docker-compose/net/authelia/configuration.yml
Sebastian Krüger bec2add16b fix: configure CookieSession strategy for forward-auth endpoint
Added server.endpoints.authz.forward-auth configuration to explicitly
use CookieSession authentication strategy. This ensures browsers
receive HTTP 302 redirects instead of HTTP 401 responses when
accessing protected services while unauthenticated.

Without this configuration, the forward-auth endpoint was returning
401 with Location headers, which browsers don't automatically follow.
With CookieSession strategy, GET requests from browsers will now
receive 302 redirects that automatically redirect to the Authelia
login page.

Authentication strategy order:
1. CookieSession - for browser users (returns 302 redirects)
2. HeaderAuthorization - for API clients (returns 401 with headers)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-15 20:29:46 +01:00


---
###############################################################
#                   Authelia Configuration                    #
###############################################################
# Secrets are never written here: each stanza notes the
# AUTHELIA_* environment variable that supplies its secret.

theme: auto

server:
  address: 'tcp://:9091'
  headers:
    # Empty template: Authelia serves its built-in CSP unchanged.
    csp_template: ''
  endpoints:
    authz:
      forward-auth:
        implementation: 'ForwardAuth'
        # Strategy order is deliberate: CookieSession first so an
        # unauthenticated browser is redirected (302) to the portal;
        # HeaderAuthorization second so API clients still get a 401
        # with the WWW-Authenticate challenge instead of a redirect.
        authn_strategies:
          - name: 'CookieSession'
          - name: 'HeaderAuthorization'

log:
  level: info
  format: text

# identity_validation jwt_secret set via environment variable:
# AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET

totp:
  issuer: pivoine.art
  period: 30
  # Accept one period of clock drift in either direction.
  skew: 1

webauthn:
  disable: false
  display_name: Pivoine Auth
  attestation_conveyance_preference: indirect
  user_verification: preferred
  timeout: 60s

ntp:
  # Startup time sync matters for TOTP: a skewed clock silently
  # breaks code validation, so startup/failure checks stay enabled.
  address: 'time.cloudflare.com:123'
  version: 4
  max_desync: 3s
  disable_startup_check: false
  disable_failure: false

authentication_backend:
  password_reset:
    disable: false
  refresh_interval: 5m
  file:
    path: /etc/authelia/users_database.yml
    # Re-read the users file on change instead of requiring a restart.
    watch: true
    password:
      algorithm: argon2
      argon2:
        # argon2id, 64 MiB, 3 passes, 4 lanes; change only with a
        # matching re-hash of existing entries in users_database.yml.
        variant: argon2id
        iterations: 3
        memory: 65536
        parallelism: 4
        key_length: 32
        salt_length: 16

access_control:
  # Fail closed: any host not matched below is denied.
  default_policy: deny
  rules:
    # The portal itself must stay reachable to complete a login.
    - domain: auth.pivoine.art
      policy: bypass
    # Public sites: no authentication.
    - domain:
        - 'pivoine.art'
        - 'www.pivoine.art'
      policy: bypass
    # Operational dashboards and mail/backup tooling: 2FA required.
    - domain:
        - 'netdata.pivoine.art'
        - 'mailpit.pivoine.art'
        - 'scrapy.pivoine.art'
        - 'restic.pivoine.art'
        - 'traefik.pivoine.art'
      policy: two_factor
    # Development and automation services: 2FA required.
    - domain:
        - 'dev.pivoine.art'
        - 'n8n.pivoine.art'
        - 'asciinema.pivoine.art'
        - 'coolify.pivoine.art'
      policy: two_factor

# session secret set via environment variable: AUTHELIA_SESSION_SECRET
session:
  cookies:
    - name: authelia_session
      # Parent domain so one session covers every *.pivoine.art service.
      domain: pivoine.art
      authelia_url: https://auth.pivoine.art
      same_site: lax
      expiration: 1h
      inactivity: 5m
      remember_me: 1M

regulation:
  # 3 failed attempts within 2 minutes lock the account for 5 minutes.
  max_retries: 3
  find_time: 2m
  ban_time: 5m

# storage encryption_key and postgres password set via environment variables:
# AUTHELIA_STORAGE_ENCRYPTION_KEY, AUTHELIA_STORAGE_POSTGRES_PASSWORD
storage:
  postgres:
    host: postgres
    port: 5432
    database: authelia
    username: valknar
    schema: public

notifier:
  disable_startup_check: false
  smtp:
    # net_mailpit:1025 is presumably the compose-internal mail sink, which
    # is why TLS is not required here; an external relay should not
    # inherit disable_require_tls: true.
    host: net_mailpit
    port: 1025
    sender: auth@pivoine.art
    identifier: auth.pivoine.art
    disable_require_tls: true
    disable_html_emails: false
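Review bot: The new `server.endpoints.authz.forward-auth` stanza carries no comment explaining why `CookieSession` is listed before `HeaderAuthorization`, even though that ordering is the whole purpose of the commit and a later reorder would silently bring back the 401-for-browsers behaviour described in the message. I would add above `authn_strategies:` the comment `# Order matters: CookieSession first so browsers get a 302 to the portal; HeaderAuthorization second so API clients get a 401 challenge.` The `HeaderAuthorization` entry also declares no `schemes`, so it relies on Authelia's default scheme set; if only a specific scheme is intended for API clients, pinning `schemes:` explicitly would make that contract visible in the file rather than in the upstream default.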