---
# Presentation of the login form and its defaults
login:
  title: "luzifer.io - Login"
  # Key from `names` below that is pre-selected on the form
  default_method: "simple"
  # Target used when no redirect is supplied with the request — presumably; confirm against docs
  default_redirect: "https://luzifer.io/"
  hide_mfa_field: false
  # Display names for the login methods offered on the form
  names:
    simple: "Username / Password"
    yubikey: "Yubikey"
# Session cookie settings
cookie:
  # Domain attribute of the session cookie
  domain: ".example.com"
  # NOTE(review): sample value — generate a fresh random key per deployment and
  # never reuse a key that has been published in an example
  authentication_key: "Ff1uWJcLouKu9kwxgbnKcU3ps47gps72sxEz79TGHFCpJNCPtiZAFDisM4MWbstH"
  # Optional, default: 3600
  expire: 3600
  # Optional, default: nginx-sso
  prefix: "nginx-sso"
  # Optional, default: false — `true` sets the Secure flag so the cookie is only
  # sent over HTTPS
  secure: true
# Optional, default: 127.0.0.1:8082
listen:
  # Loopback bind: the service is reachable only from this host
  addr: "127.0.0.1"
  port: 8082
# Audit trail of authentication decisions
audit_log:
  # Sinks the audit records are written to (one URI per entry)
  targets:
    - "fd://stdout"
    - "file:///var/log/nginx-sso/audit.jsonl"
  # Event types that produce an audit record
  events:
    - "access_denied"
    - "login_success"
    - "login_failure"
    - "logout"
    - "validate"
  # Request headers copied into each audit record
  headers:
    - "x-origin-uri"
  # Headers consulted for the client address
  # NOTE(review): these are only trustworthy when the proxy in front of the
  # service overwrites them for every request — confirm against the deployment
  trusted_ip_headers:
    - "X-Forwarded-For"
    - "RemoteAddr"
    - "X-Real-IP"
# Access rules evaluated against the incoming request
acl:
  rule_sets:
    # Each rule matches one request field by `equals` or `regexp`;
    # whether all rules of a set must match is not stated here — TODO confirm
    - rules:
        - field: "host"
          equals: "test.example.com"
        - field: "x-origin-uri"
          regexp: "^/api"
      # Principals granted by this set: user names and, presumably, "@"-prefixed group names
      allow:
        - "luzifer"
        - "@admins"
# Second-factor validation backends
mfa:
  yubikey:
    # Get your client / secret from https://upgrade.yubico.com/getapikey/
    # NOTE(review): values below are placeholders, not working credentials
    client_id: "12345"
    secret_key: "foobar"
  duo:
    # Get your ikey / skey / host from https://duo.com/docs/duoweb#first-steps
    ikey: "IKEY"
    skey: "SKEY"
    host: "HOST"
    # Presumably the User-Agent presented to the Duo API — confirm
    user_agent: "nginx-sso"
# Plugin loading
plugins:
  # Directory scanned for plugins; relative to the working directory — TODO confirm
  directory: "./plugins/"
# Authentication providers; one section per backend
providers:
  # Authentication against an Atlassian Crowd directory server
  # Supports: Users, Groups
  crowd:
    url: "https://crowd.example.com/crowd/"
    # Application credentials registered in Crowd; left empty in this sample
    app_name: ""
    app_pass: ""

  # Authentication through OAuth2 workflow with Google Account
  # Supports: Users
  google_oauth:
    client_id: ""
    client_secret: ""
    # Presumably must match the redirect URI registered for the OAuth client — confirm
    redirect_url: "https://login.luifer.io/login"
    # Optional, defaults to no limitations
    require_domain: "example.com"
    # Optional, defaults to "user-id"
    user_id_method: "full-email"

  # Authentication against (Open)LDAP server
  # Supports: Users, Groups
  ldap:
    enable_basic_auth: false
    # Bind DN and password used for directory lookups
    # NOTE(review): the bind password is a secret — keep the deployed copy of this
    # file out of version control or inject the value at deploy time
    manager_dn: "cn=admin,dc=example,dc=com"
    manager_password: ""
    root_dn: "dc=example,dc=com"
    server: "ldap://ldap.example.com"
    # Optional, defaults to root_dn
    user_search_base: "ou=users,dc=example,dc=com"
    # Optional, defaults to '(uid={0})'
    user_search_filter: ""
    # Optional, defaults to root_dn
    group_search_base: "ou=groups,dc=example,dc=com"
    # Optional, defaults to '(|(member={0})(uniqueMember={0}))'
    group_membership_filter: ""
    # Replace DN as the username with another attribute
    # Optional, defaults to "dn"
    username_attribute: "uid"
    # Configure TLS parameters for LDAPs connections
    # Optional, defaults to null
    tls_config:
      # Set the hostname for certificate validation
      # Optional, defaults to host from the connection URI
      validate_hostname: "ldap.example.com"
      # Disable certificate validation
      # Optional, defaults to false — leave false so the server certificate is checked
      allow_insecure: false

  # Authentication through OAuth2 workflow with OpenID Connect provider
  # Supports: Users
  oidc:
    client_id: ""
    client_secret: ""
    # Optional, defaults to "OpenID Connect"
    issuer_name: ""
    issuer_url: ""
    redirect_url: "https://login.luifer.io/login"
    # Optional, defaults to no limitations
    require_domain: "example.com"
    # Optional, defaults to "subject"
    user_id_method: "full-email"

  # Authentication against embedded user database
  # Supports: Users, Groups, MFA
  simple:
    enable_basic_auth: false
    # Unique username mapped to bcrypt hashed password
    users:
      luzifer: "$2a$10$FSGAF8qDWX52aBID8.WpxOyCvfSQ3JIUVFiwyd1jolb4jM3BzJmNu"
    # Groupname to users mapping
    groups:
      admins:
        - "luzifer"
    # MFA configs: Username to configs mapping
    mfa:
      luzifer:
        - provider: "duo"
        - provider: "totp"
          attributes:
            # required
            secret: "MZXW6YTBOIFA"
            # optional, defaults to 30 (Google Authenticator)
            period: 30
            # optional, defaults to 1 (Google Authenticator)
            skew: 1
            # optional, defaults to 6 (Google Authenticator)
            digits: 8
            # optional (sha1, sha256, sha512), defaults to sha1 (Google Authenticator)
            algorithm: "sha1"
        - provider: "yubikey"
          attributes:
            device: "ccccccfcvuul"

  # Authentication against embedded token directory
  # Supports: Users, Groups
  token:
    # Mapping of unique token names to the token
    # NOTE(review): a bearer token listed here is a credential; treat this file
    # with the same care as a password store
    tokens:
      tokenname: "MYTOKEN"
    # Groupname to token mapping
    groups:
      mytokengroup:
        - "tokenname"

  # Authentication against Yubikey cloud validation servers
  # Supports: Users, Groups
  yubikey:
    # Get your client / secret from https://upgrade.yubico.com/getapikey/
    client_id: "12345"
    secret_key: "foobar"
    # First 12 characters of the OTP string mapped to the username
    devices:
      ccccccfcvuul: "luzifer"
    # Groupname to users mapping
    groups:
      admins:
        - "luzifer"
...