Update rauthy
This commit is contained in:
parent
e8f04f4dde
commit
5f825093cc
2
.env
2
.env
@ -40,3 +40,5 @@ SONIC_INGEST_PASS=SecretPassword
|
|||||||
SEARCH_ACTIVE=true
|
SEARCH_ACTIVE=true
|
||||||
|
|
||||||
KANIDM_IDM_ADMIN_PASS=2MScM5Cr2ANyLRps4ccGZjSJdx8bth6yXEwKJDqYU5ZdNfKN
|
KANIDM_IDM_ADMIN_PASS=2MScM5Cr2ANyLRps4ccGZjSJdx8bth6yXEwKJDqYU5ZdNfKN
|
||||||
|
|
||||||
|
RAUTHY_API_KEY=oidc$1nrMx5FY6crQaejAKTBAFlx8t8ObnKOUUSBhlBkkUBnyCfwAJvKmlEQ5LoqanRyn
|
||||||
|
@ -3,7 +3,7 @@ server {
|
|||||||
server_name rauthy.lvh;
|
server_name rauthy.lvh;
|
||||||
|
|
||||||
location ~ / {
|
location ~ / {
|
||||||
proxy_pass http://rauthy:8080;
|
proxy_pass http://rauthy:8301;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
@ -17,7 +17,7 @@
|
|||||||
# If you don't need the extra validations, you can set this to `false` to
|
# If you don't need the extra validations, you can set this to `false` to
|
||||||
# save some resources, if your clients to a lot of `/userinfo` lookups.
|
# save some resources, if your clients to a lot of `/userinfo` lookups.
|
||||||
# default: true
|
# default: true
|
||||||
#USERINFO_STRICT=true
|
USERINFO_STRICT=false
|
||||||
|
|
||||||
# Can be used when 'OPEN_USER_REG=true' to restrict the domains
|
# Can be used when 'OPEN_USER_REG=true' to restrict the domains
|
||||||
# for a registration. For instance, set it to
|
# for a registration. For instance, set it to
|
||||||
@ -60,7 +60,7 @@
|
|||||||
# in the Admin UI. If these are correct, your setup is okay.
|
# in the Admin UI. If these are correct, your setup is okay.
|
||||||
#
|
#
|
||||||
# (default: true)
|
# (default: true)
|
||||||
# SESSION_VALIDATE_IP=false
|
SESSION_VALIDATE_IP=false
|
||||||
|
|
||||||
# By default, Rauthy will log a warning into the logs, if an active password
|
# By default, Rauthy will log a warning into the logs, if an active password
|
||||||
# reset form is being access multiple times from different hosts. You can set
|
# reset form is being access multiple times from different hosts. You can set
|
||||||
@ -81,17 +81,17 @@
|
|||||||
# Cloudflare, which adds custom headers in this case.
|
# Cloudflare, which adds custom headers in this case.
|
||||||
# For instance, if your requests are proxied through cloudflare, your would
|
# For instance, if your requests are proxied through cloudflare, your would
|
||||||
# set `CF-Connecting-IP`.
|
# set `CF-Connecting-IP`.
|
||||||
# PEER_IP_HEADER_NAME="CF-Connecting-IP"
|
PEER_IP_HEADER_NAME="CF-Connecting-IP"
|
||||||
PEER_IP_HEADER_NAME="X-Forwarded-For"
