
Authelia

docker-compose.yml

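version: '3.3'

services:
  authelia:
    # ':latest' is a mutable tag, so a plain redeploy can pull a different
    # image than the one that was validated. Pin a specific release tag (or an
    # image digest) once the setup works so that upgrades are deliberate.
    image: authelia/authelia:latest
    container_name: authelia
    volumes:
      # Configuration, assets and the local sqlite database all live under
      # /config (see asset_path and storage.local.path in the config file).
      - ./authelia:/config
    ports:
      # Published only on 10.3.0.4, not on every host interface. Quoted so the
      # mapping is always read as a string (host:port:port values are a known
      # YAML 1.1 retyping trap).
      - '10.3.0.4:9091:9091'
    expose:
      - 9091
    restart: unless-stopped
    healthcheck:
      ## In production the healthcheck section should be commented.
      disable: true
    environment:
      # Secrets do not need to be written into the config file: the *_FILE
      # variables mentioned there (e.g. AUTHELIA_JWT_SECRET_FILE) can point at
      # mounted secret files instead.
      - TZ=Europe/Madrid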

Fichero de configuración. Debe ubicarse dentro de la carpeta authelia, en la raíz del proyecto, antes de arrancar el contenedor:

---
###############################################################
#                   Authelia configuration                    #
###############################################################

theme: dark

# Placeholder: replace with a long random value before the container starts.
# It can also be supplied through the AUTHELIA_JWT_SECRET_FILE environment
# variable instead of being written into this file.
jwt_secret: XXX
# Fallback redirect target after login when the request carries no target URL.
default_redirection_url: https://auth.sogeti.es

server:
  # Listens on all container interfaces; what is reachable from outside is
  # decided by the compose port binding (10.3.0.4:9091 in docker-compose.yml).
  host: 0.0.0.0
  port: 9091
  # Served from the /config volume mounted by the compose file.
  asset_path: /config/assets/

log:
  # 'debug' is verbose and may write request and lookup details to the
  # container log; consider lowering it (e.g. 'info') once the setup works.
  level: debug
# NOTE: the AUTHELIA_JWT_SECRET_FILE environment variable applies to
# jwt_secret above, not to the log section.

totp:
  # Name shown by authenticator apps next to the generated codes. This is the
  # upstream example value; presumably it should be this deployment's own
  # name or domain — confirm.
  issuer: authelia.com

# duo_api:
#  hostname: api-123456789.example.com
#  integration_key: ABCDEF
#  # This secret can also be set using the env variables AUTHELIA_DUO_API_SECRET_KEY_FILE
#  secret_key: 1234567890abcdefghifjkl

#authentication_backend:
#  password_reset:
#    disable: false
#  file:
#    path: /config/users_database.yml

authentication_backend:
  # Password reset through authelia works normally.
  password_reset:
    disable: false
  # How often authelia should check if there is an user update in LDAP
  refresh_interval: 1m
  ldap:
    implementation: custom
    # Pattern is ldap://HOSTNAME-OR-IP:PORT
    # Normal ldap port is 389, standard in LLDAP is 3890
    # ldap:// with start_tls disabled below means the bind credentials and all
    # user/group lookups travel in clear text. Keep this traffic confined to a
    # trusted segment (10.3.0.4 appears to be the same address the compose
    # file publishes Authelia on) or add TLS once the directory supports it.
    url: ldap://10.3.0.4:3890
    # The dial timeout for LDAP.
    timeout: 5s
    # Use StartTLS with the LDAP connection, TLS not supported right now
    start_tls: false
    #tls:
    #  skip_verify: false
    #  minimum_version: TLS1.2
    # Set base dn, like dc=google,dc=com
    base_dn: dc=sogeti,dc=es
    username_attribute: uid
    # You need to set this to ou=people, because all users are stored in this ou!
    additional_users_dn: ou=people
    # To allow sign in both with username and email, one can use a filter like
    # (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
    #users_filter: "(&({username_attribute}={input})(objectClass=person))"
    # Active filter: accepts either the username or the mail attribute as the
    # login name.
    users_filter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))"
    # Set this to ou=groups, because all groups are stored in this ou
    additional_groups_dn: ou=groups
    # Only this filter is supported right now
    groups_filter: "(member={dn})"
    # The attribute holding the name of the group.
    group_name_attribute: cn
    # Email attribute
    mail_attribute: mail
    # The attribute holding the display name of the user. This will be used to greet an authenticated user.
    display_name_attribute: displayName
    # The username and password of the admin user.
    # "admin" should be the admin username you set in the LLDAP configuration
    # Least privilege: a dedicated service account is preferable to the
    # directory admin. NOTE(review): with password_reset enabled the account
    # must be allowed to change user passwords — confirm what the LLDAP side
    # requires before narrowing its rights.
    user: uid=admin,ou=people,dc=sogeti,dc=es
    # Password can also be set using a secret: https://www.authelia.com/docs/configuration/secrets.html
    # Placeholder: replace before deployment; prefer the secret mechanism above
    # over a literal value in a file that may end up in version control.
    password: XXX

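access_control:
  # Anything not matched by a rule below is denied.
  default_policy: deny
  # Named network used by the "BYPASS BY IP" rules; requests whose source
  # address falls in these ranges skip authentication for those rules.
  networks:
    - name: sogeti
      networks:
        - '198.184.231.0/24'
        - '213.229.149.0/24'
  # Rules are evaluated in order and the first matching rule decides the
  # policy, so a broad rule placed early shadows narrower rules after it.
  rules:
    # BYPASS FILTERED
    - domain: ntfy.sogeti.es
      policy: bypass
      resources:
        - '^/sgt(.*)?$'
    - domain: n8n.sogeti.es
      policy: bypass
      resources:
        - '^/webhook-test/.*$'
        - '^/webhook/.*$'

    # TWO_FACTOR FILTERED
    # NOTE(review): for an anonymous visitor coming from the 'sogeti' network,
    # whether this subject-bound rule or the "BYPASS BY IP" rule below wins
    # depends on how Authelia treats subject criteria for unauthenticated
    # users — confirm the intended behaviour for this folder.
    - domain: docslabs.sogeti.es
      policy: two_factor
      subject:
        - ['group:users_lab']
      # The path contains non-ASCII characters and a space; browsers send it
      # percent-encoded, so confirm the pattern matches the path exactly as
      # Authelia receives it from the proxy.
      resources:
        - '^/Documentación Técnica/.*$'

    # BYPASS BY IP
    - domain:
        - docslabs.sogeti.es
        - dashlabs.sogeti.es
      policy: bypass
      networks:
        - 'sogeti'

    # BYPASS BY IP FILTERED
    - domain:
        - statuslabs.sogeti.es
      policy: bypass
      networks:
        - 'sogeti'
      resources:
        - '^/status/.*$'

    # ADMINS
    - domain:
        - proxy.sogeti.es
        - userslab.sogeti.es
        - statuslabs.sogeti.es
        - grafanalabs.sogeti.es
      policy: two_factor
      subject:
        - ['group:admins_lab']

    # TWO_FACTOR
    - domain:
        #- n8n.sogeti.es
        - docslabs.sogeti.es
        - ntfy.sogeti.es
        #- sonarlabs.sogeti.es
        - dashlabs.sogeti.es
        - linkslabs.sogeti.es
      policy: two_factor
      subject:
        - ['group:users_lab']

    # BYPASS FULL ACCESS
    # These hosts get no authentication from Authelia at all; they must
    # enforce their own.
    - domain:
        - sogetilabsblog.sogeti.es
        - vaultlabs.sogeti.es
        #- ntfy.sogeti.es
      policy: bypass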

session:
  name: authelia_session
  # This secret can also be set using the env variables AUTHELIA_SESSION_SECRET_FILE
  # Placeholder: replace with a long random value before deployment.
  secret: XXX
  expiration: 3600  # 1 hour
  inactivity: 300  # 5 minutes
  # The session cookie is scoped to this domain and is therefore sent to every
  # sogeti.es subdomain behind the proxy, including the bypassed ones.
  domain: sogeti.es  # Should match whatever your root protected domain is

#  redis:
#    host: redis
#    port: 6379
#    # This secret can also be set using the env variables AUTHELIA_SESSION_REDIS_PASSWORD_FILE
#    password: authelia

regulation:
  # Brute-force throttling: presumably max_retries failed logins within
  # find_time lead to a ban lasting ban_time, with both times in seconds as
  # for expiration/inactivity above — confirm against the Authelia version in
  # use.
  max_retries: 3
  find_time: 120
  ban_time: 300

storage:
  # Placeholder: must be a random value set before first start; it protects
  # the sensitive material Authelia keeps in the database (TOTP secrets among
  # them). Handle it like the other secrets in this file.
  encryption_key: XXX
  local:
    # Inside the /config volume mounted by the compose file, so it persists
    # across container restarts; back it up together with ./authelia.
    path: /config/db.sqlite3

notifier:
  smtp:
    username: sogetilabspain@gmail.com
    # This secret can also be set using the env variables AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
    # Placeholder: for a Gmail account this is presumably an app-specific
    # password rather than the account password — verify.
    password: XXX
    host: smtp.gmail.com
    # 465 is the SMTPS (implicit TLS) port; confirm Authelia negotiates TLS on
    # it rather than sending credentials in clear text.
    port: 465
    sender: sogetilabspain@gmail.com