--- login: title: "luzifer.io - Login" default_method: "simple" default_redirect: "https://luzifer.io/" hide_mfa_field: false names: simple: "Username / Password" yubikey: "Yubikey" cookie: domain: ".example.com" authentication_key: "Ff1uWJcLouKu9kwxgbnKcU3ps47gps72sxEz79TGHFCpJNCPtiZAFDisM4MWbstH" expire: 3600 # Optional, default: 3600 prefix: "nginx-sso" # Optional, default: nginx-sso secure: true # Optional, default: false # Optional, default: 127.0.0.1:8082 listen: addr: "127.0.0.1" port: 8082 audit_log: targets: - fd://stdout - file:///var/log/nginx-sso/audit.jsonl events: ['access_denied', 'login_success', 'login_failure', 'logout', 'validate'] headers: ['x-origin-uri'] trusted_ip_headers: ["X-Forwarded-For", "RemoteAddr", "X-Real-IP"] acl: rule_sets: - rules: - field: "host" equals: "test.example.com" - field: "x-origin-uri" regexp: "^/api" allow: ["luzifer", "@admins"] mfa: yubikey: # Get your client / secret from https://upgrade.yubico.com/getapikey/ client_id: "12345" secret_key: "foobar" duo: # Get your ikey / skey / host from https://duo.com/docs/duoweb#first-steps ikey: "IKEY" skey: "SKEY" host: "HOST" user_agent: "nginx-sso" plugins: directory: ./plugins/ providers: # Authentication against an Atlassian Crowd directory server # Supports: Users, Groups crowd: url: "https://crowd.example.com/crowd/" app_name: "" app_pass: "" # Authentication against (Open)LDAP server # Supports: Users, Groups ldap: enable_basic_auth: false manager_dn: "cn=admin,dc=example,dc=com" manager_password: "" root_dn: "dc=example,dc=com" server: "ldap://ldap.example.com" # Optional, defaults to root_dn user_search_base: ou=users,dc=example,dc=com # Optional, defaults to '(uid={0})' user_search_filter: "" # Optional, defaults to root_dn group_search_base: "ou=groups,dc=example,dc=com" # Optional, defaults to '(|(member={0})(uniqueMember={0}))' group_membership_filter: "" # Replace DN as the username with another attribute # Optional, defaults to "dn" username_attribute: "uid" # Configure TLS parameters for LDAPs connections # Optional, defaults to null tls_config: # Set the hostname for certificate validation # Optional, defaults to host from the connection URI validate_hostname: ldap.example.com # Disable certificate validation # Optional, defaults to false allow_insecure: false # Authentication against embedded user database # Supports: Users, Groups, MFA simple: enable_basic_auth: false # Unique username mapped to bcrypt hashed password users: luzifer: "$2a$10$FSGAF8qDWX52aBID8.WpxOyCvfSQ3JIUVFiwyd1jolb4jM3BzJmNu" # Groupname to users mapping groups: admins: ["luzifer"] # MFA configs: Username to configs mapping mfa: luzifer: - provider: duo - provider: totp attributes: secret: MZXW6YTBOIFA # required period: 30 # optional, defaults to 30 (Google Authenticator) skew: 1 # optional, defaults to 1 (Google Authenticator) digits: 8 # optional, defaults to 6 (Google Authenticator) algorithm: sha1 # optional (sha1, sha256, sha512), defaults to sha1 (Google Authenticator) - provider: yubikey attributes: device: ccccccfcvuul # Authentication against embedded token directory # Supports: Users, Groups token: # Mapping of unique token names to the token tokens: tokenname: "MYTOKEN" # Groupname to token mapping groups: mytokengroup: ["tokenname"] # Authentication against Yubikey cloud validation servers # Supports: Users, Groups yubikey: # Get your client / secret from https://upgrade.yubico.com/getapikey/ client_id: "12345" secret_key: "foobar" # First 12 characters of the OTP string mapped to the username devices: ccccccfcvuul: "luzifer" # Groupname to users mapping groups: admins: ["luzifer"] ...