Common

This section details common configuration elements within the Authelia configuration. This section is mainly used as a reference for other sections as necessary.

Duration Notation Format

We have implemented a string/integer based notation for configuration options that take a duration of time. This section describes the implementation of this. You can use this implementation in various areas of configuration such as:

  • session:
    • expiration
    • inactivity
    • remember_me_duration
  • regulation:
    • ban_time
    • find_time
  • ntp:
    • max_desync
  • webauthn:
    • timeout

The way this format works is you can either configure an integer or a string in the specific configuration areas. If you supply an integer, it is considered a representation of seconds. If you supply a string, it parses the string in blocks of quantities and units (number followed by a unit letter). For example 5h indicates a quantity of 5 units of h.

While you can use multiple of these blocks in combination, we suggest keeping it simple and use a single value.

Unit Legend

UnitAssociated Letter
Yearsy
MonthsM
Weeksw
Daysd
Hoursh
Minutesm
Secondss

Examples

Desired ValueConfiguration Examples
1 hour and 30 minutes90m or 1h30m or 5400 or 5400s
1 day1d or 24h or 86400 or 86400s
10 hours10h or 600m or 9h60m or 36000

Address

The address type is a string that takes the following format:

[<scheme>://]<ip>[:<port>]

The square brackets indicate optional sections, and the angled brackets indicate required sections. The following sections elaborate on this. Sections may only be optional for the purposes of parsing, there may be a configuration requirement that one of these is provided.

scheme

The entire scheme is optional, but if the scheme host delimiter :// is in the string, the scheme must be present. The scheme must be one of tcp://, or udp://. The default scheme is tcp://.

ip

The IP is required. If specifying an IPv6 it should be wrapped in square brackets. For example for the IPv6 address ::1 with the tcp:// scheme and port 80: tcp://[::1]:80.

port

The entire port is optional, but if the host port delimiter : exists it must also include a numeric port.

Regular Expressions

We have several sections of configuration that utilize regular expressions. It’s recommended to validate your regex manually either via tools like Regex 101 (ensure you pick the Golang option) or some other means.

It’s important when attempting to utilize a backslash that it’s utilized correctly. The YAML parser is likely to parse this as you trying to use YAML escape syntax instead of regex escape syntax. To avoid this use single quotes instead of no quotes or double quotes.

Good Example:

domain_regex: '^(admin|secure)\.example\.com$'

Bad Example:

domain_regex: "^(admin|secure)\.example\.com$"

TLS Configuration

Various sections of the configuration use a uniform configuration section called TLS. Notably LDAP and SMTP. This section documents the usage.

server_name

string not required

The key server_name overrides the name checked against the certificate in the verification process. Useful if you require an IP address for the host of the backend service but want to verify a specific certificate server name.

skip_verify

boolean false not required

The key skip_verify completely negates validating the certificate of the backend service. This is not recommended, instead you should tweak the server_name option, and the global option certificates directory.

minimum_version

string TLS1.2 not required

Controls the minimum TLS version Authelia will use when performing TLS handshakes. The possible values are TLS1.3, TLS1.2, TLS1.1, TLS1.0, SSL3.0. Anything other than TLS1.3 or TLS1.2 are very old and deprecated. You should avoid using these and upgrade your backend service instead of decreasing this value. At the time of this writing SSL3.0 will always produce errors.

maximum_version

string TLS1.3 not required

Controls the maximum TLS version Authelia will use when performing TLS handshakes. The possible values are TLS1.3, TLS1.2, TLS1.1, TLS1.0, SSL3.0. Anything other than TLS1.3 or TLS1.2 are very old and deprecated. You should avoid using these and upgrade your backend service instead of decreasing this value. At the time of this writing SSL3.0 will always produce errors.

certificate_chain

string not required

The certificate chain/bundle to be used with the private_key to perform mutual TLS authentication with the server.

The value must be one or more certificates encoded in the DER base64 ([RFC4648]) encoded PEM format.

private_key

string required

Important Note: This can also be defined using a secret which is strongly recommended especially for containerized deployments.

The private key to be used with the certificate_chain for mutual TLS authentication.

The value must be one private key encoded in the DER base64 ([RFC4648]) encoded PEM format. If more than one certificate is provided, in top down order, each certificate must be signed by the next certificate if provided.

Server Buffers

read

integer 4096 not required

Configures the maximum request size. The default of 4096 is generally sufficient for most use cases.

write

integer 4096 not required

Configures the maximum response size. The default of 4096 is generally sufficient for most use cases.

Server Timeouts

read

duration 6s not required

Note: This setting uses the duration notation format. Please see the common options documentation for information on this format.

Configures the server read timeout.

write

duration 6s not required

Note: This setting uses the duration notation format. Please see the common options documentation for information on this format.

Configures the server write timeout.

idle

duration 30s not required

Note: This setting uses the duration notation format. Please see the common options documentation for information on this format.

Configures the server write timeout.