Environment
Authelia has a layered configuration model. This section describes how to implement the environment configuration.
Environment variables are applied after the configuration file, meaning anything specified as part of the environment overrides the configuration files.
Please Note: It is not possible to configure the access control rules section or OpenID Connect identity provider clients section using environment variables at this time.
Prefix
The environment variables must be prefixed with AUTHELIA_. All environment variables that start with this prefix must be for configuration. Any supplied environment variables that have this prefix and are not meant for configuration will likely result in an error or, even worse, a misconfiguration.
Kubernetes
Please see the Kubernetes Integration: Enable Service Links documentation for specific requirements for using Authelia with Kubernetes.
Mapping
Configuration options are mapped by their name. Levels of indentation / subkeys are replaced by underscores.
For example this YAML configuration:
log:
  level: info
server:
  buffers:
    read: 4096
Can be replaced by this environment variable configuration:
AUTHELIA_LOG_LEVEL=info
AUTHELIA_SERVER_BUFFERS_READ=4096
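The mapping and prefix rules above, as an added example that is not Authelia's own code: it derives variable names from dotted keys, applies recognised overrides on top of file values, and reports prefixed variables that match no known key. `KNOWN_KEYS` is a subset of the table on this page, the sample file and environment are constructed, and `AUTHELIA_SERVICE_HOST` assumes a Kubernetes Service named `authelia` with service links enabled.

```python
import copy

PREFIX = "AUTHELIA_"
# Subset of the configuration keys from the table on this page.
KNOWN_KEYS = ["theme", "log.level", "log.file_path", "server.buffers.read"]

def to_env_name(key):
    """Dotted configuration key -> environment variable name."""
    return PREFIX + key.replace(".", "_").upper()

# Keys contain underscores themselves (file_path), so a variable name cannot
# be split back into levels; reverse lookups need a table of known keys.
ENV_TO_KEY = {to_env_name(k): k for k in KNOWN_KEYS}

def audit(environ):
    """Return (overrides keyed by config key, unrecognised prefixed names)."""
    overrides, unknown = {}, []
    for name in sorted(environ):
        if not name.startswith(PREFIX):
            continue  # outside the AUTHELIA_ namespace
        if name in ENV_TO_KEY:
            overrides[ENV_TO_KEY[name]] = environ[name]
        else:
            unknown.append(name)  # prefixed but not a known key
    return overrides, unknown

def apply_overrides(file_config, overrides):
    """Environment is applied after the file, so its values win."""
    merged = copy.deepcopy(file_config)
    for key, value in overrides.items():
        *parents, leaf = key.split(".")
        node = merged
        for part in parents:
            node = node.setdefault(part, {})
        node[leaf] = value  # kept as a string; type decoding is not modelled
    return merged

# Constructed sample input, not taken from a real deployment.
SAMPLE_FILE = {"log": {"level": "debug"}, "server": {"buffers": {"read": 1024}}}
SAMPLE_ENV = {
    "AUTHELIA_LOG_LEVEL": "info",
    "AUTHELIA_SERVER_BUFFERS_READ": "4096",
    "AUTHELIA_SERVICE_HOST": "10.0.0.12",  # assumed Kubernetes service link
    "PATH": "/usr/bin",
}

if __name__ == "__main__":
    overrides, unknown = audit(SAMPLE_ENV)
    print("effective:", apply_overrides(SAMPLE_FILE, overrides))
    print("unrecognised:", unknown)
```

Running the audit against the real process environment (`audit(os.environ)`) before starting the service surfaces stray prefixed variables early; names that are valid but missing from `KNOWN_KEYS` will also be reported until the list is extended.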
Environment Variables
Configuration Key | Environment Variable |
---|---|
theme | AUTHELIA_THEME |
certificates_directory | AUTHELIA_CERTIFICATES_DIRECTORY |
default_redirection_url | AUTHELIA_DEFAULT_REDIRECTION_URL |
default_2fa_method | AUTHELIA_DEFAULT_2FA_METHOD |
log.level | AUTHELIA_LOG_LEVEL |
log.format | AUTHELIA_LOG_FORMAT |
log.file_path | AUTHELIA_LOG_FILE_PATH |
log.keep_stdout | AUTHELIA_LOG_KEEP_STDOUT |
identity_providers.oidc.access_token_lifespan | AUTHELIA_IDENTITY_PROVIDERS_OIDC_ACCESS_TOKEN_LIFESPAN |
identity_providers.oidc.authorize_code_lifespan | AUTHELIA_IDENTITY_PROVIDERS_OIDC_AUTHORIZE_CODE_LIFESPAN |
identity_providers.oidc.id_token_lifespan | AUTHELIA_IDENTITY_PROVIDERS_OIDC_ID_TOKEN_LIFESPAN |
identity_providers.oidc.refresh_token_lifespan | AUTHELIA_IDENTITY_PROVIDERS_OIDC_REFRESH_TOKEN_LIFESPAN |
identity_providers.oidc.enable_client_debug_messages | AUTHELIA_IDENTITY_PROVIDERS_OIDC_ENABLE_CLIENT_DEBUG_MESSAGES |
identity_providers.oidc.minimum_parameter_entropy | AUTHELIA_IDENTITY_PROVIDERS_OIDC_MINIMUM_PARAMETER_ENTROPY |
identity_providers.oidc.enforce_pkce | AUTHELIA_IDENTITY_PROVIDERS_OIDC_ENFORCE_PKCE |
identity_providers.oidc.enable_pkce_plain_challenge | AUTHELIA_IDENTITY_PROVIDERS_OIDC_ENABLE_PKCE_PLAIN_CHALLENGE |
identity_providers.oidc.cors.allowed_origins_from_client_redirect_uris | AUTHELIA_IDENTITY_PROVIDERS_OIDC_CORS_ALLOWED_ORIGINS_FROM_CLIENT_REDIRECT_URIS |
authentication_backend.password_reset.disable | AUTHELIA_AUTHENTICATION_BACKEND_PASSWORD_RESET_DISABLE |
authentication_backend.password_reset.custom_url | AUTHELIA_AUTHENTICATION_BACKEND_PASSWORD_RESET_CUSTOM_URL |
authentication_backend.refresh_interval | AUTHELIA_AUTHENTICATION_BACKEND_REFRESH_INTERVAL |
authentication_backend.file.path | AUTHELIA_AUTHENTICATION_BACKEND_FILE_PATH |
authentication_backend.file.watch | AUTHELIA_AUTHENTICATION_BACKEND_FILE_WATCH |
authentication_backend.file.password.algorithm | AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_ALGORITHM |
authentication_backend.file.password.argon2.variant | AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_ARGON2_VARIANT |
authentication_backend.file.password.argon2.iterations | AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_ARGON2_ITERATIONS |
authentication_backend.file.password.argon2.memory | AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_ARGON2_MEMORY |
authentication_backend.file.password.argon2.parallelism | AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_ARGON2_PARALLELISM |
authentication_backend.file.password.argon2.key_length | AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_ARGON2_KEY_LENGTH |
authentication_backend.file.password.argon2.salt_length | AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_ARGON2_SALT_LENGTH |
authentication_backend.file.password.sha2crypt.variant | AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_SHA2CRYPT_VARIANT |
authentication_backend.file.password.sha2crypt.iterations | AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_SHA2CRYPT_ITERATIONS |
authentication_backend.file.password.sha2crypt.salt_length | AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_SHA2CRYPT_SALT_LENGTH |
authentication_backend.file.password.pbkdf2.variant | AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_PBKDF2_VARIANT |
authentication_backend.file.password.pbkdf2.iterations | AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_PBKDF2_ITERATIONS |
authentication_backend.file.password.pbkdf2.salt_length | AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_PBKDF2_SALT_LENGTH |
authentication_backend.file.password.bcrypt.variant | AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_BCRYPT_VARIANT |
authentication_backend.file.password.bcrypt.cost | AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_BCRYPT_COST |
authentication_backend.file.password.scrypt.iterations | AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_SCRYPT_ITERATIONS |
authentication_backend.file.password.scrypt.block_size | AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_SCRYPT_BLOCK_SIZE |
authentication_backend.file.password.scrypt.parallelism | AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_SCRYPT_PARALLELISM |
authentication_backend.file.password.scrypt.key_length | AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_SCRYPT_KEY_LENGTH |
authentication_backend.file.password.scrypt.salt_length | AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_SCRYPT_SALT_LENGTH |
authentication_backend.file.password.iterations | AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_ITERATIONS |
authentication_backend.file.password.memory | AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_MEMORY |
authentication_backend.file.password.parallelism | AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_PARALLELISM |
authentication_backend.file.password.key_length | AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_KEY_LENGTH |
authentication_backend.file.password.salt_length | AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_SALT_LENGTH |
authentication_backend.file.search.email | AUTHELIA_AUTHENTICATION_BACKEND_FILE_SEARCH_EMAIL |
authentication_backend.file.search.case_insensitive | AUTHELIA_AUTHENTICATION_BACKEND_FILE_SEARCH_CASE_INSENSITIVE |
authentication_backend.ldap.implementation | AUTHELIA_AUTHENTICATION_BACKEND_LDAP_IMPLEMENTATION |
authentication_backend.ldap.url | AUTHELIA_AUTHENTICATION_BACKEND_LDAP_URL |
authentication_backend.ldap.timeout | AUTHELIA_AUTHENTICATION_BACKEND_LDAP_TIMEOUT |
authentication_backend.ldap.start_tls | AUTHELIA_AUTHENTICATION_BACKEND_LDAP_START_TLS |
authentication_backend.ldap.tls.minimum_version | AUTHELIA_AUTHENTICATION_BACKEND_LDAP_TLS_MINIMUM_VERSION |
authentication_backend.ldap.tls.maximum_version | AUTHELIA_AUTHENTICATION_BACKEND_LDAP_TLS_MAXIMUM_VERSION |
authentication_backend.ldap.tls.skip_verify | AUTHELIA_AUTHENTICATION_BACKEND_LDAP_TLS_SKIP_VERIFY |
authentication_backend.ldap.tls.server_name | AUTHELIA_AUTHENTICATION_BACKEND_LDAP_TLS_SERVER_NAME |
authentication_backend.ldap.base_dn | AUTHELIA_AUTHENTICATION_BACKEND_LDAP_BASE_DN |
authentication_backend.ldap.additional_users_dn | AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ADDITIONAL_USERS_DN |
authentication_backend.ldap.users_filter | AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USERS_FILTER |
authentication_backend.ldap.additional_groups_dn | AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ADDITIONAL_GROUPS_DN |
authentication_backend.ldap.groups_filter | AUTHELIA_AUTHENTICATION_BACKEND_LDAP_GROUPS_FILTER |
authentication_backend.ldap.group_name_attribute | AUTHELIA_AUTHENTICATION_BACKEND_LDAP_GROUP_NAME_ATTRIBUTE |
authentication_backend.ldap.username_attribute | AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USERNAME_ATTRIBUTE |
authentication_backend.ldap.mail_attribute | AUTHELIA_AUTHENTICATION_BACKEND_LDAP_MAIL_ATTRIBUTE |
authentication_backend.ldap.display_name_attribute | AUTHELIA_AUTHENTICATION_BACKEND_LDAP_DISPLAY_NAME_ATTRIBUTE |
authentication_backend.ldap.permit_referrals | AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PERMIT_REFERRALS |
authentication_backend.ldap.permit_unauthenticated_bind | AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PERMIT_UNAUTHENTICATED_BIND |
authentication_backend.ldap.permit_feature_detection_failure | AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PERMIT_FEATURE_DETECTION_FAILURE |
authentication_backend.ldap.user | AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USER |
session.name | AUTHELIA_SESSION_NAME |
session.domain | AUTHELIA_SESSION_DOMAIN |
session.same_site | AUTHELIA_SESSION_SAME_SITE |
session.expiration | AUTHELIA_SESSION_EXPIRATION |
session.inactivity | AUTHELIA_SESSION_INACTIVITY |
session.remember_me_duration | AUTHELIA_SESSION_REMEMBER_ME_DURATION |
session.redis.host | AUTHELIA_SESSION_REDIS_HOST |
session.redis.port | AUTHELIA_SESSION_REDIS_PORT |
session.redis.username | AUTHELIA_SESSION_REDIS_USERNAME |
session.redis.database_index | AUTHELIA_SESSION_REDIS_DATABASE_INDEX |
session.redis.maximum_active_connections | AUTHELIA_SESSION_REDIS_MAXIMUM_ACTIVE_CONNECTIONS |
session.redis.minimum_idle_connections | AUTHELIA_SESSION_REDIS_MINIMUM_IDLE_CONNECTIONS |
session.redis.tls.minimum_version | AUTHELIA_SESSION_REDIS_TLS_MINIMUM_VERSION |
session.redis.tls.maximum_version | AUTHELIA_SESSION_REDIS_TLS_MAXIMUM_VERSION |
session.redis.tls.skip_verify | AUTHELIA_SESSION_REDIS_TLS_SKIP_VERIFY |
session.redis.tls.server_name | AUTHELIA_SESSION_REDIS_TLS_SERVER_NAME |
session.redis.high_availability.sentinel_name | AUTHELIA_SESSION_REDIS_HIGH_AVAILABILITY_SENTINEL_NAME |
session.redis.high_availability.sentinel_username | AUTHELIA_SESSION_REDIS_HIGH_AVAILABILITY_SENTINEL_USERNAME |
session.redis.high_availability.route_by_latency | AUTHELIA_SESSION_REDIS_HIGH_AVAILABILITY_ROUTE_BY_LATENCY |
session.redis.high_availability.route_randomly | AUTHELIA_SESSION_REDIS_HIGH_AVAILABILITY_ROUTE_RANDOMLY |
totp.disable | AUTHELIA_TOTP_DISABLE |
totp.issuer | AUTHELIA_TOTP_ISSUER |
totp.algorithm | AUTHELIA_TOTP_ALGORITHM |
totp.digits | AUTHELIA_TOTP_DIGITS |
totp.period | AUTHELIA_TOTP_PERIOD |
totp.skew | AUTHELIA_TOTP_SKEW |
totp.secret_size | AUTHELIA_TOTP_SECRET_SIZE |
duo_api.disable | AUTHELIA_DUO_API_DISABLE |
duo_api.hostname | AUTHELIA_DUO_API_HOSTNAME |
duo_api.enable_self_enrollment | AUTHELIA_DUO_API_ENABLE_SELF_ENROLLMENT |
access_control.default_policy | AUTHELIA_ACCESS_CONTROL_DEFAULT_POLICY |
ntp.address | AUTHELIA_NTP_ADDRESS |
ntp.version | AUTHELIA_NTP_VERSION |
ntp.max_desync | AUTHELIA_NTP_MAX_DESYNC |
ntp.disable_startup_check | AUTHELIA_NTP_DISABLE_STARTUP_CHECK |
ntp.disable_failure | AUTHELIA_NTP_DISABLE_FAILURE |
regulation.max_retries | AUTHELIA_REGULATION_MAX_RETRIES |
regulation.find_time | AUTHELIA_REGULATION_FIND_TIME |
regulation.ban_time | AUTHELIA_REGULATION_BAN_TIME |
storage.local.path | AUTHELIA_STORAGE_LOCAL_PATH |
storage.mysql.host | AUTHELIA_STORAGE_MYSQL_HOST |
storage.mysql.port | AUTHELIA_STORAGE_MYSQL_PORT |
storage.mysql.database | AUTHELIA_STORAGE_MYSQL_DATABASE |
storage.mysql.username | AUTHELIA_STORAGE_MYSQL_USERNAME |
storage.mysql.timeout | AUTHELIA_STORAGE_MYSQL_TIMEOUT |
storage.mysql.tls.minimum_version | AUTHELIA_STORAGE_MYSQL_TLS_MINIMUM_VERSION |
storage.mysql.tls.maximum_version | AUTHELIA_STORAGE_MYSQL_TLS_MAXIMUM_VERSION |
storage.mysql.tls.skip_verify | AUTHELIA_STORAGE_MYSQL_TLS_SKIP_VERIFY |
storage.mysql.tls.server_name | AUTHELIA_STORAGE_MYSQL_TLS_SERVER_NAME |
storage.postgres.host | AUTHELIA_STORAGE_POSTGRES_HOST |
storage.postgres.port | AUTHELIA_STORAGE_POSTGRES_PORT |
storage.postgres.database | AUTHELIA_STORAGE_POSTGRES_DATABASE |
storage.postgres.username | AUTHELIA_STORAGE_POSTGRES_USERNAME |
storage.postgres.timeout | AUTHELIA_STORAGE_POSTGRES_TIMEOUT |
storage.postgres.schema | AUTHELIA_STORAGE_POSTGRES_SCHEMA |
storage.postgres.tls.minimum_version | AUTHELIA_STORAGE_POSTGRES_TLS_MINIMUM_VERSION |
storage.postgres.tls.maximum_version | AUTHELIA_STORAGE_POSTGRES_TLS_MAXIMUM_VERSION |
storage.postgres.tls.skip_verify | AUTHELIA_STORAGE_POSTGRES_TLS_SKIP_VERIFY |
storage.postgres.tls.server_name | AUTHELIA_STORAGE_POSTGRES_TLS_SERVER_NAME |
storage.postgres.ssl.mode | AUTHELIA_STORAGE_POSTGRES_SSL_MODE |
storage.postgres.ssl.root_certificate | AUTHELIA_STORAGE_POSTGRES_SSL_ROOT_CERTIFICATE |
storage.postgres.ssl.certificate | AUTHELIA_STORAGE_POSTGRES_SSL_CERTIFICATE |
notifier.disable_startup_check | AUTHELIA_NOTIFIER_DISABLE_STARTUP_CHECK |
notifier.filesystem.filename | AUTHELIA_NOTIFIER_FILESYSTEM_FILENAME |
notifier.smtp.host | AUTHELIA_NOTIFIER_SMTP_HOST |
notifier.smtp.port | AUTHELIA_NOTIFIER_SMTP_PORT |
notifier.smtp.timeout | AUTHELIA_NOTIFIER_SMTP_TIMEOUT |
notifier.smtp.username | AUTHELIA_NOTIFIER_SMTP_USERNAME |
notifier.smtp.identifier | AUTHELIA_NOTIFIER_SMTP_IDENTIFIER |
notifier.smtp.sender | AUTHELIA_NOTIFIER_SMTP_SENDER |
notifier.smtp.subject | AUTHELIA_NOTIFIER_SMTP_SUBJECT |
notifier.smtp.startup_check_address | AUTHELIA_NOTIFIER_SMTP_STARTUP_CHECK_ADDRESS |
notifier.smtp.disable_require_tls | AUTHELIA_NOTIFIER_SMTP_DISABLE_REQUIRE_TLS |
notifier.smtp.disable_html_emails | AUTHELIA_NOTIFIER_SMTP_DISABLE_HTML_EMAILS |
notifier.smtp.disable_starttls | AUTHELIA_NOTIFIER_SMTP_DISABLE_STARTTLS |
notifier.smtp.tls.minimum_version | AUTHELIA_NOTIFIER_SMTP_TLS_MINIMUM_VERSION |
notifier.smtp.tls.maximum_version | AUTHELIA_NOTIFIER_SMTP_TLS_MAXIMUM_VERSION |
notifier.smtp.tls.skip_verify | AUTHELIA_NOTIFIER_SMTP_TLS_SKIP_VERIFY |
notifier.smtp.tls.server_name | AUTHELIA_NOTIFIER_SMTP_TLS_SERVER_NAME |
notifier.template_path | AUTHELIA_NOTIFIER_TEMPLATE_PATH |
server.host | AUTHELIA_SERVER_HOST |
server.port | AUTHELIA_SERVER_PORT |
server.path | AUTHELIA_SERVER_PATH |
server.asset_path | AUTHELIA_SERVER_ASSET_PATH |
server.enable_pprof | AUTHELIA_SERVER_ENABLE_PPROF |
server.enable_expvars | AUTHELIA_SERVER_ENABLE_EXPVARS |
server.disable_healthcheck | AUTHELIA_SERVER_DISABLE_HEALTHCHECK |
server.tls.certificate | AUTHELIA_SERVER_TLS_CERTIFICATE |
server.headers.csp_template | AUTHELIA_SERVER_HEADERS_CSP_TEMPLATE |
server.buffers.read | AUTHELIA_SERVER_BUFFERS_READ |
server.buffers.write | AUTHELIA_SERVER_BUFFERS_WRITE |
server.timeouts.read | AUTHELIA_SERVER_TIMEOUTS_READ |
server.timeouts.write | AUTHELIA_SERVER_TIMEOUTS_WRITE |
server.timeouts.idle | AUTHELIA_SERVER_TIMEOUTS_IDLE |
telemetry.metrics.enabled | AUTHELIA_TELEMETRY_METRICS_ENABLED |
telemetry.metrics.address | AUTHELIA_TELEMETRY_METRICS_ADDRESS |
telemetry.metrics.buffers.read | AUTHELIA_TELEMETRY_METRICS_BUFFERS_READ |
telemetry.metrics.buffers.write | AUTHELIA_TELEMETRY_METRICS_BUFFERS_WRITE |
telemetry.metrics.timeouts.read | AUTHELIA_TELEMETRY_METRICS_TIMEOUTS_READ |
telemetry.metrics.timeouts.write | AUTHELIA_TELEMETRY_METRICS_TIMEOUTS_WRITE |
telemetry.metrics.timeouts.idle | AUTHELIA_TELEMETRY_METRICS_TIMEOUTS_IDLE |
webauthn.disable | AUTHELIA_WEBAUTHN_DISABLE |
webauthn.display_name | AUTHELIA_WEBAUTHN_DISPLAY_NAME |
webauthn.attestation_conveyance_preference | AUTHELIA_WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE |
webauthn.user_verification | AUTHELIA_WEBAUTHN_USER_VERIFICATION |
webauthn.timeout | AUTHELIA_WEBAUTHN_TIMEOUT |
password_policy.standard.enabled | AUTHELIA_PASSWORD_POLICY_STANDARD_ENABLED |
password_policy.standard.min_length | AUTHELIA_PASSWORD_POLICY_STANDARD_MIN_LENGTH |
password_policy.standard.max_length | AUTHELIA_PASSWORD_POLICY_STANDARD_MAX_LENGTH |
password_policy.standard.require_uppercase | AUTHELIA_PASSWORD_POLICY_STANDARD_REQUIRE_UPPERCASE |
password_policy.standard.require_lowercase | AUTHELIA_PASSWORD_POLICY_STANDARD_REQUIRE_LOWERCASE |
password_policy.standard.require_number | AUTHELIA_PASSWORD_POLICY_STANDARD_REQUIRE_NUMBER |
password_policy.standard.require_special | AUTHELIA_PASSWORD_POLICY_STANDARD_REQUIRE_SPECIAL |
password_policy.zxcvbn.enabled | AUTHELIA_PASSWORD_POLICY_ZXCVBN_ENABLED |
password_policy.zxcvbn.min_score | AUTHELIA_PASSWORD_POLICY_ZXCVBN_MIN_SCORE |