internal: centralise config for listeners to use same config system everywhere (#3367)

* centralise config for listeners to use same config system everywhere

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

#3360

* add docs

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
Jens L 2022-08-03 21:33:27 +02:00 committed by GitHub
parent 9a9c826c0b
commit 2ce8e18bab
15 changed files with 60 additions and 58 deletions


@ -7,11 +7,10 @@ postgresql:
port: 5432
password: 'env://POSTGRES_PASSWORD'
web:
listen: 0.0.0.0:9000
listen_tls: 0.0.0.0:9443
listen:
listen_http: 0.0.0.0:9000
listen_https: 0.0.0.0:9443
listen_metrics: 0.0.0.0:9300
outpost_port_offset: 0
redis:
host: localhost
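Review bot: Only three of the six new listen keys are pinned in this file; `listen_ldap`, `listen_ldaps` and `listen_debug` fall back to the Go-side defaults, which in this commit disagree between the struct tags (`0.0.0.0:...`) and `defaultConfig()` (`localhost:...`). Listing them explicitly removes that ambiguity and lets the pprof endpoint sit on loopback by default: `listen_ldap: 0.0.0.0:3389`, `listen_ldaps: 0.0.0.0:6636`, `listen_debug: 127.0.0.1:9900`. Whether the outpost containers load this file at all is not visible here, so the Go defaults still need to be right on their own.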


@ -4,7 +4,6 @@ import (
"fmt"
"net/url"
"os"
"strconv"
log "github.com/sirupsen/logrus"
@ -22,8 +21,7 @@ Required environment variables:
- AUTHENTIK_INSECURE: Skip SSL Certificate verification
Optionally, you can set these:
- AUTHENTIK_HOST_BROWSER: URL to use in the browser, when it differs from AUTHENTIK_HOST
- AUTHENTIK_PORT_OFFSET: Offset to add to the listening ports, i.e. value of 100 makes proxy listen on 9100`
- AUTHENTIK_HOST_BROWSER: URL to use in the browser, when it differs from AUTHENTIK_HOST`
func main() {
log.SetLevel(log.DebugLevel)
@ -47,15 +45,6 @@ func main() {
fmt.Println(helpMessage)
os.Exit(1)
}
portOffset := 0
portOffsetS := os.Getenv("AUTHENTIK_PORT_OFFSET")
if portOffsetS != "" {
v, err := strconv.Atoi(portOffsetS)
if err != nil {
fmt.Println(err.Error())
}
portOffset = v
}
akURLActual, err := url.Parse(akURL)
if err != nil {
@ -72,7 +61,7 @@ func main() {
os.Exit(1)
}
ac.Server = proxyv2.NewProxyServer(ac, portOffset)
ac.Server = proxyv2.NewProxyServer(ac)
err = ac.Start()
if err != nil {
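Review bot: The help text drops `AUTHENTIK_PORT_OFFSET` without naming its replacement, so an operator whose deployment still sets it gets the variable silently ignored and no pointer to the new knob. Add to the "Optionally" list something like `- AUTHENTIK_LISTEN__HTTP / AUTHENTIK_LISTEN__HTTPS: Address to listen on, e.g. 0.0.0.0:9100 (replaces AUTHENTIK_PORT_OFFSET)`. A one-release warning when `AUTHENTIK_PORT_OFFSET` is still present in the environment would make the migration visible in logs. `main` continues past the hunk.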


@ -61,7 +61,7 @@ func main() {
g := gounicorn.NewGoUnicorn()
ws := web.NewWebServer(g)
g.HealthyCallback = func() {
if !config.Get().Web.DisableEmbeddedOutpost {
if !config.Get().DisableEmbeddedOutpost {
go attemptProxyStart(ws, u)
}
}
@ -110,7 +110,7 @@ func attemptProxyStart(ws *web.WebServer, u *url.URL) {
tw.Check()
})
srv := proxyv2.NewProxyServer(ac, 0)
srv := proxyv2.NewProxyServer(ac)
ws.ProxyServer = srv
ac.Server = srv
l.Debug("attempting to start outpost")


@ -19,6 +19,7 @@ var cfg *Config
func Get() *Config {
if cfg == nil {
cfg = defaultConfig()
cfg.Setup()
}
return cfg
}
@ -26,9 +27,11 @@ func Get() *Config {
func defaultConfig() *Config {
return &Config{
Debug: false,
Web: WebConfig{
Listen: "localhost:9000",
ListenTLS: "localhost:9443",
Listen: ListenConfig{
HTTP: "localhost:9000",
HTTPS: "localhost:9443",
LDAP: "localhost:3389",
LDAPS: "localhost:6636",
},
Paths: PathsConfig{
Media: "./media",
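Review bot: `Get` lazily initialises the package-level `cfg` with an unsynchronised `if cfg == nil` check, and this commit now runs `Setup()` inside that window too, so two goroutines calling `Get()` at the same time can each build and set up a config and race on the assignment; the web, metrics and outpost servers in this commit all call `config.Get()` and are presumably started on separate goroutines, which would show up under `-race`. A `sync.Once` keeps the same interface and makes the init safe. What `Setup()` does on failure is not visible in the hunk; if it can fail, that error currently has nowhere to go either. `defaultConfig` continues past the hunk.
```go
var cfgOnce sync.Once

// Get returns the process-wide config, building and setting it up exactly once.
func Get() *Config {
	cfgOnce.Do(func() {
		cfg = defaultConfig()
		cfg.Setup()
	})
	return cfg
}
```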


@ -3,11 +3,12 @@ package config
type Config struct {
Debug bool `yaml:"debug" env:"AUTHENTIK_DEBUG"`
SecretKey string `yaml:"secret_key" env:"AUTHENTIK_SECRET_KEY"`
Web WebConfig `yaml:"web"`
Listen ListenConfig `yaml:"listen"`
Paths PathsConfig `yaml:"paths"`
LogLevel string `yaml:"log_level" env:"AUTHENTIK_LOG_LEVEL"`
ErrorReporting ErrorReportingConfig `yaml:"error_reporting"`
Redis RedisConfig `yaml:"redis"`
DisableEmbeddedOutpost bool `yaml:"disable_embedded_outpost" env:"AUTHENTIK_WEB__DISABLE_EMBEDDED_OUTPOST"`
}
type RedisConfig struct {
@ -26,11 +27,13 @@ type RedisConfig struct {
CacheTimeoutReputation int `yaml:"cache_timeout_reputation" env:"AUTHENTIK_REDIS__CACHE_TIMEOUT_REPUTATION"`
}
type WebConfig struct {
Listen string `yaml:"listen"`
ListenTLS string `yaml:"listen_tls"`
ListenMetrics string `yaml:"listen_metrics"`
DisableEmbeddedOutpost bool `yaml:"disable_embedded_outpost" env:"AUTHENTIK_WEB__DISABLE_EMBEDDED_OUTPOST"`
type ListenConfig struct {
HTTP string `yaml:"listen_http" env:"AUTHENTIK_LISTEN__HTTP"`
HTTPS string `yaml:"listen_https" env:"AUTHENTIK_LISTEN__HTTPS"`
LDAP string `yaml:"listen_ldap" env:"AUTHENTIK_LISTEN__LDAP,default=0.0.0.0:3389"`
LDAPS string `yaml:"listen_ldaps" env:"AUTHENTIK_LISTEN__LDAPS,default=0.0.0.0:6636"`
Metrics string `yaml:"listen_metrics" env:"AUTHENTIK_LISTEN__METRICS,default=0.0.0.0:9300"`
Debug string `yaml:"listen_debug" env:"AUTHENTIK_LISTEN__DEBUG,default=0.0.0.0:9900"`
}
type PathsConfig struct {
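Review bot: The `Debug` listener's tag default binds every interface (`default=0.0.0.0:9900`), and that address now feeds the pprof server, so heap dumps, goroutine stacks and CPU profiles become reachable from anything that can reach the host unless an operator overrides it; a loopback default is the safer choice: change the tag to `env:"AUTHENTIK_LISTEN__DEBUG,default=127.0.0.1:9900"`. Separately, `HTTP` and `HTTPS` carry no `default=` while the other four do, and the tag defaults (`0.0.0.0`) disagree with the `localhost` values `defaultConfig()` assigns for LDAP/LDAPS; which one wins depends on how `Setup()` applies tag defaults, which is not visible here, so keeping a single source of truth for these defaults would avoid surprises. `PathsConfig` continues past the hunk.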


@ -7,6 +7,7 @@ import (
"strings"
log "github.com/sirupsen/logrus"
"goauthentik.io/internal/config"
)
func EnableDebugServer() {
@ -21,5 +22,5 @@ func EnableDebugServer() {
h.HandleFunc("/debug/pprof/profile", pprof.Profile)
h.HandleFunc("/debug/pprof/symbol", pprof.Symbol)
h.HandleFunc("/debug/pprof/trace", pprof.Trace)
l.Println(http.ListenAndServe("0.0.0.0:9900", nil))
l.Println(http.ListenAndServe(config.Get().Listen.Debug, nil))
}


@ -7,6 +7,7 @@ import (
"github.com/pires/go-proxyproto"
log "github.com/sirupsen/logrus"
"goauthentik.io/internal/config"
"goauthentik.io/internal/crypto"
"goauthentik.io/internal/outpost/ak"
"goauthentik.io/internal/outpost/ldap/metrics"
@ -48,7 +49,7 @@ func (ls *LDAPServer) Type() string {
}
func (ls *LDAPServer) StartLDAPServer() error {
listen := "0.0.0.0:3389"
listen := config.Get().Listen.LDAP
ln, err := net.Listen("tcp", listen)
if err != nil {


@ -5,6 +5,7 @@ import (
"net"
"github.com/pires/go-proxyproto"
"goauthentik.io/internal/config"
)
func (ls *LDAPServer) getCertificates(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
@ -28,7 +29,7 @@ func (ls *LDAPServer) getCertificates(info *tls.ClientHelloInfo) (*tls.Certifica
}
func (ls *LDAPServer) StartLDAPTLSServer() error {
listen := "0.0.0.0:6636"
listen := config.Get().Listen.LDAPS
tlsConfig := &tls.Config{
MinVersion: tls.VersionTLS12,
MaxVersion: tls.VersionTLS12,


@ -4,6 +4,7 @@ import (
"net/http"
log "github.com/sirupsen/logrus"
"goauthentik.io/internal/config"
"goauthentik.io/internal/utils/sentry"
"github.com/gorilla/mux"
@ -31,7 +32,7 @@ func RunServer() {
rw.WriteHeader(204)
})
m.Path("/metrics").Handler(promhttp.Handler())
listen := "0.0.0.0:9300"
listen := config.Get().Listen.Metrics
l.WithField("listen", listen).Info("Starting Metrics server")
err := http.ListenAndServe(listen, m)
if err != nil {


@ -4,6 +4,7 @@ import (
"net/http"
log "github.com/sirupsen/logrus"
"goauthentik.io/internal/config"
"goauthentik.io/internal/utils/sentry"
"github.com/gorilla/mux"
@ -31,7 +32,7 @@ func RunServer() {
rw.WriteHeader(204)
})
m.Path("/metrics").Handler(promhttp.Handler())
listen := "0.0.0.0:9300"
listen := config.Get().Listen.Metrics
l.WithField("listen", listen).Info("Starting Metrics server")
err := http.ListenAndServe(listen, m)
if err != nil {


@ -4,7 +4,6 @@ import (
"context"
"crypto/tls"
"errors"
"fmt"
"net"
"net/http"
"sync"
@ -14,6 +13,7 @@ import (
"github.com/pires/go-proxyproto"
log "github.com/sirupsen/logrus"
"goauthentik.io/api/v3"
"goauthentik.io/internal/config"
"goauthentik.io/internal/crypto"
"goauthentik.io/internal/outpost/ak"
"goauthentik.io/internal/outpost/proxyv2/application"
@ -23,9 +23,6 @@ import (
)
type ProxyServer struct {
Listen string
PortOffset int
defaultCert tls.Certificate
stop chan struct{} // channel for waiting shutdown
@ -36,7 +33,7 @@ type ProxyServer struct {
akAPI *ak.APIController
}
func NewProxyServer(ac *ak.APIController, portOffset int) *ProxyServer {
func NewProxyServer(ac *ak.APIController) *ProxyServer {
l := log.WithField("logger", "authentik.outpost.proxyv2")
defaultCert, err := crypto.GenerateSelfSignedCert()
if err != nil {
@ -55,9 +52,6 @@ func NewProxyServer(ac *ak.APIController, portOffset int) *ProxyServer {
globalMux.Use(web.NewLoggingHandler(l.WithField("logger", "authentik.outpost.proxyv2.http"), nil))
globalMux.Use(sentryhttp.New(sentryhttp.Options{}).Handle)
s := &ProxyServer{
Listen: "0.0.0.0:%d",
PortOffset: portOffset,
cryptoStore: ak.NewCryptoStore(ac.Client.CryptoApi),
apps: make(map[string]*application.Application),
log: l,
@ -116,7 +110,7 @@ func (ps *ProxyServer) getCertificates(info *tls.ClientHelloInfo) (*tls.Certific
// ServeHTTP constructs a net.Listener and starts handling HTTP requests
func (ps *ProxyServer) ServeHTTP() {
listenAddress := fmt.Sprintf(ps.Listen, 9000+ps.PortOffset)
listenAddress := config.Get().Listen.HTTP
listener, err := net.Listen("tcp", listenAddress)
if err != nil {
ps.log.WithField("listen", listenAddress).WithError(err).Fatalf("listen failed")
@ -131,7 +125,7 @@ func (ps *ProxyServer) ServeHTTP() {
// ServeHTTPS constructs a net.Listener and starts handling HTTPS requests
func (ps *ProxyServer) ServeHTTPS() {
listenAddress := fmt.Sprintf(ps.Listen, 9443+ps.PortOffset)
listenAddress := config.Get().Listen.HTTPS
config := &tls.Config{
MinVersion: tls.VersionTLS12,
MaxVersion: tls.VersionTLS12,
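Review bot: In `ServeHTTPS` the local `config := &tls.Config{` on the line after `listenAddress := config.Get().Listen.HTTPS` shadows the newly imported `config` package for the rest of the function; it compiles only because the package is used before the shadow, and any later `config.Get()` in that body would silently resolve to the TLS config. Rename the local, e.g. `tlsConfig := &tls.Config{`, and update its uses below (the function continues past the hunk). Also worth confirming: `HTTP`/`HTTPS` have no env default and `defaultConfig()` sets them to `localhost:9000`/`localhost:9443`, whereas the removed code bound `0.0.0.0:%d`, so a standalone proxy outpost running without a yaml file and without `AUTHENTIK_LISTEN__HTTP` set would presumably bind loopback only and be unreachable from outside its container.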


@ -54,10 +54,10 @@ func RunMetricsServer() {
return
}
})
l.WithField("listen", config.Get().Web.ListenMetrics).Info("Starting Metrics server")
err := http.ListenAndServe(config.Get().Web.ListenMetrics, m)
l.WithField("listen", config.Get().Listen.Metrics).Info("Starting Metrics server")
err := http.ListenAndServe(config.Get().Listen.Metrics, m)
if err != nil {
l.WithError(err).Warning("Failed to start metrics server")
}
l.WithField("listen", config.Get().Web.ListenMetrics).Info("Stopping Metrics server")
l.WithField("listen", config.Get().Listen.Metrics).Info("Stopping Metrics server")
}


@ -41,7 +41,7 @@ func (ws *WebServer) listenTLS() {
GetCertificate: ws.GetCertificate(),
}
ln, err := net.Listen("tcp", config.Get().Web.ListenTLS)
ln, err := net.Listen("tcp", config.Get().Listen.HTTPS)
if err != nil {
ws.log.WithError(err).Fatalf("failed to listen (TLS)")
return
@ -50,7 +50,7 @@ func (ws *WebServer) listenTLS() {
defer proxyListener.Close()
tlsListener := tls.NewListener(proxyListener, tlsConfig)
ws.log.WithField("listen", config.Get().Web.ListenTLS).Info("Starting HTTPS server")
ws.log.WithField("listen", config.Get().Listen.HTTPS).Info("Starting HTTPS server")
ws.serve(tlsListener)
ws.log.WithField("listen", config.Get().Web.ListenTLS).Info("Stopping HTTPS server")
ws.log.WithField("listen", config.Get().Listen.HTTPS).Info("Stopping HTTPS server")
}


@ -68,16 +68,16 @@ func (ws *WebServer) Shutdown() {
}
func (ws *WebServer) listenPlain() {
ln, err := net.Listen("tcp", config.Get().Web.Listen)
ln, err := net.Listen("tcp", config.Get().Listen.HTTP)
if err != nil {
ws.log.WithError(err).Fatal("failed to listen")
}
proxyListener := &proxyproto.Listener{Listener: ln}
defer proxyListener.Close()
ws.log.WithField("listen", config.Get().Web.Listen).Info("Starting HTTP server")
ws.log.WithField("listen", config.Get().Listen.HTTP).Info("Starting HTTP server")
ws.serve(proxyListener)
ws.log.WithField("listen", config.Get().Web.Listen).Info("Stopping HTTP server")
ws.log.WithField("listen", config.Get().Listen.HTTP).Info("Stopping HTTP server")
}
func (ws *WebServer) serve(listener net.Listener) {


@ -37,6 +37,15 @@ All of these variables can be set to values, but you can also use a URI-like for
- `AUTHENTIK_REDIS__CACHE_TIMEOUT_POLICIES`: Timeout for cached policies until they expire in seconds, defaults to 300
- `AUTHENTIK_REDIS__CACHE_TIMEOUT_REPUTATION`: Timeout for cached reputation until they expire in seconds, defaults to 300
## Listen Setting
- `AUTHENTIK_LISTEN__HTTP`: Listening port for HTTP (Server and Proxy outpost)
- `AUTHENTIK_LISTEN__HTTPS`: Listening port for HTTPS (Server and Proxy outpost)
- `AUTHENTIK_LISTEN__LDAP`: Listening port for LDAP (LDAP outpost)
- `AUTHENTIK_LISTEN__LDAPS`: Listening port for LDAPS (LDAP outpost)
- `AUTHENTIK_LISTEN__METRICS`: Listening port for Prometheus metrics (All)
- `AUTHENTIK_LISTEN__DEBUG`: Listening port for Go Debugging metrics (All)
## authentik Settings
### `AUTHENTIK_SECRET_KEY`