From e17aed8297977e8160bf344c3cf3bce083b6eb69 Mon Sep 17 00:00:00 2001 From: Danny Bessems Date: Tue, 20 Aug 2019 11:48:40 +0000 Subject: [PATCH] Added initial config for TOTP; for use with the Spomky-Labs/otphp class --- README.md | 21 +++++++++------------ lucidAuth.config.php.example | 13 +++++++++++++ 2 files changed, 22 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index f6735f4..b790784 100644 --- a/README.md +++ b/README.md @@ -1,19 +1,19 @@ # lucidAuth -[![](https://img.shields.io/badge/status-in%20production-%23003399.svg)](#) [![](https://img.shields.io/badge/contributors-1-green.svg) ](#) +[![](https://img.shields.io/badge/status-in%20production-%23003399.svg)](#) [![](https://img.shields.io/badge/contributors-1-green.svg) ](#) Forward Authentication for use with proxies (caddy, nginx, traefik, etc) ## Usage -- Create a new folder, navigate to it in a commandprompt and run the following command: - `git clone https://code.spamasaurus.com/djpbessems/lucidAuth.git` -- Edit `include/lucidAuth.config.php.example` to reflect your configuration and save as `include/lucidAuth.config.php` -- Create a new website (within any php-capable webserver) and make sure that the documentroot points to the `public` folder -- Check if you are able to browse to `https:///lucidAuth.login.php` (where `` is the actual domain -or IP address- your webserver is listening on) -- Edit your proxy's configuration to use the new website as forward proxy: +- Create a new folder, navigate to it in a commandprompt and run the following command: + `git clone https://code.spamasaurus.com/djpbessems/lucidAuth.git` +- Edit `include/lucidAuth.config.php.example` to reflect your configuration and save as `include/lucidAuth.config.php` +- Create a new website (within any php-capable webserver) and make sure that the documentroot points to the `public` folder +- Check if you are able to browse to `https:///lucidAuth.login.php` (where `` is the actual domain -or IP address- your webserver is listening on) +- Edit your proxy's configuration to use the new website as forward proxy: - #### ~~in Caddy/nginx~~ (planned for a later stage) - - #### in Traefik - Add the following lines (change to reflect your existing configuration): + - #### in Traefik + Add the following lines (change to reflect your existing configuration): ``` [frontends.server1] entrypoints = ["https"] @@ -25,8 +25,5 @@ Forward Authentication for use with proxies (caddy, nginx, traefik, etc) rule = "Host:" ``` -- #### Important! - The domainname of the website made in step 3, needs to match the domainname (*ignoring subdomains, if any*) of the resource utilizing this authentication proxy. - ## Questions or bugs Feel free to open issues in this repository. \ No newline at end of file diff --git a/lucidAuth.config.php.example b/lucidAuth.config.php.example index 167797b..9653f67 100644 --- a/lucidAuth.config.php.example +++ b/lucidAuth.config.php.example @@ -18,6 +18,16 @@ return (object) array( // Specify the NetBios name of the domain; to allow users to log on with just their usernames. ], + '2FA' => [ + 'Protocol' => 'TOTP', // Possible options are HOTP (sequential codes) and TOTP (timebased codes) + 'TOTP' => [ + 'Secret' => 'NULL', // By default, a 512 bits secret is generated. If you need, you can provide your own secret here. + 'Age' => '30', // The duration that each OTP code is valid for. + 'Length' => '6', // Number of digits the OTP code will consist of. + 'Algorithm' => 'SHA256' // The hashing algorithm used. + ], + ], + 'Sqlite' => [ 'Path' => '../data/lucidAuth.sqlite.db' // Relative path to the location where the database should be stored @@ -37,6 +47,9 @@ return (object) array( 'CrossDomainLogin' => False, // Set this to True if SingleSignOn (albeit rudementary) is desired // (cookies are inheritently unaware of each other; clearing cookies for one domain does not affect other domains) + // Important! + // If you leave this set to False, the domainname where lucidAuth will be running on, + // needs to match the domainname (*ignoring subdomains, if any*) of the resource utilizing the authentication proxy. 'CookieDomains' => [ 'domain1.tld' #, 'domain2.tld', 'subdomain.domain3.tld' ]