trustchain-oc1-orchestral
/
authentik
Archived
10
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

root: add support for PROXY protocol on listeners 

closes #1161

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens Langhammer 2021-07-20 11:03:09 +02:00
parent 49d0ccd9c7
commit d678d33756
6 changed files with 42 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
go.mod
View File

@ -29,6 +29,7 @@ require (
github.com/nmcclain/ldap v0.0.0-20191021200707-3b3b69a7e9e3 github.com/nmcclain/ldap v0.0.0-20191021200707-3b3b69a7e9e3
github.com/oauth2-proxy/oauth2-proxy v0.0.0-20200831161845-e4e5580852dc github.com/oauth2-proxy/oauth2-proxy v0.0.0-20200831161845-e4e5580852dc
github.com/pelletier/go-toml v1.9.1 // indirect github.com/pelletier/go-toml v1.9.1 // indirect
github.com/pires/go-proxyproto v0.6.0 // indirect
github.com/pkg/errors v0.9.1 github.com/pkg/errors v0.9.1
github.com/pquerna/cachecontrol v0.0.0-20201205024021-ac21108117ac // indirect github.com/pquerna/cachecontrol v0.0.0-20201205024021-ac21108117ac // indirect
github.com/recws-org/recws v1.3.1 github.com/recws-org/recws v1.3.1

2
go.sum
View File

@ -528,6 +528,8 @@ github.com/pierrec/lz4 v2.5.2+incompatible h1:WCjObylUIOlKy/+7Abdn34TLIkXiA4UWUM
github.com/pierrec/lz4 v2.5.2+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY= github.com/pierrec/lz4 v2.5.2+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
github.com/pingcap/errors v0.11.4 h1:lFuQV/oaUMGcD2tqt+01ROSmJs75VG1ToEOkZIZ4nE4= github.com/pingcap/errors v0.11.4 h1:lFuQV/oaUMGcD2tqt+01ROSmJs75VG1ToEOkZIZ4nE4=
github.com/pingcap/errors v0.11.4/go.mod h1:Oi8TUi2kEtXXLMJk9l1cGmz20kV3TaQ0usTwv5KuLY8= github.com/pingcap/errors v0.11.4/go.mod h1:Oi8TUi2kEtXXLMJk9l1cGmz20kV3TaQ0usTwv5KuLY8=
github.com/pires/go-proxyproto v0.6.0 h1:cLJUPnuQdiNf7P/wbeOKmM1khVdaMgTFDLj8h9ZrVYk=
github.com/pires/go-proxyproto v0.6.0/go.mod h1:Odh9VFOZJCf9G8cLW5o435Xf1J95Jw9Gw5rnCjcwzAY=
github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=

20
internal/outpost/ldap/api.go
View File

@ -5,11 +5,13 @@ import (
"crypto/tls" "crypto/tls"
"errors" "errors"
"fmt" "fmt"
"net"
"net/http" "net/http"
"strings" "strings"
"sync" "sync"
"github.com/go-openapi/strfmt" "github.com/go-openapi/strfmt"
"github.com/pires/go-proxyproto"
log "github.com/sirupsen/logrus" log "github.com/sirupsen/logrus"
"goauthentik.io/internal/outpost/ak" "goauthentik.io/internal/outpost/ak"
) )
@ -70,7 +72,20 @@ func (ls *LDAPServer) StartHTTPServer() error {
func (ls *LDAPServer) StartLDAPServer() error { func (ls *LDAPServer) StartLDAPServer() error {
listen := "0.0.0.0:3389" listen := "0.0.0.0:3389"
ln, err := net.Listen("tcp", listen)
if err != nil {
ls.log.Fatalf("FATAL: listen (%s) failed - %s", listen, err)
}
proxyListener := &proxyproto.Listener{Listener: ln}
defer proxyListener.Close()
ls.log.WithField("listen", listen).Info("Starting ldap server") ls.log.WithField("listen", listen).Info("Starting ldap server")
err = ls.s.Serve(proxyListener)
if err != nil {
return err
}
ls.log.Printf("closing %s", ln.Addr())
return ls.s.ListenAndServe(listen) return ls.s.ListenAndServe(listen)
} }
@ -86,8 +101,11 @@ func (ls *LDAPServer) StartLDAPTLSServer() error {
if err != nil { if err != nil {
ls.log.Fatalf("FATAL: listen (%s) failed - %s", listen, err) ls.log.Fatalf("FATAL: listen (%s) failed - %s", listen, err)
} }
proxyListener := &proxyproto.Listener{Listener: ln}
defer proxyListener.Close()
ls.log.WithField("listen", listen).Info("Starting ldap tls server") ls.log.WithField("listen", listen).Info("Starting ldap tls server")
err = ls.s.Serve(ln) err = ls.s.Serve(proxyListener)
if err != nil { if err != nil {
return err return err
} }

