internal: centralise config for listeners to use same config system everywhere (#3367)
* centralise config for listeners to use same config system everywhere Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> #3360 * add docs Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
parent
9a9c826c0b
commit
2ce8e18bab
|
@ -7,11 +7,10 @@ postgresql:
|
|||
port: 5432
|
||||
password: 'env://POSTGRES_PASSWORD'
|
||||
|
||||
web:
|
||||
listen: 0.0.0.0:9000
|
||||
listen_tls: 0.0.0.0:9443
|
||||
listen:
|
||||
listen_http: 0.0.0.0:9000
|
||||
listen_https: 0.0.0.0:9443
|
||||
listen_metrics: 0.0.0.0:9300
|
||||
outpost_port_offset: 0
|
||||
|
||||
redis:
|
||||
host: localhost
|
||||
|
|
|
@ -4,7 +4,6 @@ import (
|
|||
"fmt"
|
||||
"net/url"
|
||||
"os"
|
||||
"strconv"
|
||||
|
||||
log "github.com/sirupsen/logrus"
|
||||
|
||||
|
@ -22,8 +21,7 @@ Required environment variables:
|
|||
- AUTHENTIK_INSECURE: Skip SSL Certificate verification
|
||||
|
||||
Optionally, you can set these:
|
||||
- AUTHENTIK_HOST_BROWSER: URL to use in the browser, when it differs from AUTHENTIK_HOST
|
||||
- AUTHENTIK_PORT_OFFSET: Offset to add to the listening ports, i.e. value of 100 makes proxy listen on 9100`
|
||||
- AUTHENTIK_HOST_BROWSER: URL to use in the browser, when it differs from AUTHENTIK_HOST`
|
||||
|
||||
func main() {
|
||||
log.SetLevel(log.DebugLevel)
|
||||
|
@ -47,15 +45,6 @@ func main() {
|
|||
fmt.Println(helpMessage)
|
||||
os.Exit(1)
|
||||
}
|
||||
portOffset := 0
|
||||
portOffsetS := os.Getenv("AUTHENTIK_PORT_OFFSET")
|
||||
if portOffsetS != "" {
|
||||
v, err := strconv.Atoi(portOffsetS)
|
||||
if err != nil {
|
||||
fmt.Println(err.Error())
|
||||
}
|
||||
portOffset = v
|
||||
}
|
||||
|
||||
akURLActual, err := url.Parse(akURL)
|
||||
if err != nil {
|
||||
|
@ -72,7 +61,7 @@ func main() {
|
|||
os.Exit(1)
|
||||
}
|
||||
|
||||
ac.Server = proxyv2.NewProxyServer(ac, portOffset)
|
||||
ac.Server = proxyv2.NewProxyServer(ac)
|
||||
|
||||
err = ac.Start()
|
||||
if err != nil {
|
||||
|
|
|
@ -61,7 +61,7 @@ func main() {
|
|||
g := gounicorn.NewGoUnicorn()
|
||||
ws := web.NewWebServer(g)
|
||||
g.HealthyCallback = func() {
|
||||
if !config.Get().Web.DisableEmbeddedOutpost {
|
||||
if !config.Get().DisableEmbeddedOutpost {
|
||||
go attemptProxyStart(ws, u)
|
||||
}
|
||||
}
|
||||
|
@ -110,7 +110,7 @@ func attemptProxyStart(ws *web.WebServer, u *url.URL) {
|
|||
tw.Check()
|
||||
})
|
||||
|
||||
srv := proxyv2.NewProxyServer(ac, 0)
|
||||
srv := proxyv2.NewProxyServer(ac)
|
||||
ws.ProxyServer = srv
|
||||
ac.Server = srv
|
||||
l.Debug("attempting to start outpost")
|
||||
|
|
|
@ -19,6 +19,7 @@ var cfg *Config
|
|||
func Get() *Config {
|
||||
if cfg == nil {
|
||||
cfg = defaultConfig()
|
||||
cfg.Setup()
|
||||
}
|
||||