|
|
||||||
|
|
||||||
# You can enable authn/authz headers which would be added to the response
|
# You can enable authn/authz headers which would be added to the response
|
||||||
# of the `/auth/v1/forward_auth` endpoint. With `AUTH_HEADERS_ENABLE=true`,
|
# of the `/auth/v1/oidc/forward_auth` endpoint. With `AUTH_HEADERS_ENABLE=true`,
|
||||||
# the headers below will be added to authenticated requests. These could
|
# the headers below will be added to authenticated requests. These could
|
||||||
# be used on legacy downstream applications, that don't support OIDC on
|
# be used on legacy downstream applications, that don't support OIDC on
|
||||||
# their own.
|
# their own.
|
||||||
# However, be careful when using this, since this kind of authn/authz has
|
# However, be careful when using this, since this kind of authn/authz has
|
||||||
# a lot of pitfalls out of the scope of Rauthy.
|
# a lot of pitfalls out of the scope of Rauthy.
|
||||||
# AUTH_HEADERS_ENABLE=true
|
# default: false
|
||||||
|
AUTH_HEADERS_ENABLE=true
|
||||||
|
|
||||||
# Configure the header names being used for the different values.
|
# Configure the header names being used for the different values.
|
||||||
# You can change them to your needs, if you cannot easily change your
|
# You can change them to your needs, if you cannot easily change your
|
||||||
@ -174,7 +174,7 @@ AUTH_HEADER_MFA=x-forwarded-user-mfa
|
|||||||
#S3_BUCKET=my_s3_bucket_name
|
#S3_BUCKET=my_s3_bucket_name
|
||||||
#S3_ACCESS_KEY=
|
#S3_ACCESS_KEY=
|
||||||
#S3_ACCESS_SECRET=
|
#S3_ACCESS_SECRET=
|
||||||
#S3_DANGER_ACCEPT_INVALID_CERTS=false
|
#S3_DANGER_ALLOW_INSECURE=false
|
||||||
|
|
||||||
# Restores the given backup
|
# Restores the given backup
|
||||||
#
|
#
|
||||||
@ -217,7 +217,7 @@ BOOTSTRAP_ADMIN_EMAIL=admin@localhost.de
|
|||||||
# If set, this plain text password will be used for the
|
# If set, this plain text password will be used for the
|
||||||
# initial admin password instead of generating a random
|
# initial admin password instead of generating a random
|
||||||
# password.
|
# password.
|
||||||
BOOTSTRAP_ADMIN_PASSWORD_PLAIN="n!U@vNYM9*SQpS"
|
# BOOTSTRAP_ADMIN_PASSWORD_PLAIN="123SuperSafe"
|
||||||
|
|
||||||
# If set, this will take the argon2id hashed password
|
# If set, this will take the argon2id hashed password
|
||||||
# during the initialization of an empty production database.
|
# during the initialization of an empty production database.
|
||||||
@ -285,17 +285,17 @@ BOOTSTRAP_ADMIN_PASSWORD_PLAIN="n!U@vNYM9*SQpS"
|
|||||||
|
|
||||||
# If the cache should start in HA mode or standalone
|
# If the cache should start in HA mode or standalone
|
||||||
# accepts 'true|false', defaults to 'false'
|
# accepts 'true|false', defaults to 'false'
|
||||||
HA_MODE=false
|
#HA_MODE=false
|
||||||
|
|
||||||
# The connection strings (with hostnames) of the HA instances
|
# The connection strings (with hostnames) of the HA instances
|
||||||
# as a CSV.
|
# as a CSV.
|
||||||
# Format: 'scheme://hostname:port'
|
# Format: 'scheme://hostname:port'
|
||||||
HA_HOSTS="http://rauthy-0.rauthy:8080"
|
#HA_HOSTS="http://rauthy-0.rauthy:8000, http://rauthy-1.rauthy:8000, http://rauthy-2.rauthy:8000"
|
||||||
|
|
||||||
# Overwrite the hostname which is used to identify each cache member.
|
# Overwrite the hostname which is used to identify each cache member.
|
||||||
# Useful in scenarios, where for instance all members are on the same host with
|
# Useful in scenarios, where for instance all members are on the same host with
|
||||||
# different ports or for testing.
|
# different ports or for testing.
|
||||||
HOSTNAME_OVERWRITE="rauthy-0.rauthy:8080"
|
#HOSTNAME_OVERWRITE="rauthy-0.rauthy:8080"
|
||||||
|
|
||||||
## Define buffer sizes for channels between the components
|
## Define buffer sizes for channels between the components
|
||||||
# Buffer for client requests on the incoming stream - server
|
# Buffer for client requests on the incoming stream - server
|
||||||
@ -378,7 +378,6 @@ CACHE_USERS_LIFESPAN=28800
|
|||||||
#DATABASE_URL=sqlite::memory:
|
#DATABASE_URL=sqlite::memory:
