Update rauthy

2024-08-03 05:48:14 +02:00 · 2024-08-03 05:48:14 +02:00 · 5f825093cc
commit 5f825093cc
parent e8f04f4dde
4 changed files with 83 additions and 60 deletions
--- a/.env
+++ b/.env
@ -40,3 +40,5 @@ SONIC_INGEST_PASS=SecretPassword
 SEARCH_ACTIVE=true
 KANIDM_IDM_ADMIN_PASS=2MScM5Cr2ANyLRps4ccGZjSJdx8bth6yXEwKJDqYU5ZdNfKN
 RAUTHY_API_KEY=oidc$1nrMx5FY6crQaejAKTBAFlx8t8ObnKOUUSBhlBkkUBnyCfwAJvKmlEQ5LoqanRyn
--- a/config/rauth.nginx
+++ b/config/rauth.nginx
@ -3,7 +3,7 @@ server {
    server_name rauthy.lvh;
    location ~ / {
-        proxy_pass http://rauthy:8080;
+        proxy_pass http://rauthy:8301;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
--- a/config/rauthy.cfg
+++ b/config/rauthy.cfg
@ -17,7 +17,7 @@
 # If you don't need the extra validations, you can set this to `false` to
 # save some resources, if your clients to a lot of `/userinfo` lookups.
 # default: true
-#USERINFO_STRICT=true
+USERINFO_STRICT=false
 # Can be used when 'OPEN_USER_REG=true' to restrict the domains
 # for a registration. For instance, set it to
@ -60,7 +60,7 @@
 # in the Admin UI. If these are correct, your setup is okay.
 #
 # (default: true)
-# SESSION_VALIDATE_IP=false
+SESSION_VALIDATE_IP=false
 # By default, Rauthy will log a warning into the logs, if an active password
 # reset form is being access multiple times from different hosts. You can set
@ -81,17 +81,17 @@
 # Cloudflare, which adds custom headers in this case.
 # For instance, if your requests are proxied through cloudflare, your would 
 # set `CF-Connecting-IP`.
-# PEER_IP_HEADER_NAME="CF-Connecting-IP"
+PEER_IP_HEADER_NAME="CF-Connecting-IP"
 PEER_IP_HEADER_NAME="X-Forwarded-For"
 # You can enable authn/authz headers which would be added to the response
-# of the `/auth/v1/forward_auth` endpoint. With  `AUTH_HEADERS_ENABLE=true`,
+# of the `/auth/v1/oidc/forward_auth` endpoint. With  `AUTH_HEADERS_ENABLE=true`,
 # the headers below will be added to authenticated requests. These could
 # be used on legacy downstream applications, that don't support OIDC on
 # their own.
 # However, be careful when using this, since this kind of authn/authz has
 # a lot of pitfalls out of the scope of Rauthy.
-# AUTH_HEADERS_ENABLE=true
+# default: false
 AUTH_HEADERS_ENABLE=true
 # Configure the header names being used for the different values.
 # You can change them to your needs, if you cannot easily change your
@ -174,7 +174,7 @@ AUTH_HEADER_MFA=x-forwarded-user-mfa
 #S3_BUCKET=my_s3_bucket_name
 #S3_ACCESS_KEY=
 #S3_ACCESS_SECRET=
-#S3_DANGER_ACCEPT_INVALID_CERTS=false
+#S3_DANGER_ALLOW_INSECURE=false
 # Restores the given backup
 #
@ -217,7 +217,7 @@ BOOTSTRAP_ADMIN_EMAIL=admin@localhost.de
 # If set, this plain text password will be used for the
 # initial admin password instead of generating a random
 # password.
-BOOTSTRAP_ADMIN_PASSWORD_PLAIN="n!U@vNYM9*SQpS"
+# BOOTSTRAP_ADMIN_PASSWORD_PLAIN="123SuperSafe"