return cfg
|
||||
}
|
||||
|
@ -26,9 +27,11 @@ func Get() *Config {
|
|||
func defaultConfig() *Config {
|
||||
return &Config{
|
||||
Debug: false,
|
||||
Web: WebConfig{
|
||||
Listen: "localhost:9000",
|
||||
ListenTLS: "localhost:9443",
|
||||
Listen: ListenConfig{
|
||||
HTTP: "localhost:9000",
|
||||
HTTPS: "localhost:9443",
|
||||
LDAP: "localhost:3389",
|
||||
LDAPS: "localhost:6636",
|
||||
},
|
||||
Paths: PathsConfig{
|
||||
Media: "./media",
|
||||
|
|
|
@ -3,11 +3,12 @@ package config
|
|||
type Config struct {
|
||||
Debug bool `yaml:"debug" env:"AUTHENTIK_DEBUG"`
|
||||
SecretKey string `yaml:"secret_key" env:"AUTHENTIK_SECRET_KEY"`
|
||||
Web WebConfig `yaml:"web"`
|
||||
Listen ListenConfig `yaml:"listen"`
|
||||
Paths PathsConfig `yaml:"paths"`
|
||||
LogLevel string `yaml:"log_level" env:"AUTHENTIK_LOG_LEVEL"`
|
||||
ErrorReporting ErrorReportingConfig `yaml:"error_reporting"`
|
||||
Redis RedisConfig `yaml:"redis"`
|
||||
DisableEmbeddedOutpost bool `yaml:"disable_embedded_outpost" env:"AUTHENTIK_WEB__DISABLE_EMBEDDED_OUTPOST"`
|
||||
}
|
||||
|
||||
type RedisConfig struct {
|
||||
|
@ -26,11 +27,13 @@ type RedisConfig struct {
|
|||
CacheTimeoutReputation int `yaml:"cache_timeout_reputation" env:"AUTHENTIK_REDIS__CACHE_TIMEOUT_REPUTATION"`
|
||||
}
|
||||
|
||||
type WebConfig struct {
|
||||
Listen string `yaml:"listen"`
|
||||
ListenTLS string `yaml:"listen_tls"`
|
||||
ListenMetrics string `yaml:"listen_metrics"`
|
||||
DisableEmbeddedOutpost bool `yaml:"disable_embedded_outpost" env:"AUTHENTIK_WEB__DISABLE_EMBEDDED_OUTPOST"`
|
||||
type ListenConfig struct {
|
||||
HTTP string `yaml:"listen_http" env:"AUTHENTIK_LISTEN__HTTP"`
|
||||
HTTPS string `yaml:"listen_https" env:"AUTHENTIK_LISTEN__HTTPS"`
|
||||
LDAP string `yaml:"listen_ldap" env:"AUTHENTIK_LISTEN__LDAP,default=0.0.0.0:3389"`
|
||||
LDAPS string `yaml:"listen_ldaps" env:"AUTHENTIK_LISTEN__LDAPS,default=0.0.0.0:6636"`
|
||||
Metrics string `yaml:"listen_metrics" env:"AUTHENTIK_LISTEN__METRICS,default=0.0.0.0:9300"`
|
||||
Debug string `yaml:"listen_debug" env:"AUTHENTIK_LISTEN__DEBUG,default=0.0.0.0:9900"`
|
||||
}
|
||||
|
||||
type PathsConfig struct {
|
||||
|
|
|
@ -7,6 +7,7 @@ import (
|
|||
"strings"
|
||||
|
||||
log "github.com/sirupsen/logrus"
|
||||
"goauthentik.io/internal/config"
|
||||
)
|
||||
|
||||
func EnableDebugServer() {
|
||||
|
@ -21,5 +22,5 @@ func EnableDebugServer() {
|
|||
h.HandleFunc("/debug/pprof/profile", pprof.Profile)
|
||||
h.HandleFunc("/debug/pprof/symbol", pprof.Symbol)
|
||||
h.HandleFunc("/debug/pprof/trace", pprof.Trace)
|
||||
l.Println(http.ListenAndServe("0.0.0.0:9900", nil))
|
||||
l.Println(http.ListenAndServe(config.Get().Listen.Debug, nil))
|
||||
}
|
||||
|
|
|
@ -7,6 +7,7 @@ import (
|
|||
|
||||
