diff --git a/.env b/.env index 5654595..0165d4d 100644 --- a/.env +++ b/.env @@ -40,3 +40,5 @@ SONIC_INGEST_PASS=SecretPassword SEARCH_ACTIVE=true KANIDM_IDM_ADMIN_PASS=2MScM5Cr2ANyLRps4ccGZjSJdx8bth6yXEwKJDqYU5ZdNfKN + +RAUTHY_API_KEY=oidc$1nrMx5FY6crQaejAKTBAFlx8t8ObnKOUUSBhlBkkUBnyCfwAJvKmlEQ5LoqanRyn diff --git a/config/rauth.nginx b/config/rauth.nginx index 1c42890..84cb32e 100644 --- a/config/rauth.nginx +++ b/config/rauth.nginx @@ -3,7 +3,7 @@ server { server_name rauthy.lvh; location ~ / { - proxy_pass http://rauthy:8080; + proxy_pass http://rauthy:8301; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; diff --git a/config/rauthy.cfg b/config/rauthy.cfg index d403eb7..eeed024 100644 --- a/config/rauthy.cfg +++ b/config/rauthy.cfg @@ -17,7 +17,7 @@ # If you don't need the extra validations, you can set this to `false` to # save some resources, if your clients to a lot of `/userinfo` lookups. # default: true -#USERINFO_STRICT=true +USERINFO_STRICT=false # Can be used when 'OPEN_USER_REG=true' to restrict the domains # for a registration. For instance, set it to @@ -60,7 +60,7 @@ # in the Admin UI. If these are correct, your setup is okay. # # (default: true) -# SESSION_VALIDATE_IP=false +SESSION_VALIDATE_IP=false # By default, Rauthy will log a warning into the logs, if an active password # reset form is being access multiple times from different hosts. You can set 
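Review bot: The `+RAUTHY_API_KEY=…` line commits a live-looking API key to `.env` (the context lines show `KANIDM_IDM_ADMIN_PASS` already committed the same way), so everything in this hunk should be treated as exposed and rotated, and `.env` kept out of version control. Commit a `.env.example` with placeholders instead, e.g. `RAUTHY_API_KEY=<set-locally>`, and add `.env` to `.gitignore`. Separately, the value contains a bare `$`; if this `.env` is read by docker compose in this repo, `$` is the interpolation sigil there and would need escaping as `$$` — worth confirming against how the file is loaded.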
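Review bot: `location ~ /` is a regex location that matches every URI; the usual form for a catch-all is the prefix location `location / {`, which avoids regex-precedence surprises if more locations are added later (the server block continues outside the hunk). The new upstream port matches `LISTEN_PORT_HTTP=8301` set in docker-compose.yml in this commit, so the port change itself looks consistent. Note, though, that rauthy.cfg in the same commit switches `PROXY_MODE` to `false` and `PUB_URL` to `localhost:8301`, while this server still answers for `rauthy.lvh` on port 80; if nginx is meant to stay in front, those two settings no longer describe this path.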
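Review bot: `USERINFO_STRICT=false` turns off the extra `/userinfo` validations described right above it without a comment saying why; the same pattern recurs in hunk `@@ -60,7 +60,7 @@` (`SESSION_VALIDATE_IP=false`, documented default `true`) and hunk `@@ -900,7 +900,7 @@` (`ADMIN_FORCE_MFA=false`, documented default `true`). Each of these relaxes a protection whose default the file itself recommends, so add a one-line justification above each, e.g. `# local dev only: relaxed for the compose setup — keep the default in production`, or leave them at the commented defaults if they are not needed here. `ADMIN_FORCE_MFA=false` in particular lowers the bar for the admin UI and is the one most worth leaving at its default.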
@@ -81,17 +81,17 @@ # Cloudflare, which adds custom headers in this case. # For instance, if your requests are proxied through cloudflare, your would # set `CF-Connecting-IP`. -# PEER_IP_HEADER_NAME="CF-Connecting-IP" -PEER_IP_HEADER_NAME="X-Forwarded-For" +PEER_IP_HEADER_NAME="CF-Connecting-IP" # You can enable authn/authz headers which would be added to the response -# of the `/auth/v1/forward_auth` endpoint. With `AUTH_HEADERS_ENABLE=true`, +# of the `/auth/v1/oidc/forward_auth` endpoint. With `AUTH_HEADERS_ENABLE=true`, # the headers below will be added to authenticated requests. These could # be used on legacy downstream applications, that don't support OIDC on # their own. # However, be careful when using this, since this kind of authn/authz has # a lot of pitfalls out of the scope of Rauthy. -# AUTH_HEADERS_ENABLE=true +# default: false +AUTH_HEADERS_ENABLE=true # Configure the header names being used for the different values. # You can change them to your needs, if you cannot easily change your @@ -174,7 +174,7 @@ AUTH_HEADER_MFA=x-forwarded-user-mfa #S3_BUCKET=my_s3_bucket_name #S3_ACCESS_KEY= #S3_ACCESS_SECRET= -#S3_DANGER_ACCEPT_INVALID_CERTS=false +#S3_DANGER_ALLOW_INSECURE=false # Restores the given backup # @@ -217,7 +217,7 @@ BOOTSTRAP_ADMIN_EMAIL=admin@localhost.de # If set, this plain text password will be used for the # initial admin password instead of generating a random # password. -BOOTSTRAP_ADMIN_PASSWORD_PLAIN="n!U@vNYM9*SQpS" +# BOOTSTRAP_ADMIN_PASSWORD_PLAIN="123SuperSafe" # If set, this will take the argon2id hashed password # during the initialization of an empty production database. 
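Review bot: `PEER_IP_HEADER_NAME="CF-Connecting-IP"` names a header nothing in this repo sets — config/rauth.nginx only sets `X-Real-IP` and `X-Forwarded-For`, and no Cloudflare tier appears in docker-compose.yml — so the removed `PEER_IP_HEADER_NAME="X-Forwarded-For"` looks like the intended value if nginx stays in front. The file's own text later on (hunk `@@ -941,43 +941,43 @@`) says `TRUSTED_PROXIES` is mandatory whenever `PEER_IP_HEADER_NAME` is set, yet that hunk comments `TRUSTED_PROXIES` out; either keep it populated with the proxy's source range or unset `PEER_IP_HEADER_NAME` as well. `AUTH_HEADERS_ENABLE=true` is switched on directly under a comment warning about its pitfalls, with no downstream consumer visible in this commit; a comment naming the consumer, or leaving it at `default: false`, would make the intent clear.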
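Review bot: Commenting out `BOOTSTRAP_ADMIN_PASSWORD_PLAIN` does not remove the previous plaintext value from history, so that password should be considered disclosed and changed on any instance that was bootstrapped with it. The replacement example `123SuperSafe` is also the Postgres password used in docker-compose.yml's `DATABASE_URL`; reusing one string across examples invites copy-paste into real deployments, so a clearly fake placeholder such as `# BOOTSTRAP_ADMIN_PASSWORD_PLAIN="<choose-a-strong-password>"` would be safer.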
@@ -285,17 +285,17 @@ BOOTSTRAP_ADMIN_PASSWORD_PLAIN="n!U@vNYM9*SQpS" # If the cache should start in HA mode or standalone # accepts 'true|false', defaults to 'false' -HA_MODE=false +#HA_MODE=false # The connection strings (with hostnames) of the HA instances # as a CSV. # Format: 'scheme://hostname:port' -HA_HOSTS="http://rauthy-0.rauthy:8080" +#HA_HOSTS="http://rauthy-0.rauthy:8000, http://rauthy-1.rauthy:8000, http://rauthy-2.rauthy:8000" # Overwrite the hostname which is used to identify each cache member. # Useful in scenarios, where for instance all members are on the same host with # different ports or for testing. -HOSTNAME_OVERWRITE="rauthy-0.rauthy:8080" +#HOSTNAME_OVERWRITE="rauthy-0.rauthy:8080" ## Define buffer sizes for channels between the components # Buffer for client requests on the incoming stream - server @@ -377,8 +377,7 @@ CACHE_USERS_LIFESPAN=28800 # #DATABASE_URL=sqlite::memory: #DATABASE_URL=sqlite:data/rauthy.db -# DATABASE_URL=postgresql://rauthy:123SuperSafe@localhost:5432/rauthy -DATABASE_URL=postgresql://rauthy:123SuperSafe@rauthy-psql:5432/rauthy +#DATABASE_URL=postgresql://rauthy:123SuperSafe@localhost:5432/rauthy # Max DB connections - irrelevant for SQLite (default: 5) #DATABASE_MAX_CONN=5 @@ -435,7 +434,7 @@ DPOP_NONCE_EXP=900 # handled properly and your users just login blindly to any client # they get redirected to. # default: false -ENABLE_DYN_CLIENT_REG=false +#ENABLE_DYN_CLIENT_REG=false # If specified, this secret token will be expected during # dynamic client registrations to be given as a 
@@ -515,12 +514,12 @@ EMAIL_SUB_PREFIX="Rauthy IAM" # TLS fails. It will never allow an unencrypted connection. # You might want to set `SMTP_DANGER_INSECURE=true` if you # need this for local dev. -SMTP_URL=mailcrab -SMTP_USERNAME= -SMTP_PASSWORD= +#SMTP_URL= +#SMTP_USERNAME= +#SMTP_PASSWORD= # Format: "Rauthy " # default: "Rauthy " -SMTP_FROM=notif@example.com +#SMTP_FROM= # The number of retries that should be done for connecting to # the given SMTP_URL. @@ -537,7 +536,7 @@ SMTP_FROM=notif@example.com # ignored and you can modify the target port with # `SMTP_DANGER_INSECURE_PORT`. # default: false -SMTP_DANGER_INSECURE=true +#SMTP_DANGER_INSECURE=false # The port for an insecure SMTP relay. # This will most likely be used for testing only. @@ -662,7 +661,7 @@ MAX_HASH_THREADS=1 ##################################### # The E-Mail address event notifications should be sent to. -#EVENT_EMAIL=admin@localhost.de +EVENT_EMAIL=admin@localhost.de # Matrix variables for event notifications. # `EVENT_MATRIX_USER_ID` and `EVENT_MATRIX_ROOM_ID` are mandatory. @@ -673,7 +672,7 @@ MAX_HASH_THREADS=1 # you should provide `EVENT_MATRIX_ACCESS_TOKEN`. # If both are given, the `EVENT_MATRIX_ACCESS_TOKEN` will be preferred. # -# If left empty, no messages will be sent to Slack. +# If left empty, no messages will be sent to Matrix. # Format: `@:` #EVENT_MATRIX_USER_ID= # Format: `!:` @@ -703,7 +702,7 @@ MAX_HASH_THREADS=1 # The notification level for events. Works the same way as a logging level. # For instance: 'notice' means send out a notifications for all events with -# the info level or higher. +# the notice level or higher. # Possible values: # - info # - notice 
@@ -726,11 +725,11 @@ EVENT_NOTIFY_LEVEL_SLACK=notice # - warning # - critical # default: 'info' -EVENT_PERSIST_LEVEL=info +#EVENT_PERSIST_LEVEL=info # Define the number of days when events should be cleaned up from the database. # default: 31 -EVENT_CLEANUP_DAYS=31 +#EVENT_CLEANUP_DAYS=31 # The level for the generated Event after a new user has been registered. # default: info @@ -790,7 +789,7 @@ EVENT_LEVEL_FAILED_LOGIN=info # by doing a request to the Github API to check the latest release. # This ignores any type of prerelease and will only notify for a new stable. # default: false -DISABLE_APP_VERSION_CHECK=true +#DISABLE_APP_VERSION_CHECK=false ##################################### ############## FED CM ############### @@ -838,14 +837,15 @@ DISABLE_APP_VERSION_CHECK=true # Session lifetime in seconds - the session can not be # extended beyond this time and a new login will be forced. -# This is the session for the authorization code flow. (default: 14400) +# This is the session for the authorization code flow. +# (default: 14400) #SESSION_LIFETIME=14400 # If 'true', a 2FA / MFA check will be done with each automatic # token generation, even with an active session, which kind of # makes the session useless with Webauthn enabled, but provides # maximum amount of security. -# If 'false', the user will not get a MFA prompt with an active +# If 'false', the user will not get an MFA prompt with an active # session at the authorization endpoint. # (default: false) #SESSION_RENEW_MFA=false @@ -873,7 +873,7 @@ DISABLE_APP_VERSION_CHECK=true # This is the log level for stdout logs # Accepts: error, info, debug, trace (default: info) -LOG_LEVEL=trace +#LOG_LEVEL=info # This is a special config which allows the configuration of # customized access logs. These logs will be logged with each 
@@ -900,7 +900,7 @@ LOG_LEVEL=trace # If 'true', MFA for an account must be enabled to access the # rauthy admin UI (default: true) -#ADMIN_FORCE_MFA=true +ADMIN_FORCE_MFA=false ##################################### ############## POW ################# @@ -923,12 +923,12 @@ POW_EXP=30 # The server address to listen on. Can bind to a specific IP. # default: 0.0.0.0 -LISTEN_ADDRESS=0.0.0.0 +#LISTEN_ADDRESS=0.0.0.0 # The listen ports for HTTP / HTTPS, depending on the # activated 'LISTEN_SCHEME' # default: 8080 -LISTEN_PORT_HTTP=8080 +#LISTEN_PORT_HTTP=8080 # default: 8443 #LISTEN_PORT_HTTPS=8443 
@@ -941,43 +941,43 @@ LISTEN_SCHEME=http # HEADER later on, which is especially important when running # rauthy behind a reverse proxy. In case of a non-standard # port (80/443), you need to add the port to the PUB_URL -PUB_URL=rauthy.lvh +PUB_URL=localhost:8301 # default value: number of available physical cores -HTTP_WORKERS=10 +#HTTP_WORKERS=1 # When rauthy is running behind a reverse proxy, set to true # default: false -PROXY_MODE=true +PROXY_MODE=false # A `\n` separated list of trusted proxy CIDRs. # When `PROXY_MODE=true` or `PEER_IP_HEADER_NAME` is set, # these are mandatory to be able to extract the real client # IP properly and safely to prevent IP header spoofing. # All requests with a different source will be blocked. -TRUSTED_PROXIES=" -192.168.14.0/24 -" +#TRUSTED_PROXIES=" +#192.168.14.0/24 +#" # To enable or disable the additional HTTP server to expose the /metrics endpoint # default: true -METRICS_ENABLE=true +# METRICS_ENABLE=true # The IP address to listen on for the /metrics endpoint. # You do not want to expose your metrics on a publicly reachable endpoint! # default: 0.0.0.0 -METRICS_ADDR=0.0.0.0 +# METRICS_ADDR=0.0.0.0 # The post to listen on for the /metrics endpoint. # You do not want to expose your metrics on a publicly reachable endpoint! # default: 9090 -METRICS_PORT=8302 +# METRICS_PORT=9090 # If the Swagger UI should be served together with the /metrics route on the internal # server. It it then reachable via: # http://METRICS_ADDR:METRICS_PORT/docs/v1/swagger-ui/ # default: true -SWAGGER_UI_INTERNAL=true +# SWAGGER_UI_INTERNAL=true # If the Swagger UI should be served externally as well. This makes the link in the # Admin UI work. 
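Review bot: `PROXY_MODE=false` contradicts the deployment this commit keeps: docker-compose.yml still runs `rauthy-nginx` with `depends_on: rauthy`, and config/rauth.nginx proxies to `rauthy:8301`, while the comment above this line says to set it to `true` behind a reverse proxy. Together with `TRUSTED_PROXIES` being commented out while `PEER_IP_HEADER_NAME` stays set (hunk `@@ -81,17 +81,17 @@`), client-IP handling is now inconsistent between the two access paths. `PUB_URL=localhost:8301` likewise describes direct access on the published port rather than the `rauthy.lvh` name nginx serves; decide whether nginx is part of this setup and align `PUB_URL`, `PROXY_MODE` and `TRUSTED_PROXIES` with that choice — e.g. `PROXY_MODE=true` plus a `TRUSTED_PROXIES` entry for the compose network — or drop the nginx service.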
@@ -986,7 +986,7 @@ SWAGGER_UI_INTERNAL=true # Rauthy is open source, which means anyone could just download it and see on their # own, but it may be a security concern to just expose less information. # default: false -SWAGGER_UI_EXTERNAL=true +#SWAGGER_UI_EXTERNAL=false # The interval in seconds in which keep-alives should be sent to SSE clients. # Depending on your network setup, proxy timeouts, ... @@ -1061,7 +1061,7 @@ SWAGGER_UI_EXTERNAL=true # Enable / disable TLS for the cache communication # (default: true) -CACHE_TLS=false +CACHE_TLS=true # The path to the server TLS certificate PEM file # default: tls/redhac.cert-chain.pem @@ -1089,7 +1089,7 @@ CACHE_TLS_SERVER_KEY=tls/key.pem # 'X509v3 Subject Alternative Name' when you take a look at # the servers certificate with the openssl tool. # default: redhac.local -CACHE_TLS_CLIENT_VALIDATE_DOMAIN=rauthy.lvh +CACHE_TLS_CLIENT_VALIDATE_DOMAIN=redhac.local # Can be used if you need to overwrite the SNI when the # client connects to the server, for instance if you are @@ -1105,12 +1105,12 @@ CACHE_TLS_CLIENT_VALIDATE_DOMAIN=rauthy.lvh # (default: localhost) # CAUTION: When this changes, already registered devices will stop # working and users cannot log in anymore! -RP_ID=rauthy.lvh +RP_ID=localhost # Url containing the effective domain name # (default: http://localhost:8080) # CAUTION: Must include the port number! -RP_ORIGIN=http://rauthy.lvh +RP_ORIGIN=http://localhost:8080 # Non critical RP Name # Has no security properties and may be changed without issues @@ -1141,7 +1141,7 @@ RP_NAME='Rauthy Webauthn' # again. That is why we should ask for the original password # in addition once in a while to set the cookie. # The value is in hours (default: 2160) -#WEBAUTHN_RENEW_EXP=2160 +WEBAUTHN_RENEW_EXP=2160 # This feature can be set to 'true' to force User verification # during the Webauthn ceremony. UV will be true, if the user 
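Review bot: `RP_ORIGIN=http://localhost:8080` does not match the port the browser now reaches rauthy on: `PUB_URL` becomes `localhost:8301` in hunk `@@ -941,43 +941,43 @@`, docker-compose.yml sets `LISTEN_PORT_HTTP=8301` and publishes `8301:8301`, and the comment above `RP_ORIGIN` states the port must be included. Presumably this value is what Webauthn origin checks are compared against, so with the mismatch passkey registration and login would fail; `RP_ORIGIN=http://localhost:8301` is the value consistent with the rest of this commit. The `RP_ID=localhost` change fits that, but as the caution above it says, any devices registered under `rauthy.lvh` stop working.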
@@ -1153,7 +1153,7 @@ RP_NAME='Rauthy Webauthn' # option, since Android and some special combinations of OS + # browser to not support UV yet. # (default: false) -#WEBAUTHN_FORCE_UV=false +WEBAUTHN_FORCE_UV=false # Can be set to 'true' to disable password expiry for users # that have at least one active passkey. When set to 'false', @@ -1162,4 +1162,4 @@ RP_NAME='Rauthy Webauthn' # With this option active, rauthy will ignore any password # expiry set by the password policy for Webauthn users. # default: true -WEBAUTHN_NO_PASSWORD_EXPIRY=true +#WEBAUTHN_NO_PASSWORD_EXPIRY=true diff --git a/docker-compose.yml b/docker-compose.yml index d52e76f..c49d65d 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -2,15 +2,17 @@ version: '3' services: rumqqtd: image: bytebeamio/rumqttd + restart: no ports: - 1883:1883 - 1884:1884 + rauthy-nginx: image: nginx:latest + restart: no ports: - 80:80 volumes: - # /etc/nginx/conf.d/*.conf; - ./config/rauth.nginx:/etc/nginx/conf.d/rauth.conf:ro depends_on: - rauthy 
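Review bot: `restart: no` is unquoted, and a YAML 1.1 parser reads bare `no` as boolean `false` rather than the string `no` — the Compose file reference writes it as `restart: "no"` for exactly this reason; the same applies to the `restart: no` lines in hunks `@@ -42,7 +60,7 @@`, `@@ -54,7 +72,7 @@`, `@@ -65,7 +83,7 @@` and `@@ -77,7 +95,10 @@`. Depending on the Compose version this is either rejected by schema validation or silently coerced, so quote it in all five places: `restart: "no"`.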
@@ -21,20 +23,36 @@ services: POSTGRES_PASSWORD: 123SuperSafe POSTGRES_USER: rauthy POSTGRES_DB: rauthy - DATABASE_URL: postgresql://rauthy:123SuperSafe@localhost:5432/rauthy + ports: + - 6677:5432 volumes: - rauthy-psql:/var/lib/postgresql/data rauthy: - image: ghcr.io/sebadob/rauthy:0.23.5 + image: ghcr.io/sebadob/rauthy:0.24.1 depends_on: - rauthy-psql + - mailcrab ports: - 8302:8302 - - 8301:9090 + - 8301:8301 + - 9090:9090 environment: - COOKIE_MODE: danger-insecure - SWAGGER_UI_EXTERNAL: true + - COOKIE_MODE=danger-insecure + - SWAGGER_UI_EXTERNAL=true + - RUSY_LOG=actix_http::h1::dispatcher=error,actix_server::signals=error,trace + - DATABASE_URL=postgresql://rauthy:123SuperSafe@rauthy-psql:5432/rauthy + - LISTEN_PORT_HTTP=8301 + - SMTP_URL=mailcrab + - SMTP_USERNAME="" + - SMTP_PASSWORD="" + - SMTP_DANGER_INSECURE=true + - SMTP_DANGER_INSECURE_PORT=1025 + - METRICS_ENABLE=true + - METRICS_ADDR=0.0.0.0 + - METRICS_PORT=9090 + - SWAGGER_UI_INTERNAL=true + - SWAGGER_UI_EXTERNAL=true volumes: - rauthy:/app/data - ./config/rauthy.cfg:/app/rauthy.cfg @@ -42,7 +60,7 @@ services: quickwit: image: quickwit/quickwit:v0.5.2 command: run - restart: always + restart: no environment: QW_ENABLE_OTLP_ENDPOINT: true QW_ENABLE_JAEGER_ENDPOINT: true @@ -54,7 +72,7 @@ services: jaeger: image: jaegertracing/jaeger-query:1.45 - restart: always + restart: no depends_on: - quickwit environment: @@ -65,7 +83,7 @@ services: grafana: image: grafana/grafana-enterprise:10.0.0 - restart: always + restart: no depends_on: - quickwit environment: @@ -77,7 +95,10 @@ services: mailcrab: image: 'marlonb/mailcrab:latest' - restart: unless-stopped + restart: no + environment: + - ENABLE_TLS_AUTH=false + - RUST_LOG=debug ports: - 1125:1025 - 1180:1080
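Review bot: `RUSY_LOG=…` is a misspelling of `RUST_LOG` (the mailcrab service below spells it correctly), so the rauthy log filter on this line is never applied. In the same list, `SMTP_USERNAME=""` and `SMTP_PASSWORD=""` are plain YAML scalars in list form, so Compose most likely hands rauthy the two-character value `""` rather than an empty string — write them as `- SMTP_USERNAME=` and `- SMTP_PASSWORD=` — and `SWAGGER_UI_EXTERNAL=true` appears twice in the list. This hunk also publishes `9090:9090` with `METRICS_ADDR=0.0.0.0` (rauthy.cfg's own comment says metrics should not be publicly reachable) and `6677:5432` for Postgres whose password sits in the committed `DATABASE_URL`; bind these to loopback, e.g. `127.0.0.1:9090:9090` and `127.0.0.1:6677:5432`, or drop the host mappings if only containers need them.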