authelia/internal/server/server.go

package server

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net"
	"os"

	"github.com/sirupsen/logrus"
	"github.com/valyala/fasthttp"

	"github.com/authelia/authelia/v4/internal/configuration/schema"
	"github.com/authelia/authelia/v4/internal/logging"
	"github.com/authelia/authelia/v4/internal/middlewares"
)

// CreateDefaultServer Create Authelia's internal webserver with the given configuration and providers.
func CreateDefaultServer(config *schema.Configuration, providers middlewares.Providers) (server *fasthttp.Server, listener net.Listener, paths []string, isTLS bool, err error) {
	if err = providers.Templates.LoadTemplatedAssets(assets); err != nil {
		return nil, nil, nil, false, fmt.Errorf("failed to load templated assets: %w", err)
	}

	server = &fasthttp.Server{
		ErrorHandler:          handleError(),
		Handler:               handleRouter(config, providers),
		NoDefaultServerHeader: true,
		ReadBufferSize:        config.Server.Buffers.Read,
		WriteBufferSize:       config.Server.Buffers.Write,
		ReadTimeout:           config.Server.Timeouts.Read,
		WriteTimeout:          config.Server.Timeouts.Write,
		IdleTimeout:           config.Server.Timeouts.Idle,
		Logger:                logging.LoggerPrintf(logrus.DebugLevel),
	}

	var (
		connectionScheme = schemeHTTP
	)

	if listener, err = config.Server.Address.Listener(); err != nil {
		return nil, nil, nil, false, fmt.Errorf("error occurred while attempting to initialize main server listener for address '%s': %w", config.Server.Address.String(), err)
	}

	if config.Server.TLS.Certificate != "" && config.Server.TLS.Key != "" {
		isTLS, connectionScheme = true, schemeHTTPS

		if err = server.AppendCert(config.Server.TLS.Certificate, config.Server.TLS.Key); err != nil {
			return nil, nil, nil, false, fmt.Errorf("unable to load tls server certificate '%s' or private key '%s': %w", config.Server.TLS.Certificate, config.Server.TLS.Key, err)
		}

		if len(config.Server.TLS.ClientCertificates) > 0 {
			caCertPool := x509.NewCertPool()

			var cert []byte

			for _, path := range config.Server.TLS.ClientCertificates {
				if cert, err = os.ReadFile(path); err != nil {
					return nil, nil, nil, false, fmt.Errorf("unable to load tls client certificate '%s': %w", path, err)
				}

				caCertPool.AppendCertsFromPEM(cert)
			}

			// ClientCAs should never be nil, otherwise the system cert pool is used for client authentication
			// but we don't want everybody on the Internet to be able to authenticate.
			server.TLSConfig.ClientCAs = caCertPool
			server.TLSConfig.ClientAuth = tls.RequireAndVerifyClientCert
		}

		listener = tls.NewListener(listener, server.TLSConfig.Clone())
	}

	if err = writeHealthCheckEnv(config.Server.DisableHealthcheck, connectionScheme, config.Server.Address.Hostname(),
		config.Server.Path, config.Server.Address.Port()); err != nil {
		return nil, nil, nil, false, fmt.Errorf("unable to configure healthcheck: %w", err)
	}

	paths = []string{"/"}

	if config.Server.Path != "" {
		paths = append(paths, config.Server.Path)
	}

	return server, listener, paths, isTLS, nil
}

// CreateMetricsServer creates a metrics server.
func CreateMetricsServer(config *schema.Configuration, providers middlewares.Providers) (server *fasthttp.Server, listener net.Listener, paths []string, tls bool, err error) {
	if providers.Metrics == nil {
		return
	}

	server = &fasthttp.Server{
		ErrorHandler:          handleError(),
		NoDefaultServerHeader: true,
		Handler:               handleMetrics(),
		ReadBufferSize:        config.Telemetry.Metrics.Buffers.Read,
		WriteBufferSize:       config.Telemetry.Metrics.Buffers.Write,
		ReadTimeout:           config.Telemetry.Metrics.Timeouts.Read,
		WriteTimeout:          config.Telemetry.Metrics.Timeouts.Write,
		IdleTimeout:           config.Telemetry.Metrics.Timeouts.Idle,
		Logger:                logging.LoggerPrintf(logrus.DebugLevel),
	}

	if listener, err = config.Telemetry.Metrics.Address.Listener(); err != nil {
		return nil, nil, nil, false, fmt.Errorf("error occurred while attempting to initialize metrics telemetry server listener for address '%s': %w", config.Telemetry.Metrics.Address.String(), err)
	}

	return server, listener, []string{"/metrics"}, false, nil
}
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`package server`

