outpost/embedded: use redis session backend

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens Langhammer 2021-08-07 22:12:22 +02:00
parent 3eafa4711e
commit e02207f38d
4 changed files with 38 additions and 0 deletions

View file

@ -20,6 +20,7 @@ redis:
cache_db: 0 cache_db: 0
message_queue_db: 1 message_queue_db: 1
ws_db: 2 ws_db: 2
outpost_session_db: 3
cache_timeout: 300 cache_timeout: 300
cache_timeout_flows: 300 cache_timeout_flows: 300
cache_timeout_policies: 300 cache_timeout_policies: 300

View file

@ -7,6 +7,23 @@ type Config struct {
Paths PathsConfig `yaml:"paths"` Paths PathsConfig `yaml:"paths"`
LogLevel string `yaml:"log_level" env:"AUTHENTIK_LOG_LEVEL"` LogLevel string `yaml:"log_level" env:"AUTHENTIK_LOG_LEVEL"`
ErrorReporting ErrorReportingConfig `yaml:"error_reporting"` ErrorReporting ErrorReportingConfig `yaml:"error_reporting"`
Redis RedisConfig `yaml:"redis"`
}
type RedisConfig struct {
Host string `yaml:"host" env:"AUTHENTIK_REDIS__HOST"`
Port int `yaml:"port" env:"AUTHENTIK_REDIS__PORT"`
Password string `yaml:"password" env:"AUTHENTIK_REDIS__PASSWORD"`
TLS bool `yaml:"tls" env:"AUTHENTIK_REDIS__TLS"`
TLSReqs string `yaml:"tls_reqs" env:"AUTHENTIK_REDIS__TLS_REQS"`
CacheDB int `yaml:"cache_db" env:"AUTHENTIK_REDIS__CACHE_DB"`
MessageQueueDB int `yaml:"message_queue_db" env:"AUTHENTIK_REDIS__MESSAGE_QUEUE_DB"`
WSDB int `yaml:"ws_db" env:"AUTHENTIK_REDIS__WS_DB"`
OutpostSessionDB int `yaml:"outpost_session_db" env:"AUTHENTIK_REDIS__OUTPOST_SESSION_DB"`
CacheTimeout int `yaml:"cache_timeout" env:"AUTHENTIK_REDIS__CACHE_TIMEOUT"`
CacheTimeoutFlows int `yaml:"cache_timeout_flows" env:"AUTHENTIK_REDIS__CACHE_TIMEOUT_FLOWS"`
CacheTimeoutPolicies int `yaml:"cache_timeout_policies" env:"AUTHENTIK_REDIS__CACHE_TIMEOUT_POLICIES"`
CacheTimeoutReputation int `yaml:"cache_timeout_reputation" env:"AUTHENTIK_REDIS__CACHE_TIMEOUT_REPUTATION"`
} }
type WebConfig struct { type WebConfig struct {

View file

@ -1,9 +1,13 @@
package proxy package proxy
import ( import (
"fmt"
"time" "time"
log "github.com/sirupsen/logrus"
"github.com/oauth2-proxy/oauth2-proxy/pkg/apis/options" "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/options"
"goauthentik.io/internal/config"
) )
func getCommonOptions() *options.Options { func getCommonOptions() *options.Options {
@ -16,5 +20,20 @@ func getCommonOptions() *options.Options {
commonOpts.Logging.SilencePing = true commonOpts.Logging.SilencePing = true
commonOpts.SetAuthorization = false commonOpts.SetAuthorization = false
commonOpts.Scope = "openid email profile ak_proxy" commonOpts.Scope = "openid email profile ak_proxy"
if config.G.Redis.Host != "" {
protocol := "redis"
if config.G.Redis.TLS {
protocol = "rediss"
}
url := fmt.Sprintf("%s://@%s:%d/%d", protocol, config.G.Redis.Host, config.G.Redis.Port, config.G.Redis.OutpostSessionDB)
log.WithField("url", url).Info("Using redis session backend")
commonOpts.Session.Redis = options.RedisStoreOptions{
ConnectionURL: url,
Password: config.G.Redis.Password,
}
if config.G.Redis.TLSReqs != "" {
commonOpts.Session.Redis.InsecureSkipTLSVerify = true
}
}
return commonOpts return commonOpts
} }

View file

@ -29,6 +29,7 @@ All of these variables can be set to values, but you can also use a URI-like for
- `AUTHENTIK_REDIS__CACHE_DB`: Database for caching, defaults to 0 - `AUTHENTIK_REDIS__CACHE_DB`: Database for caching, defaults to 0
- `AUTHENTIK_REDIS__MESSAGE_QUEUE_DB`: Database for the message queue, defaults to 1 - `AUTHENTIK_REDIS__MESSAGE_QUEUE_DB`: Database for the message queue, defaults to 1
- `AUTHENTIK_REDIS__WS_DB`: Database for websocket connections, defaults to 2 - `AUTHENTIK_REDIS__WS_DB`: Database for websocket connections, defaults to 2
- `AUTHENTIK_REDIS__OUTPOST_SESSION_DB`: Database for sessions for the embedded outpost, defaults to 3
- `AUTHENTIK_REDIS__CACHE_TIMEOUT`: Timeout for cached data until it expires in seconds, defaults to 300 - `AUTHENTIK_REDIS__CACHE_TIMEOUT`: Timeout for cached data until it expires in seconds, defaults to 300
- `AUTHENTIK_REDIS__CACHE_TIMEOUT_FLOWS`: Timeout for cached flow plans until they expire in seconds, defaults to 300 - `AUTHENTIK_REDIS__CACHE_TIMEOUT_FLOWS`: Timeout for cached flow plans until they expire in seconds, defaults to 300
- `AUTHENTIK_REDIS__CACHE_TIMEOUT_POLICIES`: Timeout for cached polices until they expire in seconds, defaults to 300 - `AUTHENTIK_REDIS__CACHE_TIMEOUT_POLICIES`: Timeout for cached polices until they expire in seconds, defaults to 300