From 4c3a9e69f21db3f0dda9c78b01da97ad975626bf Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Thu, 9 Sep 2021 10:23:46 +0200
Subject: [PATCH] outposts/proxy: fix securecookie: no codecs provided error with redis
Signed-off-by: Jens Langhammer
---
 cmd/proxy/server.go | 15 +++++++++++++--
 cmd/server/main.go | 2 +-
 internal/config/struct.go | 1 -
 internal/outpost/proxyv2/application/session.go | 5 ++++-
 internal/outpost/proxyv2/proxyv2.go | 5 ++---
 5 files changed, 20 insertions(+), 8 deletions(-)
diff --git a/cmd/proxy/server.go b/cmd/proxy/server.go
index 97c4c1147..a39e85630 100644
--- a/cmd/proxy/server.go
+++ b/cmd/proxy/server.go
@@ -4,6 +4,7 @@ import (
 "fmt"
 "net/url"
 "os"
+ "strconv"
 log "github.com/sirupsen/logrus"
@@ -20,7 +21,8 @@ Required environment variables:
 - AUTHENTIK_INSECURE: Skip SSL Certificate verification
 Optionally, you can set these:
-- AUTHENTIK_HOST_BROWSER: URL to use in the browser, when it differs from AUTHENTIK_HOST`
+- AUTHENTIK_HOST_BROWSER: URL to use in the browser, when it differs from AUTHENTIK_HOST
+- AUTHENTIK_PORT_OFFSET: Offset to add to the listening ports, i.e. value of 100 makes proxy listen on 9100`
 func main() {
 log.SetLevel(log.DebugLevel)
@@ -36,6 +38,15 @@ func main() {
 fmt.Println(helpMessage)
 os.Exit(1)
 }
+ portOffset := 0
+ portOffsetS := os.Getenv("AUTHENTIK_PORT_OFFSET")
+ if portOffsetS != "" {
+ v, err := strconv.Atoi(portOffsetS)
+ if err != nil {
+ fmt.Println(err.Error())
+ }
+ portOffset = v
+ }
 akURLActual, err := url.Parse(akURL)
 if err != nil {
@@ -49,7 +60,7 @@ func main() {
 ac := ak.NewAPIController(*akURLActual, akToken)
- ac.Server = proxyv2.NewProxyServer(ac)
+ ac.Server = proxyv2.NewProxyServer(ac, portOffset)
 err = ac.Start()
 if err != nil {
diff --git a/cmd/server/main.go b/cmd/server/main.go
index aad8c7f47..c278598bc 100644
--- a/cmd/server/main.go
+++ b/cmd/server/main.go
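Review bot: In the `@@ -36,6 +38,15 @@` hunk of cmd/proxy/server.go, a malformed AUTHENTIK_PORT_OFFSET is printed and then ignored: `portOffset = v` still runs with whatever `strconv.Atoi` returned alongside the error (0 for a syntax error), so the proxy comes up on ports the operator did not ask for. The error branch should stop startup the way the missing-variable branch just above it does, i.e. `fmt.Println(err.Error())` followed by `os.Exit(1)`. The parsed value is also never range-checked before it reaches `proxyv2.NewProxyServer(ac, portOffset)` in the `@@ -49,7 +60,7 @@` hunk; rejecting negative values and offsets that push the listening ports past 65535 here would give a clear configuration error instead of a late bind failure. The body of main continues outside both hunks.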
@@ -99,7 +99,7 @@ func attemptProxyStart(ws *web.WebServer, u *url.URL) {
 }
 continue
 }
- srv := proxyv2.NewProxyServer(ac)
+ srv := proxyv2.NewProxyServer(ac, 0)
 ws.ProxyServer = srv
 ac.Server = srv
 log.WithField("logger", "authentik").Debug("attempting to start outpost")
diff --git a/internal/config/struct.go b/internal/config/struct.go
index cea63ba39..b28bb7df4 100644
--- a/internal/config/struct.go
+++ b/internal/config/struct.go
@@ -31,7 +31,6 @@ type WebConfig struct {
 ListenTLS string `yaml:"listen_tls"`
 LoadLocalFiles bool `yaml:"load_local_files" env:"AUTHENTIK_WEB_LOAD_LOCAL_FILES"`
 DisableEmbeddedOutpost bool `yaml:"disable_embedded_outpost" env:"AUTHENTIK_WEB__DISABLE_EMBEDDED_OUTPOST"`
- OutpostPortOffset int `yaml:"outpost_port_offset"`
 }
 type PathsConfig struct {
diff --git a/internal/outpost/proxyv2/application/session.go b/internal/outpost/proxyv2/application/session.go
index 2f0695f79..06b8abb21 100644
--- a/internal/outpost/proxyv2/application/session.go
+++ b/internal/outpost/proxyv2/application/session.go
@@ -5,6 +5,7 @@ import (
 "strconv"
 "github.com/gorilla/sessions"
+ log "github.com/sirupsen/logrus"
 "goauthentik.io/api"
 "goauthentik.io/internal/config"
 "gopkg.in/boj/redistore.v1"
@@ -13,15 +14,17 @@ import (
 func GetStore(p api.ProxyOutpostConfig) sessions.Store {
 var store sessions.Store
 if config.G.Redis.Host != "" {
- rs, err := redistore.NewRediStoreWithDB(10, "tcp", fmt.Sprintf("%s:%d", config.G.Redis.Host, config.G.Redis.Port), config.G.Redis.Password, strconv.Itoa(config.G.Redis.OutpostSessionDB))
+ rs, err := redistore.NewRediStoreWithDB(10, "tcp", fmt.Sprintf("%s:%d", config.G.Redis.Host, config.G.Redis.Port), config.G.Redis.Password, strconv.Itoa(config.G.Redis.OutpostSessionDB), []byte(*p.CookieSecret))
 if err != nil {
 panic(err)
 }
 rs.Options.Domain = *p.CookieDomain
+ log.Info("using redis session backend")
 store = rs
 } else {
 cs := sessions.NewCookieStore([]byte(*p.CookieSecret))
 cs.Options.Domain = *p.CookieDomain
+ log.Info("using cookie session backend")
 store = cs
 }
 return store
diff --git a/internal/outpost/proxyv2/proxyv2.go b/internal/outpost/proxyv2/proxyv2.go
index 7469f6c01..18ccdda52 100644
--- a/internal/outpost/proxyv2/proxyv2.go
+++ b/internal/outpost/proxyv2/proxyv2.go
@@ -14,7 +14,6 @@ import (
 "github.com/pires/go-proxyproto"
 log "github.com/sirupsen/logrus"
 "goauthentik.io/api"
- "goauthentik.io/internal/config"
 "goauthentik.io/internal/crypto"
 "goauthentik.io/internal/outpost/ak"
 "goauthentik.io/internal/outpost/proxyv2/application"
@@ -36,7 +35,7 @@ type ProxyServer struct {
 akAPI *ak.APIController
 }
-func NewProxyServer(ac *ak.APIController) *ProxyServer {
+func NewProxyServer(ac *ak.APIController, portOffset int) *ProxyServer {
 l := log.WithField("logger", "authentik.outpost.proxyv2")
 defaultCert, err := crypto.GenerateSelfSignedCert()
 if err != nil {
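Review bot: The new `[]byte(*p.CookieSecret)` argument in GetStore (session.go, `@@ -13,15 +14,17 @@`) dereferences `p.CookieSecret` without a nil check and does not reject an empty secret, so the key that authenticates session cookies is accepted in whatever shape the API handed it over. A nil pointer panics on this line, and an empty key would presumably surface as a securecookie error on the first request rather than at startup. A single guard before the `if config.G.Redis.Host != ""` branch covers both the Redis and the cookie store: `if p.CookieSecret == nil || *p.CookieSecret == "" { panic("proxy outpost: cookie secret is not set") }`. The same unchecked dereference exists for `*p.CookieDomain` in both branches. GetStore's closing brace lies outside the hunk.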
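Review bot: The exported NewProxyServer in proxyv2.go (`@@ -36,7 +35,7 @@`) gains a `portOffset` parameter but has no doc comment, so a caller cannot tell from the signature that 0 keeps the default ports, which is what cmd/server/main.go now relies on. I would add `// NewProxyServer creates the proxy outpost server. portOffset is added to the default listening ports; 0 keeps the defaults.` directly above the signature. The function body continues outside this hunk.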
@@ -55,7 +54,7 @@ func NewProxyServer(ac *ak.APIController) *ProxyServer {
 globalMux.Use(web.NewLoggingHandler(l.WithField("logger", "authentik.outpost.proxyv2.http"), nil))
 s := &ProxyServer{
 Listen: "0.0.0.0:%d",
- PortOffset: config.G.Web.OutpostPortOffset,
+ PortOffset: portOffset,
 cryptoStore: ak.NewCryptoStore(ac.Client.CryptoApi),
 apps: make(map[string]*application.Application),