internal: centralise config for listeners to use same config system everywhere (#3367)

* centralise config for listeners to use same config system everywhere

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

#3360

* add docs

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

authentik/lib/default.yml

@@ -7,11 +7,10 @@ postgresql:
   port: 5432
   password: 'env://POSTGRES_PASSWORD'
 
-web:
-  listen: 0.0.0.0:9000
-  listen_tls: 0.0.0.0:9443
+listen:
+  listen_http: 0.0.0.0:9000
+  listen_https: 0.0.0.0:9443
   listen_metrics: 0.0.0.0:9300
-  outpost_port_offset: 0
 
 redis:
   host: localhost

cmd/proxy/server.go

@@ -4,7 +4,6 @@ import (
 	"fmt"
 	"net/url"
 	"os"
-	"strconv"
 
 	log "github.com/sirupsen/logrus"
 
@@ -22,8 +21,7 @@ Required environment variables:
 - AUTHENTIK_INSECURE: Skip SSL Certificate verification
 
 Optionally, you can set these:
-- AUTHENTIK_HOST_BROWSER: URL to use in the browser, when it differs from AUTHENTIK_HOST
-- AUTHENTIK_PORT_OFFSET: Offset to add to the listening ports, i.e. value of 100 makes proxy listen on 9100`
+- AUTHENTIK_HOST_BROWSER: URL to use in the browser, when it differs from AUTHENTIK_HOST`
 
 func main() {
 	log.SetLevel(log.DebugLevel)
@@ -47,15 +45,6 @@ func main() {
 		fmt.Println(helpMessage)
 		os.Exit(1)
 	}
-	portOffset := 0
-	portOffsetS := os.Getenv("AUTHENTIK_PORT_OFFSET")
-	if portOffsetS != "" {
-		v, err := strconv.Atoi(portOffsetS)
-		if err != nil {
-			fmt.Println(err.Error())
-		}
-		portOffset = v
-	}
 
 	akURLActual, err := url.Parse(akURL)
 	if err != nil {
@@ -72,7 +61,7 @@ func main() {
 		os.Exit(1)
 	}
 
-	ac.Server = proxyv2.NewProxyServer(ac, portOffset)
+	ac.Server = proxyv2.NewProxyServer(ac)
 
 	err = ac.Start()
 	if err != nil {

cmd/server/main.go

@@ -61,7 +61,7 @@ func main() {
 	g := gounicorn.NewGoUnicorn()
 	ws := web.NewWebServer(g)
 	g.HealthyCallback = func() {
-		if !config.Get().Web.DisableEmbeddedOutpost {
+		if !config.Get().DisableEmbeddedOutpost {
 			go attemptProxyStart(ws, u)
 		}
 	}
@@ -110,7 +110,7 @@ func attemptProxyStart(ws *web.WebServer, u *url.URL) {
 			tw.Check()
 		})
 
-		srv := proxyv2.NewProxyServer(ac, 0)
+		srv := proxyv2.NewProxyServer(ac)
 		ws.ProxyServer = srv
 		ac.Server = srv
 		l.Debug("attempting to start outpost")

internal/config/config.go

@@ -19,6 +19,7 @@ var cfg *Config
 func Get() *Config {
 	if cfg == nil {
 		cfg = defaultConfig()
+		cfg.Setup()
 	}
 	return cfg
 }
@@ -26,9 +27,11 @@ func Get() *Config {
 func defaultConfig() *Config {
 	return &Config{
 		Debug: false,
-		Web: WebConfig{
-			Listen:    "localhost:9000",
-			ListenTLS: "localhost:9443",
+		Listen: ListenConfig{
+			HTTP:  "localhost:9000",
+			HTTPS: "localhost:9443",
+			LDAP:  "localhost:3389",
+			LDAPS: "localhost:6636",
 		},
 		Paths: PathsConfig{
 			Media: "./media",