			`import (`
feat: implement mutual tls in the web server (#3065) Mutual TLS helps prevent untrusted clients communicating with services like Authelia. This can be utilized to reduce the attack surface. Fixes #3041 2022-04-04 23:57:47 +00:00			`"crypto/tls"`
			`"crypto/x509"`
feat(metrics): implement prometheus metrics (#3234) Adds ability to record metrics and gather them for Prometheus. 2022-06-14 07:20:13 +00:00			`"fmt"`
[FEATURE] Add IPv6 support (#1196) 2020-07-16 06:36:37 +00:00			`"net"`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`"os"`

refactor(logging): implement common interfaces (#3994) This implements and leverages some common library logging interfaces. 2022-09-10 08:02:57 +00:00			`"github.com/sirupsen/logrus"`
[MISC] Update durations to notation format and housekeeping (#824) * added regulation validator * made regulations find_time and ban_time values duration notation strings * added DefaultRegulationConfiguration for the validator * made session expiration and inactivity values duration notation strings * TOTP period does not need to be converted because adjustment should be discouraged * moved TOTP defaults to DefaultTOTPConfiguration and removed the consts * arranged the root config validator in configuration file order * adjusted tests for the changes * moved duration notation docs to root of configuration * added references to duration notation where applicable * project wide gofmt and goimports: * run gofmt * run goimports -local github.com/authelia/authelia -w on all files * Make jwt_secret error uniform and add tests * now at 100% coverage for internal/configuration/validator/configuration.go 2020-04-05 12:37:21 +00:00			`"github.com/valyala/fasthttp"`

fix: include major in go.mod module directive (#2278) * build: include major in go.mod module directive * fix: xflags * revert: cobra changes * fix: mock doc 2021-08-11 01:04:35 +00:00			`"github.com/authelia/authelia/v4/internal/configuration/schema"`
build(deps): update module github.com/valyala/fasthttp to v1.35.0 (#3120) Co-authored-by: Renovate Bot <bot@renovateapp.com> Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> 2022-04-05 21:57:23 +00:00			`"github.com/authelia/authelia/v4/internal/logging"`
fix: include major in go.mod module directive (#2278) * build: include major in go.mod module directive * fix: xflags * revert: cobra changes * fix: mock doc 2021-08-11 01:04:35 +00:00			`"github.com/authelia/authelia/v4/internal/middlewares"`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`)`

feat(metrics): implement prometheus metrics (#3234) Adds ability to record metrics and gather them for Prometheus. 2022-06-14 07:20:13 +00:00			`// CreateDefaultServer Create Authelia's internal webserver with the given configuration and providers.`
refactor(commands): services (#4914) Misc refactoring of the services logic to simplify the 2023-02-11 10:45:26 +00:00			`func CreateDefaultServer(config schema.Configuration, providers middlewares.Providers) (server fasthttp.Server, listener net.Listener, paths []string, isTLS bool, err error) {`
perf(server): cached openapi document (#4674) This should lead to a small performance gain by caching the openapi.yml with etags as well as eliminating the use of nonce crypto generation when not required. 2023-01-03 03:49:02 +00:00			`if err = providers.Templates.LoadTemplatedAssets(assets); err != nil {`
refactor(commands): services (#4914) Misc refactoring of the services logic to simplify the 2023-02-11 10:45:26 +00:00			`return nil, nil, nil, false, fmt.Errorf("failed to load templated assets: %w", err)`
perf(server): cached openapi document (#4674) This should lead to a small performance gain by caching the openapi.yml with etags as well as eliminating the use of nonce crypto generation when not required. 2023-01-03 03:49:02 +00:00			`}`