|
||||||
#DATABASE_URL=sqlite:data/rauthy.db
|
#DATABASE_URL=sqlite:data/rauthy.db
|
||||||
#DATABASE_URL=postgresql://rauthy:123SuperSafe@localhost:5432/rauthy
|
#DATABASE_URL=postgresql://rauthy:123SuperSafe@localhost:5432/rauthy
|
||||||
DATABASE_URL=postgresql://rauthy:123SuperSafe@rauthy-psql:5432/rauthy
|
|
||||||
|
|
||||||
# Max DB connections - irrelevant for SQLite (default: 5)
|
# Max DB connections - irrelevant for SQLite (default: 5)
|
||||||
#DATABASE_MAX_CONN=5
|
#DATABASE_MAX_CONN=5
|
||||||
@ -435,7 +434,7 @@ DPOP_NONCE_EXP=900
|
|||||||
# handled properly and your users just login blindly to any client
|
# handled properly and your users just login blindly to any client
|
||||||
# they get redirected to.
|
# they get redirected to.
|
||||||
# default: false
|
# default: false
|
||||||
ENABLE_DYN_CLIENT_REG=false
|
#ENABLE_DYN_CLIENT_REG=false
|
||||||
|
|
||||||
# If specified, this secret token will be expected during
|
# If specified, this secret token will be expected during
|
||||||
# dynamic client registrations to be given as a
|
# dynamic client registrations to be given as a
|
||||||
@ -515,12 +514,12 @@ EMAIL_SUB_PREFIX="Rauthy IAM"