"github.com/pires/go-proxyproto"
|
||||
log "github.com/sirupsen/logrus"
|
||||
"goauthentik.io/internal/config"
|
||||
"goauthentik.io/internal/crypto"
|
||||
"goauthentik.io/internal/outpost/ak"
|
||||
"goauthentik.io/internal/outpost/ldap/metrics"
|
||||
|
@ -48,7 +49,7 @@ func (ls *LDAPServer) Type() string {
|
|||
}
|
||||
|
||||
func (ls *LDAPServer) StartLDAPServer() error {
|
||||
listen := "0.0.0.0:3389"
|
||||
listen := config.Get().Listen.LDAP
|
||||
|
||||
ln, err := net.Listen("tcp", listen)
|
||||
if err != nil {
|
||||
|
|
|
@ -5,6 +5,7 @@ import (
|
|||
"net"
|
||||
|
||||
"github.com/pires/go-proxyproto"
|
||||
"goauthentik.io/internal/config"
|
||||
)
|
||||
|
||||
func (ls *LDAPServer) getCertificates(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
|
||||
|
@ -28,7 +29,7 @@ func (ls *LDAPServer) getCertificates(info *tls.ClientHelloInfo) (*tls.Certifica
|
|||
}
|
||||
|
||||
func (ls *LDAPServer) StartLDAPTLSServer() error {
|
||||
listen := "0.0.0.0:6636"
|
||||
listen := config.Get().Listen.LDAPS
|
||||
tlsConfig := &tls.Config{
|
||||
MinVersion: tls.VersionTLS12,
|
||||
MaxVersion: tls.VersionTLS12,
|
||||
|
|
|
@ -4,6 +4,7 @@ import (
|
|||
"net/http"
|
||||
|
||||
log "github.com/sirupsen/logrus"
|
||||
"goauthentik.io/internal/config"
|
||||
"goauthentik.io/internal/utils/sentry"
|
||||
|
||||
"github.com/gorilla/mux"
|
||||
|
@ -31,7 +32,7 @@ func RunServer() {
|
|||
rw.WriteHeader(204)
|
||||
})
|
||||
m.Path("/metrics").Handler(promhttp.Handler())
|
||||
listen := "0.0.0.0:9300"
|
||||
listen := config.Get().Listen.Metrics
|
||||
l.WithField("listen", listen).Info("Starting Metrics server")
|
||||
err := http.ListenAndServe(listen, m)
|
||||
if err != nil {
|
||||
|
|
|
@ -4,6 +4,7 @@ import (
|
|||
"net/http"
|
||||
|
||||
log "github.com/sirupsen/logrus"
|
||||
"goauthentik.io/internal/config"
|
||||
"goauthentik.io/internal/utils/sentry"
|
||||
|
||||
"github.com/gorilla/mux"
|
||||
|
@ -31,7 +32,7 @@ func RunServer() {
|
|||
rw.WriteHeader(204)
|
||||
})
|
||||
m.Path("/metrics").Handler(promhttp.Handler())
|
||||
listen := "0.0.0.0:9300"
|
||||
listen := config.Get().Listen.Metrics
|
||||
l.WithField("listen", listen).Info("Starting Metrics server")
|
||||
err := http.ListenAndServe(listen, m)
|
||||
if err != nil {
|
||||
|
|
|
@ -4,7 +4,6 @@ import (
|
|||
"context"
|
||||
"crypto/tls"
|
||||
"errors"
|
||||
"fmt"
|
||||
"net"
|
||||
"net/http"
|
||||
"sync"
|
||||
|
@ -14,6 +13,7 @@ import (
|
|||
"github.com/pires/go-proxyproto"
|
||||
log "github.com/sirupsen/logrus"
|
||||
"goauthentik.io/api/v3"
|
||||
"goauthentik.io/internal/config"
|
||||
"goauthentik.io/internal/crypto"
|
||||
"goauthentik.io/internal/outpost/ak"
|
||||
"goauthentik.io/internal/outpost/proxyv2/application"
|
||||
|