internal/config/struct.go

@@ -3,11 +3,12 @@ package config
 type Config struct {
 	Debug                  bool                 `yaml:"debug" env:"AUTHENTIK_DEBUG"`
 	SecretKey              string               `yaml:"secret_key" env:"AUTHENTIK_SECRET_KEY"`
-	Web            WebConfig            `yaml:"web"`
+	Listen                 ListenConfig         `yaml:"listen"`
 	Paths                  PathsConfig          `yaml:"paths"`
 	LogLevel               string               `yaml:"log_level" env:"AUTHENTIK_LOG_LEVEL"`
 	ErrorReporting         ErrorReportingConfig `yaml:"error_reporting"`
 	Redis                  RedisConfig          `yaml:"redis"`
+	DisableEmbeddedOutpost bool                 `yaml:"disable_embedded_outpost" env:"AUTHENTIK_WEB__DISABLE_EMBEDDED_OUTPOST"`
 }
 
 type RedisConfig struct {
@@ -26,11 +27,13 @@ type RedisConfig struct {
 	CacheTimeoutReputation int    `yaml:"cache_timeout_reputation" env:"AUTHENTIK_REDIS__CACHE_TIMEOUT_REPUTATION"`
 }
 
-type WebConfig struct {
-	Listen                 string `yaml:"listen"`
-	ListenTLS              string `yaml:"listen_tls"`
-	ListenMetrics          string `yaml:"listen_metrics"`
-	DisableEmbeddedOutpost bool   `yaml:"disable_embedded_outpost" env:"AUTHENTIK_WEB__DISABLE_EMBEDDED_OUTPOST"`
+type ListenConfig struct {
+	HTTP    string `yaml:"listen_http" env:"AUTHENTIK_LISTEN__HTTP"`
+	HTTPS   string `yaml:"listen_https" env:"AUTHENTIK_LISTEN__HTTPS"`
+	LDAP    string `yaml:"listen_ldap" env:"AUTHENTIK_LISTEN__LDAP,default=0.0.0.0:3389"`
+	LDAPS   string `yaml:"listen_ldaps" env:"AUTHENTIK_LISTEN__LDAPS,default=0.0.0.0:6636"`
+	Metrics string `yaml:"listen_metrics" env:"AUTHENTIK_LISTEN__METRICS,default=0.0.0.0:9300"`
+	Debug   string `yaml:"listen_debug" env:"AUTHENTIK_LISTEN__DEBUG,default=0.0.0.0:9900"`
 }
 
 type PathsConfig struct {

internal/debug/debug.go

@@ -7,6 +7,7 @@ import (
 	"strings"
 
 	log "github.com/sirupsen/logrus"
+	"goauthentik.io/internal/config"
 )
 
 func EnableDebugServer() {
@@ -21,5 +22,5 @@ func EnableDebugServer() {
 	h.HandleFunc("/debug/pprof/profile", pprof.Profile)
 	h.HandleFunc("/debug/pprof/symbol", pprof.Symbol)
 	h.HandleFunc("/debug/pprof/trace", pprof.Trace)
-	l.Println(http.ListenAndServe("0.0.0.0:9900", nil))
+	l.Println(http.ListenAndServe(config.Get().Listen.Debug, nil))
 }

internal/outpost/ldap/ldap.go

@@ -7,6 +7,7 @@ import (
 
 	"github.com/pires/go-proxyproto"
 	log "github.com/sirupsen/logrus"
+	"goauthentik.io/internal/config"
 	"goauthentik.io/internal/crypto"
 	"goauthentik.io/internal/outpost/ak"
 	"goauthentik.io/internal/outpost/ldap/metrics"
@@ -48,7 +49,7 @@ func (ls *LDAPServer) Type() string {
 }
 
 func (ls *LDAPServer) StartLDAPServer() error {
-	listen := "0.0.0.0:3389"
+	listen := config.Get().Listen.LDAP
 
 	ln, err := net.Listen("tcp", listen)
 	if err != nil {

internal/outpost/ldap/ldap_tls.go

@@ -5,6 +5,7 @@ import (
 	"net"
 
 	"github.com/pires/go-proxyproto"
+	"goauthentik.io/internal/config"
 )
 
 func (ls *LDAPServer) getCertificates(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
@@ -28,7 +29,7 @@ func (ls *LDAPServer) getCertificates(info *tls.ClientHelloInfo) (*tls.Certifica
 }
 
 func (ls *LDAPServer) StartLDAPTLSServer() error {
-	listen := "0.0.0.0:6636"
+	listen := config.Get().Listen.LDAPS
 	tlsConfig := &tls.Config{
 		MinVersion:     tls.VersionTLS12,
 		MaxVersion:     tls.VersionTLS12,

internal/outpost/ldap/metrics/metrics.go

@@ -4,6 +4,7 @@ import (
 	"net/http"
 
 	log "github.com/sirupsen/logrus"
+	"goauthentik.io/internal/config"
 	"goauthentik.io/internal/utils/sentry"
 