|
|||||||
# TLS fails. It will never allow an unencrypted connection.
|
# TLS fails. It will never allow an unencrypted connection.
|
||||||
# You might want to set `SMTP_DANGER_INSECURE=true` if you
|
# You might want to set `SMTP_DANGER_INSECURE=true` if you
|
||||||
# need this for local dev.
|
# need this for local dev.
|
||||||
SMTP_URL=mailcrab
|
#SMTP_URL=
|
||||||
SMTP_USERNAME=
|
#SMTP_USERNAME=
|
||||||
SMTP_PASSWORD=
|
#SMTP_PASSWORD=
|
||||||
# Format: "Rauthy <rauthy@localhost.de>"
|
# Format: "Rauthy <rauthy@localhost.de>"
|
||||||
# default: "Rauthy <rauthy@localhost.de>"
|
# default: "Rauthy <rauthy@localhost.de>"
|
||||||
SMTP_FROM=notif@example.com
|
#SMTP_FROM=
|
||||||
|
|
||||||
# The number of retries that should be done for connecting to
|
# The number of retries that should be done for connecting to
|
||||||
# the given SMTP_URL.
|
# the given SMTP_URL.
|
||||||
@ -537,7 +536,7 @@ SMTP_FROM=notif@example.com
|
|||||||
# ignored and you can modify the target port with
|
# ignored and you can modify the target port with
|
||||||
# `SMTP_DANGER_INSECURE_PORT`.
|
# `SMTP_DANGER_INSECURE_PORT`.
|
||||||
# default: false
|
# default: false
|
||||||
SMTP_DANGER_INSECURE=true
|
#SMTP_DANGER_INSECURE=false
|
||||||
|
|
||||||
# The port for an insecure SMTP relay.
|
# The port for an insecure SMTP relay.
|
||||||
# This will most likely be used for testing only.
|
# This will most likely be used for testing only.
|
||||||
@ -662,7 +661,7 @@ MAX_HASH_THREADS=1
|
|||||||
#####################################
|
#####################################
|
||||||
|
|
||||||
# The E-Mail address event notifications should be sent to.
|
# The E-Mail address event notifications should be sent to.
|
||||||
#EVENT_EMAIL=admin@localhost.de
|
EVENT_EMAIL=admin@localhost.de
|
||||||
|
|
||||||
# Matrix variables for event notifications.
|
# Matrix variables for event notifications.
|
||||||
# `EVENT_MATRIX_USER_ID` and `EVENT_MATRIX_ROOM_ID` are mandatory.
|
# `EVENT_MATRIX_USER_ID` and `EVENT_MATRIX_ROOM_ID` are mandatory.
|
||||||
@ -673,7 +672,7 @@ MAX_HASH_THREADS=1
|
|||||||
# you should provide `EVENT_MATRIX_ACCESS_TOKEN`.
|
# you should provide `EVENT_MATRIX_ACCESS_TOKEN`.
|
||||||
# If both are given, the `EVENT_MATRIX_ACCESS_TOKEN` will be preferred.
|
# If both are given, the `EVENT_MATRIX_ACCESS_TOKEN` will be preferred.
|
||||||
#
|
#
|
||||||
# If left empty, no messages will be sent to Slack.
|
# If left empty, no messages will be sent to Matrix.
|
||||||
# Format: `@<user_id>:<server address>`
|
# Format: `@<user_id>:<server address>`
|
||||||
#EVENT_MATRIX_USER_ID=
|
#EVENT_MATRIX_USER_ID=
|
||||||
# Format: `!<random string>:<server address>`
|
# Format: `!<random string>:<server address>`
|
||||||
@ -703,7 +702,7 @@ MAX_HASH_THREADS=1
|
|||||||
|
|
||||||
# The notification level for events. Works the same way as a logging level.
|
# The notification level for events. Works the same way as a logging level.
|
||||||
# For instance: 'notice' means send out a notifications for all events with
|
# For instance: 'notice' means send out a notifications for all events with
|
||||||
# the info level or higher.
|
# the notice level or higher.
|
||||||
# Possible values:
|
# Possible values:
|
||||||
# - info
|
# - info
|
||||||
# - notice
|
# - notice
|
||||||
@ -726,11 +725,11 @@ EVENT_NOTIFY_LEVEL_SLACK=notice
|
|||||||
# - warning
|
# - warning
|
||||||
# - critical
|
# - critical
|
||||||
# default: 'info'
|
# default: 'info'
|
||||||
EVENT_PERSIST_LEVEL=info
|
#EVENT_PERSIST_LEVEL=info
|
||||||
|
|
||||||
# Define the number of days when events should be cleaned up from the database.
|
# Define the number of days when events should be cleaned up from the database.
|
||||||
# default: 31
|
# default: 31
|
||||||
EVENT_CLEANUP_DAYS=31
|
#EVENT_CLEANUP_DAYS=31
|
||||||
|
|
||||||
# The level for the generated Event after a new user has been registered.
|
# The level for the generated Event after a new user has been registered.
|
||||||
# default: info
|
# default: info
|
||||||
@ -790,7 +789,7 @@ EVENT_LEVEL_FAILED_LOGIN=info
|
|||||||
# by doing a request to the Github API to check the latest release.
|
# by doing a request to the Github API to check the latest release.
|
||||||
# This ignores any type of prerelease and will only notify for a new stable.
|
# This ignores any type of prerelease and will only notify for a new stable.
|
||||||
# default: false
|
# default: false
|
||||||
DISABLE_APP_VERSION_CHECK=true
|
#DISABLE_APP_VERSION_CHECK=false
|
||||||
|
|
||||||
#####################################
|
#####################################
|
||||||
############## FED CM ###############
|
############## FED CM ###############
|
||||||
@ -838,14 +837,15 @@ DISABLE_APP_VERSION_CHECK=true
