Environment
Authelia has a layered configuration model. This section describes how to implement the environment configuration.
Environment variables are applied after the configuration file meaning anything specified as part of the environment overrides the configuration files.
Please Note: It is not possible to configure the access control rules section or OpenID Connect identity provider clients section using environment variables at this time.
Prefix
The environment variables must be prefixed with AUTHELIA_. All environment variables that start with this prefix must
be for configuration. Any supplied environment variables that have this prefix and are not meant for configuration will
likely result in an error or even worse misconfiguration.
Kubernetes
Please see the Kubernetes Integration: Enable Service Links documentation for specific requirements for using Authelia with Kubernetes.
Mapping
Configuration options are mapped by their name. Levels of indentation / subkeys are replaced by underscores.
For example this YAML configuration:
log:
level: info
server:
buffers:
read: 4096
Can be replaced by this environment variable configuration:
AUTHELIA_LOG_LEVEL=info
AUTHELIA_SERVER_BUFFERS_READ=4096
Environment Variables
| Configuration Key | Environment Variable |
|---|---|
| theme | AUTHELIA_THEME |
| certificates_directory | AUTHELIA_CERTIFICATES_DIRECTORY |
| default_redirection_url | AUTHELIA_DEFAULT_REDIRECTION_URL |
| default_2fa_method | AUTHELIA_DEFAULT_2FA_METHOD |
| log.level | AUTHELIA_LOG_LEVEL |
| log.format | AUTHELIA_LOG_FORMAT |
| log.file_path | AUTHELIA_LOG_FILE_PATH |
| log.keep_stdout | AUTHELIA_LOG_KEEP_STDOUT |
| identity_providers.oidc.access_token_lifespan | AUTHELIA_IDENTITY_PROVIDERS_OIDC_ACCESS_TOKEN_LIFESPAN |
| identity_providers.oidc.authorize_code_lifespan | AUTHELIA_IDENTITY_PROVIDERS_OIDC_AUTHORIZE_CODE_LIFESPAN |
| identity_providers.oidc.id_token_lifespan | AUTHELIA_IDENTITY_PROVIDERS_OIDC_ID_TOKEN_LIFESPAN |
| identity_providers.oidc.refresh_token_lifespan | AUTHELIA_IDENTITY_PROVIDERS_OIDC_REFRESH_TOKEN_LIFESPAN |
| identity_providers.oidc.enable_client_debug_messages | AUTHELIA_IDENTITY_PROVIDERS_OIDC_ENABLE_CLIENT_DEBUG_MESSAGES |
| identity_providers.oidc.minimum_parameter_entropy | AUTHELIA_IDENTITY_PROVIDERS_OIDC_MINIMUM_PARAMETER_ENTROPY |
| identity_providers.oidc.enforce_pkce | AUTHELIA_IDENTITY_PROVIDERS_OIDC_ENFORCE_PKCE |
| identity_providers.oidc.enable_pkce_plain_challenge | AUTHELIA_IDENTITY_PROVIDERS_OIDC_ENABLE_PKCE_PLAIN_CHALLENGE |
| identity_providers.oidc.cors.allowed_origins_from_client_redirect_uris | AUTHELIA_IDENTITY_PROVIDERS_OIDC_CORS_ALLOWED_ORIGINS_FROM_CLIENT_REDIRECT_URIS |
| authentication_backend.password_reset.disable | AUTHELIA_AUTHENTICATION_BACKEND_PASSWORD_RESET_DISABLE |
| authentication_backend.password_reset.custom_url | AUTHELIA_AUTHENTICATION_BACKEND_PASSWORD_RESET_CUSTOM_URL |
| authentication_backend.refresh_interval | AUTHELIA_AUTHENTICATION_BACKEND_REFRESH_INTERVAL |
| authentication_backend.file.path | AUTHELIA_AUTHENTICATION_BACKEND_FILE_PATH |
| authentication_backend.file.watch | AUTHELIA_AUTHENTICATION_BACKEND_FILE_WATCH |
| authentication_backend.file.password.algorithm | AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_ALGORITHM |