@ -23,9 +23,6 @@ import (
|
|||
)
|
||||
|
||||
type ProxyServer struct {
|
||||
Listen string
|
||||
PortOffset int
|
||||
|
||||
defaultCert tls.Certificate
|
||||
stop chan struct{} // channel for waiting shutdown
|
||||
|
||||
|
@ -36,7 +33,7 @@ type ProxyServer struct {
|
|||
akAPI *ak.APIController
|
||||
}
|
||||
|
||||
func NewProxyServer(ac *ak.APIController, portOffset int) *ProxyServer {
|
||||
func NewProxyServer(ac *ak.APIController) *ProxyServer {
|
||||
l := log.WithField("logger", "authentik.outpost.proxyv2")
|
||||
defaultCert, err := crypto.GenerateSelfSignedCert()
|
||||
if err != nil {
|
||||
|
@ -55,9 +52,6 @@ func NewProxyServer(ac *ak.APIController, portOffset int) *ProxyServer {
|
|||
globalMux.Use(web.NewLoggingHandler(l.WithField("logger", "authentik.outpost.proxyv2.http"), nil))
|
||||
globalMux.Use(sentryhttp.New(sentryhttp.Options{}).Handle)
|
||||
s := &ProxyServer{
|
||||
Listen: "0.0.0.0:%d",
|
||||
PortOffset: portOffset,
|
||||
|
||||
cryptoStore: ak.NewCryptoStore(ac.Client.CryptoApi),
|
||||
apps: make(map[string]*application.Application),
|
||||
log: l,
|
||||
|
@ -116,7 +110,7 @@ func (ps *ProxyServer) getCertificates(info *tls.ClientHelloInfo) (*tls.Certific
|
|||
|
||||
// ServeHTTP constructs a net.Listener and starts handling HTTP requests
|
||||
func (ps *ProxyServer) ServeHTTP() {
|
||||
listenAddress := fmt.Sprintf(ps.Listen, 9000+ps.PortOffset)
|
||||
listenAddress := config.Get().Listen.HTTP
|
||||
listener, err := net.Listen("tcp", listenAddress)
|
||||
if err != nil {
|
||||
ps.log.WithField("listen", listenAddress).WithError(err).Fatalf("listen failed")
|
||||
|
@ -131,7 +125,7 @@ func (ps *ProxyServer) ServeHTTP() {
|
|||
|
||||
// ServeHTTPS constructs a net.Listener and starts handling HTTPS requests
|
||||
func (ps *ProxyServer) ServeHTTPS() {
|
||||
listenAddress := fmt.Sprintf(ps.Listen, 9443+ps.PortOffset)
|
||||
listenAddress := config.Get().Listen.HTTPS
|
||||
config := &tls.Config{
|
||||
MinVersion: tls.VersionTLS12,
|
||||
MaxVersion: tls.VersionTLS12,
|
||||
|
|
|
@ -54,10 +54,10 @@ func RunMetricsServer() {
|
|||
return
|
||||
}
|
||||
})
|
||||
l.WithField("listen", config.Get().Web.ListenMetrics).Info("Starting Metrics server")
|
||||
err := http.ListenAndServe(config.Get().Web.ListenMetrics, m)
|
||||
l.WithField("listen", config.Get().Listen.Metrics).Info("Starting Metrics server")
|
||||
err := http.ListenAndServe(config.Get().Listen.Metrics, m)
|
||||
if err != nil {
|
||||
l.WithError(err).Warning("Failed to start metrics server")
|
||||
}
|
||||
l.WithField("listen", config.Get().Web.ListenMetrics).Info("Stopping Metrics server")
|
||||
l.WithField("listen", config.Get().Listen.Metrics).Info("Stopping Metrics server")
|
||||
}
|
||||
|
|
|