|
|||||||
|
|
||||||
# Session lifetime in seconds - the session can not be
|
# Session lifetime in seconds - the session can not be
|
||||||
# extended beyond this time and a new login will be forced.
|
# extended beyond this time and a new login will be forced.
|
||||||
# This is the session for the authorization code flow. (default: 14400)
|
# This is the session for the authorization code flow.
|
||||||
|
# (default: 14400)
|
||||||
#SESSION_LIFETIME=14400
|
#SESSION_LIFETIME=14400
|
||||||
|
|
||||||
# If 'true', a 2FA / MFA check will be done with each automatic
|
# If 'true', a 2FA / MFA check will be done with each automatic
|
||||||
# token generation, even with an active session, which kind of
|
# token generation, even with an active session, which kind of
|
||||||
# makes the session useless with Webauthn enabled, but provides
|
# makes the session useless with Webauthn enabled, but provides
|
||||||
# maximum amount of security.
|
# maximum amount of security.
|
||||||
# If 'false', the user will not get a MFA prompt with an active
|
# If 'false', the user will not get an MFA prompt with an active
|
||||||
# session at the authorization endpoint.
|
# session at the authorization endpoint.
|
||||||
# (default: false)
|
# (default: false)
|
||||||
#SESSION_RENEW_MFA=false
|
#SESSION_RENEW_MFA=false
|
||||||
@ -873,7 +873,7 @@ DISABLE_APP_VERSION_CHECK=true
|
|||||||
|
|
||||||
# This is the log level for stdout logs
|
# This is the log level for stdout logs
|
||||||
# Accepts: error, info, debug, trace (default: info)
|
# Accepts: error, info, debug, trace (default: info)
|
||||||
LOG_LEVEL=trace
|
#LOG_LEVEL=info
|
||||||
|
|
||||||
# This is a special config which allows the configuration of
|
# This is a special config which allows the configuration of
|
||||||
# customized access logs. These logs will be logged with each
|
# customized access logs. These logs will be logged with each
|
||||||
@ -900,7 +900,7 @@ LOG_LEVEL=trace
|
|||||||
|
|
||||||
# If 'true', MFA for an account must be enabled to access the
|
# If 'true', MFA for an account must be enabled to access the
|
||||||
# rauthy admin UI (default: true)
|
# rauthy admin UI (default: true)
|
||||||
#ADMIN_FORCE_MFA=true
|
ADMIN_FORCE_MFA=false
|
||||||
|
|
||||||
#####################################
|
#####################################
|
||||||
############## POW #################
|
############## POW #################
|
||||||
@ -923,12 +923,12 @@ POW_EXP=30
|
|||||||
|
|
||||||
# The server address to listen on. Can bind to a specific IP.
|
# The server address to listen on. Can bind to a specific IP.
|
||||||
# default: 0.0.0.0
|
# default: 0.0.0.0
|
||||||
LISTEN_ADDRESS=0.0.0.0
|
#LISTEN_ADDRESS=0.0.0.0
|
||||||
|
|
||||||
# The listen ports for HTTP / HTTPS, depending on the
|
# The listen ports for HTTP / HTTPS, depending on the
|
||||||
# activated 'LISTEN_SCHEME'
|
# activated 'LISTEN_SCHEME'
|
||||||
# default: 8080
|
# default: 8080
|
||||||
LISTEN_PORT_HTTP=8080
|
#LISTEN_PORT_HTTP=8080
|
||||||
# default: 8443
|
# default: 8443
|
||||||
#LISTEN_PORT_HTTPS=8443
|
#LISTEN_PORT_HTTPS=8443
|
||||||
|
|
||||||
@ -941,43 +941,43 @@ LISTEN_SCHEME=http
|
|||||||
# HEADER later on, which is especially important when running
|
# HEADER later on, which is especially important when running
|
||||||
# rauthy behind a reverse proxy. In case of a non-standard
|
# rauthy behind a reverse proxy. In case of a non-standard
|
||||||
# port (80/443), you need to add the port to the PUB_URL
|
# port (80/443), you need to add the port to the PUB_URL
|
||||||
PUB_URL=rauthy.lvh
|
PUB_URL=localhost:8301
|
||||||
|
|
||||||
# default value: number of available physical cores
|
# default value: number of available physical cores
|
||||||
HTTP_WORKERS=10
|
#HTTP_WORKERS=1
|
||||||
|
|
||||||
# When rauthy is running behind a reverse proxy, set to true
|
# When rauthy is running behind a reverse proxy, set to true
|
||||||
# default: false
|
# default: false
|
||||||
PROXY_MODE=true
|
PROXY_MODE=false
|
||||||
|
|
||||||
# A `\n` separated list of trusted proxy CIDRs.
|
# A `\n` separated list of trusted proxy CIDRs.
|
||||||
# When `PROXY_MODE=true` or `PEER_IP_HEADER_NAME` is set,
|
# When `PROXY_MODE=true` or `PEER_IP_HEADER_NAME` is set,
|
||||||
# these are mandatory to be able to extract the real client
|
# these are mandatory to be able to extract the real client
|
||||||
# IP properly and safely to prevent IP header spoofing.
|
# IP properly and safely to prevent IP header spoofing.
|
||||||
# All requests with a different source will be blocked.
|
# All requests with a different source will be blocked.
|
||||||
TRUSTED_PROXIES="
|
#TRUSTED_PROXIES="
|
||||||
192.168.14.0/24
|
#192.168.14.0/24
|
||||||
"
|
#"