 # If set, this will take the argon2id hashed password
 # during the initialization of an empty production database.
@ -285,17 +285,17 @@ BOOTSTRAP_ADMIN_PASSWORD_PLAIN="n!U@vNYM9*SQpS"
 # If the cache should start in HA mode or standalone
 # accepts 'true|false', defaults to 'false'
-HA_MODE=false
+#HA_MODE=false
 # The connection strings (with hostnames) of the HA instances
 # as a CSV.
 # Format: 'scheme://hostname:port'
-HA_HOSTS="http://rauthy-0.rauthy:8080"
+#HA_HOSTS="http://rauthy-0.rauthy:8000, http://rauthy-1.rauthy:8000, http://rauthy-2.rauthy:8000"
 # Overwrite the hostname which is used to identify each cache member.
 # Useful in scenarios, where for instance all members are on the same host with
 # different ports or for testing.
-HOSTNAME_OVERWRITE="rauthy-0.rauthy:8080"
+#HOSTNAME_OVERWRITE="rauthy-0.rauthy:8080"
 ## Define buffer sizes for channels between the components
 # Buffer for client requests on the incoming stream - server
@ -377,8 +377,7 @@ CACHE_USERS_LIFESPAN=28800
 #
 #DATABASE_URL=sqlite::memory:
 #DATABASE_URL=sqlite:data/rauthy.db
-# DATABASE_URL=postgresql://rauthy:123SuperSafe@localhost:5432/rauthy
+#DATABASE_URL=postgresql://rauthy:123SuperSafe@localhost:5432/rauthy
 DATABASE_URL=postgresql://rauthy:123SuperSafe@rauthy-psql:5432/rauthy
 # Max DB connections - irrelevant for SQLite (default: 5)
 #DATABASE_MAX_CONN=5
@ -435,7 +434,7 @@ DPOP_NONCE_EXP=900
 # handled properly and your users just login blindly to any client
 # they get redirected to.
 # default: false
-ENABLE_DYN_CLIENT_REG=false
+#ENABLE_DYN_CLIENT_REG=false
 # If specified, this secret token will be expected during
 # dynamic client registrations to be given as a
@ -515,12 +514,12 @@ EMAIL_SUB_PREFIX="Rauthy IAM"
 # TLS fails. It will never allow an unencrypted connection.
 # You might want to set `SMTP_DANGER_INSECURE=true` if you
 # need this for local dev.
-SMTP_URL=mailcrab
+#SMTP_URL=
-SMTP_USERNAME=
+#SMTP_USERNAME=
-SMTP_PASSWORD=
+#SMTP_PASSWORD=
 # Format: "Rauthy <rauthy@localhost.de>"
 # default: "Rauthy <rauthy@localhost.de>"
-SMTP_FROM=notif@example.com
+#SMTP_FROM=
 # The number of retries that should be done for connecting to
 # the given SMTP_URL.
@ -537,7 +536,7 @@ SMTP_FROM=notif@example.com
 # ignored and you can modify the target port with
 # `SMTP_DANGER_INSECURE_PORT`.
 # default: false
-SMTP_DANGER_INSECURE=true
+#SMTP_DANGER_INSECURE=false
 # The port for an insecure SMTP relay.
 # This will most likely be used for testing only.
@ -662,7 +661,7 @@ MAX_HASH_THREADS=1
 #####################################
 # The E-Mail address event notifications should be sent to.
-#EVENT_EMAIL=admin@localhost.de
+EVENT_EMAIL=admin@localhost.de
 # Matrix variables for event notifications.
 # `EVENT_MATRIX_USER_ID` and `EVENT_MATRIX_ROOM_ID` are mandatory.
@ -673,7 +672,7 @@ MAX_HASH_THREADS=1
 # you should provide `EVENT_MATRIX_ACCESS_TOKEN`.
 # If both are given, the `EVENT_MATRIX_ACCESS_TOKEN` will be preferred.
 #
-# If left empty, no messages will be sent to Slack.
