Update rauthy

This commit is contained in:
eraden 2024-08-03 05:48:14 +02:00
parent e8f04f4dde
commit 5f825093cc
4 changed files with 83 additions and 60 deletions

2
.env

@ -40,3 +40,5 @@ SONIC_INGEST_PASS=SecretPassword
SEARCH_ACTIVE=true
KANIDM_IDM_ADMIN_PASS=2MScM5Cr2ANyLRps4ccGZjSJdx8bth6yXEwKJDqYU5ZdNfKN
RAUTHY_API_KEY=oidc$1nrMx5FY6crQaejAKTBAFlx8t8ObnKOUUSBhlBkkUBnyCfwAJvKmlEQ5LoqanRyn
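Review bot: `KANIDM_IDM_ADMIN_PASS` and `RAUTHY_API_KEY` are committed here as plaintext credentials in `.env`, next to the already-present `SONIC_INGEST_PASS`; anything that lands in history has to be treated as disclosed, so these values should be rotated rather than just removed later. The usual shape is an untracked `.env` plus a committed `.env.example` carrying placeholders such as `RAUTHY_API_KEY=<set-locally>`. Whether these are throwaway local-development values is not visible from this hunk, so the note applies either way.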


@ -3,7 +3,7 @@ server {
server_name rauthy.lvh;
location ~ / {
proxy_pass http://rauthy:8080;
proxy_pass http://rauthy:8301;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
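Review bot: `location ~ /` is a regular-expression location that matches every URI; the conventional catch-all is the prefix form `location /`, which avoids regex-ordering surprises once further locations are added. The new upstream port `8301` agrees with `LISTEN_PORT_HTTP=8301` set on the rauthy service in this commit's compose file, but that compose file also publishes `8301:8301` on the host, so the proxy can be walked around; if nginx is meant to be the only entry point, the host mapping should go. The `server` block starts and ends outside the hunk.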


@ -17,7 +17,7 @@
# If you don't need the extra validations, you can set this to `false` to
# save some resources, if your clients to a lot of `/userinfo` lookups.
# default: true
#USERINFO_STRICT=true
USERINFO_STRICT=false
# Can be used when 'OPEN_USER_REG=true' to restrict the domains
# for a registration. For instance, set it to
@ -60,7 +60,7 @@
# in the Admin UI. If these are correct, your setup is okay.
#
# (default: true)
# SESSION_VALIDATE_IP=false
SESSION_VALIDATE_IP=false
# By default, Rauthy will log a warning into the logs, if an active password
# reset form is being access multiple times from different hosts. You can set
@ -81,17 +81,17 @@
# Cloudflare, which adds custom headers in this case.
# For instance, if your requests are proxied through cloudflare, your would
# set `CF-Connecting-IP`.
# PEER_IP_HEADER_NAME="CF-Connecting-IP"
PEER_IP_HEADER_NAME="X-Forwarded-For"
PEER_IP_HEADER_NAME="CF-Connecting-IP"
# You can enable authn/authz headers which would be added to the response
# of the `/auth/v1/forward_auth` endpoint. With `AUTH_HEADERS_ENABLE=true`,
# of the `/auth/v1/oidc/forward_auth` endpoint. With `AUTH_HEADERS_ENABLE=true`,
# the headers below will be added to authenticated requests. These could
# be used on legacy downstream applications, that don't support OIDC on
# their own.
# However, be careful when using this, since this kind of authn/authz has
# a lot of pitfalls out of the scope of Rauthy.
# AUTH_HEADERS_ENABLE=true
# default: false
AUTH_HEADERS_ENABLE=true
# Configure the header names being used for the different values.
# You can change them to your needs, if you cannot easily change your
@ -174,7 +174,7 @@ AUTH_HEADER_MFA=x-forwarded-user-mfa
#S3_BUCKET=my_s3_bucket_name
#S3_ACCESS_KEY=
#S3_ACCESS_SECRET=
#S3_DANGER_ACCEPT_INVALID_CERTS=false
#S3_DANGER_ALLOW_INSECURE=false
# Restores the given backup
#
@ -217,7 +217,7 @@ BOOTSTRAP_ADMIN_EMAIL=admin@localhost.de
# If set, this plain text password will be used for the
# initial admin password instead of generating a random
# password.
BOOTSTRAP_ADMIN_PASSWORD_PLAIN="n!U@vNYM9*SQpS"
# BOOTSTRAP_ADMIN_PASSWORD_PLAIN="123SuperSafe"
# If set, this will take the argon2id hashed password
# during the initialization of an empty production database.
@ -285,17 +285,17 @@ BOOTSTRAP_ADMIN_PASSWORD_PLAIN="n!U@vNYM9*SQpS"
# If the cache should start in HA mode or standalone
# accepts 'true|false', defaults to 'false'
HA_MODE=false
#HA_MODE=false
# The connection strings (with hostnames) of the HA instances
# as a CSV.
# Format: 'scheme://hostname:port'
HA_HOSTS="http://rauthy-0.rauthy:8080"
#HA_HOSTS="http://rauthy-0.rauthy:8000, http://rauthy-1.rauthy:8000, http://rauthy-2.rauthy:8000"
# Overwrite the hostname which is used to identify each cache member.
# Useful in scenarios, where for instance all members are on the same host with
# different ports or for testing.
HOSTNAME_OVERWRITE="rauthy-0.rauthy:8080"
#HOSTNAME_OVERWRITE="rauthy-0.rauthy:8080"
## Define buffer sizes for channels between the components
# Buffer for client requests on the incoming stream - server
@ -378,7 +378,6 @@ CACHE_USERS_LIFESPAN=28800
#DATABASE_URL=sqlite::memory:
#DATABASE_URL=sqlite:data/rauthy.db
#DATABASE_URL=postgresql://rauthy:123SuperSafe@localhost:5432/rauthy
DATABASE_URL=postgresql://rauthy:123SuperSafe@rauthy-psql:5432/rauthy
# Max DB connections - irrelevant for SQLite (default: 5)
#DATABASE_MAX_CONN=5
@ -435,7 +434,7 @@ DPOP_NONCE_EXP=900
# handled properly and your users just login blindly to any client
# they get redirected to.
# default: false
ENABLE_DYN_CLIENT_REG=false
#ENABLE_DYN_CLIENT_REG=false
# If specified, this secret token will be expected during
# dynamic client registrations to be given as a
@ -515,12 +514,12 @@ EMAIL_SUB_PREFIX="Rauthy IAM"
# TLS fails. It will never allow an unencrypted connection.
# You might want to set `SMTP_DANGER_INSECURE=true` if you
# need this for local dev.
SMTP_URL=mailcrab
SMTP_USERNAME=
SMTP_PASSWORD=
#SMTP_URL=
#SMTP_USERNAME=
#SMTP_PASSWORD=
# Format: "Rauthy <rauthy@localhost.de>"
# default: "Rauthy <rauthy@localhost.de>"
SMTP_FROM=notif@example.com
#SMTP_FROM=
# The number of retries that should be done for connecting to
# the given SMTP_URL.
@ -537,7 +536,7 @@ SMTP_FROM=notif@example.com
# ignored and you can modify the target port with
# `SMTP_DANGER_INSECURE_PORT`.
# default: false
SMTP_DANGER_INSECURE=true
#SMTP_DANGER_INSECURE=false
# The port for an insecure SMTP relay.
# This will most likely be used for testing only.
@ -662,7 +661,7 @@ MAX_HASH_THREADS=1
#####################################
# The E-Mail address event notifications should be sent to.
#EVENT_EMAIL=admin@localhost.de
EVENT_EMAIL=admin@localhost.de
# Matrix variables for event notifications.
# `EVENT_MATRIX_USER_ID` and `EVENT_MATRIX_ROOM_ID` are mandatory.
@ -673,7 +672,7 @@ MAX_HASH_THREADS=1
# you should provide `EVENT_MATRIX_ACCESS_TOKEN`.
# If both are given, the `EVENT_MATRIX_ACCESS_TOKEN` will be preferred.
#
# If left empty, no messages will be sent to Slack.
# If left empty, no messages will be sent to Matrix.
# Format: `@<user_id>:<server address>`
#EVENT_MATRIX_USER_ID=
# Format: `!<random string>:<server address>`
@ -703,7 +702,7 @@ MAX_HASH_THREADS=1
# The notification level for events. Works the same way as a logging level.
# For instance: 'notice' means send out a notifications for all events with
# the info level or higher.
# the notice level or higher.
# Possible values:
# - info
# - notice
@ -726,11 +725,11 @@ EVENT_NOTIFY_LEVEL_SLACK=notice
# - warning
# - critical
# default: 'info'
EVENT_PERSIST_LEVEL=info
#EVENT_PERSIST_LEVEL=info
# Define the number of days when events should be cleaned up from the database.
# default: 31
EVENT_CLEANUP_DAYS=31
#EVENT_CLEANUP_DAYS=31
# The level for the generated Event after a new user has been registered.
# default: info
@ -790,7 +789,7 @@ EVENT_LEVEL_FAILED_LOGIN=info
# by doing a request to the Github API to check the latest release.
# This ignores any type of prerelease and will only notify for a new stable.
# default: false
DISABLE_APP_VERSION_CHECK=true
#DISABLE_APP_VERSION_CHECK=false
#####################################
############## FED CM ###############
@ -838,14 +837,15 @@ DISABLE_APP_VERSION_CHECK=true
# Session lifetime in seconds - the session can not be
# extended beyond this time and a new login will be forced.
# This is the session for the authorization code flow. (default: 14400)
# This is the session for the authorization code flow.
# (default: 14400)
#SESSION_LIFETIME=14400
# If 'true', a 2FA / MFA check will be done with each automatic
# token generation, even with an active session, which kind of
# makes the session useless with Webauthn enabled, but provides
# maximum amount of security.
# If 'false', the user will not get a MFA prompt with an active
# If 'false', the user will not get an MFA prompt with an active
# session at the authorization endpoint.
# (default: false)
#SESSION_RENEW_MFA=false
@ -873,7 +873,7 @@ DISABLE_APP_VERSION_CHECK=true
# This is the log level for stdout logs
# Accepts: error, info, debug, trace (default: info)
LOG_LEVEL=trace
#LOG_LEVEL=info
# This is a special config which allows the configuration of
# customized access logs. These logs will be logged with each
@ -900,7 +900,7 @@ LOG_LEVEL=trace
# If 'true', MFA for an account must be enabled to access the
# rauthy admin UI (default: true)
#ADMIN_FORCE_MFA=true
ADMIN_FORCE_MFA=false
#####################################
############## POW #################
@ -923,12 +923,12 @@ POW_EXP=30
# The server address to listen on. Can bind to a specific IP.
# default: 0.0.0.0
LISTEN_ADDRESS=0.0.0.0
#LISTEN_ADDRESS=0.0.0.0
# The listen ports for HTTP / HTTPS, depending on the
# activated 'LISTEN_SCHEME'
# default: 8080
LISTEN_PORT_HTTP=8080
#LISTEN_PORT_HTTP=8080
# default: 8443
#LISTEN_PORT_HTTPS=8443
@ -941,43 +941,43 @@ LISTEN_SCHEME=http
# HEADER later on, which is especially important when running
# rauthy behind a reverse proxy. In case of a non-standard
# port (80/443), you need to add the port to the PUB_URL
PUB_URL=rauthy.lvh
PUB_URL=localhost:8301
# default value: number of available physical cores
HTTP_WORKERS=10
#HTTP_WORKERS=1
# When rauthy is running behind a reverse proxy, set to true
# default: false
PROXY_MODE=true
PROXY_MODE=false
# A `\n` separated list of trusted proxy CIDRs.
# When `PROXY_MODE=true` or `PEER_IP_HEADER_NAME` is set,
# these are mandatory to be able to extract the real client
# IP properly and safely to prevent IP header spoofing.
# All requests with a different source will be blocked.
TRUSTED_PROXIES="
192.168.14.0/24
"
#TRUSTED_PROXIES="
#192.168.14.0/24
#"
# To enable or disable the additional HTTP server to expose the /metrics endpoint
# default: true
METRICS_ENABLE=true
# METRICS_ENABLE=true
# The IP address to listen on for the /metrics endpoint.
# You do not want to expose your metrics on a publicly reachable endpoint!
# default: 0.0.0.0
METRICS_ADDR=0.0.0.0
# METRICS_ADDR=0.0.0.0
# The post to listen on for the /metrics endpoint.
# You do not want to expose your metrics on a publicly reachable endpoint!
# default: 9090
METRICS_PORT=8302
# METRICS_PORT=9090
# If the Swagger UI should be served together with the /metrics route on the internal
# server. It it then reachable via:
# http://METRICS_ADDR:METRICS_PORT/docs/v1/swagger-ui/
# default: true
SWAGGER_UI_INTERNAL=true
# SWAGGER_UI_INTERNAL=true
# If the Swagger UI should be served externally as well. This makes the link in the
# Admin UI work.
@ -986,7 +986,7 @@ SWAGGER_UI_INTERNAL=true
# Rauthy is open source, which means anyone could just download it and see on their
# own, but it may be a security concern to just expose less information.
# default: false
SWAGGER_UI_EXTERNAL=true
#SWAGGER_UI_EXTERNAL=false
# The interval in seconds in which keep-alives should be sent to SSE clients.
# Depending on your network setup, proxy timeouts, ...
@ -1061,7 +1061,7 @@ SWAGGER_UI_EXTERNAL=true
# Enable / disable TLS for the cache communication
# (default: true)
CACHE_TLS=false
CACHE_TLS=true
# The path to the server TLS certificate PEM file
# default: tls/redhac.cert-chain.pem
@ -1089,7 +1089,7 @@ CACHE_TLS_SERVER_KEY=tls/key.pem
# 'X509v3 Subject Alternative Name' when you take a look at
# the servers certificate with the openssl tool.
# default: redhac.local
CACHE_TLS_CLIENT_VALIDATE_DOMAIN=rauthy.lvh
CACHE_TLS_CLIENT_VALIDATE_DOMAIN=redhac.local
# Can be used if you need to overwrite the SNI when the
# client connects to the server, for instance if you are
@ -1105,12 +1105,12 @@ CACHE_TLS_CLIENT_VALIDATE_DOMAIN=rauthy.lvh
# (default: localhost)
# CAUTION: When this changes, already registered devices will stop
# working and users cannot log in anymore!
RP_ID=rauthy.lvh
RP_ID=localhost
# Url containing the effective domain name
# (default: http://localhost:8080)
# CAUTION: Must include the port number!
RP_ORIGIN=http://rauthy.lvh
RP_ORIGIN=http://localhost:8080
# Non critical RP Name
# Has no security properties and may be changed without issues
@ -1141,7 +1141,7 @@ RP_NAME='Rauthy Webauthn'
# again. That is why we should ask for the original password
# in addition once in a while to set the cookie.
# The value is in hours (default: 2160)
#WEBAUTHN_RENEW_EXP=2160
WEBAUTHN_RENEW_EXP=2160
# This feature can be set to 'true' to force User verification
# during the Webauthn ceremony. UV will be true, if the user
@ -1153,7 +1153,7 @@ RP_NAME='Rauthy Webauthn'
# option, since Android and some special combinations of OS +
# browser to not support UV yet.
# (default: false)
#WEBAUTHN_FORCE_UV=false
WEBAUTHN_FORCE_UV=false
# Can be set to 'true' to disable password expiry for users
# that have at least one active passkey. When set to 'false',
@ -1162,4 +1162,4 @@ RP_NAME='Rauthy Webauthn'
# With this option active, rauthy will ignore any password
# expiry set by the password policy for Webauthn users.
# default: true
WEBAUTHN_NO_PASSWORD_EXPIRY=true
#WEBAUTHN_NO_PASSWORD_EXPIRY=true
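Review bot: In the hunk at @ -81,17 `PEER_IP_HEADER_NAME="CF-Connecting-IP"` appears to be the active line, while the hunk at @ -941,43 sets `PROXY_MODE=false` and comments out the whole `TRUSTED_PROXIES` block; the file's own comment there says trusted proxy CIDRs are mandatory whenever `PEER_IP_HEADER_NAME` is set, precisely to prevent IP header spoofing, and the nginx config in this commit only emits `X-Real-IP`/`X-Forwarded-For`, so nothing in this deployment sends `CF-Connecting-IP` anyway. Which line of each pair is the new side is inferred from print order only, but if that reading is right the header should be dropped, or `PROXY_MODE=true` restored together with a `TRUSTED_PROXIES` entry for the nginx network (e.g. `TRUSTED_PROXIES="<nginx-network-cidr>"` as a placeholder). The hunk at @ -1105,12 leaves `RP_ORIGIN=http://localhost:8080` while `PUB_URL` becomes `localhost:8301`; the comment states the origin must include the port, so WebAuthn registration presumably fails unless `RP_ORIGIN` is changed to the origin browsers actually use (`http://localhost:8301` or the nginx front). `ADMIN_FORCE_MFA=false` and `AUTH_HEADERS_ENABLE=true` (whose own comment warns of pitfalls) read as local-dev settings; a header line such as `# Local development profile - not for shared deployments` would make that explicit. `DATABASE_URL` and `BOOTSTRAP_ADMIN_PASSWORD_PLAIN` carry credentials in what looks like a committed file and belong in an untracked env file.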


@ -2,15 +2,17 @@ version: '3'
services:
rumqqtd:
image: bytebeamio/rumqttd
restart: no
ports:
- 1883:1883
- 1884:1884
rauthy-nginx:
image: nginx:latest
restart: no
ports:
- 80:80
volumes:
# /etc/nginx/conf.d/*.conf;
- ./config/rauth.nginx:/etc/nginx/conf.d/rauth.conf:ro
depends_on:
- rauthy
@ -21,20 +23,36 @@ services:
POSTGRES_PASSWORD: 123SuperSafe
POSTGRES_USER: rauthy
POSTGRES_DB: rauthy
DATABASE_URL: postgresql://rauthy:123SuperSafe@localhost:5432/rauthy
ports:
- 6677:5432
volumes:
- rauthy-psql:/var/lib/postgresql/data
rauthy:
image: ghcr.io/sebadob/rauthy:0.23.5
image: ghcr.io/sebadob/rauthy:0.24.1
depends_on:
- rauthy-psql
- mailcrab
ports:
- 8302:8302
- 8301:9090
- 8301:8301
- 9090:9090
environment:
COOKIE_MODE: danger-insecure
SWAGGER_UI_EXTERNAL: true
- COOKIE_MODE=danger-insecure
- SWAGGER_UI_EXTERNAL=true
- RUSY_LOG=actix_http::h1::dispatcher=error,actix_server::signals=error,trace
- DATABASE_URL=postgresql://rauthy:123SuperSafe@rauthy-psql:5432/rauthy
- LISTEN_PORT_HTTP=8301
- SMTP_URL=mailcrab
- SMTP_USERNAME=""
- SMTP_PASSWORD=""
- SMTP_DANGER_INSECURE=true
- SMTP_DANGER_INSECURE_PORT=1025
- METRICS_ENABLE=true
- METRICS_ADDR=0.0.0.0
- METRICS_PORT=9090
- SWAGGER_UI_INTERNAL=true
- SWAGGER_UI_EXTERNAL=true
volumes:
- rauthy:/app/data
- ./config/rauthy.cfg:/app/rauthy.cfg
@ -42,7 +60,7 @@ services:
quickwit:
image: quickwit/quickwit:v0.5.2
command: run
restart: always
restart: no
environment:
QW_ENABLE_OTLP_ENDPOINT: true
QW_ENABLE_JAEGER_ENDPOINT: true
@ -54,7 +72,7 @@ services:
jaeger:
image: jaegertracing/jaeger-query:1.45
restart: always
restart: no
depends_on:
- quickwit
environment:
@ -65,7 +83,7 @@ services:
grafana:
image: grafana/grafana-enterprise:10.0.0
restart: always
restart: no
depends_on:
- quickwit
environment:
@ -77,7 +95,10 @@ services:
mailcrab:
image: 'marlonb/mailcrab:latest'
restart: unless-stopped
restart: no
environment:
- ENABLE_TLS_AUTH=false
- RUST_LOG=debug
ports:
- 1125:1025
- 1180:1080
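Review bot: `restart: no` on rumqqtd, rauthy-nginx, quickwit, jaeger, grafana and mailcrab is an unquoted `no`, which YAML 1.1 loaders read as boolean `false` rather than the restart-policy string; write `restart: "no"` in each of those hunks. `RUSY_LOG=...` in the rauthy environment looks like a typo for `RUST_LOG` (the mailcrab hunk spells it `RUST_LOG=debug`), so the intended log filter is presumably never applied. The rauthy `ports` publish `9090:9090`, the port the same block's `METRICS_PORT=9090` and `SWAGGER_UI_INTERNAL=true` bind, and the rauthy.cfg in this commit explicitly warns against exposing metrics publicly; binding it to loopback (`127.0.0.1:9090:9090`) or dropping the mapping would be safer. `SWAGGER_UI_EXTERNAL=true` is listed twice in that environment block, and `DATABASE_URL` is set on the rauthy-psql service where the postgres image has no apparent use for it and it points at localhost; both look like leftovers.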