|
||||||
|
|
||||||
# To enable or disable the additional HTTP server to expose the /metrics endpoint
|
# To enable or disable the additional HTTP server to expose the /metrics endpoint
|
||||||
# default: true
|
# default: true
|
||||||
METRICS_ENABLE=true
|
# METRICS_ENABLE=true
|
||||||
|
|
||||||
# The IP address to listen on for the /metrics endpoint.
|
# The IP address to listen on for the /metrics endpoint.
|
||||||
# You do not want to expose your metrics on a publicly reachable endpoint!
|
# You do not want to expose your metrics on a publicly reachable endpoint!
|
||||||
# default: 0.0.0.0
|
# default: 0.0.0.0
|
||||||
METRICS_ADDR=0.0.0.0
|
# METRICS_ADDR=0.0.0.0
|
||||||
|
|
||||||
# The post to listen on for the /metrics endpoint.
|
# The post to listen on for the /metrics endpoint.
|
||||||
# You do not want to expose your metrics on a publicly reachable endpoint!
|
# You do not want to expose your metrics on a publicly reachable endpoint!
|
||||||
# default: 9090
|
# default: 9090
|
||||||
METRICS_PORT=8302
|
# METRICS_PORT=9090
|
||||||
|
|
||||||
# If the Swagger UI should be served together with the /metrics route on the internal
|
# If the Swagger UI should be served together with the /metrics route on the internal
|
||||||
# server. It it then reachable via:
|
# server. It it then reachable via:
|
||||||
# http://METRICS_ADDR:METRICS_PORT/docs/v1/swagger-ui/
|
# http://METRICS_ADDR:METRICS_PORT/docs/v1/swagger-ui/
|
||||||
# default: true
|
# default: true
|
||||||
SWAGGER_UI_INTERNAL=true
|
# SWAGGER_UI_INTERNAL=true
|
||||||
|
|
||||||
# If the Swagger UI should be served externally as well. This makes the link in the
|
# If the Swagger UI should be served externally as well. This makes the link in the
|
||||||
# Admin UI work.
|
# Admin UI work.
|
||||||
@ -986,7 +986,7 @@ SWAGGER_UI_INTERNAL=true
|
|||||||
# Rauthy is open source, which means anyone could just download it and see on their
|
# Rauthy is open source, which means anyone could just download it and see on their
|
||||||
# own, but it may be a security concern to just expose less information.
|
# own, but it may be a security concern to just expose less information.
|
||||||
# default: false
|
# default: false
|
||||||
SWAGGER_UI_EXTERNAL=true
|
#SWAGGER_UI_EXTERNAL=false
|
||||||
|
|
||||||
# The interval in seconds in which keep-alives should be sent to SSE clients.
|
# The interval in seconds in which keep-alives should be sent to SSE clients.
|
||||||
# Depending on your network setup, proxy timeouts, ...
|
# Depending on your network setup, proxy timeouts, ...
|
||||||
@ -1061,7 +1061,7 @@ SWAGGER_UI_EXTERNAL=true
|
|||||||
|
|
||||||
# Enable / disable TLS for the cache communication
|
# Enable / disable TLS for the cache communication
|
||||||
# (default: true)
|
# (default: true)
|
||||||
CACHE_TLS=false
|
CACHE_TLS=true
|
||||||
|
|
||||||
# The path to the server TLS certificate PEM file
|
# The path to the server TLS certificate PEM file
|
||||||
# default: tls/redhac.cert-chain.pem
|
# default: tls/redhac.cert-chain.pem
|
||||||
@ -1089,7 +1089,7 @@ CACHE_TLS_SERVER_KEY=tls/key.pem
|
|||||||
# 'X509v3 Subject Alternative Name' when you take a look at
|
# 'X509v3 Subject Alternative Name' when you take a look at
|
||||||
# the servers certificate with the openssl tool.
|
# the servers certificate with the openssl tool.
|
||||||
# default: redhac.local
|
# default: redhac.local
|
||||||
CACHE_TLS_CLIENT_VALIDATE_DOMAIN=rauthy.lvh