feat(metrics): implement prometheus metrics (#3234) Adds ability to record metrics and gather them for Prometheus. 2022-06-14 07:20:13 +00:00			`server = &fasthttp.Server{`
fix(server): handled errors not logged correctly (#3507) This fixes an issue where errors handled by the ErrorHandler were not correctly logged. It also ensures the errors are logged with fields to make them easy to diagnose. Fixes #3506 2022-06-11 23:26:28 +00:00			`ErrorHandler: handleError(),`
			`Handler: handleRouter(config, providers),`
[SECURITY] Disable HTTP server header (#946) * [SECURITY] Disable HTTP Server Header * alphabetize fasthttp.Server property assignment 2020-04-30 03:16:41 +00:00			`NoDefaultServerHeader: true,`
refactor(server): use errgroup to supervise services (#3755) Uses the errgroup package and pattern for supervising services like servers etc. 2022-08-08 21:50:12 +00:00			`ReadBufferSize: config.Server.Buffers.Read,`
			`WriteBufferSize: config.Server.Buffers.Write,`
			`ReadTimeout: config.Server.Timeouts.Read,`
			`WriteTimeout: config.Server.Timeouts.Write,`
			`IdleTimeout: config.Server.Timeouts.Idle,`
refactor: adjust defaults (#4137) * refactor: adjust defaults * refactor: adjust level * refactor: adjust level * refactor: fix templates 2022-10-07 02:52:01 +00:00			`Logger: logging.LoggerPrintf(logrus.DebugLevel),`
[MISC] Add http debug routes (#848) * [MISC] Add debug endpoints to Authelia * enabled only with trace logging * allows go tool pprof usage when enabled * enables both the expvarhandler and pprofhandler from fasthttp * simplify tls/non-tls listen and serve * make it easy to define custom settings of the fasthttp server in the future * make name param optional * add note about the trace setting in the documentation 2020-04-11 04:59:58 +00:00			`}`
feat(oidc): provide cors config including options handlers (#3005) This adjusts the CORS headers appropriately for OpenID Connect. This includes responding to OPTIONS requests appropriately. Currently this is only configured to operate when the Origin scheme is HTTPS; but can easily be expanded in the future to include additional Origins. 2022-04-07 00:58:51 +00:00
feat: implement mutual tls in the web server (#3065) Mutual TLS helps prevent untrusted clients communicating with services like Authelia. This can be utilized to reduce the attack surface. Fixes #3041 2022-04-04 23:57:47 +00:00			`var (`
feat(server): listen on unix sockets (#5038) This allows listening on unix sockets. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-07 05:48:26 +00:00			`connectionScheme = schemeHTTP`
feat: implement mutual tls in the web server (#3065) Mutual TLS helps prevent untrusted clients communicating with services like Authelia. This can be utilized to reduce the attack surface. Fixes #3041 2022-04-04 23:57:47 +00:00			`)`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00
refactor(configuration): umask from query (#5416) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-09 11:25:56 +00:00			`if listener, err = config.Server.Address.Listener(); err != nil {`
feat(server): listen on unix sockets (#5038) This allows listening on unix sockets. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-07 05:48:26 +00:00			`return nil, nil, nil, false, fmt.Errorf("error occurred while attempting to initialize main server listener for address '%s': %w", config.Server.Address.String(), err)`
			`}`

fix(server): incorrect remote ip logged in error handler (#3139) This fixes edge cases where the remote IP was not correctly logged. Generally this is not an issue as most errors do not hit this handler, but in instances where a transport error occurs this is important. 2022-04-08 04:13:47 +00:00			`if config.Server.TLS.Certificate != "" && config.Server.TLS.Key != "" {`
refactor(commands): services (#4914) Misc refactoring of the services logic to simplify the 2023-02-11 10:45:26 +00:00			`isTLS, connectionScheme = true, schemeHTTPS`
feat: implement mutual tls in the web server (#3065) Mutual TLS helps prevent untrusted clients communicating with services like Authelia. This can be utilized to reduce the attack surface. Fixes #3041 2022-04-04 23:57:47 +00:00
fix(server): incorrect remote ip logged in error handler (#3139) This fixes edge cases where the remote IP was not correctly logged. Generally this is not an issue as most errors do not hit this handler, but in instances where a transport error occurs this is important. 2022-04-08 04:13:47 +00:00			`if err = server.AppendCert(config.Server.TLS.Certificate, config.Server.TLS.Key); err != nil {`
refactor(commands): services (#4914) Misc refactoring of the services logic to simplify the 2023-02-11 10:45:26 +00:00			`return nil, nil, nil, false, fmt.Errorf("unable to load tls server certificate '%s' or private key '%s': %w", config.Server.TLS.Certificate, config.Server.TLS.Key, err)`
refactor: configuration agnostic healthcheck (#2231) This makes the healthcheck simple and configured directly by Authelia's configuration on startup. 2021-08-05 04:02:07 +00:00			`}`