 	"github.com/gorilla/mux"
@@ -31,7 +32,7 @@ func RunServer() {
 		rw.WriteHeader(204)
 	})
 	m.Path("/metrics").Handler(promhttp.Handler())
-	listen := "0.0.0.0:9300"
+	listen := config.Get().Listen.Metrics
 	l.WithField("listen", listen).Info("Starting Metrics server")
 	err := http.ListenAndServe(listen, m)
 	if err != nil {

internal/outpost/proxyv2/metrics/metrics.go

@@ -4,6 +4,7 @@ import (
 	"net/http"
 
 	log "github.com/sirupsen/logrus"
+	"goauthentik.io/internal/config"
 	"goauthentik.io/internal/utils/sentry"
 
 	"github.com/gorilla/mux"
@@ -31,7 +32,7 @@ func RunServer() {
 		rw.WriteHeader(204)
 	})
 	m.Path("/metrics").Handler(promhttp.Handler())
-	listen := "0.0.0.0:9300"
+	listen := config.Get().Listen.Metrics
 	l.WithField("listen", listen).Info("Starting Metrics server")
 	err := http.ListenAndServe(listen, m)
 	if err != nil {

internal/outpost/proxyv2/proxyv2.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"crypto/tls"
 	"errors"
-	"fmt"
 	"net"
 	"net/http"
 	"sync"
@@ -14,6 +13,7 @@ import (
 	"github.com/pires/go-proxyproto"
 	log "github.com/sirupsen/logrus"
 	"goauthentik.io/api/v3"
+	"goauthentik.io/internal/config"
 	"goauthentik.io/internal/crypto"
 	"goauthentik.io/internal/outpost/ak"
 	"goauthentik.io/internal/outpost/proxyv2/application"
@@ -23,9 +23,6 @@ import (
 )
 
 type ProxyServer struct {
-	Listen     string
-	PortOffset int
-
 	defaultCert tls.Certificate
 	stop        chan struct{} // channel for waiting shutdown
 
@@ -36,7 +33,7 @@ type ProxyServer struct {
 	akAPI       *ak.APIController
 }
 
-func NewProxyServer(ac *ak.APIController, portOffset int) *ProxyServer {
+func NewProxyServer(ac *ak.APIController) *ProxyServer {
 	l := log.WithField("logger", "authentik.outpost.proxyv2")
 	defaultCert, err := crypto.GenerateSelfSignedCert()
 	if err != nil {
@@ -55,9 +52,6 @@ func NewProxyServer(ac *ak.APIController, portOffset int) *ProxyServer {
 	globalMux.Use(web.NewLoggingHandler(l.WithField("logger", "authentik.outpost.proxyv2.http"), nil))
 	globalMux.Use(sentryhttp.New(sentryhttp.Options{}).Handle)
 	s := &ProxyServer{
-		Listen:     "0.0.0.0:%d",
-		PortOffset: portOffset,
-
 		cryptoStore: ak.NewCryptoStore(ac.Client.CryptoApi),
 		apps:        make(map[string]*application.Application),
 		log:         l,
@@ -116,7 +110,7 @@ func (ps *ProxyServer) getCertificates(info *tls.ClientHelloInfo) (*tls.Certific
 
 // ServeHTTP constructs a net.Listener and starts handling HTTP requests
 func (ps *ProxyServer) ServeHTTP() {
-	listenAddress := fmt.Sprintf(ps.Listen, 9000+ps.PortOffset)
+	listenAddress := config.Get().Listen.HTTP
 	listener, err := net.Listen("tcp", listenAddress)
 	if err != nil {
 		ps.log.WithField("listen", listenAddress).WithError(err).Fatalf("listen failed")
@@ -131,7 +125,7 @@ func (ps *ProxyServer) ServeHTTP() {
 
