diff --git a/authentik/lib/default.yml b/authentik/lib/default.yml index 78527e8e9..3ef5b6193 100644 --- a/authentik/lib/default.yml +++ b/authentik/lib/default.yml @@ -7,11 +7,10 @@ postgresql: port: 5432 password: 'env://POSTGRES_PASSWORD' -web: - listen: 0.0.0.0:9000 - listen_tls: 0.0.0.0:9443 +listen: + listen_http: 0.0.0.0:9000 + listen_https: 0.0.0.0:9443 listen_metrics: 0.0.0.0:9300 - outpost_port_offset: 0 redis: host: localhost diff --git a/cmd/proxy/server.go b/cmd/proxy/server.go index 696f76247..bcf806f32 100644 --- a/cmd/proxy/server.go +++ b/cmd/proxy/server.go @@ -4,7 +4,6 @@ import ( "fmt" "net/url" "os" - "strconv" log "github.com/sirupsen/logrus" @@ -22,8 +21,7 @@ Required environment variables: - AUTHENTIK_INSECURE: Skip SSL Certificate verification Optionally, you can set these: -- AUTHENTIK_HOST_BROWSER: URL to use in the browser, when it differs from AUTHENTIK_HOST -- AUTHENTIK_PORT_OFFSET: Offset to add to the listening ports, i.e. value of 100 makes proxy listen on 9100` +- AUTHENTIK_HOST_BROWSER: URL to use in the browser, when it differs from AUTHENTIK_HOST` func main() { log.SetLevel(log.DebugLevel) @@ -47,15 +45,6 @@ func main() { fmt.Println(helpMessage) os.Exit(1) } - portOffset := 0 - portOffsetS := os.Getenv("AUTHENTIK_PORT_OFFSET") - if portOffsetS != "" { - v, err := strconv.Atoi(portOffsetS) - if err != nil { - fmt.Println(err.Error()) - } - portOffset = v - } akURLActual, err := url.Parse(akURL) if err != nil { @@ -72,7 +61,7 @@ func main() { os.Exit(1) } - ac.Server = proxyv2.NewProxyServer(ac, portOffset) + ac.Server = proxyv2.NewProxyServer(ac) err = ac.Start() if err != nil { diff --git a/cmd/server/main.go b/cmd/server/main.go index 3bca268bd..59dfff58d 100644 --- a/cmd/server/main.go +++ b/cmd/server/main.go @@ -61,7 +61,7 @@ func main() { g := gounicorn.NewGoUnicorn() ws := web.NewWebServer(g) g.HealthyCallback = func() { - if !config.Get().Web.DisableEmbeddedOutpost { + if !config.Get().DisableEmbeddedOutpost { go attemptProxyStart(ws, u) } } @@ -110,7 +110,7 @@ func attemptProxyStart(ws *web.WebServer, u *url.URL) { tw.Check() }) - srv := proxyv2.NewProxyServer(ac, 0) + srv := proxyv2.NewProxyServer(ac) ws.ProxyServer = srv ac.Server = srv l.Debug("attempting to start outpost") diff --git a/internal/config/config.go b/internal/config/config.go index 6e3ebf1fc..74e25e85e 100644 --- a/internal/config/config.go +++ b/internal/config/config.go @@ -19,6 +19,7 @@ var cfg *Config func Get() *Config { if cfg == nil { cfg = defaultConfig() + cfg.Setup() } return cfg } @@ -26,9 +27,11 @@ func Get() *Config { func defaultConfig() *Config { return &Config{ Debug: false, - Web: WebConfig{ - Listen: "localhost:9000", - ListenTLS: "localhost:9443", + Listen: ListenConfig{ + HTTP: "localhost:9000", + HTTPS: "localhost:9443", + LDAP: "localhost:3389", + LDAPS: "localhost:6636", }, Paths: PathsConfig{ Media: "./media", diff --git a/internal/config/struct.go b/internal/config/struct.go index e102fe8d3..9bde3bd3c 100644 --- a/internal/config/struct.go +++ b/internal/config/struct.go @@ -1,13 +1,14 @@ package config type Config struct { - Debug bool `yaml:"debug" env:"AUTHENTIK_DEBUG"` - SecretKey string `yaml:"secret_key" env:"AUTHENTIK_SECRET_KEY"` - Web WebConfig `yaml:"web"` - Paths PathsConfig `yaml:"paths"` - LogLevel string `yaml:"log_level" env:"AUTHENTIK_LOG_LEVEL"` - ErrorReporting ErrorReportingConfig `yaml:"error_reporting"` - Redis RedisConfig `yaml:"redis"` + Debug bool `yaml:"debug" env:"AUTHENTIK_DEBUG"` + SecretKey string `yaml:"secret_key" env:"AUTHENTIK_SECRET_KEY"` + Listen