|
argon2:
|
|
variant: argon2id
|
|
iterations: 3
|
|
memory: 65536
|
|
parallelism: 4
|
|
key_length: 32
|
|
salt_length: 16
|
|
|
|
access_control:
|
|
default_policy: deny
|
|
rules:
|
|
# Authelia portal itself
|
|
- domain: auth.pivoine.art
|
|
policy: bypass
|
|
|
|
# Services that should be publicly accessible
|
|
- domain:
|
|
- "pivoine.art"
|
|
- "www.pivoine.art"
|
|
policy: bypass
|
|
|
|
# Protected services - require authentication
|
|
- domain:
|
|
- "netdata.pivoine.art"
|
|
- "mailpit.pivoine.art"
|
|
- "scrapy.pivoine.art"
|
|
- "restic.pivoine.art"
|
|
- "traefik.pivoine.art"
|
|
policy: two_factor
|
|
|
|
# Development services
|
|
- domain:
|
|
- "dev.pivoine.art"
|
|
- "n8n.pivoine.art"
|
|
- "asciinema.pivoine.art"
|
|
- "coolify.pivoine.art"
|
|
policy: two_factor
|
|
|
|
# session secret set via environment variable: AUTHELIA_SESSION_SECRET
|
|
session:
|
|
cookies:
|
|
- name: authelia_session
|
|
domain: pivoine.art
|
|
authelia_url: https://auth.pivoine.art
|
|
same_site: lax
|
|
expiration: 1h
|
|
inactivity: 5m
|
|
remember_me: 1M
|
|
|
|
regulation:
|
|
max_retries: 3
|
|
find_time: 2m
|
|
ban_time: 5m
|
|
|
|
# storage encryption_key and postgres password set via environment variables:
|
|
# AUTHELIA_STORAGE_ENCRYPTION_KEY, AUTHELIA_STORAGE_POSTGRES_PASSWORD
|
|
storage:
|
|
postgres:
|
|
host: postgres
|
|
port: 5432
|
|
database: authelia
|
|
username: valknar
|
|
schema: public
|
|
|
|
notifier:
|
|
disable_startup_check: false
|
|
smtp:
|
|
host: net_mailpit
|
|
port: 1025
|
|
sender: auth@pivoine.art
|
|
identifier: auth.pivoine.art
|
|
disable_require_tls: true
|
|
disable_html_emails: false
|