diff --git a/authentik/lib/default.yml b/authentik/lib/default.yml index 4d0d8146c..e322fc97d 100644 --- a/authentik/lib/default.yml +++ b/authentik/lib/default.yml @@ -20,6 +20,7 @@ redis: cache_db: 0 message_queue_db: 1 ws_db: 2 + outpost_session_db: 3 cache_timeout: 300 cache_timeout_flows: 300 cache_timeout_policies: 300 diff --git a/internal/config/struct.go b/internal/config/struct.go index 7a15de7a1..a71220628 100644 --- a/internal/config/struct.go +++ b/internal/config/struct.go @@ -7,6 +7,23 @@ type Config struct { Paths PathsConfig `yaml:"paths"` LogLevel string `yaml:"log_level" env:"AUTHENTIK_LOG_LEVEL"` ErrorReporting ErrorReportingConfig `yaml:"error_reporting"` + Redis RedisConfig `yaml:"redis"` +} + +type RedisConfig struct { + Host string `yaml:"host" env:"AUTHENTIK_REDIS__HOST"` + Port int `yaml:"port" env:"AUTHENTIK_REDIS__PORT"` + Password string `yaml:"password" env:"AUTHENTIK_REDIS__PASSWORD"` + TLS bool `yaml:"tls" env:"AUTHENTIK_REDIS__TLS"` + TLSReqs string `yaml:"tls_reqs" env:"AUTHENTIK_REDIS__TLS_REQS"` + CacheDB int `yaml:"cache_db" env:"AUTHENTIK_REDIS__CACHE_DB"` + MessageQueueDB int `yaml:"message_queue_db" env:"AUTHENTIK_REDIS__MESSAGE_QUEUE_DB"` + WSDB int `yaml:"ws_db" env:"AUTHENTIK_REDIS__WS_DB"` + OutpostSessionDB int `yaml:"outpost_session_db" env:"AUTHENTIK_REDIS__OUTPOST_SESSION_DB"` + CacheTimeout int `yaml:"cache_timeout" env:"AUTHENTIK_REDIS__CACHE_TIMEOUT"` + CacheTimeoutFlows int `yaml:"cache_timeout_flows" env:"AUTHENTIK_REDIS__CACHE_TIMEOUT_FLOWS"` + CacheTimeoutPolicies int `yaml:"cache_timeout_policies" env:"AUTHENTIK_REDIS__CACHE_TIMEOUT_POLICIES"` + CacheTimeoutReputation int `yaml:"cache_timeout_reputation" env:"AUTHENTIK_REDIS__CACHE_TIMEOUT_REPUTATION"` } type WebConfig struct { diff --git a/internal/outpost/proxy/common.go b/internal/outpost/proxy/common.go index eab2b9ed8..47203335e 100644 --- a/internal/outpost/proxy/common.go +++ b/internal/outpost/proxy/common.go @@ -1,9 +1,13 @@ package proxy import ( + "fmt" "time" + log "github.com/sirupsen/logrus" + "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/options" + "goauthentik.io/internal/config" ) func getCommonOptions() *options.Options { @@ -16,5 +20,20 @@ func getCommonOptions() *options.Options { commonOpts.Logging.SilencePing = true commonOpts.SetAuthorization = false commonOpts.Scope = "openid email profile ak_proxy" + if config.G.Redis.Host != "" { + protocol := "redis" + if config.G.Redis.TLS { + protocol = "rediss" + } + url := fmt.Sprintf("%s://@%s:%d/%d", protocol, config.G.Redis.Host, config.G.Redis.Port, config.G.Redis.OutpostSessionDB) + log.WithField("url", url).Info("Using redis session backend") + commonOpts.Session.Redis = options.RedisStoreOptions{ + ConnectionURL: url, + Password: config.G.Redis.Password, + } + if config.G.Redis.TLSReqs != "" { + commonOpts.Session.Redis.InsecureSkipTLSVerify = true + } + } return commonOpts } diff --git a/website/docs/installation/configuration.md b/website/docs/installation/configuration.md index 6d987c3b3..c592dc0b5 100644 --- a/website/docs/installation/configuration.md +++ b/website/docs/installation/configuration.md @@ -29,6 +29,7 @@ All of these variables can be set to values, but you can also use a URI-like for - `AUTHENTIK_REDIS__CACHE_DB`: Database for caching, defaults to 0 - `AUTHENTIK_REDIS__MESSAGE_QUEUE_DB`: Database for the message queue, defaults to 1 - `AUTHENTIK_REDIS__WS_DB`: Database for websocket connections, defaults to 2 +- `AUTHENTIK_REDIS__OUTPOST_SESSION_DB`: Database for sessions for the embedded outpost, defaults to 3 - `AUTHENTIK_REDIS__CACHE_TIMEOUT`: Timeout for cached data until it expires in seconds, defaults to 300 - `AUTHENTIK_REDIS__CACHE_TIMEOUT_FLOWS`: Timeout for cached flow plans until they expire in seconds, defaults to 300 - `AUTHENTIK_REDIS__CACHE_TIMEOUT_POLICIES`: Timeout for cached polices until they expire in seconds, defaults to 300