| authentication_backend.file.password.argon2.variant | AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_ARGON2_VARIANT |
| authentication_backend.file.password.argon2.iterations | AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_ARGON2_ITERATIONS |
| authentication_backend.file.password.argon2.memory | AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_ARGON2_MEMORY |
| authentication_backend.file.password.argon2.parallelism | AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_ARGON2_PARALLELISM |
| authentication_backend.file.password.argon2.key_length | AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_ARGON2_KEY_LENGTH |
| authentication_backend.file.password.argon2.salt_length | AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_ARGON2_SALT_LENGTH |
| authentication_backend.file.password.sha2crypt.variant | AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_SHA2CRYPT_VARIANT |
| authentication_backend.file.password.sha2crypt.iterations | AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_SHA2CRYPT_ITERATIONS |
| authentication_backend.file.password.sha2crypt.salt_length | AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_SHA2CRYPT_SALT_LENGTH |
| authentication_backend.file.password.pbkdf2.variant | AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_PBKDF2_VARIANT |
| authentication_backend.file.password.pbkdf2.iterations | AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_PBKDF2_ITERATIONS |
| authentication_backend.file.password.pbkdf2.salt_length | AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_PBKDF2_SALT_LENGTH |
| authentication_backend.file.password.bcrypt.variant | AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_BCRYPT_VARIANT |
| authentication_backend.file.password.bcrypt.cost | AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_BCRYPT_COST |
| authentication_backend.file.password.scrypt.iterations | AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_SCRYPT_ITERATIONS |
| authentication_backend.file.password.scrypt.block_size | AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_SCRYPT_BLOCK_SIZE |
| authentication_backend.file.password.scrypt.parallelism | AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_SCRYPT_PARALLELISM |
| authentication_backend.file.password.scrypt.key_length | AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_SCRYPT_KEY_LENGTH |
| authentication_backend.file.password.scrypt.salt_length | AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_SCRYPT_SALT_LENGTH |
| authentication_backend.file.password.iterations | AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_ITERATIONS |
| authentication_backend.file.password.memory | AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_MEMORY |
| authentication_backend.file.password.parallelism | AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_PARALLELISM |
| authentication_backend.file.password.key_length | AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_KEY_LENGTH |
| authentication_backend.file.password.salt_length | AUTHELIA_AUTHENTICATION_BACKEND_FILE_PASSWORD_SALT_LENGTH |
| authentication_backend.file.search.email | AUTHELIA_AUTHENTICATION_BACKEND_FILE_SEARCH_EMAIL |
| authentication_backend.file.search.case_insensitive | AUTHELIA_AUTHENTICATION_BACKEND_FILE_SEARCH_CASE_INSENSITIVE |
| authentication_backend.ldap.implementation | AUTHELIA_AUTHENTICATION_BACKEND_LDAP_IMPLEMENTATION |