+# If left empty, no messages will be sent to Matrix.
 # Format: `@<user_id>:<server address>`
 #EVENT_MATRIX_USER_ID=
 # Format: `!<random string>:<server address>`
@ -703,7 +702,7 @@ MAX_HASH_THREADS=1
 # The notification level for events. Works the same way as a logging level. 
 # For instance: 'notice' means send out a notifications for all events with 
-# the info level or higher.
+# the notice level or higher.
 # Possible values:
 # - info
 # - notice
@ -726,11 +725,11 @@ EVENT_NOTIFY_LEVEL_SLACK=notice
 # - warning
 # - critical
 # default: 'info'
-EVENT_PERSIST_LEVEL=info
+#EVENT_PERSIST_LEVEL=info
 # Define the number of days when events should be cleaned up from the database.
 # default: 31
-EVENT_CLEANUP_DAYS=31
+#EVENT_CLEANUP_DAYS=31
 # The level for the generated Event after a new user has been registered.
 # default: info
@ -790,7 +789,7 @@ EVENT_LEVEL_FAILED_LOGIN=info
 # by doing a request to the Github API to check the latest release.
 # This ignores any type of prerelease and will only notify for a new stable.
 # default: false
-DISABLE_APP_VERSION_CHECK=true
+#DISABLE_APP_VERSION_CHECK=false
 #####################################
 ############## FED CM ###############
@ -838,14 +837,15 @@ DISABLE_APP_VERSION_CHECK=true
 # Session lifetime in seconds - the session can not be
 # extended beyond this time and a new login will be forced.
-# This is the session for the authorization code flow. (default: 14400)
+# This is the session for the authorization code flow. 