|
CACHE_TLS_CLIENT_VALIDATE_DOMAIN=redhac.local
|
||||||
|
|
||||||
# Can be used if you need to overwrite the SNI when the
|
# Can be used if you need to overwrite the SNI when the
|
||||||
# client connects to the server, for instance if you are
|
# client connects to the server, for instance if you are
|
||||||
@ -1105,12 +1105,12 @@ CACHE_TLS_CLIENT_VALIDATE_DOMAIN=rauthy.lvh
|
|||||||
# (default: localhost)
|
# (default: localhost)
|
||||||
# CAUTION: When this changes, already registered devices will stop
|
# CAUTION: When this changes, already registered devices will stop
|
||||||
# working and users cannot log in anymore!
|
# working and users cannot log in anymore!
|
||||||
RP_ID=rauthy.lvh
|
RP_ID=localhost
|
||||||
|
|
||||||
# Url containing the effective domain name
|
# Url containing the effective domain name
|
||||||
# (default: http://localhost:8080)
|
# (default: http://localhost:8080)
|
||||||
# CAUTION: Must include the port number!
|
# CAUTION: Must include the port number!
|
||||||
RP_ORIGIN=http://rauthy.lvh
|
RP_ORIGIN=http://localhost:8080
|
||||||
|
|
||||||
# Non critical RP Name
|
# Non critical RP Name
|
||||||
# Has no security properties and may be changed without issues
|
# Has no security properties and may be changed without issues
|
||||||
@ -1141,7 +1141,7 @@ RP_NAME='Rauthy Webauthn'
|
|||||||
# again. That is why we should ask for the original password
|
# again. That is why we should ask for the original password
|
||||||
# in addition once in a while to set the cookie.
|
# in addition once in a while to set the cookie.
|
||||||
# The value is in hours (default: 2160)
|
# The value is in hours (default: 2160)
|
||||||
#WEBAUTHN_RENEW_EXP=2160
|
WEBAUTHN_RENEW_EXP=2160
|
||||||
|
|
||||||
# This feature can be set to 'true' to force User verification
|
# This feature can be set to 'true' to force User verification
|
||||||
# during the Webauthn ceremony. UV will be true, if the user
|
# during the Webauthn ceremony. UV will be true, if the user
|
||||||
@ -1153,7 +1153,7 @@ RP_NAME='Rauthy Webauthn'
|
|||||||
# option, since Android and some special combinations of OS +
|
# option, since Android and some special combinations of OS +
|
||||||
# browser to not support UV yet.
|
# browser to not support UV yet.
|
||||||
# (default: false)
|
# (default: false)
|
||||||
#WEBAUTHN_FORCE_UV=false
|
WEBAUTHN_FORCE_UV=false
|
||||||
|
|
||||||
# Can be set to 'true' to disable password expiry for users
|
# Can be set to 'true' to disable password expiry for users
|
||||||
# that have at least one active passkey. When set to 'false',
|
# that have at least one active passkey. When set to 'false',
|
||||||
@ -1162,4 +1162,4 @@ RP_NAME='Rauthy Webauthn'
|
|||||||
# With this option active, rauthy will ignore any password
|
# With this option active, rauthy will ignore any password
|
||||||
# expiry set by the password policy for Webauthn users.
|
# expiry set by the password policy for Webauthn users.
|
||||||
# default: true
|
# default: true
|
||||||
WEBAUTHN_NO_PASSWORD_EXPIRY=true
|
#WEBAUTHN_NO_PASSWORD_EXPIRY=true
|
||||||
|
@ -2,15 +2,17 @@ version: '3'
|
|||||||
services:
|
services:
|
||||||
rumqqtd:
|
rumqqtd:
|
||||||
image: bytebeamio/rumqttd
|
image: bytebeamio/rumqttd
|
||||||
|
restart: no
|
||||||
ports:
|
ports:
|
||||||
- 1883:1883
|
- 1883:1883
|
||||||
- 1884:1884
|
- 1884:1884
|
||||||
|
|
||||||
rauthy-nginx:
|
rauthy-nginx:
|
||||||
image: nginx:latest
|