ListenConfig `yaml:"listen"` + Paths PathsConfig `yaml:"paths"` + LogLevel string `yaml:"log_level" env:"AUTHENTIK_LOG_LEVEL"` + ErrorReporting ErrorReportingConfig `yaml:"error_reporting"` + Redis RedisConfig `yaml:"redis"` + DisableEmbeddedOutpost bool `yaml:"disable_embedded_outpost" env:"AUTHENTIK_WEB__DISABLE_EMBEDDED_OUTPOST"` } type RedisConfig struct { @@ -26,11 +27,13 @@ type RedisConfig struct { CacheTimeoutReputation int `yaml:"cache_timeout_reputation" env:"AUTHENTIK_REDIS__CACHE_TIMEOUT_REPUTATION"` } -type WebConfig struct { - Listen string `yaml:"listen"` - ListenTLS string `yaml:"listen_tls"` - ListenMetrics string `yaml:"listen_metrics"` - DisableEmbeddedOutpost bool `yaml:"disable_embedded_outpost" env:"AUTHENTIK_WEB__DISABLE_EMBEDDED_OUTPOST"` +type ListenConfig struct { + HTTP string `yaml:"listen_http" env:"AUTHENTIK_LISTEN__HTTP"` + HTTPS string `yaml:"listen_https" env:"AUTHENTIK_LISTEN__HTTPS"` + LDAP string `yaml:"listen_ldap" env:"AUTHENTIK_LISTEN__LDAP,default=0.0.0.0:3389"` + LDAPS string `yaml:"listen_ldaps" env:"AUTHENTIK_LISTEN__LDAPS,default=0.0.0.0:6636"` + Metrics string `yaml:"listen_metrics" env:"AUTHENTIK_LISTEN__METRICS,default=0.0.0.0:9300"` + Debug string `yaml:"listen_debug" env:"AUTHENTIK_LISTEN__DEBUG,default=0.0.0.0:9900"` } type PathsConfig struct { diff --git a/internal/debug/debug.go b/internal/debug/debug.go index 231ba005d..199367445 100644 --- a/internal/debug/debug.go +++ b/internal/debug/debug.go @@ -7,6 +7,7 @@ import ( "strings" log "github.com/sirupsen/logrus" + "goauthentik.io/internal/config" ) func EnableDebugServer() { @@ -21,5 +22,5 @@ func EnableDebugServer() { h.HandleFunc("/debug/pprof/profile", pprof.Profile) h.HandleFunc("/debug/pprof/symbol", pprof.Symbol) h.HandleFunc("/debug/pprof/trace", pprof.Trace) - l.Println(http.ListenAndServe("0.0.0.0:9900", nil)) + l.Println(http.ListenAndServe(config.Get().Listen.Debug, nil)) } diff --git a/internal/outpost/ldap/ldap.go b/internal/outpost/ldap/ldap.go index ebec8d5e5..2388b62b0 100644 --- a/internal/outpost/ldap/ldap.go +++ b/internal/outpost/ldap/ldap.go @@ -7,6 +7,7 @@ import ( "github.com/pires/go-proxyproto" log "github.com/sirupsen/logrus" + "goauthentik.io/internal/config" "goauthentik.io/internal/crypto" "goauthentik.io/internal/outpost/ak" "goauthentik.io/internal/outpost/ldap/metrics" @@ -48,7 +49,7 @@ func (ls *LDAPServer) Type() string { } func (ls *LDAPServer) StartLDAPServer() error { - listen := "0.0.0.0:3389" + listen := config.Get().Listen.LDAP ln, err := net.Listen("tcp", listen) if err != nil { diff --git a/internal/outpost/ldap/ldap_tls.go b/internal/outpost/ldap/ldap_tls.go index d5afe8b3a..764ec086a 100644 --- a/internal/outpost/ldap/ldap_tls.go +++ b/internal/outpost/ldap/ldap_tls.go @@ -5,6 +5,7 @@ import ( "net" "github.com/pires/go-proxyproto" + "goauthentik.io/internal/config" ) func (ls *LDAPServer) getCertificates(info *tls.ClientHelloInfo) (*tls.Certificate, error) { @@ -28,7 +29,7 @@ func (ls *LDAPServer) getCertificates(info *tls.ClientHelloInfo) (*tls.Certifica } func (ls *LDAPServer) StartLDAPTLSServer() error { - listen := "0.0.0.0:6636" + listen := config.Get().Listen.LDAPS tlsConfig := &tls.Config{ MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12, diff --git a/internal/outpost/ldap/metrics/metrics.go b/internal/outpost/ldap/metrics/metrics.go index bbe233691..d644964d4 100644 --- a/internal/outpost/ldap/metrics/metrics.go +++ b/internal/outpost/ldap/metrics/metrics.go @@ -4,6 +4,7 @@ import ( "net/http" log "github.com/sirupsen/logrus" + "goauthentik.io/internal/config" "goauthentik.io/internal/utils/sentry" "github.com/gorilla/mux" @@ -31,7 +32,7 @@ func RunServer() { rw.WriteHeader(204) }) m.Path("/metrics").Handler(promhttp.Handler()) - listen := "0.0.0.0:9300" + listen := config.Get().Listen.Metrics l.WithField("listen", listen).Info("Starting Metrics server") err := http.ListenAndServe(listen, m) if err != nil { diff --git a/internal/outpost/proxyv2/metrics/metrics.go b/internal/outpost/proxyv2/metrics/metrics.go index 2848fff94..048ddaf79 100644 --- a/internal/outpost/proxyv2/metrics/metrics.go +++ b/internal/outpost/proxyv2/metrics/metrics.go @@ -4,6 +4,7 @@ import ( "net/http" log "github.com/sirupsen/logrus" + "goauthentik.io/internal/config" "goauthentik.io/internal/utils/sentry" "github.com/gorilla/mux" @@ -31,7 +32,7 @@ func RunServer() { rw.WriteHeader(204) }) m.Path("/metrics").Handler(promhttp.Handler()) - listen := "0.0.0.0:9300" + listen := config.Get().Listen.Metrics l.WithField("listen", listen).Info("Starting Metrics server") err := http.ListenAndServe(listen, m) if err != nil { diff --git a/internal/outpost/proxyv2/proxyv2.go b/internal/outpost/proxyv2/proxyv2.go index 7cf87b66a..3acaccef9 100644 --- a/internal/outpost/proxyv2/proxyv2.go +++ b/internal/outpost/proxyv2/proxyv2.go @@ -4,7 +4,6 @@ import ( "context" "crypto/tls" "errors" - "fmt" "net" "net/http" "sync" @@ -14,6 +13,7 @@ import ( "github.com/pires/go-proxyproto" log "github.com/sirupsen/logrus" "goauthentik.io/api/v3" + "goauthentik.io/internal/config" "goauthentik.io/internal/crypto" "goauthentik.io/internal/outpost/ak" "goauthentik.io/internal/outpost/proxyv2/application" @@ -23,9 +23,6 @@ import ( ) type ProxyServer struct { - Listen string - PortOffset int - defaultCert tls.Certificate stop chan struct{} // channel for waiting shutdown @@ -36,7 +33,7 @@ type ProxyServer struct { akAPI *ak.APIController } -func NewProxyServer(ac *ak.APIController, portOffset int) *ProxyServer { +func NewProxyServer(ac *ak.APIController) *ProxyServer { l := log.WithField("logger", "authentik.outpost.proxyv2") defaultCert, err := crypto.GenerateSelfSignedCert() if err != nil { @@ -55,9 +52,6 @@ func NewProxyServer(ac *ak.APIController, portOffset int) *ProxyServer { globalMux.Use(web.NewLoggingHandler(l.WithField("logger", "authentik.outpost.proxyv2.http"), nil)) globalMux.Use(sentryhttp.New(sentryhttp.Options{}).Handle) s := &ProxyServer{ - Listen: "0.0.0.0:%d", - PortOffset: portOffset, - cryptoStore: ak.NewCryptoStore(ac.Client.CryptoApi), apps: make(map[string]*application.Application), log: l, @@ -116,7 +110,7 @@ func (ps *ProxyServer) getCertificates(info *tls.ClientHelloInfo) (*tls.Certific // ServeHTTP constructs a net.Listener and starts handling HTTP requests func (ps *ProxyServer) ServeHTTP() { - listenAddress := fmt.Sprintf(ps.Listen, 9000+ps.PortOffset) + listenAddress := config.Get().Listen.HTTP listener, err := net.Listen("tcp", listenAddress) if err != nil { ps.log.WithField("listen", listenAddress).WithError(err).Fatalf("listen failed") @@ -131,7 +125,7 @@ func (ps *ProxyServer) ServeHTTP() { // ServeHTTPS constructs a net.Listener and starts handling HTTPS requests func (ps *ProxyServer) ServeHTTPS() { - listenAddress := fmt.Sprintf(ps.Listen, 9443+ps.PortOffset) + listenAddress := config.Get().Listen.HTTPS config := &tls.Config{ MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12, diff --git a/internal/web/metrics.go b/internal/web/metrics.go index 2831abd4f..e7e58cce5 100644 --- a/internal/web/metrics.go +++ b/internal/web/metrics.go @@ -54,10 +54,10 @@ func RunMetricsServer() { return } }) - l.WithField("listen", config.Get().Web.ListenMetrics).Info("Starting Metrics server") - err := http.ListenAndServe(config.Get().Web.ListenMetrics, m) + l.WithField("listen", config.Get().Listen.Metrics).Info("Starting Metrics server") + err := http.ListenAndServe(config.Get().Listen.Metrics, m) if err != nil { l.WithError(err).Warning("Failed to start metrics server") } - l.WithField("listen", config.Get().Web.ListenMetrics).Info("Stopping Metrics server") + l.WithField("listen", config.Get().Listen.Metrics).Info("Stopping Metrics server") } diff --git a/internal/web/tls.go b/internal/web/tls.go index 38f6c93cd..21af2f1ee 100644 --- a/internal/web/tls.go +++ b/internal/web/tls.go @@ -41,7 +41,7 @@ func (ws *WebServer) listenTLS() { GetCertificate: ws.GetCertificate(), } - ln, err := net.Listen("tcp", config.Get().Web.ListenTLS) + ln, err := net.Listen("tcp", config.Get().Listen.HTTPS) if err != nil { ws.log.WithError(err).Fatalf("failed to listen (TLS)") return @@ -50,7 +50,7 @@ func (ws *WebServer) listenTLS() { defer proxyListener.Close() tlsListener := tls.NewListener(proxyListener, tlsConfig) - ws.log.WithField("listen", config.Get().Web.ListenTLS).Info("Starting HTTPS server") + ws.log.WithField("listen", config.Get().Listen.HTTPS).Info("Starting HTTPS server") ws.serve(tlsListener) - ws.log.WithField("listen", config.Get().Web.ListenTLS).Info("Stopping HTTPS server") + ws.log.WithField("listen", config.Get().Listen.HTTPS).Info("Stopping HTTPS server") } diff --git a/internal/web/web.go b/internal/web/web.go index 86a5d7f8e..8714e8363 100644 --- a/internal/web/web.go +++ b/internal/web/web.go @@ -68,16 +68,16 @@ func (ws *WebServer) Shutdown() { } func (ws *WebServer) listenPlain() { - ln, err := net.Listen("tcp", config.Get().Web.Listen) + ln, err := net.Listen("tcp", config.Get().Listen.HTTP) if err != nil { ws.log.WithError(err).Fatal("failed to listen") } proxyListener := &proxyproto.Listener{Listener: ln} defer proxyListener.Close() - ws.log.WithField("listen", config.Get().Web.Listen).Info("Starting HTTP server") + ws.log.WithField("listen", config.Get().Listen.HTTP).Info("Starting HTTP server") ws.serve(proxyListener) - ws.log.WithField("listen", config.Get().Web.Listen).Info("Stopping HTTP server") + ws.log.WithField("listen", config.Get().Listen.HTTP).Info("Stopping HTTP server") } func (ws *WebServer) serve(listener net.Listener) { diff --git a/website/docs/installation/configuration.md b/website/docs/installation/configuration.md index 02ab63992..b7a176cd6 100644 --- a/website/docs/installation/configuration.md +++ b/website/docs/installation/configuration.md @@ -37,6 +37,15 @@ All of these variables can be set to values, but you can also use a URI-like for - `AUTHENTIK_REDIS__CACHE_TIMEOUT_POLICIES`: Timeout for cached policies until they expire in seconds, defaults to 300 - `AUTHENTIK_REDIS__CACHE_TIMEOUT_REPUTATION`: Timeout for cached reputation until they expire in seconds, defaults to 300 +## Listen Setting + +- `AUTHENTIK_LISTEN__HTTP`: Listening port for HTTP (Server and Proxy outpost) +- `AUTHENTIK_LISTEN__HTTPS`: Listening port for HTTPS (Server and Proxy outpost) +- `AUTHENTIK_LISTEN__LDAP`: Listening port for LDAP (LDAP outpost) +- `AUTHENTIK_LISTEN__LDAPS`: Listening port for LDAPS (LDAP outpost) +- `AUTHENTIK_LISTEN__METRICS`: Listening port for Prometheus metrics (All) +- `AUTHENTIK_LISTEN__DEBUG`: Listening port for Go Debugging metrics (All) + ## authentik Settings ### `AUTHENTIK_SECRET_KEY`