12
internal/outpost/proxy/server_https.go
View File

@ -4,6 +4,8 @@ import (
"crypto/tls" "crypto/tls"
"net" "net"
"sync" "sync"
"github.com/pires/go-proxyproto"
) )
// ServeHTTP constructs a net.Listener and starts handling HTTP requests // ServeHTTP constructs a net.Listener and starts handling HTTP requests
@ -13,8 +15,11 @@ func (s *Server) ServeHTTP() {
if err != nil { if err != nil {
s.logger.Fatalf("FATAL: listen (%s) failed - %s", listenAddress, err) s.logger.Fatalf("FATAL: listen (%s) failed - %s", listenAddress, err)
} }
proxyListener := &proxyproto.Listener{Listener: listener}
defer proxyListener.Close()
s.logger.Printf("listening on %s", listener.Addr()) s.logger.Printf("listening on %s", listener.Addr())
s.serve(listener) s.serve(proxyListener)
s.logger.Printf("closing %s", listener.Addr()) s.logger.Printf("closing %s", listener.Addr())
} }
@ -46,7 +51,10 @@ func (s *Server) ServeHTTPS() {
} }
s.logger.Printf("listening on %s", ln.Addr()) s.logger.Printf("listening on %s", ln.Addr())
tlsListener := tls.NewListener(tcpKeepAliveListener{ln.(*net.TCPListener)}, config) proxyListener := &proxyproto.Listener{Listener: tcpKeepAliveListener{ln.(*net.TCPListener)}}
defer proxyListener.Close()
tlsListener := tls.NewListener(proxyListener, config)
s.serve(tlsListener) s.serve(tlsListener)
s.logger.Printf("closing %s", tlsListener.Addr()) s.logger.Printf("closing %s", tlsListener.Addr())
} }

6
internal/web/web.go
View File

@ -8,6 +8,7 @@ import (
"github.com/gorilla/handlers" "github.com/gorilla/handlers"
"github.com/gorilla/mux" "github.com/gorilla/mux"
"github.com/pires/go-proxyproto"
log "github.com/sirupsen/logrus" log "github.com/sirupsen/logrus"
"goauthentik.io/internal/config" "goauthentik.io/internal/config"
) )
@ -63,7 +64,10 @@ func (ws *WebServer) listenPlain() {
} }
ws.log.WithField("addr", config.G.Web.Listen).Info("Running") ws.log.WithField("addr", config.G.Web.Listen).Info("Running")
ws.serve(ln) proxyListener := &proxyproto.Listener{Listener: ln}
defer proxyListener.Close()
ws.serve(proxyListener)
ws.log.WithField("addr", config.G.Web.Listen).Info("Running") ws.log.WithField("addr", config.G.Web.Listen).Info("Running")
err = http.ListenAndServe(config.G.Web.Listen, ws.m) err = http.ListenAndServe(config.G.Web.Listen, ws.m)

6
internal/web/web_ssl.go
View File

@ -4,6 +4,7 @@ import (
"crypto/tls" "crypto/tls"
"net" "net"
"github.com/pires/go-proxyproto"
"goauthentik.io/internal/config" "goauthentik.io/internal/config"
"goauthentik.io/internal/crypto" "goauthentik.io/internal/crypto"
) )
@ -27,7 +28,10 @@ func (ws *WebServer) listenTLS() {
} }
ws.log.WithField("addr", config.G.Web.ListenTLS).Info("Running") ws.log.WithField("addr", config.G.Web.ListenTLS).Info("Running")
tlsListener := tls.NewListener(tcpKeepAliveListener{ln.(*net.TCPListener)}, tlsConfig) proxyListener := &proxyproto.Listener{Listener: tcpKeepAliveListener{ln.(*net.TCPListener)}}
defer proxyListener.Close()
tlsListener := tls.NewListener(proxyListener, tlsConfig)
ws.serve(tlsListener) ws.serve(tlsListener)
ws.log.Printf("closing %s", tlsListener.Addr()) ws.log.Printf("closing %s", tlsListener.Addr())
} }