 // ServeHTTPS constructs a net.Listener and starts handling HTTPS requests
 func (ps *ProxyServer) ServeHTTPS() {
-	listenAddress := fmt.Sprintf(ps.Listen, 9443+ps.PortOffset)
+	listenAddress := config.Get().Listen.HTTPS
 	config := &tls.Config{
 		MinVersion:     tls.VersionTLS12,
 		MaxVersion:     tls.VersionTLS12,

internal/web/metrics.go

@@ -54,10 +54,10 @@ func RunMetricsServer() {
 			return
 		}
 	})
-	l.WithField("listen", config.Get().Web.ListenMetrics).Info("Starting Metrics server")
-	err := http.ListenAndServe(config.Get().Web.ListenMetrics, m)
+	l.WithField("listen", config.Get().Listen.Metrics).Info("Starting Metrics server")
+	err := http.ListenAndServe(config.Get().Listen.Metrics, m)
 	if err != nil {
 		l.WithError(err).Warning("Failed to start metrics server")
 	}
-	l.WithField("listen", config.Get().Web.ListenMetrics).Info("Stopping Metrics server")
+	l.WithField("listen", config.Get().Listen.Metrics).Info("Stopping Metrics server")
 }

internal/web/tls.go

@@ -41,7 +41,7 @@ func (ws *WebServer) listenTLS() {
 		GetCertificate: ws.GetCertificate(),
 	}
 
-	ln, err := net.Listen("tcp", config.Get().Web.ListenTLS)
+	ln, err := net.Listen("tcp", config.Get().Listen.HTTPS)
 	if err != nil {
 		ws.log.WithError(err).Fatalf("failed to listen (TLS)")
 		return
@@ -50,7 +50,7 @@ func (ws *WebServer) listenTLS() {
 	defer proxyListener.Close()
 
 	tlsListener := tls.NewListener(proxyListener, tlsConfig)
-	ws.log.WithField("listen", config.Get().Web.ListenTLS).Info("Starting HTTPS server")
+	ws.log.WithField("listen", config.Get().Listen.HTTPS).Info("Starting HTTPS server")
 	ws.serve(tlsListener)
-	ws.log.WithField("listen", config.Get().Web.ListenTLS).Info("Stopping HTTPS server")
+	ws.log.WithField("listen", config.Get().Listen.HTTPS).Info("Stopping HTTPS server")
 }

internal/web/web.go

@@ -68,16 +68,16 @@ func (ws *WebServer) Shutdown() {
 }
 
 func (ws *WebServer) listenPlain() {
-	ln, err := net.Listen("tcp", config.Get().Web.Listen)
+	ln, err := net.Listen("tcp", config.Get().Listen.HTTP)
 	if err != nil {
 		ws.log.WithError(err).Fatal("failed to listen")
 	}
 	proxyListener := &proxyproto.Listener{Listener: ln}
 	defer proxyListener.Close()
 
-	ws.log.WithField("listen", config.Get().Web.Listen).Info("Starting HTTP server")
+	ws.log.WithField("listen", config.Get().Listen.HTTP).Info("Starting HTTP server")
 	ws.serve(proxyListener)
-	ws.log.WithField("listen", config.Get().Web.Listen).Info("Stopping HTTP server")
+	ws.log.WithField("listen", config.Get().Listen.HTTP).Info("Stopping HTTP server")
 }
 
 func (ws *WebServer) serve(listener net.Listener) {

website/docs/installation/configuration.md

@@ -37,6 +37,15 @@ All of these variables can be set to values, but you can also use a URI-like for
 -   `AUTHENTIK_REDIS__CACHE_TIMEOUT_POLICIES`: Timeout for cached policies until they expire in seconds, defaults to 300
 -   `AUTHENTIK_REDIS__CACHE_TIMEOUT_REPUTATION`: Timeout for cached reputation until they expire in seconds, defaults to 300
 
+## Listen Setting
+
+-   `AUTHENTIK_LISTEN__HTTP`: Listening port for HTTP (Server and Proxy outpost)
+-   `AUTHENTIK_LISTEN__HTTPS`: Listening port for HTTPS (Server and Proxy outpost)
+-   `AUTHENTIK_LISTEN__LDAP`: Listening port for LDAP (LDAP outpost)
+-   `AUTHENTIK_LISTEN__LDAPS`: Listening port for LDAPS (LDAP outpost)
+-   `AUTHENTIK_LISTEN__METRICS`: Listening port for Prometheus metrics (All)
+-   `AUTHENTIK_LISTEN__DEBUG`: Listening port for Go Debugging metrics (All)
+
 ## authentik Settings
 
 ### `AUTHENTIK_SECRET_KEY`