| authentication_backend.ldap.url | AUTHELIA_AUTHENTICATION_BACKEND_LDAP_URL |
| authentication_backend.ldap.timeout | AUTHELIA_AUTHENTICATION_BACKEND_LDAP_TIMEOUT |
| authentication_backend.ldap.start_tls | AUTHELIA_AUTHENTICATION_BACKEND_LDAP_START_TLS |
| authentication_backend.ldap.tls.minimum_version | AUTHELIA_AUTHENTICATION_BACKEND_LDAP_TLS_MINIMUM_VERSION |
| authentication_backend.ldap.tls.maximum_version | AUTHELIA_AUTHENTICATION_BACKEND_LDAP_TLS_MAXIMUM_VERSION |
| authentication_backend.ldap.tls.skip_verify | AUTHELIA_AUTHENTICATION_BACKEND_LDAP_TLS_SKIP_VERIFY |
| authentication_backend.ldap.tls.server_name | AUTHELIA_AUTHENTICATION_BACKEND_LDAP_TLS_SERVER_NAME |
| authentication_backend.ldap.base_dn | AUTHELIA_AUTHENTICATION_BACKEND_LDAP_BASE_DN |
| authentication_backend.ldap.additional_users_dn | AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ADDITIONAL_USERS_DN |
| authentication_backend.ldap.users_filter | AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USERS_FILTER |
| authentication_backend.ldap.additional_groups_dn | AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ADDITIONAL_GROUPS_DN |
| authentication_backend.ldap.groups_filter | AUTHELIA_AUTHENTICATION_BACKEND_LDAP_GROUPS_FILTER |
| authentication_backend.ldap.group_name_attribute | AUTHELIA_AUTHENTICATION_BACKEND_LDAP_GROUP_NAME_ATTRIBUTE |
| authentication_backend.ldap.username_attribute | AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USERNAME_ATTRIBUTE |
| authentication_backend.ldap.mail_attribute | AUTHELIA_AUTHENTICATION_BACKEND_LDAP_MAIL_ATTRIBUTE |
| authentication_backend.ldap.display_name_attribute | AUTHELIA_AUTHENTICATION_BACKEND_LDAP_DISPLAY_NAME_ATTRIBUTE |
| authentication_backend.ldap.permit_referrals | AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PERMIT_REFERRALS |
| authentication_backend.ldap.permit_unauthenticated_bind | AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PERMIT_UNAUTHENTICATED_BIND |
| authentication_backend.ldap.permit_feature_detection_failure | AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PERMIT_FEATURE_DETECTION_FAILURE |
| authentication_backend.ldap.user | AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USER |
| session.name | AUTHELIA_SESSION_NAME |
| session.domain | AUTHELIA_SESSION_DOMAIN |
| session.same_site | AUTHELIA_SESSION_SAME_SITE |
| session.expiration | AUTHELIA_SESSION_EXPIRATION |
| session.inactivity | AUTHELIA_SESSION_INACTIVITY |
| session.remember_me_duration | AUTHELIA_SESSION_REMEMBER_ME_DURATION |
| session.redis.host | AUTHELIA_SESSION_REDIS_HOST |
| session.redis.port | AUTHELIA_SESSION_REDIS_PORT |
| session.redis.username | AUTHELIA_SESSION_REDIS_USERNAME |
| session.redis.database_index | AUTHELIA_SESSION_REDIS_DATABASE_INDEX |
| session.redis.maximum_active_connections | AUTHELIA_SESSION_REDIS_MAXIMUM_ACTIVE_CONNECTIONS |
| session.redis.minimum_idle_connections | AUTHELIA_SESSION_REDIS_MINIMUM_IDLE_CONNECTIONS |
| session.redis.tls.minimum_version | AUTHELIA_SESSION_REDIS_TLS_MINIMUM_VERSION |
| session.redis.tls.maximum_version | AUTHELIA_SESSION_REDIS_TLS_MAXIMUM_VERSION |
| session.redis.tls.skip_verify | AUTHELIA_SESSION_REDIS_TLS_SKIP_VERIFY |
| session.redis.tls.server_name | AUTHELIA_SESSION_REDIS_TLS_SERVER_NAME |