image: nginx:latest
|
||||||
|
restart: no
|
||||||
ports:
|
ports:
|
||||||
- 80:80
|
- 80:80
|
||||||
volumes:
|
volumes:
|
||||||
# /etc/nginx/conf.d/*.conf;
|
|
||||||
- ./config/rauth.nginx:/etc/nginx/conf.d/rauth.conf:ro
|
- ./config/rauth.nginx:/etc/nginx/conf.d/rauth.conf:ro
|
||||||
depends_on:
|
depends_on:
|
||||||
- rauthy
|
- rauthy
|
||||||
@ -21,20 +23,36 @@ services:
|
|||||||
POSTGRES_PASSWORD: 123SuperSafe
|
POSTGRES_PASSWORD: 123SuperSafe
|
||||||
POSTGRES_USER: rauthy
|
POSTGRES_USER: rauthy
|
||||||
POSTGRES_DB: rauthy
|
POSTGRES_DB: rauthy
|
||||||
DATABASE_URL: postgresql://rauthy:123SuperSafe@localhost:5432/rauthy
|
ports:
|
||||||
|
- 6677:5432
|
||||||
volumes:
|
volumes:
|
||||||
- rauthy-psql:/var/lib/postgresql/data
|
- rauthy-psql:/var/lib/postgresql/data
|
||||||
|
|
||||||
rauthy:
|
rauthy:
|
||||||
image: ghcr.io/sebadob/rauthy:0.23.5
|
image: ghcr.io/sebadob/rauthy:0.24.1
|
||||||
depends_on:
|
depends_on:
|
||||||
- rauthy-psql
|
- rauthy-psql
|
||||||
|
- mailcrab
|
||||||
ports:
|
ports:
|
||||||
- 8302:8302
|
- 8302:8302
|
||||||
- 8301:9090
|
- 8301:8301
|
||||||
|
- 9090:9090
|
||||||
environment:
|
environment:
|
||||||
COOKIE_MODE: danger-insecure
|
- COOKIE_MODE=danger-insecure
|
||||||
SWAGGER_UI_EXTERNAL: true
|
- SWAGGER_UI_EXTERNAL=true
|
||||||
|
- RUSY_LOG=actix_http::h1::dispatcher=error,actix_server::signals=error,trace
|
||||||
|
- DATABASE_URL=postgresql://rauthy:123SuperSafe@rauthy-psql:5432/rauthy
|
||||||
|
- LISTEN_PORT_HTTP=8301
|
||||||
|
- SMTP_URL=mailcrab
|
||||||
|
- SMTP_USERNAME=""
|
||||||
|
- SMTP_PASSWORD=""
|
||||||
|
- SMTP_DANGER_INSECURE=true
|
||||||
|
- SMTP_DANGER_INSECURE_PORT=1025
|
||||||
|
- METRICS_ENABLE=true
|
||||||
|
- METRICS_ADDR=0.0.0.0
|
||||||
|
- METRICS_PORT=9090
|
||||||
|
- SWAGGER_UI_INTERNAL=true
|
||||||
|
- SWAGGER_UI_EXTERNAL=true
|
||||||
volumes:
|
volumes:
|
||||||
- rauthy:/app/data
|
- rauthy:/app/data
|
||||||
- ./config/rauthy.cfg:/app/rauthy.cfg
|
- ./config/rauthy.cfg:/app/rauthy.cfg
|
||||||
@ -42,7 +60,7 @@ services:
|
|||||||
quickwit:
|
quickwit:
|
||||||
image: quickwit/quickwit:v0.5.2
|
image: quickwit/quickwit:v0.5.2
|
||||||
command: run
|
command: run
|
||||||
restart: always
|
restart: no
|
||||||
environment:
|
environment:
|
||||||
QW_ENABLE_OTLP_ENDPOINT: true
|
QW_ENABLE_OTLP_ENDPOINT: true
|
||||||
QW_ENABLE_JAEGER_ENDPOINT: true
|
QW_ENABLE_JAEGER_ENDPOINT: true
|
||||||
@ -54,7 +72,7 @@ services:
|
|||||||
|
|
||||||
jaeger:
|
jaeger:
|
||||||
image: jaegertracing/jaeger-query:1.45
|
image: jaegertracing/jaeger-query:1.45
|
||||||
restart: always
|
restart: no
|
||||||
depends_on:
|
depends_on:
|
||||||
- quickwit
|
- quickwit
|
||||||
environment:
|
environment:
|
||||||
@ -65,7 +83,7 @@ services:
|
|||||||
|
|
||||||
grafana:
|
grafana:
|
||||||
image: grafana/grafana-enterprise:10.0.0
|
image: grafana/grafana-enterprise:10.0.0
|
||||||
restart: always
|
restart: no
|
||||||
depends_on:
|
depends_on:
|
||||||
- quickwit
|
- quickwit
|
||||||
environment:
|
environment:
|
||||||
@ -77,7 +95,10 @@ services:
|
|||||||
|
|
||||||
mailcrab:
|
mailcrab:
|
||||||
image: 'marlonb/mailcrab:latest'
|
image: 'marlonb/mailcrab:latest'
|
||||||
restart: unless-stopped
|
restart: no
|
||||||
|
environment:
|
||||||
|
- ENABLE_TLS_AUTH=false
|
||||||
|
- RUST_LOG=debug
|
||||||
ports:
|
ports:
|
||||||
- 1125:1025
|
- 1125:1025
|
||||||
- 1180:1080
|
- 1180:1080
|
||||||
|
Loading…
Reference in New Issue
Block a user