mirror of
https://github.com/Luzifer/nginx-sso.git
synced 2024-10-17 23:24:22 +00:00
178 lines
4.9 KiB
YAML
178 lines
4.9 KiB
YAML
---
|
|
|
|
login:
|
|
title: "luzifer.io - Login"
|
|
default_method: "simple"
|
|
default_redirect: "https://luzifer.io/"
|
|
hide_mfa_field: false
|
|
names:
|
|
simple: "Username / Password"
|
|
yubikey: "Yubikey"
|
|
|
|
cookie:
|
|
domain: ".example.com"
|
|
authentication_key: "Ff1uWJcLouKu9kwxgbnKcU3ps47gps72sxEz79TGHFCpJNCPtiZAFDisM4MWbstH"
|
|
expire: 3600 # Optional, default: 3600
|
|
prefix: "nginx-sso" # Optional, default: nginx-sso
|
|
secure: true # Optional, default: false
|
|
|
|
# Optional, default: 127.0.0.1:8082
|
|
listen:
|
|
addr: "127.0.0.1"
|
|
port: 8082
|
|
|
|
audit_log:
|
|
targets:
|
|
- fd://stdout
|
|
- file:///var/log/nginx-sso/audit.jsonl
|
|
events: ['access_denied', 'login_success', 'login_failure', 'logout', 'validate']
|
|
headers: ['x-origin-uri']
|
|
trusted_ip_headers: ["X-Forwarded-For", "RemoteAddr", "X-Real-IP"]
|
|
|
|
acl:
|
|
rule_sets:
|
|
- rules:
|
|
- field: "host"
|
|
equals: "test.example.com"
|
|
- field: "x-origin-uri"
|
|
regexp: "^/api"
|
|
allow: ["luzifer", "@admins"]
|
|
|
|
mfa:
|
|
yubikey:
|
|
# Get your client / secret from https://upgrade.yubico.com/getapikey/
|
|
client_id: "12345"
|
|
secret_key: "foobar"
|
|
|
|
duo:
|
|
# Get your ikey / skey / host from https://duo.com/docs/duoweb#first-steps
|
|
ikey: "IKEY"
|
|
skey: "SKEY"
|
|
host: "HOST"
|
|
user_agent: "nginx-sso"
|
|
|
|
plugins:
|
|
directory: ./plugins/
|
|
|
|
providers:
|
|
# Authentication against an Atlassian Crowd directory server
|
|
# Supports: Users, Groups
|
|
crowd:
|
|
url: "https://crowd.example.com/crowd/"
|
|
app_name: ""
|
|
app_pass: ""
|
|
|
|
# Authentication through OAuth2 workflow with Google Account
|
|
# Supports: Users
|
|
google_oauth:
|
|
client_id: ""
|
|
client_secret: ""
|
|
redirect_url: "https://login.luifer.io/login"
|
|
|
|
# Optional, defaults to no limitations
|
|
require_domain: "example.com"
|
|
# Optional, defaults to "user-id"
|
|
user_id_method: "full-email"
|
|
|
|
# Authentication against (Open)LDAP server
|
|
# Supports: Users, Groups
|
|
ldap:
|
|
enable_basic_auth: false
|
|
manager_dn: "cn=admin,dc=example,dc=com"
|
|
manager_password: ""
|
|
root_dn: "dc=example,dc=com"
|
|
server: "ldap://ldap.example.com"
|
|
# Optional, defaults to root_dn
|
|
user_search_base: ou=users,dc=example,dc=com
|
|
# Optional, defaults to '(uid={0})'
|
|
user_search_filter: ""
|
|
# Optional, defaults to root_dn
|
|
group_search_base: "ou=groups,dc=example,dc=com"
|
|
# Optional, defaults to '(|(member={0})(uniqueMember={0}))'
|
|
group_membership_filter: ""
|
|
# Replace DN as the username with another attribute
|
|
# Optional, defaults to "dn"
|
|
username_attribute: "uid"
|
|
# Configure TLS parameters for LDAPs connections
|
|
# Optional, defaults to null
|
|
tls_config:
|
|
# Set the hostname for certificate validation
|
|
# Optional, defaults to host from the connection URI
|
|
validate_hostname: ldap.example.com
|
|
# Disable certificate validation
|
|
# Optional, defaults to false
|
|
allow_insecure: false
|
|
|
|
# Authentication through OAuth2 workflow with OpenID Connect provider
|
|
# Supports: Users
|
|
oidc:
|
|
client_id: ""
|
|
client_secret: ""
|
|
# Optional, defaults to "OpenID Connect"
|
|
issuer_name: ""
|
|
issuer_url: ""
|
|
redirect_url: "https://login.luifer.io/login"
|
|
|
|
# Optional, defaults to no limitations
|
|
require_domain: "example.com"
|
|
# Optional, defaults to "subject"
|
|
user_id_method: "full-email"
|
|
|
|
|
|
# Authentication against embedded user database
|
|
# Supports: Users, Groups, MFA
|
|
simple:
|
|
enable_basic_auth: false
|
|
|
|
# Unique username mapped to bcrypt hashed password
|
|
users:
|
|
luzifer: "$2a$10$FSGAF8qDWX52aBID8.WpxOyCvfSQ3JIUVFiwyd1jolb4jM3BzJmNu"
|
|
|
|
# Groupname to users mapping
|
|
groups:
|
|
admins: ["luzifer"]
|
|
|
|
# MFA configs: Username to configs mapping
|
|
mfa:
|
|
luzifer:
|
|
- provider: duo
|
|
|
|
- provider: totp
|
|
attributes:
|
|
secret: MZXW6YTBOIFA # required
|
|
period: 30 # optional, defaults to 30 (Google Authenticator)
|
|
skew: 1 # optional, defaults to 1 (Google Authenticator)
|
|
digits: 8 # optional, defaults to 6 (Google Authenticator)
|
|
algorithm: sha1 # optional (sha1, sha256, sha512), defaults to sha1 (Google Authenticator)
|
|
|
|
- provider: yubikey
|
|
attributes:
|
|
device: ccccccfcvuul
|
|
|
|
# Authentication against embedded token directory
|
|
# Supports: Users, Groups
|
|
token:
|
|
# Mapping of unique token names to the token
|
|
tokens:
|
|
tokenname: "MYTOKEN"
|
|
|
|
# Groupname to token mapping
|
|
groups:
|
|
mytokengroup: ["tokenname"]
|
|
|
|
# Authentication against Yubikey cloud validation servers
|
|
# Supports: Users, Groups
|
|
yubikey:
|
|
# Get your client / secret from https://upgrade.yubico.com/getapikey/
|
|
client_id: "12345"
|
|
secret_key: "foobar"
|
|
|
|
# First 12 characters of the OTP string mapped to the username
|
|
devices:
|
|
ccccccfcvuul: "luzifer"
|
|
|
|
# Groupname to users mapping
|
|
groups:
|
|
admins: ["luzifer"]
|
|
|
|
...
|