| session.redis.high_availability.sentinel_name | AUTHELIA_SESSION_REDIS_HIGH_AVAILABILITY_SENTINEL_NAME |
| session.redis.high_availability.sentinel_username | AUTHELIA_SESSION_REDIS_HIGH_AVAILABILITY_SENTINEL_USERNAME |
| session.redis.high_availability.route_by_latency | AUTHELIA_SESSION_REDIS_HIGH_AVAILABILITY_ROUTE_BY_LATENCY |
| session.redis.high_availability.route_randomly | AUTHELIA_SESSION_REDIS_HIGH_AVAILABILITY_ROUTE_RANDOMLY |
| totp.disable | AUTHELIA_TOTP_DISABLE |
| totp.issuer | AUTHELIA_TOTP_ISSUER |
| totp.algorithm | AUTHELIA_TOTP_ALGORITHM |
| totp.digits | AUTHELIA_TOTP_DIGITS |
| totp.period | AUTHELIA_TOTP_PERIOD |
| totp.skew | AUTHELIA_TOTP_SKEW |
| totp.secret_size | AUTHELIA_TOTP_SECRET_SIZE |
| duo_api.disable | AUTHELIA_DUO_API_DISABLE |
| duo_api.hostname | AUTHELIA_DUO_API_HOSTNAME |
| duo_api.enable_self_enrollment | AUTHELIA_DUO_API_ENABLE_SELF_ENROLLMENT |
| access_control.default_policy | AUTHELIA_ACCESS_CONTROL_DEFAULT_POLICY |
| ntp.address | AUTHELIA_NTP_ADDRESS |
| ntp.version | AUTHELIA_NTP_VERSION |
| ntp.max_desync | AUTHELIA_NTP_MAX_DESYNC |
| ntp.disable_startup_check | AUTHELIA_NTP_DISABLE_STARTUP_CHECK |
| ntp.disable_failure | AUTHELIA_NTP_DISABLE_FAILURE |
| regulation.max_retries | AUTHELIA_REGULATION_MAX_RETRIES |
| regulation.find_time | AUTHELIA_REGULATION_FIND_TIME |
| regulation.ban_time | AUTHELIA_REGULATION_BAN_TIME |
| storage.local.path | AUTHELIA_STORAGE_LOCAL_PATH |
| storage.mysql.host | AUTHELIA_STORAGE_MYSQL_HOST |
| storage.mysql.port | AUTHELIA_STORAGE_MYSQL_PORT |
| storage.mysql.database | AUTHELIA_STORAGE_MYSQL_DATABASE |
| storage.mysql.username | AUTHELIA_STORAGE_MYSQL_USERNAME |
| storage.mysql.timeout | AUTHELIA_STORAGE_MYSQL_TIMEOUT |
| storage.mysql.tls.minimum_version | AUTHELIA_STORAGE_MYSQL_TLS_MINIMUM_VERSION |
| storage.mysql.tls.maximum_version | AUTHELIA_STORAGE_MYSQL_TLS_MAXIMUM_VERSION |
| storage.mysql.tls.skip_verify | AUTHELIA_STORAGE_MYSQL_TLS_SKIP_VERIFY |
| storage.mysql.tls.server_name | AUTHELIA_STORAGE_MYSQL_TLS_SERVER_NAME |
| storage.postgres.host | AUTHELIA_STORAGE_POSTGRES_HOST |
| storage.postgres.port | AUTHELIA_STORAGE_POSTGRES_PORT |
| storage.postgres.database | AUTHELIA_STORAGE_POSTGRES_DATABASE |
| storage.postgres.username | AUTHELIA_STORAGE_POSTGRES_USERNAME |
| storage.postgres.timeout | AUTHELIA_STORAGE_POSTGRES_TIMEOUT |
| storage.postgres.schema | AUTHELIA_STORAGE_POSTGRES_SCHEMA |
| storage.postgres.tls.minimum_version | AUTHELIA_STORAGE_POSTGRES_TLS_MINIMUM_VERSION |
| storage.postgres.tls.maximum_version | AUTHELIA_STORAGE_POSTGRES_TLS_MAXIMUM_VERSION |
| storage.postgres.tls.skip_verify | AUTHELIA_STORAGE_POSTGRES_TLS_SKIP_VERIFY |
| storage.postgres.tls.server_name | AUTHELIA_STORAGE_POSTGRES_TLS_SERVER_NAME |
| storage.postgres.ssl.mode | AUTHELIA_STORAGE_POSTGRES_SSL_MODE |
| storage.postgres.ssl.root_certificate | AUTHELIA_STORAGE_POSTGRES_SSL_ROOT_CERTIFICATE |
| storage.postgres.ssl.certificate | AUTHELIA_STORAGE_POSTGRES_SSL_CERTIFICATE |
| notifier.disable_startup_check | AUTHELIA_NOTIFIER_DISABLE_STARTUP_CHECK |
| notifier.filesystem.filename | AUTHELIA_NOTIFIER_FILESYSTEM_FILENAME |
| notifier.smtp.host | AUTHELIA_NOTIFIER_SMTP_HOST |
| notifier.smtp.port | AUTHELIA_NOTIFIER_SMTP_PORT |
| notifier.smtp.timeout | AUTHELIA_NOTIFIER_SMTP_TIMEOUT |
| notifier.smtp.username | AUTHELIA_NOTIFIER_SMTP_USERNAME |
