1
0
Fork 0
mirror of https://github.com/Luzifer/nginx-sso.git synced 2024-12-20 21:01:17 +00:00
nginx-sso/config.yaml

140 lines
3.6 KiB
YAML
Raw Normal View History

---
login:
title: "luzifer.io - Login"
default_method: "simple"
hide_mfa_field: false
names:
simple: "Username / Password"
yubikey: "Yubikey"
cookie:
domain: ".example.com"
authentication_key: "Ff1uWJcLouKu9kwxgbnKcU3ps47gps72sxEz79TGHFCpJNCPtiZAFDisM4MWbstH"
expire: 3600 # Optional, default: 3600
prefix: "nginx-sso" # Optional, default: nginx-sso
secure: true # Optional, default: false
# Optional, default: 127.0.0.1:8082
listen:
addr: "127.0.0.1"
port: 8082
audit_log:
targets:
- fd://stdout
- file:///var/log/nginx-sso/audit.jsonl
events: ['access_denied', 'login_success', 'login_failure', 'logout', 'validate']
headers: ['x-origin-uri']
trusted_ip_headers: ["X-Forwarded-For", "RemoteAddr", "X-Real-IP"]
acl:
rule_sets:
- rules:
- field: "host"
equals: "test.example.com"
- field: "x-origin-uri"
regexp: "^/api"
allow: ["luzifer", "@admins"]
mfa:
yubikey:
# Get your client / secret from https://upgrade.yubico.com/getapikey/
client_id: "12345"
secret_key: "foobar"
2018-12-28 16:34:55 +00:00
duo:
ikey: "IKEY"
skey: "SKEY"
host: "HOST"
2018-12-28 19:35:26 +00:00
user_agent: "nginx-sso"
2018-12-28 16:34:55 +00:00
providers:
# Authentication against an Atlassian Crowd directory server
# Supports: Users, Groups
crowd:
url: "https://crowd.example.com/crowd/"
app_name: ""
app_pass: ""
# Authentication against (Open)LDAP server
# Supports: Users, Groups
ldap:
enable_basic_auth: false
manager_dn: "cn=admin,dc=example,dc=com"
manager_password: ""
root_dn: "dc=example,dc=com"
server: "ldap://ldap.example.com"
# Optional, defaults to root_dn
user_search_base: ou=users,dc=example,dc=com
# Optional, defaults to '(uid={0})'
user_search_filter: ""
# Optional, defaults to root_dn
group_search_base: "ou=groups,dc=example,dc=com"
# Optional, defaults to '(|(member={0})(uniqueMember={0}))'
group_membership_filter: ""
# Replace DN as the username with another attribute
# Optional, defaults to "dn"
username_attribute: "uid"
# Configure TLS parameters for LDAPs connections
# Optional, defaults to null
tls_config:
# Set the hostname for certificate validation
# Optional, defaults to host from the connection URI
validate_hostname: ldap.example.com
# Disable certificate validation
# Optional, defaults to false
allow_insecure: false
# Authentication against embedded user database
# Supports: Users, Groups, MFA
simple:
enable_basic_auth: false
# Unique username mapped to bcrypt hashed password
users:
luzifer: "$2a$10$FSGAF8qDWX52aBID8.WpxOyCvfSQ3JIUVFiwyd1jolb4jM3BzJmNu"
# Groupname to users mapping
groups:
admins: ["luzifer"]
# MFA configs: Username to configs mapping
mfa:
luzifer:
2018-12-28 16:34:55 +00:00
- provider: duo
- provider: google
attributes:
secret: MZXW6YTBOIFA
- provider: yubikey
attributes:
device: ccccccfcvuul
# Authentication against embedded token directory
# Supports: Users, Groups
token:
# Mapping of unique token names to the token
tokens:
tokenname: "MYTOKEN"
# Groupname to token mapping
groups:
mytokengroup: ["tokenname"]
# Authentication against Yubikey cloud validation servers
# Supports: Users, Groups
yubikey:
# Get your client / secret from https://upgrade.yubico.com/getapikey/
client_id: "12345"
secret_key: "foobar"
# First 12 characters of the OTP string mapped to the username
devices:
ccccccfcvuul: "luzifer"
# Groupname to users mapping
groups:
admins: ["luzifer"]
...