internal: centralise config for listeners to use same config system everywhere (#3367)

* centralise config for listeners to use same config system everywhere

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

#3360

* add docs

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
Jens L 2022-08-03 21:33:27 +02:00 committed by GitHub
parent 9a9c826c0b
commit 2ce8e18bab
15 changed files with 60 additions and 58 deletions


@ -7,11 +7,10 @@ postgresql:
port: 5432 port: 5432
password: 'env://POSTGRES_PASSWORD' password: 'env://POSTGRES_PASSWORD'
web: listen:
listen: 0.0.0.0:9000 listen_http: 0.0.0.0:9000
listen_tls: 0.0.0.0:9443 listen_https: 0.0.0.0:9443
listen_metrics: 0.0.0.0:9300 listen_metrics: 0.0.0.0:9300
outpost_port_offset: 0
redis: redis:
host: localhost host: localhost
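Review bot: The new `listen:` block declares only `listen_http`, `listen_https` and `listen_metrics`, while the ListenConfig struct introduced in this commit also reads `listen_ldap`, `listen_ldaps` and `listen_debug`, whose defaults live only in the Go struct tags. If this file is the reference default configuration (whether the Go side loads it is not visible here), an operator reading it cannot see that those three addresses exist or what they default to. Consider adding `listen_ldap: 0.0.0.0:3389`, `listen_ldaps: 0.0.0.0:6636` and `listen_debug: 0.0.0.0:9900` so the file matches the struct.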


@ -4,7 +4,6 @@ import (
"fmt" "fmt"
"net/url" "net/url"
"os" "os"
"strconv"
log "github.com/sirupsen/logrus" log "github.com/sirupsen/logrus"
@ -22,8 +21,7 @@ Required environment variables:
- AUTHENTIK_INSECURE: Skip SSL Certificate verification - AUTHENTIK_INSECURE: Skip SSL Certificate verification
Optionally, you can set these: Optionally, you can set these:
- AUTHENTIK_HOST_BROWSER: URL to use in the browser, when it differs from AUTHENTIK_HOST - AUTHENTIK_HOST_BROWSER: URL to use in the browser, when it differs from AUTHENTIK_HOST`
- AUTHENTIK_PORT_OFFSET: Offset to add to the listening ports, i.e. value of 100 makes proxy listen on 9100`
func main() { func main() {
log.SetLevel(log.DebugLevel) log.SetLevel(log.DebugLevel)
@ -47,15 +45,6 @@ func main() {
fmt.Println(helpMessage) fmt.Println(helpMessage)
os.Exit(1) os.Exit(1)
} }
portOffset := 0
portOffsetS := os.Getenv("AUTHENTIK_PORT_OFFSET")
if portOffsetS != "" {
v, err := strconv.Atoi(portOffsetS)
if err != nil {
fmt.Println(err.Error())
}
portOffset = v
}
akURLActual, err := url.Parse(akURL) akURLActual, err := url.Parse(akURL)
if err != nil { if err != nil {
@ -72,7 +61,7 @@ func main() {
os.Exit(1) os.Exit(1)
} }
ac.Server = proxyv2.NewProxyServer(ac, portOffset) ac.Server = proxyv2.NewProxyServer(ac)
err = ac.Start() err = ac.Start()
if err != nil { if err != nil {
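Review bot: The help text loses its only mention of how to change the listening ports, and `AUTHENTIK_PORT_OFFSET` is now silently ignored rather than rejected, so a deployment that relied on the offset will come up on the default address with no hint as to why. Add a help line such as `- AUTHENTIK_LISTEN__HTTP / AUTHENTIK_LISTEN__HTTPS: Addresses to listen on for HTTP and HTTPS`, and in main a warning when the removed variable is still set, e.g. `if os.Getenv("AUTHENTIK_PORT_OFFSET") != "" { log.Warning("AUTHENTIK_PORT_OFFSET is no longer supported, use AUTHENTIK_LISTEN__HTTP and AUTHENTIK_LISTEN__HTTPS") }`. main's body continues outside the hunk.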


@ -61,7 +61,7 @@ func main() {
g := gounicorn.NewGoUnicorn() g := gounicorn.NewGoUnicorn()
ws := web.NewWebServer(g) ws := web.NewWebServer(g)
g.HealthyCallback = func() { g.HealthyCallback = func() {
if !config.Get().Web.DisableEmbeddedOutpost { if !config.Get().DisableEmbeddedOutpost {
go attemptProxyStart(ws, u) go attemptProxyStart(ws, u)
} }
} }
@ -110,7 +110,7 @@ func attemptProxyStart(ws *web.WebServer, u *url.URL) {
tw.Check() tw.Check()
}) })
srv := proxyv2.NewProxyServer(ac, 0) srv := proxyv2.NewProxyServer(ac)
ws.ProxyServer = srv ws.ProxyServer = srv
ac.Server = srv ac.Server = srv
l.Debug("attempting to start outpost") l.Debug("attempting to start outpost")


@ -19,6 +19,7 @@ var cfg *Config
func Get() *Config { func Get() *Config {
if cfg == nil { if cfg == nil {
cfg = defaultConfig() cfg = defaultConfig()
cfg.Setup()
} }
return cfg return cfg
} }
@ -26,9 +27,11 @@ func Get() *Config {
func defaultConfig() *Config { func defaultConfig() *Config {
return &Config{ return &Config{
Debug: false, Debug: false,
Web: WebConfig{ Listen: ListenConfig{
Listen: "localhost:9000", HTTP: "localhost:9000",
ListenTLS: "localhost:9443", HTTPS: "localhost:9443",
LDAP: "localhost:3389",
LDAPS: "localhost:6636",
}, },
Paths: PathsConfig{ Paths: PathsConfig{
Media: "./media", Media: "./media",


@ -1,13 +1,14 @@
package config package config
type Config struct { type Config struct {
Debug bool `yaml:"debug" env:"AUTHENTIK_DEBUG"` Debug bool `yaml:"debug" env:"AUTHENTIK_DEBUG"`
SecretKey string `yaml:"secret_key" env:"AUTHENTIK_SECRET_KEY"` SecretKey string `yaml:"secret_key" env:"AUTHENTIK_SECRET_KEY"`
Web WebConfig `yaml:"web"` Listen ListenConfig `yaml:"listen"`
Paths PathsConfig `yaml:"paths"` Paths PathsConfig `yaml:"paths"`
LogLevel string `yaml:"log_level" env:"AUTHENTIK_LOG_LEVEL"` LogLevel string `yaml:"log_level" env:"AUTHENTIK_LOG_LEVEL"`
ErrorReporting ErrorReportingConfig `yaml:"error_reporting"` ErrorReporting ErrorReportingConfig `yaml:"error_reporting"`
Redis RedisConfig `yaml:"redis"` Redis RedisConfig `yaml:"redis"`
DisableEmbeddedOutpost bool `yaml:"disable_embedded_outpost" env:"AUTHENTIK_WEB__DISABLE_EMBEDDED_OUTPOST"`
} }
type RedisConfig struct { type RedisConfig struct {
@ -26,11 +27,13 @@ type RedisConfig struct {
CacheTimeoutReputation int `yaml:"cache_timeout_reputation" env:"AUTHENTIK_REDIS__CACHE_TIMEOUT_REPUTATION"` CacheTimeoutReputation int `yaml:"cache_timeout_reputation" env:"AUTHENTIK_REDIS__CACHE_TIMEOUT_REPUTATION"`
} }
type WebConfig struct { type ListenConfig struct {
Listen string `yaml:"listen"` HTTP string `yaml:"listen_http" env:"AUTHENTIK_LISTEN__HTTP"`
ListenTLS string `yaml:"listen_tls"` HTTPS string `yaml:"listen_https" env:"AUTHENTIK_LISTEN__HTTPS"`
ListenMetrics string `yaml:"listen_metrics"` LDAP string `yaml:"listen_ldap" env:"AUTHENTIK_LISTEN__LDAP,default=0.0.0.0:3389"`
DisableEmbeddedOutpost bool `yaml:"disable_embedded_outpost" env:"AUTHENTIK_WEB__DISABLE_EMBEDDED_OUTPOST"` LDAPS string `yaml:"listen_ldaps" env:"AUTHENTIK_LISTEN__LDAPS,default=0.0.0.0:6636"`
Metrics string `yaml:"listen_metrics" env:"AUTHENTIK_LISTEN__METRICS,default=0.0.0.0:9300"`
Debug string `yaml:"listen_debug" env:"AUTHENTIK_LISTEN__DEBUG,default=0.0.0.0:9900"`
} }
type PathsConfig struct { type PathsConfig struct {
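Review bot: The listen defaults disagree between this struct and defaultConfig(): LDAP and LDAPS carry `default=0.0.0.0:…` here while defaultConfig() sets them to `localhost:…`, and HTTP and HTTPS have no tag default at all, so which address a process binds depends on how Setup() applies the tags. Before this commit the proxy outpost (proxyv2 ServeHTTP/ServeHTTPS) and the LDAP outpost (StartLDAPServer/StartLDAPTLSServer) bound 0.0.0.0 unconditionally; if the `localhost:9000` value from defaultConfig() survives Setup(), a containerised outpost becomes unreachable from outside, so the two sources should be reconciled, either by dropping the listen addresses from defaultConfig() or by giving HTTP and HTTPS a matching `default=`. Separately, renaming `yaml:"web"` to `yaml:"listen"` and moving `disable_embedded_outpost` to the top level means an existing config file's `web:` block is ignored without any message, while that field's env var keeps the old `AUTHENTIK_WEB__` prefix next to the new `AUTHENTIK_LISTEN__` ones; a deprecation warning or a note in the configuration docs would make the migration visible.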


@ -7,6 +7,7 @@ import (
"strings" "strings"
log "github.com/sirupsen/logrus" log "github.com/sirupsen/logrus"
"goauthentik.io/internal/config"
) )
func EnableDebugServer() { func EnableDebugServer() {
@ -21,5 +22,5 @@ func EnableDebugServer() {
h.HandleFunc("/debug/pprof/profile", pprof.Profile) h.HandleFunc("/debug/pprof/profile", pprof.Profile)
h.HandleFunc("/debug/pprof/symbol", pprof.Symbol) h.HandleFunc("/debug/pprof/symbol", pprof.Symbol)
h.HandleFunc("/debug/pprof/trace", pprof.Trace) h.HandleFunc("/debug/pprof/trace", pprof.Trace)
l.Println(http.ListenAndServe("0.0.0.0:9900", nil)) l.Println(http.ListenAndServe(config.Get().Listen.Debug, nil))
} }
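Review bot: `Listen.Debug` now drives this ListenAndServe and its struct-tag default is `0.0.0.0:9900`, so the pprof handlers registered just above are reachable on every interface unless an operator overrides the value; the old literal did the same, but now that it is configurable the default is the place to tighten it, e.g. `default=localhost:9900` in the ListenConfig tag, or a sentence in the listen docs that this endpoint exposes profiling data and should stay host-local. Whether EnableDebugServer is gated behind a debug flag is not visible in this hunk. Also, the handlers are registered on `h` but the server is started with a `nil` handler, i.e. http.DefaultServeMux; if `h` (declared outside the hunk) is not DefaultServeMux they are never served, and passing `h` explicitly, `l.Println(http.ListenAndServe(config.Get().Listen.Debug, h))`, removes the ambiguity either way.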


@ -7,6 +7,7 @@ import (
"github.com/pires/go-proxyproto" "github.com/pires/go-proxyproto"
log "github.com/sirupsen/logrus" log "github.com/sirupsen/logrus"
"goauthentik.io/internal/config"
"goauthentik.io/internal/crypto" "goauthentik.io/internal/crypto"
"goauthentik.io/internal/outpost/ak" "goauthentik.io/internal/outpost/ak"
"goauthentik.io/internal/outpost/ldap/metrics" "goauthentik.io/internal/outpost/ldap/metrics"
@ -48,7 +49,7 @@ func (ls *LDAPServer) Type() string {
} }
func (ls *LDAPServer) StartLDAPServer() error { func (ls *LDAPServer) StartLDAPServer() error {
listen := "0.0.0.0:3389" listen := config.Get().Listen.LDAP
ln, err := net.Listen("tcp", listen) ln, err := net.Listen("tcp", listen)
if err != nil { if err != nil {


@ -5,6 +5,7 @@ import (
"net" "net"
"github.com/pires/go-proxyproto" "github.com/pires/go-proxyproto"
"goauthentik.io/internal/config"
) )
func (ls *LDAPServer) getCertificates(info *tls.ClientHelloInfo) (*tls.Certificate, error) { func (ls *LDAPServer) getCertificates(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
@ -28,7 +29,7 @@ func (ls *LDAPServer) getCertificates(info *tls.ClientHelloInfo) (*tls.Certifica
} }
func (ls *LDAPServer) StartLDAPTLSServer() error { func (ls *LDAPServer) StartLDAPTLSServer() error {
listen := "0.0.0.0:6636" listen := config.Get().Listen.LDAPS
tlsConfig := &tls.Config{ tlsConfig := &tls.Config{
MinVersion: tls.VersionTLS12, MinVersion: tls.VersionTLS12,
MaxVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12,


@ -4,6 +4,7 @@ import (
"net/http" "net/http"
log "github.com/sirupsen/logrus" log "github.com/sirupsen/logrus"
"goauthentik.io/internal/config"
"goauthentik.io/internal/utils/sentry" "goauthentik.io/internal/utils/sentry"
"github.com/gorilla/mux" "github.com/gorilla/mux"
@ -31,7 +32,7 @@ func RunServer() {
rw.WriteHeader(204) rw.WriteHeader(204)
}) })
m.Path("/metrics").Handler(promhttp.Handler()) m.Path("/metrics").Handler(promhttp.Handler())
listen := "0.0.0.0:9300" listen := config.Get().Listen.Metrics
l.WithField("listen", listen).Info("Starting Metrics server") l.WithField("listen", listen).Info("Starting Metrics server")
err := http.ListenAndServe(listen, m) err := http.ListenAndServe(listen, m)
if err != nil { if err != nil {


@ -4,6 +4,7 @@ import (
"net/http" "net/http"
log "github.com/sirupsen/logrus" log "github.com/sirupsen/logrus"
"goauthentik.io/internal/config"
"goauthentik.io/internal/utils/sentry" "goauthentik.io/internal/utils/sentry"
"github.com/gorilla/mux" "github.com/gorilla/mux"
@ -31,7 +32,7 @@ func RunServer() {
rw.WriteHeader(204) rw.WriteHeader(204)
}) })
m.Path("/metrics").Handler(promhttp.Handler()) m.Path("/metrics").Handler(promhttp.Handler())
listen := "0.0.0.0:9300" listen := config.Get().Listen.Metrics
l.WithField("listen", listen).Info("Starting Metrics server") l.WithField("listen", listen).Info("Starting Metrics server")
err := http.ListenAndServe(listen, m) err := http.ListenAndServe(listen, m)
if err != nil { if err != nil {


@ -4,7 +4,6 @@ import (
"context" "context"
"crypto/tls" "crypto/tls"
"errors" "errors"
"fmt"
"net" "net"
"net/http" "net/http"
"sync" "sync"
@ -14,6 +13,7 @@ import (
"github.com/pires/go-proxyproto" "github.com/pires/go-proxyproto"
log "github.com/sirupsen/logrus" log "github.com/sirupsen/logrus"
"goauthentik.io/api/v3" "goauthentik.io/api/v3"
"goauthentik.io/internal/config"
"goauthentik.io/internal/crypto" "goauthentik.io/internal/crypto"
"goauthentik.io/internal/outpost/ak" "goauthentik.io/internal/outpost/ak"
"goauthentik.io/internal/outpost/proxyv2/application" "goauthentik.io/internal/outpost/proxyv2/application"
@ -23,9 +23,6 @@ import (
) )
type ProxyServer struct { type ProxyServer struct {
Listen string
PortOffset int
defaultCert tls.Certificate defaultCert tls.Certificate
stop chan struct{} // channel for waiting shutdown stop chan struct{} // channel for waiting shutdown
@ -36,7 +33,7 @@ type ProxyServer struct {
akAPI *ak.APIController akAPI *ak.APIController
} }
func NewProxyServer(ac *ak.APIController, portOffset int) *ProxyServer { func NewProxyServer(ac *ak.APIController) *ProxyServer {
l := log.WithField("logger", "authentik.outpost.proxyv2") l := log.WithField("logger", "authentik.outpost.proxyv2")
defaultCert, err := crypto.GenerateSelfSignedCert() defaultCert, err := crypto.GenerateSelfSignedCert()
if err != nil { if err != nil {
@ -55,9 +52,6 @@ func NewProxyServer(ac *ak.APIController, portOffset int) *ProxyServer {
globalMux.Use(web.NewLoggingHandler(l.WithField("logger", "authentik.outpost.proxyv2.http"), nil)) globalMux.Use(web.NewLoggingHandler(l.WithField("logger", "authentik.outpost.proxyv2.http"), nil))
globalMux.Use(sentryhttp.New(sentryhttp.Options{}).Handle) globalMux.Use(sentryhttp.New(sentryhttp.Options{}).Handle)
s := &ProxyServer{ s := &ProxyServer{
Listen: "0.0.0.0:%d",
PortOffset: portOffset,
cryptoStore: ak.NewCryptoStore(ac.Client.CryptoApi), cryptoStore: ak.NewCryptoStore(ac.Client.CryptoApi),
apps: make(map[string]*application.Application), apps: make(map[string]*application.Application),
log: l, log: l,
@ -116,7 +110,7 @@ func (ps *ProxyServer) getCertificates(info *tls.ClientHelloInfo) (*tls.Certific
// ServeHTTP constructs a net.Listener and starts handling HTTP requests // ServeHTTP constructs a net.Listener and starts handling HTTP requests
func (ps *ProxyServer) ServeHTTP() { func (ps *ProxyServer) ServeHTTP() {
listenAddress := fmt.Sprintf(ps.Listen, 9000+ps.PortOffset) listenAddress := config.Get().Listen.HTTP
listener, err := net.Listen("tcp", listenAddress) listener, err := net.Listen("tcp", listenAddress)
if err != nil { if err != nil {
ps.log.WithField("listen", listenAddress).WithError(err).Fatalf("listen failed") ps.log.WithField("listen", listenAddress).WithError(err).Fatalf("listen failed")
@ -131,7 +125,7 @@ func (ps *ProxyServer) ServeHTTP() {
// ServeHTTPS constructs a net.Listener and starts handling HTTPS requests // ServeHTTPS constructs a net.Listener and starts handling HTTPS requests
func (ps *ProxyServer) ServeHTTPS() { func (ps *ProxyServer) ServeHTTPS() {
listenAddress := fmt.Sprintf(ps.Listen, 9443+ps.PortOffset) listenAddress := config.Get().Listen.HTTPS
config := &tls.Config{ config := &tls.Config{
MinVersion: tls.VersionTLS12, MinVersion: tls.VersionTLS12,
MaxVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12,
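Review bot: In ServeHTTPS the pre-existing `config := &tls.Config{` on the line after the new `listenAddress := config.Get().Listen.HTTPS` now shadows the freshly imported config package for the rest of the function; it compiles, but any later `config.Get()` in that body would silently resolve to the *tls.Config and fail to build, and the shadowing is easy to miss in review. Rename the local, e.g. `tlsConfig := &tls.Config{`, matching the name listenTLS in the web package already uses; the remainder of ServeHTTPS, including the other uses of that local, lies outside the hunk and needs the same rename.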


@ -54,10 +54,10 @@ func RunMetricsServer() {
return return
} }
}) })
l.WithField("listen", config.Get().Web.ListenMetrics).Info("Starting Metrics server") l.WithField("listen", config.Get().Listen.Metrics).Info("Starting Metrics server")
err := http.ListenAndServe(config.Get().Web.ListenMetrics, m) err := http.ListenAndServe(config.Get().Listen.Metrics, m)
if err != nil { if err != nil {
l.WithError(err).Warning("Failed to start metrics server") l.WithError(err).Warning("Failed to start metrics server")
} }
l.WithField("listen", config.Get().Web.ListenMetrics).Info("Stopping Metrics server") l.WithField("listen", config.Get().Listen.Metrics).Info("Stopping Metrics server")
} }


@ -41,7 +41,7 @@ func (ws *WebServer) listenTLS() {
GetCertificate: ws.GetCertificate(), GetCertificate: ws.GetCertificate(),
} }
ln, err := net.Listen("tcp", config.Get().Web.ListenTLS) ln, err := net.Listen("tcp", config.Get().Listen.HTTPS)
if err != nil { if err != nil {
ws.log.WithError(err).Fatalf("failed to listen (TLS)") ws.log.WithError(err).Fatalf("failed to listen (TLS)")
return return
@ -50,7 +50,7 @@ func (ws *WebServer) listenTLS() {
defer proxyListener.Close() defer proxyListener.Close()
tlsListener := tls.NewListener(proxyListener, tlsConfig) tlsListener := tls.NewListener(proxyListener, tlsConfig)
ws.log.WithField("listen", config.Get().Web.ListenTLS).Info("Starting HTTPS server") ws.log.WithField("listen", config.Get().Listen.HTTPS).Info("Starting HTTPS server")
ws.serve(tlsListener) ws.serve(tlsListener)
ws.log.WithField("listen", config.Get().Web.ListenTLS).Info("Stopping HTTPS server") ws.log.WithField("listen", config.Get().Listen.HTTPS).Info("Stopping HTTPS server")
} }


@ -68,16 +68,16 @@ func (ws *WebServer) Shutdown() {
} }
func (ws *WebServer) listenPlain() { func (ws *WebServer) listenPlain() {
ln, err := net.Listen("tcp", config.Get().Web.Listen) ln, err := net.Listen("tcp", config.Get().Listen.HTTP)
if err != nil { if err != nil {
ws.log.WithError(err).Fatal("failed to listen") ws.log.WithError(err).Fatal("failed to listen")
} }
proxyListener := &proxyproto.Listener{Listener: ln} proxyListener := &proxyproto.Listener{Listener: ln}
defer proxyListener.Close() defer proxyListener.Close()
ws.log.WithField("listen", config.Get().Web.Listen).Info("Starting HTTP server") ws.log.WithField("listen", config.Get().Listen.HTTP).Info("Starting HTTP server")
ws.serve(proxyListener) ws.serve(proxyListener)
ws.log.WithField("listen", config.Get().Web.Listen).Info("Stopping HTTP server") ws.log.WithField("listen", config.Get().Listen.HTTP).Info("Stopping HTTP server")
} }
func (ws *WebServer) serve(listener net.Listener) { func (ws *WebServer) serve(listener net.Listener) {


@ -37,6 +37,15 @@ All of these variables can be set to values, but you can also use a URI-like for
- `AUTHENTIK_REDIS__CACHE_TIMEOUT_POLICIES`: Timeout for cached policies until they expire in seconds, defaults to 300 - `AUTHENTIK_REDIS__CACHE_TIMEOUT_POLICIES`: Timeout for cached policies until they expire in seconds, defaults to 300
- `AUTHENTIK_REDIS__CACHE_TIMEOUT_REPUTATION`: Timeout for cached reputation until they expire in seconds, defaults to 300 - `AUTHENTIK_REDIS__CACHE_TIMEOUT_REPUTATION`: Timeout for cached reputation until they expire in seconds, defaults to 300
## Listen Setting
- `AUTHENTIK_LISTEN__HTTP`: Listening port for HTTP (Server and Proxy outpost)
- `AUTHENTIK_LISTEN__HTTPS`: Listening port for HTTPS (Server and Proxy outpost)
- `AUTHENTIK_LISTEN__LDAP`: Listening port for LDAP (LDAP outpost)
- `AUTHENTIK_LISTEN__LDAPS`: Listening port for LDAPS (LDAP outpost)
- `AUTHENTIK_LISTEN__METRICS`: Listening port for Prometheus metrics (All)
- `AUTHENTIK_LISTEN__DEBUG`: Listening port for Go Debugging metrics (All)
## authentik Settings ## authentik Settings
### `AUTHENTIK_SECRET_KEY` ### `AUTHENTIK_SECRET_KEY`