| notifier.smtp.identifier | AUTHELIA_NOTIFIER_SMTP_IDENTIFIER |
| notifier.smtp.sender | AUTHELIA_NOTIFIER_SMTP_SENDER |
| notifier.smtp.subject | AUTHELIA_NOTIFIER_SMTP_SUBJECT |
| notifier.smtp.startup_check_address | AUTHELIA_NOTIFIER_SMTP_STARTUP_CHECK_ADDRESS |
| notifier.smtp.disable_require_tls | AUTHELIA_NOTIFIER_SMTP_DISABLE_REQUIRE_TLS |
| notifier.smtp.disable_html_emails | AUTHELIA_NOTIFIER_SMTP_DISABLE_HTML_EMAILS |
| notifier.smtp.disable_starttls | AUTHELIA_NOTIFIER_SMTP_DISABLE_STARTTLS |
| notifier.smtp.tls.minimum_version | AUTHELIA_NOTIFIER_SMTP_TLS_MINIMUM_VERSION |
| notifier.smtp.tls.maximum_version | AUTHELIA_NOTIFIER_SMTP_TLS_MAXIMUM_VERSION |
| notifier.smtp.tls.skip_verify | AUTHELIA_NOTIFIER_SMTP_TLS_SKIP_VERIFY |
| notifier.smtp.tls.server_name | AUTHELIA_NOTIFIER_SMTP_TLS_SERVER_NAME |
| notifier.template_path | AUTHELIA_NOTIFIER_TEMPLATE_PATH |
| server.host | AUTHELIA_SERVER_HOST |
| server.port | AUTHELIA_SERVER_PORT |
| server.path | AUTHELIA_SERVER_PATH |
| server.asset_path | AUTHELIA_SERVER_ASSET_PATH |
| server.enable_pprof | AUTHELIA_SERVER_ENABLE_PPROF |
| server.enable_expvars | AUTHELIA_SERVER_ENABLE_EXPVARS |
| server.disable_healthcheck | AUTHELIA_SERVER_DISABLE_HEALTHCHECK |
| server.tls.certificate | AUTHELIA_SERVER_TLS_CERTIFICATE |
| server.headers.csp_template | AUTHELIA_SERVER_HEADERS_CSP_TEMPLATE |
| server.buffers.read | AUTHELIA_SERVER_BUFFERS_READ |
| server.buffers.write | AUTHELIA_SERVER_BUFFERS_WRITE |
| server.timeouts.read | AUTHELIA_SERVER_TIMEOUTS_READ |
| server.timeouts.write | AUTHELIA_SERVER_TIMEOUTS_WRITE |
| server.timeouts.idle | AUTHELIA_SERVER_TIMEOUTS_IDLE |
| telemetry.metrics.enabled | AUTHELIA_TELEMETRY_METRICS_ENABLED |
| telemetry.metrics.address | AUTHELIA_TELEMETRY_METRICS_ADDRESS |
| telemetry.metrics.buffers.read | AUTHELIA_TELEMETRY_METRICS_BUFFERS_READ |
| telemetry.metrics.buffers.write | AUTHELIA_TELEMETRY_METRICS_BUFFERS_WRITE |
| telemetry.metrics.timeouts.read | AUTHELIA_TELEMETRY_METRICS_TIMEOUTS_READ |
| telemetry.metrics.timeouts.write | AUTHELIA_TELEMETRY_METRICS_TIMEOUTS_WRITE |
| telemetry.metrics.timeouts.idle | AUTHELIA_TELEMETRY_METRICS_TIMEOUTS_IDLE |
| webauthn.disable | AUTHELIA_WEBAUTHN_DISABLE |
| webauthn.display_name | AUTHELIA_WEBAUTHN_DISPLAY_NAME |
| webauthn.attestation_conveyance_preference | AUTHELIA_WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE |
| webauthn.user_verification | AUTHELIA_WEBAUTHN_USER_VERIFICATION |
| webauthn.timeout | AUTHELIA_WEBAUTHN_TIMEOUT |
| password_policy.standard.enabled | AUTHELIA_PASSWORD_POLICY_STANDARD_ENABLED |
| password_policy.standard.min_length | AUTHELIA_PASSWORD_POLICY_STANDARD_MIN_LENGTH |
| password_policy.standard.max_length | AUTHELIA_PASSWORD_POLICY_STANDARD_MAX_LENGTH |
| password_policy.standard.require_uppercase | AUTHELIA_PASSWORD_POLICY_STANDARD_REQUIRE_UPPERCASE |
| password_policy.standard.require_lowercase | AUTHELIA_PASSWORD_POLICY_STANDARD_REQUIRE_LOWERCASE |
| password_policy.standard.require_number | AUTHELIA_PASSWORD_POLICY_STANDARD_REQUIRE_NUMBER |
| password_policy.standard.require_special | AUTHELIA_PASSWORD_POLICY_STANDARD_REQUIRE_SPECIAL |
| password_policy.zxcvbn.enabled | AUTHELIA_PASSWORD_POLICY_ZXCVBN_ENABLED |
| password_policy.zxcvbn.min_score | AUTHELIA_PASSWORD_POLICY_ZXCVBN_MIN_SCORE |