 # (default: 14400)
 #SESSION_LIFETIME=14400
 # If 'true', a 2FA / MFA check will be done with each automatic
 # token generation, even with an active session, which kind of
 # makes the session useless with Webauthn enabled, but provides
 # maximum amount of security.
-# If 'false', the user will not get a MFA prompt with an active
+# If 'false', the user will not get an MFA prompt with an active
 # session at the authorization endpoint.
 # (default: false)
 #SESSION_RENEW_MFA=false
@ -873,7 +873,7 @@ DISABLE_APP_VERSION_CHECK=true
 # This is the log level for stdout logs
 # Accepts: error, info, debug, trace (default: info)
-LOG_LEVEL=trace
+#LOG_LEVEL=info
 # This is a special config which allows the configuration of
 # customized access logs. These logs will be logged with each
@ -900,7 +900,7 @@ LOG_LEVEL=trace
 # If 'true', MFA for an account must be enabled to access the
 # rauthy admin UI (default: true)
-#ADMIN_FORCE_MFA=true
+ADMIN_FORCE_MFA=false
 #####################################
 ############## POW  #################
@ -923,12 +923,12 @@ POW_EXP=30
 # The server address to listen on. Can bind to a specific IP.
 # default: 0.0.0.0
-LISTEN_ADDRESS=0.0.0.0
+#LISTEN_ADDRESS=0.0.0.0
 # The listen ports for HTTP / HTTPS, depending on the
 # activated 'LISTEN_SCHEME'
 # default: 8080
-LISTEN_PORT_HTTP=8080
+#LISTEN_PORT_HTTP=8080
 # default: 8443
 #LISTEN_PORT_HTTPS=8443
@ -941,43 +941,43 @@ LISTEN_SCHEME=http
 # HEADER later on, which is especially important when running
 # rauthy behind a reverse proxy. In case of a non-standard
 # port (80/443), you need to add the port to the PUB_URL
-PUB_URL=rauthy.lvh
+PUB_URL=localhost:8301
 # default value: number of available physical cores
-HTTP_WORKERS=10
+#HTTP_WORKERS=1
 # When rauthy is running behind a reverse proxy, set to true
 # default: false
-PROXY_MODE=true
+PROXY_MODE=false
 # A `\n` separated list of trusted proxy CIDRs.
 # When `PROXY_MODE=true` or `PEER_IP_HEADER_NAME` is set,
 # these are mandatory to be able to extract the real client
 # IP properly and safely to prevent IP header spoofing.
 # All requests with a different source will be blocked.
-TRUSTED_PROXIES="
+#TRUSTED_PROXIES="
-192.168.14.0/24
+#192.168.14.0/24
-"
+#"
 # To enable or disable the additional HTTP server to expose the /metrics endpoint
 # default: true
-METRICS_ENABLE=true
+# METRICS_ENABLE=true
 # The IP address to listen on for the /metrics endpoint.
 # You do not want to expose your metrics on a publicly reachable endpoint!
 # default: 0.0.0.0
-METRICS_ADDR=0.0.0.0
+# METRICS_ADDR=0.0.0.0
 # The post to listen on for the /metrics endpoint.
 # You do not want to expose your metrics on a publicly reachable endpoint!
 # default: 9090
-METRICS_PORT=8302
+# METRICS_PORT=9090
 # If the Swagger UI should be served together with the /metrics route on the internal
 # server. It it then reachable via:
 # http://METRICS_ADDR:METRICS_PORT/docs/v1/swagger-ui/
 # default: true
-SWAGGER_UI_INTERNAL=true
+# SWAGGER_UI_INTERNAL=true
 # If the Swagger UI should be served externally as well. This makes the link in the
 # Admin UI work.
@ -986,7 +986,7 @@ SWAGGER_UI_INTERNAL=true
 # Rauthy is open source, which means anyone could just download it and see on their
 # own, but it may be a security concern to just expose less information.
 # default: false
-SWAGGER_UI_EXTERNAL=true
+#SWAGGER_UI_EXTERNAL=false
 # The interval in seconds in which keep-alives should be sent to SSE clients.
 # Depending on your network setup, proxy timeouts, ...
@ -1061,7 +1061,7 @@ SWAGGER_UI_EXTERNAL=true
 # Enable / disable TLS for the cache communication
 # (default: true)
-CACHE_TLS=false
+CACHE_TLS=true
 # The path to the server TLS certificate PEM file
 # default: tls/redhac.cert-chain.pem
@ -1089,7 +1089,7 @@ CACHE_TLS_SERVER_KEY=tls/key.pem
 # 'X509v3 Subject Alternative Name' when you take a look at
 # the servers certificate with the openssl tool.
 # default: redhac.local
-CACHE_TLS_CLIENT_VALIDATE_DOMAIN=rauthy.lvh
+CACHE_TLS_CLIENT_VALIDATE_DOMAIN=redhac.local
 # Can be used if you need to overwrite the SNI when the
 # client connects to the server, for instance if you are
@ -1105,12 +1105,12 @@ CACHE_TLS_CLIENT_VALIDATE_DOMAIN=rauthy.lvh
 # (default: localhost)
 # CAUTION: When this changes, already registered devices will stop
 # working and users cannot log in anymore!
-RP_ID=rauthy.lvh
+RP_ID=localhost
 # Url containing the effective domain name
 # (default: http://localhost:8080)
 # CAUTION: Must include the port number!
-RP_ORIGIN=http://rauthy.lvh
+RP_ORIGIN=http://localhost:8080
 # Non critical RP Name
 # Has no security properties and may be changed without issues
@ -1141,7 +1141,7 @@ RP_NAME='Rauthy Webauthn'
 # again. That is why we should ask for the original password
 # in addition once in a while to set the cookie.
 # The value is in hours (default: 2160)
-#WEBAUTHN_RENEW_EXP=2160
+WEBAUTHN_RENEW_EXP=2160
 # This feature can be set to 'true' to force User verification
 # during the Webauthn ceremony. UV will be true, if the user
@ -1153,7 +1153,7 @@ RP_NAME='Rauthy Webauthn'
