core: bundle geoip (#4250)
* bundle geoip Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * correctly pass secrets Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add geoip docs and release notes Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
parent
980d2a022c
commit
f4990bb5da
|
@ -1,8 +1,8 @@
|
|||
env
|
||||
static
|
||||
htmlcov
|
||||
*.env.yml
|
||||
**/node_modules
|
||||
dist/**
|
||||
build/**
|
||||
build_docs/**
|
||||
Dockerfile
|
||||
|
|
3
.github/workflows/ci-main.yml
3
.github/workflows/ci-main.yml
|
@ -208,6 +208,9 @@ jobs:
|
|||
- name: Building Docker Image
|
||||
uses: docker/build-push-action@v3
|
||||
with:
|
||||
secrets: |
|
||||
GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
|
||||
GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
|
||||
push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
|
||||
tags: |
|
||||
ghcr.io/goauthentik/dev-server:gh-${{ steps.ev.outputs.branchNameContainer }}
|
||||
|
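Review bot: Nothing in this job verifies that the GeoIP download in the new `geoip` build stage actually succeeded, so a build that runs without the `GEOIPUPDATE_*` secrets (for example a pull request from a fork, where `${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}` expands to an empty string) or against an unreachable MaxMind endpoint still yields a green dev-server image. The Dockerfile in this commit ends the download with `|| exit 0` and creates `/usr/share/GeoIP` up front, so `COPY --from=geoip` always has something to copy and the failure leaves no trace in the workflow log. Consider a follow-up step, gated on the secrets being non-empty, that runs `test -s /geoip/GeoLite2-City.mmdb` inside the built image and fails the job when the file is absent. The `with:` block of this step continues outside the hunk.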
|
11
.github/workflows/release-publish.yml
11
.github/workflows/release-publish.yml
|
@ -31,6 +31,9 @@ jobs:
|
|||
uses: docker/build-push-action@v3
|
||||
with:
|
||||
push: ${{ github.event_name == 'release' }}
|
||||
secrets:
|
||||
GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
|
||||
GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
|
||||
tags: |
|
||||
beryju/authentik:${{ steps.ev.outputs.version }},
|
||||
beryju/authentik:${{ steps.ev.outputs.versionFamily }},
|
||||
|
@ -39,7 +42,8 @@ jobs:
|
|||
ghcr.io/goauthentik/server:${{ steps.ev.outputs.versionFamily }},
|
||||
ghcr.io/goauthentik/server:latest
|
||||
platforms: linux/amd64,linux/arm64
|
||||
context: .
|
||||
build-args: |
|
||||
VERSION_FAMILY=${{ steps.ev.outputs.versionFamily }}
|
||||
build-outpost:
|
||||
runs-on: ubuntu-latest
|
||||
strategy:
|
||||
|
@ -84,6 +88,11 @@ jobs:
|
|||
ghcr.io/goauthentik/${{ matrix.type }}:latest
|
||||
file: ${{ matrix.type }}.Dockerfile
|
||||
platforms: linux/amd64,linux/arm64
|
||||
secrets: |
|
||||
GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
|
||||
GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
|
||||
build-args: |
|
||||
VERSION_FAMILY=${{ steps.ev.outputs.versionFamily }}
|
||||
build-outpost-binary:
|
||||
timeout-minutes: 120
|
||||
runs-on: ubuntu-latest
|
||||
|
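Review bot: In the first hunk the key is written as bare `secrets:` with no `|` block indicator, unlike the `secrets: |` used in the `build-outpost` hunk below and in ci-main.yml. If the page reflects the file faithfully, YAML folds the two indented lines into a single plain scalar, so docker/build-push-action receives one entry `GEOIPUPDATE_ACCOUNT_ID=<id> GEOIPUPDATE_LICENSE_KEY=<key>`: the license key ends up inside the value of the account-id secret, and no secret with id `GEOIPUPDATE_LICENSE_KEY` is ever mounted, which the Dockerfile's `|| exit 0` then hides by publishing a release image without the database. The fix is the one-character change `secrets: |` at line 35 of the new file, and a yamllint/Prettier run would keep the three occurrences consistent. The `build-outpost` job passes the same two secrets to `${{ matrix.type }}.Dockerfile`; whether those Dockerfiles declare a matching `--mount=type=secret` is not visible here, so that part may be dead configuration.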
|
17
Dockerfile
17
Dockerfile
|
@ -46,7 +46,21 @@ COPY ./go.sum /work/go.sum
|
|||
|
||||
RUN go build -o /work/authentik ./cmd/server/
|
||||
|
||||
# Stage 5: Run
|
||||
# Stage 5: MaxMind GeoIP
|
||||
FROM docker.io/maxmindinc/geoipupdate:v4.10 as geoip
|
||||
|
||||
ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City"
|
||||
|
||||
RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
|
||||
--mount=type=secret,id=GEOIPUPDATE_LICENSE_KEY \
|
||||
mkdir -p /usr/share/GeoIP && \
|
||||
/bin/sh -c "\
|
||||
export GEOIPUPDATE_ACCOUNT_ID=$(cat /run/secrets/GEOIPUPDATE_ACCOUNT_ID); \
|
||||
export GEOIPUPDATE_LICENSE_KEY=$(cat /run/secrets/GEOIPUPDATE_LICENSE_KEY); \
|
||||
/usr/bin/entry.sh || exit 0 \
|
||||
"
|
||||
|
||||
# Stage 6: Run
|
||||
FROM docker.io/python:3.11.1-slim-bullseye AS final-image
|
||||
|
||||
LABEL org.opencontainers.image.url https://goauthentik.io
|
||||
|
@ -60,6 +74,7 @@ ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
|
|||
|
||||
COPY --from=poetry-locker /work/requirements.txt /
|
||||
COPY --from=poetry-locker /work/requirements-dev.txt /
|
||||
COPY --from=geoip /usr/share/GeoIP /geoip
|
||||
|
||||
RUN apt-get update && \
|
||||
# Required for installing pip packages
|
||||
|
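Review bot: `/usr/bin/entry.sh || exit 0` in the new `geoip` stage turns every failed database download — empty or missing secret, revoked license key, MaxMind outage or rate limit — into a successful build, and because `mkdir -p /usr/share/GeoIP` runs first, the later `COPY --from=geoip /usr/share/GeoIP /geoip` copies an empty directory, so a release image can ship without the database the docs in this commit describe as bundled. For release builds the failure should be loud: mount the secrets with `--mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID,required=true` and `--mount=type=secret,id=GEOIPUPDATE_LICENSE_KEY,required=true`, and end the inner shell with plain `/usr/bin/entry.sh` so a non-zero exit fails the stage. If builds without secrets (fork pull requests) must keep working, gate the fallback behind a build-arg rather than making it unconditional, and at minimum echo which path was taken so the condition is visible in the build log. Note that `$(cat /run/secrets/...)` on a missing file prints an error to stderr but still exports an empty variable, which is exactly the silent path this construct hides; the secret values themselves are only read inside this RUN and never written to a layer, which is correct.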
|
|
@ -44,7 +44,6 @@ services:
|
|||
volumes:
|
||||
- ./media:/media
|
||||
- ./custom-templates:/templates
|
||||
- geoip:/geoip
|
||||
env_file:
|
||||
- .env
|
||||
ports:
|
||||
|
@ -72,16 +71,6 @@ services:
|
|||
- ./media:/media
|
||||
- ./certs:/certs
|
||||
- ./custom-templates:/templates
|
||||
- geoip:/geoip
|
||||
env_file:
|
||||
- .env
|
||||
geoipupdate:
|
||||
image: "maxmindinc/geoipupdate:latest"
|
||||
volumes:
|
||||
- "geoip:/usr/share/GeoIP"
|
||||
environment:
|
||||
GEOIPUPDATE_EDITION_IDS: "GeoLite2-City"
|
||||
GEOIPUPDATE_FREQUENCY: "8"
|
||||
env_file:
|
||||
- .env
|
||||
|
||||
|
@ -90,5 +79,3 @@ volumes:
|
|||
driver: local
|
||||
redis:
|
||||
driver: local
|
||||
geoip:
|
||||
driver: local
|
||||
|
|
105
website/docs/core/geoip.mdx
Normal file
105
website/docs/core/geoip.mdx
Normal file
|
@ -0,0 +1,105 @@
|
|||
# GeoIP
|
||||
|
||||
authentik supports GeoIP to add additional information to login/authorization/enrollment requests, and make policy decisions based on the lookup result.
|
||||
|
||||
### Configuration
|
||||
|
||||
:::info
|
||||
Starting with authentik 2022.12, GeoIP is bundled and does not require any additional setup.
|
||||
:::
|
||||
|
||||
By default, the GeoIP database is loaded from `/geoip/GeoLite2-City.mmdb`. If more frequent database updates are desired, a volume can be mounted to `/geoip` to update this file externally. authentik will automatically re-load the file when it changes.
|
||||
|
||||
### Deactivating GeoIP
|
||||
|
||||
If you want to disable GeoIP, you can set the path to a non-existent path and authentik will skip the GeoIP.
|
||||
|
||||
import Tabs from "@theme/Tabs";
|
||||
import TabItem from "@theme/TabItem";
|
||||
|
||||
<Tabs
|
||||
defaultValue="docker-compose"
|
||||
values={[
|
||||
{label: 'docker-compose', value: 'docker-compose'},
|
||||
{label: 'Kubernetes', value: 'kubernetes'},
|
||||
]}>
|
||||
<TabItem value="docker-compose">
|
||||
Add the following block to your `.env` file:
|
||||
|
||||
```shell
|
||||
AUTHENTIK_GEOIP=/tmp/non-existent-file
|
||||
```
|
||||
|
||||
Afterwards, run the upgrade commands from the latest release notes.
|
||||
|
||||
</TabItem>
|
||||
<TabItem value="kubernetes">
|
||||
Add the following block to your `values.yml` file:
|
||||
|
||||
```yaml
|
||||
authentik:
|
||||
geoip: /tmp/non-existent-file
|
||||
```
|
||||
|
||||
Afterwards, run the upgrade commands from the latest release notes.
|
||||
|
||||
</TabItem>
|
||||
</Tabs>
|
||||
|
||||
### External updates
|
||||
|
||||
Sign up for a free MaxMind account [here](https://www.maxmind.com/en/geolite2/signup).
|
||||
|
||||
<Tabs
|
||||
defaultValue="docker-compose"
|
||||
values={[
|
||||
{label: 'docker-compose', value: 'docker-compose'},
|
||||
{label: 'Kubernetes', value: 'kubernetes'},
|
||||
]}>
|
||||
<TabItem value="docker-compose">
|
||||
Add the following block to a `docker-compose.override.yml` file in the same folder as the authentik docker-compose file:
|
||||
|
||||
```yaml
|
||||
version: "3.2"
|
||||
|
||||
services:
|
||||
server:
|
||||
volumes:
|
||||
- geoip:/geoip
|
||||
worker:
|
||||
volumes:
|
||||
- geoip:/geoip
|
||||
geoipupdate:
|
||||
image: "maxmindinc/geoipupdate:latest"
|
||||
volumes:
|
||||
- "geoip:/usr/share/GeoIP"
|
||||
environment:
|
||||
GEOIPUPDATE_EDITION_IDS: "GeoLite2-City"
|
||||
GEOIPUPDATE_FREQUENCY: "8"
|
||||
GEOIPUPDATE_ACCOUNT_ID: "*your account ID*"
|
||||
GEOIPUPDATE_LICENSE_KEY: "*your license key*"
|
||||
volumes:
|
||||
geoip:
|
||||
driver: local
|
||||
```
|
||||
|
||||
Afterwards, run the upgrade commands from the latest release notes.
|
||||
|
||||
</TabItem>
|
||||
<TabItem value="kubernetes">
|
||||
Add the following block to your `values.yml` file:
|
||||
|
||||
```yaml
|
||||
geoip:
|
||||
enabled: true
|
||||
accountId: "*your account ID*"
|
||||
licenseKey: "*your license key*"
|
||||
editionIds: "GeoLite2-City"
|
||||
image: maxmindinc/geoipupdate:v4.8
|
||||
updateInterval: 8
|
||||
```
|
||||
|
||||
Afterwards, run the upgrade commands from the latest release notes.
|
||||
|
||||
</TabItem>
|
||||
</Tabs>
|
|
@ -2,8 +2,18 @@
|
|||
title: Captcha stage
|
||||
---
|
||||
|
||||
This stage adds a form of verification using [Google's ReCaptcha](https://www.google.com/recaptcha/intro/v3.html).
|
||||
This stage adds a form of verification using [Google's ReCaptcha](https://www.google.com/recaptcha/intro/v3.html) or compatible services.
|
||||
|
||||
### Google ReCaptcha
|
||||
|
||||
This stage has two required fields: Public key and private key. These can both be acquired at https://www.google.com/recaptcha/admin.
|
||||
|
||||
![](captcha-admin.png)
|
||||
|
||||
### hCaptcha
|
||||
|
||||
See https://docs.hcaptcha.com/switch
|
||||
|
||||
### Turnstile
|
||||
|
||||
See https://developers.cloudflare.com/turnstile/get-started/migrating-from-recaptcha
|
||||
|
|
|
@ -78,6 +78,10 @@ Defaults to `info`.
|
|||
|
||||
Which domain the session cookie should be set to. By default, the cookie is set to the domain authentik is accessed under.
|
||||
|
||||
### `AUTHENTIK_GEOIP`
|
||||
|
||||
Path to the GeoIP database. Defaults to `/geoip/GeoLite2-City.mmdb`. If the file is not found, authentik will skip GeoIP support.
|
||||
|
||||
### `AUTHENTIK_DISABLE_UPDATE_CHECK`
|
||||
|
||||
Disable the inbuilt update-checker. Defaults to `false`.
|
||||
|
|
|
@ -49,22 +49,6 @@ AUTHENTIK_EMAIL__TIMEOUT=10
|
|||
AUTHENTIK_EMAIL__FROM=authentik@localhost
|
||||
```
|
||||
|
||||
## GeoIP configuration (optional)
|
||||
|
||||
authentik can use a MaxMind-formatted GeoIP Database to extract location data from IPs. You can then use this location data in policies, and location data is saved in events.
|
||||
|
||||
To configure GeoIP, sign up for a free MaxMind account [here](https://www.maxmind.com/en/geolite2/signup).
|
||||
|
||||
After you have your account ID and license key, add the following block to your `.env` file:
|
||||
|
||||
```shell
|
||||
GEOIPUPDATE_ACCOUNT_ID=*your account ID*
|
||||
GEOIPUPDATE_LICENSE_KEY=* your license key*
|
||||
AUTHENTIK_AUTHENTIK__GEOIP=/geoip/GeoLite2-City.mmdb
|
||||
```
|
||||
|
||||
The GeoIP database will automatically be updated every 8 hours.
|
||||
|
||||
## Running on Port 80/443
|
||||
|
||||
By default, authentik listens on port 9000 for HTTP and 9443 for HTTPS. To change this, you can set the following variables in `.env`:
|
||||
|
|
|
@ -70,7 +70,7 @@ import Objects from "../expressions/_objects.md";
|
|||
- `request.obj`: A Django Model instance. This is only set if the policy is ran against an object.
|
||||
- `request.context`: A dictionary with dynamic data. This depends on the origin of the execution.
|
||||
|
||||
- `geoip`: GeoIP object, which is added when GeoIP is enabled. See [GeoIP](https://geoip2.readthedocs.io/en/latest/#geoip2.models.City)
|
||||
- `geoip`: GeoIP object, see [GeoIP](https://geoip2.readthedocs.io/en/latest/#geoip2.models.City)
|
||||
- `ak_is_sso_flow`: Boolean which is true if request was initiated by authenticating through an external provider.
|
||||
- `ak_client_ip`: Client's IP Address or 255.255.255.255 if no IP Address could be extracted. Can be [compared](#comparing-ip-addresses), for example
|
||||
|
||||
|
|
194
website/docs/releases/v2022.12.md
Normal file
194
website/docs/releases/v2022.12.md
Normal file
|
@ -0,0 +1,194 @@
|
|||
---
|
||||
title: Release 2022.12
|
||||
slug: "2022.12"
|
||||
---
|
||||
|
||||
## New features
|
||||
|
||||
- Bundled GeoIP City database
|
||||
|
||||
authentik now comes with a bundled MaxMind GeoLite2 City database. This allows everyone to take advantage of the extra data provided by GeoIP. The default docker-compose file removes the GeoIP update container as it is no longer needed. See more [here](../core/geoip)
|
||||
|
||||
- Customisable Captcha stage
|
||||
|
||||
The captcha stage now supports alternate compatible providers, like [hCaptcha](https://docs.hcaptcha.com/switch/) and [Turnstile](https://developers.cloudflare.com/turnstile/get-started/migrating-from-recaptcha/).
|
||||
|
||||
## Upgrading
|
||||
|
||||
This release does not introduce any new requirements.
|
||||
|
||||
### docker-compose
|
||||
|
||||
Download the docker-compose file for 2022.12 from [here](https://goauthentik.io/version/2022.12/docker-compose.yml). Afterwards, simply run `docker-compose up -d`.
|
||||
|
||||
### Kubernetes
|
||||
|
||||
Update your values to use the new images:
|
||||
|
||||
```yaml
|
||||
image:
|
||||
repository: ghcr.io/goauthentik/server
|
||||
tag: 2022.12.0
|
||||
```
|
||||
|
||||
## Minor changes/fixes
|
||||
|
||||
## API Changes
|
||||
|
||||
#### What's Changed
|
||||
|
||||
---
|
||||
|
||||
##### `GET` /stages/captcha/{stage_uuid}/
|
||||
|
||||
###### Return Type:
|
||||
|
||||
Changed response : **200 OK**
|
||||
|
||||
- Changed content type : `application/json`
|
||||
|
||||
- Added property `js_url` (string)
|
||||
|
||||
- Added property `api_url` (string)
|
||||
|
||||
- Changed property `public_key` (string)
|
||||
> Public key, acquired your captcha Provider.
|
||||
|
||||
##### `PUT` /stages/captcha/{stage_uuid}/
|
||||
|
||||
###### Request:
|
||||
|
||||
Changed content type : `application/json`
|
||||
|
||||
- Added property `js_url` (string)
|
||||
|
||||
- Added property `api_url` (string)
|
||||
|
||||
- Changed property `public_key` (string)
|
||||
|
||||
> Public key, acquired your captcha Provider.
|
||||
|
||||
- Changed property `private_key` (string)
|
||||
> Private key, acquired your captcha Provider.
|
||||
|
||||
###### Return Type:
|
||||
|
||||
Changed response : **200 OK**
|
||||
|
||||
- Changed content type : `application/json`
|
||||
|
||||
- Added property `js_url` (string)
|
||||
|
||||
- Added property `api_url` (string)
|
||||
|
||||
- Changed property `public_key` (string)
|
||||
> Public key, acquired your captcha Provider.
|
||||
|
||||
##### `PATCH` /stages/captcha/{stage_uuid}/
|
||||
|
||||
###### Request:
|
||||
|
||||
Changed content type : `application/json`
|
||||
|
||||
- Added property `js_url` (string)
|
||||
|
||||
- Added property `api_url` (string)
|
||||
|
||||
- Changed property `public_key` (string)
|
||||
|
||||
> Public key, acquired your captcha Provider.
|
||||
|
||||
- Changed property `private_key` (string)
|
||||
> Private key, acquired your captcha Provider.
|
||||
|
||||
###### Return Type:
|
||||
|
||||
Changed response : **200 OK**
|
||||
|
||||
- Changed content type : `application/json`
|
||||
|
||||
- Added property `js_url` (string)
|
||||
|
||||
- Added property `api_url` (string)
|
||||
|
||||
- Changed property `public_key` (string)
|
||||
> Public key, acquired your captcha Provider.
|
||||
|
||||
##### `GET` /flows/executor/{flow_slug}/
|
||||
|
||||
###### Return Type:
|
||||
|
||||
Changed response : **200 OK**
|
||||
|
||||
- Changed content type : `application/json`
|
||||
|
||||
Updated `ak-stage-captcha` component:
|
||||
New required properties:
|
||||
|
||||
- `js_url`
|
||||
|
||||
* Added property `js_url` (string)
|
||||
|
||||
##### `POST` /flows/executor/{flow_slug}/
|
||||
|
||||
###### Return Type:
|
||||
|
||||
Changed response : **200 OK**
|
||||
|
||||
- Changed content type : `application/json`
|
||||
|
||||
Updated `ak-stage-captcha` component:
|
||||
New required properties:
|
||||
|
||||
- `js_url`
|
||||
|
||||
* Added property `js_url` (string)
|
||||
|
||||
##### `POST` /stages/captcha/
|
||||
|
||||
###### Request:
|
||||
|
||||
Changed content type : `application/json`
|
||||
|
||||
- Added property `js_url` (string)
|
||||
|
||||
- Added property `api_url` (string)
|
||||
|
||||
- Changed property `public_key` (string)
|
||||
|
||||
> Public key, acquired your captcha Provider.
|
||||
|
||||
- Changed property `private_key` (string)
|
||||
> Private key, acquired your captcha Provider.
|
||||
|
||||
###### Return Type:
|
||||
|
||||
Changed response : **201 Created**
|
||||
|
||||
- Changed content type : `application/json`
|
||||
|
||||
- Added property `js_url` (string)
|
||||
|
||||
- Added property `api_url` (string)
|
||||
|
||||
- Changed property `public_key` (string)
|
||||
> Public key, acquired your captcha Provider.
|
||||
|
||||
##### `GET` /stages/captcha/
|
||||
|
||||
###### Return Type:
|
||||
|
||||
Changed response : **200 OK**
|
||||
|
||||
- Changed content type : `application/json`
|
||||
|
||||
- Changed property `results` (array)
|
||||
|
||||
Changed items (object): > CaptchaStage Serializer
|
||||
|
||||
- Added property `js_url` (string)
|
||||
|
||||
- Added property `api_url` (string)
|
||||
|
||||
- Changed property `public_key` (string)
|
||||
> Public key, acquired your captcha Provider.
|
|
@ -34,6 +34,7 @@ module.exports = {
|
|||
"core/applications",
|
||||
"core/tenants",
|
||||
"core/certificates",
|
||||
"core/geoip",
|
||||
],
|
||||
},
|
||||
{
|
||||
|
@ -217,13 +218,14 @@ module.exports = {
|
|||
description: "Release notes for recent authentik versions",
|
||||
},
|
||||
items: [
|
||||
"releases/v2022.12",
|
||||
"releases/v2022.11",
|
||||
"releases/v2022.10",
|
||||
"releases/v2022.9",
|
||||
{
|
||||
type: "category",
|
||||
label: "Previous versions",
|
||||
items: [
|
||||
"releases/v2022.9",
|
||||
"releases/v2022.8",
|
||||
"releases/v2022.7",
|
||||
"releases/v2022.6",
|
||||
|
|