Documentation
Index
- type Config
- func GetDefaultConfig() *Config
- func (c *Config) GetAuthProvider() (auth.Provider, error)
- func (c Config) GetLoadedConfigPath() string
- func (c Config) GetTokenSigningKey() jwk.Key
- func (c *Config) SetLoadedConfigPath(filePath string)
- func (c *Config) SetTokenSigningKey(logger *zerolog.Logger) (err error)
- func (c Config) String() string
- func (c *Config) Validate(log *zerolog.Logger) error
- type Dev
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type Config

```go
type Config struct {
	// The hostname the application is reached at.
	// This is used for setting the "redirect_uri" field for OAuth2 callbacks.
	// +required
	Hostname string `env:"HOSTNAME" yaml:"hostname"`

	// Domain name for setting cookies.
	// If empty, this is set to the value of the `hostname` property.
	// This value must either be the same as the `hostname` property, or the hostname must be a sub-domain of the cookie domain name.
	// +recommended
	CookieDomain string `env:"COOKIEDOMAIN" yaml:"cookieDomain"`

	// Name of the cookie used to store the session.
	// +default "tf_sess"
	CookieName string `env:"COOKIENAME" yaml:"cookieName"`

	// If true, sets cookies as "insecure", which are served on HTTP endpoints too.
	// By default, this is false and cookies are sent on HTTPS endpoints only.
	// +default false
	CookieInsecure bool `env:"COOKIEINSECURE" yaml:"cookieInsecure"`

	// Lifetime for sessions after a successful authentication.
	// +default 2h
	SessionLifetime time.Duration `env:"SESSIONLIFETIME" yaml:"sessionLifetime"`

	// Port to bind to.
	// +default 4181
	Port int `env:"PORT" yaml:"port"`

	// Address/interface to bind to.
	// +default "0.0.0.0"
	Bind string `env:"BIND" yaml:"bind"`

	// Base path for all routes.
	// Set this if Traefik is forwarding requests to traefik-forward-auth for specific paths only.
	// Note: this does not apply to the /api and /healthz routes.
	BasePath string `env:"BASEPATH" yaml:"basePath"`

	// Controls log level and verbosity. Supported values: `debug`, `info` (default), `warn`, `error`.
	// +default info
	LogLevel string `env:"LOGLEVEL" yaml:"logLevel"`

	// Enable the metrics server, which exposes a Prometheus-compatible endpoint `/metrics`.
	// +default false
	EnableMetrics bool `env:"ENABLEMETRICS" yaml:"enableMetrics"`

	// Port for the metrics server to bind to.
	// +default 2112
	MetricsPort int `env:"METRICSPORT" yaml:"metricsPort"`

	// Address/interface for the metrics server to bind to.
	// +default "0.0.0.0"
	MetricsBind string `env:"METRICSBIND" yaml:"metricsBind"`

	// If true, calls to the healthcheck endpoint (`/healthz`) are not included in the logs.
	// +default true
	OmitHealthCheckLogs bool `env:"OMITHEALTHCHECKLOGS" yaml:"omitHealthCheckLogs"`

	// String used as key to sign state tokens.
	// Can be generated for example with `openssl rand -base64 32`.
	// If left empty, it will be randomly generated every time the app starts (recommended, unless you need user sessions to persist after the application is restarted).
	TokenSigningKey string `env:"TOKENSIGNINGKEY" yaml:"tokenSigningKey"`

	// Authentication provider to use.
	// Currently supported providers:
	//
	// - `github`
	// - `google`
	// - `microsoftentraid`
	// - `openidconnect`
	// - `tailscalewhois`
	//
	// +required
	AuthProvider string `env:"AUTHPROVIDER" yaml:"authProvider"`

	// Client ID for the Google auth application.
	// Ignored if `authProvider` is not `google`.
	AuthGoogleClientID string `env:"AUTHGOOGLE_CLIENTID" yaml:"authGoogle_clientID"`

	// Client secret for the Google auth application.
	// Ignored if `authProvider` is not `google`.
	AuthGoogleClientSecret string `env:"AUTHGOOGLE_CLIENTSECRET" yaml:"authGoogle_clientSecret"`

	// List of allowed users for Google auth.
	// This is a list of user IDs.
	// Ignored if `authProvider` is not `google`.
	AuthGoogleAllowedUsers []string `env:"AUTHGOOGLE_ALLOWEDUSERS" yaml:"authGoogle_allowedUsers"`

	// List of allowed email addresses of users for Google auth.
	// This is a list of email addresses.
	// Ignored if `authProvider` is not `google`.
	AuthGoogleAllowedEmails []string `env:"AUTHGOOGLE_ALLOWEDEMAILS" yaml:"authGoogle_allowedEmails"`

	// List of allowed domains for Google auth.
	// This is a list of domains for email addresses.
	// Ignored if `authProvider` is not `google`.
	AuthGoogleAllowedDomains []string `env:"AUTHGOOGLE_ALLOWEDDOMAINS" yaml:"authGoogle_allowedDomains"`

	// Timeout for network requests for Google auth.
	// Ignored if `authProvider` is not `google`.
	// +default 10s
	AuthGoogleRequestTimeout time.Duration `env:"AUTHGOOGLE_REQUESTTIMEOUT" yaml:"authGoogle_requestTimeout"`

	// Client ID for the GitHub auth application.
	// Ignored if `authProvider` is not `github`.
	AuthGitHubClientID string `env:"AUTHGITHUB_CLIENTID" yaml:"authGitHub_clientID"`

	// Client secret for the GitHub auth application.
	// Ignored if `authProvider` is not `github`.
	AuthGitHubClientSecret string `env:"AUTHGITHUB_CLIENTSECRET" yaml:"authGitHub_clientSecret"`

	// List of allowed users for GitHub auth.
	// This is a list of usernames.
	// Ignored if `authProvider` is not `github`.
	AuthGitHubAllowedUsers []string `env:"AUTHGITHUB_ALLOWEDUSERS" yaml:"authGitHub_allowedUsers"`

	// Timeout for network requests for GitHub auth.
	// Ignored if `authProvider` is not `github`.
	// +default 10s
	AuthGitHubRequestTimeout time.Duration `env:"AUTHGITHUB_REQUESTTIMEOUT" yaml:"authGitHub_requestTimeout"`

	// Tenant ID for the Microsoft Entra ID auth application.
	// Ignored if `authProvider` is not `microsoftentraid`.
	AuthMicrosoftEntraIDTenantID string `env:"AUTHMICROSOFTENTRAID_TENANTID" yaml:"authMicrosoftEntraID_tenantID"`

	// Client ID for the Microsoft Entra ID auth application.
	// Ignored if `authProvider` is not `microsoftentraid`.
	AuthMicrosoftEntraIDClientID string `env:"AUTHMICROSOFTENTRAID_CLIENTID" yaml:"authMicrosoftEntraID_clientID"`

	// Client secret for the Microsoft Entra ID auth application.
	// Ignored if `authProvider` is not `microsoftentraid`.
	AuthMicrosoftEntraIDClientSecret string `env:"AUTHMICROSOFTENTRAID_CLIENTSECRET" yaml:"authMicrosoftEntraID_clientSecret"`

	// List of allowed users for Microsoft Entra ID auth.
	// This is a list of user IDs.
	// Ignored if `authProvider` is not `microsoftentraid`.
	AuthMicrosoftEntraIDAllowedUsers []string `env:"AUTHMICROSOFTENTRAID_ALLOWEDUSERS" yaml:"authMicrosoftEntraID_allowedUsers"`

	// List of allowed email addresses of users for Microsoft Entra ID auth.
	// This is a list of email addresses.
	// Ignored if `authProvider` is not `microsoftentraid`.
	AuthMicrosoftEntraIDAllowedEmails []string `env:"AUTHMICROSOFTENTRAID_ALLOWEDEMAILS" yaml:"authMicrosoftEntraID_allowedEmails"`

	// Timeout for network requests for Microsoft Entra ID auth.
	// Ignored if `authProvider` is not `microsoftentraid`.
	// +default 10s
	AuthMicrosoftEntraIDRequestTimeout time.Duration `env:"AUTHMICROSOFTENTRAID_REQUESTTIMEOUT" yaml:"authMicrosoftEntraID_requestTimeout"`

	// Client ID for the OpenID Connect auth application.
	// Ignored if `authProvider` is not `openidconnect`.
	AuthOpenIDConnectClientID string `env:"AUTHOPENIDCONNECT_CLIENTID" yaml:"authOpenIDConnect_clientID"`

	// Client secret for the OpenID Connect auth application.
	// Ignored if `authProvider` is not `openidconnect`.
	AuthOpenIDConnectClientSecret string `env:"AUTHOPENIDCONNECT_CLIENTSECRET" yaml:"authOpenIDConnect_clientSecret"`

	// OpenID Connect token issuer.
	// The OpenID Connect configuration document will be fetched at `<token-issuer>/.well-known/openid-configuration`.
	// Ignored if `authProvider` is not `openidconnect`.
	AuthOpenIDConnectTokenIssuer string `env:"AUTHOPENIDCONNECT_TOKENISSUER" yaml:"authOpenIDConnect_tokenIssuer"`

	// List of allowed users for OpenID Connect auth.
	// This is a list of user IDs, as returned by the ID provider in the "sub" claim.
	// Ignored if `authProvider` is not `openidconnect`.
	AuthOpenIDConnectAllowedUsers []string `env:"AUTHOPENIDCONNECT_ALLOWEDUSERS" yaml:"authOpenIDConnect_allowedUsers"`

	// List of allowed email addresses for users for OpenID Connect auth.
	// This is a list of email addresses, as returned by the ID provider in the "email" claim.
	// Ignored if `authProvider` is not `openidconnect`.
	AuthOpenIDConnectAllowedEmails []string `env:"AUTHOPENIDCONNECT_ALLOWEDEMAILS" yaml:"authOpenIDConnect_allowedEmails"`

	// Timeout for network requests for OpenID Connect auth.
	// Ignored if `authProvider` is not `openidconnect`.
	// +default 10s
	AuthOpenIDConnectRequestTimeout time.Duration `env:"AUTHOPENIDCONNECT_REQUESTTIMEOUT" yaml:"authOpenIDConnect_requestTimeout"`

	// If non-empty, requires the Tailnet of the user to match this value.
	// Ignored if `authProvider` is not `tailscalewhois`.
	AuthTailscaleWhoisAllowedTailnet string `env:"AUTHTAILSCALEWHOIS_ALLOWEDTAILNET" yaml:"authTailscaleWhois_allowedTailnet"`

	// List of allowed users for Tailscale Whois auth.
	// This is a list of user IDs as returned by the ID provider.
	// Ignored if `authProvider` is not `tailscalewhois`.
	AuthTailscaleConnectAllowedUsers []string `env:"AUTHTAILSCALECONNECT_ALLOWEDUSERS" yaml:"authTailscaleConnect_allowedUsers"`

	// Timeout for network requests for Tailscale Whois auth.
	// Ignored if `authProvider` is not `tailscalewhois`.
	// +default 10s
	AuthTailscaleWhoisRequestTimeout time.Duration `env:"AUTHTAILSCALEWHOIS_REQUESTTIMEOUT" yaml:"authTailscaleWhois_requestTimeout"`

	// Timeout for authenticating with the authentication provider.
	// +default 5m
	AuthenticationTimeout time.Duration `env:"AUTHENTICATIONTIMEOUT" yaml:"authenticationTimeout"`

	// Path where to load TLS certificates from. Within the folder, the files must be named `tls-cert.pem` and `tls-key.pem` (and optionally `tls-ca.pem`).
	// The application watches for changes in this folder and automatically reloads the TLS certificates when they're updated.
	// If empty, certificates are loaded from the same folder where the loaded `config.yaml` is located.
	// +default Folder where the `config.yaml` file is located
	TLSPath string `env:"TLSPATH" yaml:"tlsPath"`

	// Full, PEM-encoded TLS certificate.
	// Using `tlsCertPEM` and `tlsKeyPEM` is an alternative to `tlsPath` for passing TLS certificates.
	TLSCertPEM string `env:"TLSCERTPEM" yaml:"tlsCertPEM"`

	// Full, PEM-encoded TLS key.
	// Using `tlsCertPEM` and `tlsKeyPEM` is an alternative to `tlsPath` for passing TLS certificates.
	TLSKeyPEM string `env:"TLSKEYPEM" yaml:"tlsKeyPEM"`

	// Full, PEM-encoded TLS CA certificate, used for TLS client authentication (mTLS).
	// This is an alternative to `tlsPath` for passing the CA certificate.
	// Note that this is ignored unless `tlsClientAuth` is set to `true`.
	TLSCAPEM string `env:"TLSCAPEM" yaml:"tlsCAPEM"`

	// If true, enables mTLS for client authentication.
	// Requests to the root endpoint (normally used by Traefik) must have a valid client certificate signed by the CA.
	// +default false
	TLSClientAuth bool `env:"TLSCLIENTAUTH" yaml:"tlsClientAuth"`

	// String with the name of a header to trust as ID of each request. The ID is included in logs and in responses as the `X-Request-ID` header.
	// Common values include:
	//
	// - `X-Request-ID`: a [de-facto standard](https://http.dev/x-request-id) that's vendor agnostic
	// - `CF-Ray`: when the application is served by a [Cloudflare CDN](https://developers.cloudflare.com/fundamentals/get-started/reference/cloudflare-ray-id/)
	//
	// If this option is empty, or if it contains the name of a header that is not found in an incoming request, a random UUID is generated as request ID.
	// Only set this when a proxy you control sets or overwrites that header on every request; otherwise the value is client-controlled and is copied unchanged into logs and responses.
	TrustedRequestIdHeader string `env:"TRUSTEDREQUESTIDHEADER" yaml:"trustedRequestIdHeader"`

	// Dev is meant for development only; it's undocumented.
	Dev Dev `yaml:"-"`
	// contains filtered or unexported fields
}
```
Config is the struct containing configuration
func GetDefaultConfig
func GetDefaultConfig() *Config
GetDefaultConfig returns the default configuration.
func (*Config) GetAuthProvider
GetAuthProvider returns the auth provider.
func (Config) GetLoadedConfigPath
GetLoadedConfigPath returns the path to the config file that was loaded
func (Config) GetTokenSigningKey
GetTokenSigningKey returns the (parsed) token signing key
func (*Config) SetLoadedConfigPath
SetLoadedConfigPath sets the path to the config file that was loaded
func (*Config) SetTokenSigningKey
SetTokenSigningKey parses the token signing key. If it's empty, it generates a new one.
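As an added example (not code from this page or from the traefik-forward-auth project), the following Go program shows how `env`-tagged fields like those in Config can be loaded and then checked against two rules the struct comments and SetTokenSigningKey state: `cookieDomain` must equal `hostname` or be a parent domain of it (defaulting to `hostname` when empty), and an empty `tokenSigningKey` means a fresh random key on every start, so sessions do not survive a restart. `ForwardAuthConfig`, `LoadFromEnv`, `EffectiveCookieDomain` and `ResolveSigningKey` are hypothetical names; the page does not say which library parses the struct tags or how the project decodes a configured key, so the reflection loader, the base64 decoding and the 32-byte minimum are assumptions borrowed from the `openssl rand -base64 32` hint. The environment map is constructed for the demonstration.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net"
	"reflect"
	"strconv"
	"strings"
	"time"
)

// ForwardAuthConfig is a hypothetical subset of the documented Config struct that
// reuses the page's `env` tags; illustration code, not the project's own type.
type ForwardAuthConfig struct {
	Hostname        string        `env:"HOSTNAME"`
	CookieDomain    string        `env:"COOKIEDOMAIN"`
	SessionLifetime time.Duration `env:"SESSIONLIFETIME"`
	Port            int           `env:"PORT"`
	TokenSigningKey string        `env:"TOKENSIGNINGKEY"`
}

// LoadFromEnv fills every field carrying an `env:"NAME"` tag from lookup
// (os.LookupEnv in a real process; a map here). Unset variables leave the
// field untouched, so defaults filled in beforehand survive.
func LoadFromEnv(cfg *ForwardAuthConfig, lookup func(string) (string, bool)) error {
	v := reflect.ValueOf(cfg).Elem()
	for i := 0; i < v.NumField(); i++ {
		name := v.Type().Field(i).Tag.Get("env")
		raw, ok := lookup(name)
		if name == "" || !ok {
			continue
		}
		f, err := v.Field(i), error(nil)
		switch f.Interface().(type) {
		case time.Duration: // Go duration syntax ("30m", "2h"), not bare seconds
			d, e := time.ParseDuration(raw)
			f.SetInt(int64(d))
			err = e
		case int:
			n, e := strconv.Atoi(raw)
			f.SetInt(int64(n))
			err = e
		case string:
			f.SetString(raw)
		}
		if err != nil {
			return fmt.Errorf("%s: %w", name, err)
		}
	}
	return nil
}

// EffectiveCookieDomain applies the documented rule: an empty cookieDomain
// defaults to the hostname; otherwise the hostname must equal the cookie
// domain or be a sub-domain of it. Comparison is case-insensitive, a port on
// the hostname is ignored, and a leading dot on the domain is dropped.
func EffectiveCookieDomain(hostname, cookieDomain string) (string, error) {
	host := strings.ToLower(hostname)
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h // cookie domains never carry a port
	}
	if host == "" {
		return "", fmt.Errorf("hostname is required")
	}
	domain := strings.ToLower(strings.TrimPrefix(cookieDomain, "."))
	if domain == "" {
		return host, nil
	}
	// The "." prefix matters: "notexample.com" is not a sub-domain of "example.com".
	if host == domain || strings.HasSuffix(host, "."+domain) {
		return domain, nil
	}
	return "", fmt.Errorf("hostname %q is neither %q nor a sub-domain of it", host, domain)
}

// ResolveSigningKey mirrors the documented TokenSigningKey behaviour: an empty
// value yields a fresh random 32-byte key, so sessions do not survive a restart.
// Assumption (not stated on the page): a configured value is base64, as the
// `openssl rand -base64 32` hint suggests, and must decode to at least 32 bytes.
func ResolveSigningKey(configured string) (key []byte, ephemeral bool, err error) {
	if configured == "" {
		key = make([]byte, 32)
		_, err = rand.Read(key)
		return key, true, err
	}
	if key, err = base64.StdEncoding.DecodeString(configured); err != nil {
		return nil, false, fmt.Errorf("tokenSigningKey is not base64: %w", err)
	}
	if len(key) < 32 {
		return nil, false, fmt.Errorf("tokenSigningKey is %d bytes, need at least 32", len(key))
	}
	return key, false, nil
}

func main() {
	// Constructed environment standing in for the real process environment.
	env := map[string]string{"HOSTNAME": "auth.example.com", "COOKIEDOMAIN": "example.com", "SESSIONLIFETIME": "30m"}
	cfg := &ForwardAuthConfig{Port: 4181} // documented default, kept because PORT is unset
	if err := LoadFromEnv(cfg, func(k string) (string, bool) { v, ok := env[k]; return v, ok }); err != nil {
		panic(err)
	}
	domain, err := EffectiveCookieDomain(cfg.Hostname, cfg.CookieDomain)
	key, ephemeral, kerr := ResolveSigningKey(cfg.TokenSigningKey)
	if err != nil || kerr != nil {
		panic(fmt.Sprint(err, kerr))
	}
	fmt.Printf("cookie domain %s, lifetime %s, port %d, %d-byte key (ephemeral=%v)\n",
		domain, cfg.SessionLifetime, cfg.Port, len(key), ephemeral)
}
```

The suffix check deliberately prepends a dot before comparing, which is the detail that usually goes wrong in hand-rolled versions of this rule: without it, `notexample.com` would pass as a sub-domain of `example.com` and the session cookie would be scoped to an unrelated site.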