@ -41,7 +41,7 @@ func (ws *WebServer) listenTLS() {
|
|||
GetCertificate: ws.GetCertificate(),
|
||||
}
|
||||
|
||||
ln, err := net.Listen("tcp", config.Get().Web.ListenTLS)
|
||||
ln, err := net.Listen("tcp", config.Get().Listen.HTTPS)
|
||||
if err != nil {
|
||||
ws.log.WithError(err).Fatalf("failed to listen (TLS)")
|
||||
return
|
||||
|
@ -50,7 +50,7 @@ func (ws *WebServer) listenTLS() {
|
|||
defer proxyListener.Close()
|
||||
|
||||
tlsListener := tls.NewListener(proxyListener, tlsConfig)
|
||||
ws.log.WithField("listen", config.Get().Web.ListenTLS).Info("Starting HTTPS server")
|
||||
ws.log.WithField("listen", config.Get().Listen.HTTPS).Info("Starting HTTPS server")
|
||||
ws.serve(tlsListener)
|
||||
ws.log.WithField("listen", config.Get().Web.ListenTLS).Info("Stopping HTTPS server")
|
||||
ws.log.WithField("listen", config.Get().Listen.HTTPS).Info("Stopping HTTPS server")
|
||||
}
|
||||
|
|
|
@ -68,16 +68,16 @@ func (ws *WebServer) Shutdown() {
|
|||
}
|
||||
|
||||
func (ws *WebServer) listenPlain() {
|
||||
ln, err := net.Listen("tcp", config.Get().Web.Listen)
|
||||
ln, err := net.Listen("tcp", config.Get().Listen.HTTP)
|
||||
if err != nil {
|
||||
ws.log.WithError(err).Fatal("failed to listen")
|
||||
}
|
||||
proxyListener := &proxyproto.Listener{Listener: ln}
|
||||
defer proxyListener.Close()
|
||||
|
||||
ws.log.WithField("listen", config.Get().Web.Listen).Info("Starting HTTP server")
|
||||
ws.log.WithField("listen", config.Get().Listen.HTTP).Info("Starting HTTP server")
|
||||
ws.serve(proxyListener)
|
||||
ws.log.WithField("listen", config.Get().Web.Listen).Info("Stopping HTTP server")
|
||||
ws.log.WithField("listen", config.Get().Listen.HTTP).Info("Stopping HTTP server")
|
||||
}
|
||||
|
||||
func (ws *WebServer) serve(listener net.Listener) {
|
||||
|
|
|
@ -37,6 +37,15 @@ All of these variables can be set to values, but you can also use a URI-like for
|
|||
- `AUTHENTIK_REDIS__CACHE_TIMEOUT_POLICIES`: Timeout for cached policies until they expire in seconds, defaults to 300
|
||||
- `AUTHENTIK_REDIS__CACHE_TIMEOUT_REPUTATION`: Timeout for cached reputation until they expire in seconds, defaults to 300
|
||||
|
||||
## Listen Setting
|
||||
|
||||
- `AUTHENTIK_LISTEN__HTTP`: Listening port for HTTP (Server and Proxy outpost)
|
||||
- `AUTHENTIK_LISTEN__HTTPS`: Listening port for HTTPS (Server and Proxy outpost)
|
||||
- `AUTHENTIK_LISTEN__LDAP`: Listening port for LDAP (LDAP outpost)
|
||||
- `AUTHENTIK_LISTEN__LDAPS`: Listening port for LDAPS (LDAP outpost)
|
||||
- `AUTHENTIK_LISTEN__METRICS`: Listening port for Prometheus metrics (All)
|
||||
- `AUTHENTIK_LISTEN__DEBUG`: Listening port for Go Debugging metrics (All)
|
||||
|
||||
## authentik Settings
|
||||
|
||||
### `AUTHENTIK_SECRET_KEY`
|
||||
|
|
Reference in New Issue