2fauth
docker
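# 2FAuth service definition (belongs under the top-level `services:` key of a
# compose file). The list-form environment entries are passed to the container
# verbatim; 2FAuth is a Laravel app, whose env() helper maps "null"/"true"/"false"
# to typed values and strips matching surrounding quotes, which is why the quoted
# DB_DATABASE value works as written.
2fauth:
  image: 2fauth/2fauth
  container_name: 2fauth
  restart: unless-stopped
  # Run as an unprivileged uid/gid. Quoted: an unquoted 1000:1000 is a base-60
  # integer (61000) to YAML 1.1 parsers, not the "uid:gid" string intended.
  user: "1000:1000"
  volumes:
    # Holds the SQLite database named by DB_DATABASE below — back this path up.
    - ./2fauth:/2fauth
  ports:
    # Host 8001 -> container 8000, plain HTTP. Quoted for the same reason as `user`.
    # The nginx vhost on this page reaches it as localhost:8001; if the host has
    # other reachable interfaces, consider publishing on 127.0.0.1 only — confirm
    # first where the proxy actually connects from (see TRUSTED_PROXIES).
    - "8001:8000/tcp"
  environment:
    - APP_NAME=2FAuth
    # Production mode with debug off: Laravel's debug error pages would otherwise
    # expose configuration (including environment values) to any visitor.
    - APP_ENV=production
    - APP_TIMEZONE=Australia/Brisbane
    - APP_DEBUG=false
    # This entry was mangled by the wiki's e-mail obfuscation (it lost its name).
    # 2FAuth's example config names the owner contact SITE_OWNER — confirm against
    # your copy. Placeholder address; replace it.
    - SITE_OWNER=owner@example.com
    # Placeholder. Set a random 32-character key once and treat it as a secret
    # (it is the application encryption key); do not commit the real value.
    - APP_KEY=createyourappkey
    - APP_URL=https://2fa.klaverstyn.com.au
    - ASSET_URL=https://2fa.klaverstyn.com.au
    - IS_DEMO_APP=false
    - LOG_CHANNEL=daily
    - LOG_LEVEL=notice
    - DB_DATABASE="/2fauth/database.sqlite"
    # Cache and sessions live in Redis (settings below), not in the container.
    - CACHE_DRIVER=redis
    - SESSION_DRIVER=redis
    # Outbound mail (password resets, notifications) goes to an SMTP relay on
    # port 25 with MAIL_ENCRYPTION unset, i.e. unencrypted unless the relay
    # upgrades via STARTTLS — acceptable only on a trusted network; presumably
    # mail.mailadmin.au is internal. Verify.
    - MAIL_MAILER=smtp
    - MAIL_HOST=mail.mailadmin.au
    - MAIL_PORT=25
    - MAIL_USERNAME=null
    - MAIL_PASSWORD=null
    - MAIL_ENCRYPTION=null
    - MAIL_FROM_NAME=null
    # Also mangled by e-mail obfuscation; by position among the MAIL_* entries this
    # is MAIL_FROM_ADDRESS. Placeholder address; replace it.
    - MAIL_FROM_ADDRESS=from@example.com
    - MAIL_VERIFY_SSL_PEER=true
    # Rate limits (per the 2FAuth docs these are per-minute counts — confirm).
    - THROTTLE_API=60
    - LOGIN_THROTTLE=5
    # web-guard = 2FAuth's own login form. The commented PROXY_* entries belong to
    # the reverse-proxy header-auth mode, which appears not to be in use here.
    - AUTHENTICATION_GUARD=web-guard
    - AUTHENTICATION_LOG_RETENTION=365
    #- PROXY_LOGOUT_URL=null
    # WebAuthn relying-party ID must be the domain users reach the app on; it
    # matches the host in APP_URL and the nginx server_name, as required.
    - WEBAUTHN_NAME=2FAuth
    - WEBAUTHN_ID=2fa.klaverstyn.com.au
    - WEBAUTHN_USER_VERIFICATION=preferred
    # X-Forwarded-* headers are honoured only from this proxy. It has to resolve
    # to the address nginx connects from; otherwise throttling and the
    # authentication log see the proxy's IP instead of the client's.
    - TRUSTED_PROXIES=web-docker.klaverstyn.com.au
    #- PROXY_FOR_OUTGOING_REQUESTS=null
    - CONTENT_SECURITY_POLICY=true
    # Leave the following configuration vars as is.
    # Unless you like to tinker and know what you're doing.
    - BROADCAST_DRIVER=log
    - QUEUE_DRIVER=sync
    - SESSION_LIFETIME=120
    # NOTE(review): this points at what looks like another stack's Redis
    # (librenms) with no password. Session and cache data for 2FAuth are then
    # readable by anything that can reach that Redis; REDIS_DB=1 only separates
    # key spaces, it is not an access control. A dedicated or authenticated
    # instance is safer — confirm who else can reach librenms_redis.
    - REDIS_HOST=librenms_redis
    - REDIS_PASSWORD=null
    - REDIS_PORT=6379
    - REDIS_DB=1
    # Pusher/Vite broadcast settings are intentionally empty (BROADCAST_DRIVER=log).
    - PUSHER_APP_ID=
    - PUSHER_APP_KEY=
    - PUSHER_APP_SECRET=
    - PUSHER_APP_CLUSTER=ap1
    - VITE_PUSHER_APP_KEY=
    - VITE_PUSHER_APP_CLUSTER=ap1
    - MIX_ENV=local
    - PHP_MEMORY_LIMIT=256M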
nginx
# Derives $connection_upgrade from the client's Upgrade header so the proxied
# Connection header is "upgrade" for WebSocket handshakes and "close" otherwise.
# Used by the `proxy_set_header Connection` line in the vhost below; harmless for
# 2FAuth unless WebSocket features are enabled.
# Place this in the http {} block or a common include file (e.g. /etc/nginx/nginx.conf),
# not inside a server {} block.
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}
# Plain-HTTP vhost: answers every request with a permanent redirect to HTTPS on
# the same host and path. Nothing is proxied here.
server {
    listen 192.168.1.1:80;
    # NOTE(review): fe80:: is link-local; binding one normally needs a zone index
    # ([fe80::...%eth0]) — confirm this listen actually comes up.
    listen [fe80::4c9a:23d2:1f45:6a12]:80;
    server_name 2fa.klaverstyn.com.au;
    # Same log files as the HTTPS vhost below.
    access_log /var/log/nginx/access_2fa.log;
    error_log /var/log/nginx/error_2fa.log;
    # $host rather than a literal so the redirect follows whatever name was requested.
    return 301 https://$host$request_uri;
}
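# HTTPS vhost that terminates TLS and proxies to the 2fauth container.
server {
    listen 192.168.1.1:443 ssl;
    # NOTE(review): fe80:: is link-local; binding one normally needs a zone index
    # ([fe80::...%eth0]) — confirm this listen actually comes up.
    listen [fe80::4c9a:23d2:1f45:6a12]:443 ssl;
    http2 on;
    server_name 2fa.klaverstyn.com.au;
    access_log /var/log/nginx/access_2fa.log;
    error_log /var/log/nginx/error_2fa.log;

    ssl_certificate /etc/letsencrypt/live/2fa.klaverstyn.com.au/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/2fa.klaverstyn.com.au/privkey.pem;
    # No ssl_protocols / ssl_ciphers are set, so this nginx build's defaults
    # apply — TODO confirm with an external TLS scan that TLS 1.0/1.1 are off.

    # Short client timeouts limit slow-request resource exhaustion; the proxy
    # timeouts bound how long a request to the container may take.
    client_body_timeout 10s;
    client_header_timeout 10s;
    keepalive_timeout 15s;
    send_timeout 10s;
    proxy_connect_timeout 30s;
    proxy_read_timeout 60s;
    server_tokens off;
    client_max_body_size 50M;

    # Security headers. nginx quirk: these server-level add_header directives
    # apply inside `location /` only because that location declares no
    # add_header of its own — adding one there silently drops all of these.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Frame-Options "DENY" always;
    add_header X-Content-Type-Options "nosniff" always;
    # Legacy header: current browsers ignore it and OWASP now advises "0" or
    # omitting it; kept as the author had it.
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "no-referrer-when-downgrade" always;
    add_header Permissions-Policy "geolocation=(), camera=(), microphone=()" always;

    # Not a security boundary: User-Agent is client-chosen, so this only turns
    # away careless scanners. It will also block curl-based health checks or
    # monitoring aimed at this vhost.
    if ($http_user_agent ~* (HTTrack|wget|curl|nikto|sqlmap)) {
        return 403;
    }

    # === Main 2FAuth Proxy Pass Configuration (without external auth) ===
    location / {
        # Replace localhost:8001 with the address and port at which nginx reaches
        # the 2fauth container (the compose file publishes host 8001 -> 8000).
        # The backend is plain HTTP, so keep it on the loopback or a private network.
        proxy_pass http://localhost:8001;

        # Standard proxy headers. Host must be the public name so 2FAuth's
        # WEBAUTHN_ID matches; X-Forwarded-For is trusted by the app only when
        # the proxy's address is listed in its TRUSTED_PROXIES.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket proxying (leave as is if unsure, harmless); $connection_upgrade
        # comes from the map defined in the http {} block.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}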