 # option, since Android and some special combinations of OS +
 # browser to not support UV yet.
 # (default: false)
-#WEBAUTHN_FORCE_UV=false
+WEBAUTHN_FORCE_UV=false
 # Can be set to 'true' to disable password expiry for users
 # that have at least one active passkey. When set to 'false',
@ -1162,4 +1162,4 @@ RP_NAME='Rauthy Webauthn'
 # With this option active, rauthy will ignore any password
 # expiry set by the password policy for Webauthn users.
 # default: true
-WEBAUTHN_NO_PASSWORD_EXPIRY=true
+#WEBAUTHN_NO_PASSWORD_EXPIRY=true
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -2,15 +2,17 @@ version: '3'
 services:
  rumqqtd:
    image: bytebeamio/rumqttd
    restart: no
    ports:
      - 1883:1883
      - 1884:1884
  rauthy-nginx:
    image: nginx:latest
    restart: no
    ports:
      - 80:80
    volumes:
      # /etc/nginx/conf.d/*.conf;
      - ./config/rauth.nginx:/etc/nginx/conf.d/rauth.conf:ro
    depends_on:
      - rauthy
@ -21,20 +23,36 @@ services:
      POSTGRES_PASSWORD: 123SuperSafe
      POSTGRES_USER: rauthy
      POSTGRES_DB: rauthy
-      DATABASE_URL: postgresql://rauthy:123SuperSafe@localhost:5432/rauthy
+    ports:
      - 6677:5432
    volumes:
      - rauthy-psql:/var/lib/postgresql/data
  rauthy:
-    image: ghcr.io/sebadob/rauthy:0.23.5
+    image: ghcr.io/sebadob/rauthy:0.24.1
    depends_on:
      - rauthy-psql
      - mailcrab
    ports:
      - 8302:8302
-      - 8301:9090
+      - 8301:8301
      - 9090:9090
    environment:
-      COOKIE_MODE: danger-insecure
+      - COOKIE_MODE=danger-insecure
-      SWAGGER_UI_EXTERNAL: true
+      - SWAGGER_UI_EXTERNAL=true
      - RUSY_LOG=actix_http::h1::dispatcher=error,actix_server::signals=error,trace
      - DATABASE_URL=postgresql://rauthy:123SuperSafe@rauthy-psql:5432/rauthy
      - LISTEN_PORT_HTTP=8301
      - SMTP_URL=mailcrab
      - SMTP_USERNAME=""
      - SMTP_PASSWORD=""
      - SMTP_DANGER_INSECURE=true
      - SMTP_DANGER_INSECURE_PORT=1025
      - METRICS_ENABLE=true
      - METRICS_ADDR=0.0.0.0
      - METRICS_PORT=9090
      - SWAGGER_UI_INTERNAL=true
      - SWAGGER_UI_EXTERNAL=true
    volumes:
      - rauthy:/app/data
      - ./config/rauthy.cfg:/app/rauthy.cfg
@ -42,7 +60,7 @@ services:
  quickwit:
    image: quickwit/quickwit:v0.5.2
    command: run
-    restart: always
+    restart: no
    environment:
      QW_ENABLE_OTLP_ENDPOINT: true
      QW_ENABLE_JAEGER_ENDPOINT: true
@ -54,7 +72,7 @@ services:
  jaeger:
    image: jaegertracing/jaeger-query:1.45
-    restart: always
+    restart: no
    depends_on:
      - quickwit
    environment:
@ -65,7 +83,7 @@ services:
  grafana:
    image: grafana/grafana-enterprise:10.0.0
-    restart: always
+    restart: no
    depends_on:
      - quickwit
    environment:
@ -77,7 +95,10 @@ services:
  mailcrab:
    image: 'marlonb/mailcrab:latest'
-    restart: unless-stopped
+    restart: no
    environment:
      - ENABLE_TLS_AUTH=false
      - RUST_LOG=debug
    ports:
      - 1125:1025
      - 1180:1080