fix(server): incorrect remote ip logged in error handler (#3139) This fixes edge cases where the remote IP was not correctly logged. Generally this is not an issue as most errors do not hit this handler, but in instances where a transport error occurs this is important. 2022-04-08 04:13:47 +00:00			`if len(config.Server.TLS.ClientCertificates) > 0 {`
feat: implement mutual tls in the web server (#3065) Mutual TLS helps prevent untrusted clients communicating with services like Authelia. This can be utilized to reduce the attack surface. Fixes #3041 2022-04-04 23:57:47 +00:00			`caCertPool := x509.NewCertPool()`

feat(metrics): implement prometheus metrics (#3234) Adds ability to record metrics and gather them for Prometheus. 2022-06-14 07:20:13 +00:00			`var cert []byte`

fix(server): incorrect remote ip logged in error handler (#3139) This fixes edge cases where the remote IP was not correctly logged. Generally this is not an issue as most errors do not hit this handler, but in instances where a transport error occurs this is important. 2022-04-08 04:13:47 +00:00			`for _, path := range config.Server.TLS.ClientCertificates {`
feat(metrics): implement prometheus metrics (#3234) Adds ability to record metrics and gather them for Prometheus. 2022-06-14 07:20:13 +00:00			`if cert, err = os.ReadFile(path); err != nil {`
refactor(commands): services (#4914) Misc refactoring of the services logic to simplify the 2023-02-11 10:45:26 +00:00			`return nil, nil, nil, false, fmt.Errorf("unable to load tls client certificate '%s': %w", path, err)`
feat: implement mutual tls in the web server (#3065) Mutual TLS helps prevent untrusted clients communicating with services like Authelia. This can be utilized to reduce the attack surface. Fixes #3041 2022-04-04 23:57:47 +00:00			`}`

			`caCertPool.AppendCertsFromPEM(cert)`
			`}`

			`// ClientCAs should never be nil, otherwise the system cert pool is used for client authentication`
			`// but we don't want everybody on the Internet to be able to authenticate.`
			`server.TLSConfig.ClientCAs = caCertPool`
			`server.TLSConfig.ClientAuth = tls.RequireAndVerifyClientCert`
fix: oidc issuer path and strip path middleware (#2272) * fix: oidc issuer path and strip path middleware This ensures the server.path requests append the base_url to the oidc well-known issuer information and adjusts server.path configuration to only strip the configured path instead of the first level entirely regardless of its content. * fix: only log the token error and general refactoring * refactor: factorize base_url functions * refactor(server): include all paths in startup logging * refactor: factorize * refactor: GetExternalRootURL -> ExternalRootURL Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> 2021-08-10 00:31:08 +00:00			`}`

feat(server): listen on unix sockets (#5038) This allows listening on unix sockets. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-07 05:48:26 +00:00			`listener = tls.NewListener(listener, server.TLSConfig.Clone())`
feat: implement mutual tls in the web server (#3065) Mutual TLS helps prevent untrusted clients communicating with services like Authelia. This can be utilized to reduce the attack surface. Fixes #3041 2022-04-04 23:57:47 +00:00			`}`
refactor: configuration agnostic healthcheck (#2231) This makes the healthcheck simple and configured directly by Authelia's configuration on startup. 2021-08-05 04:02:07 +00:00
feat(server): listen on unix sockets (#5038) This allows listening on unix sockets. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-07 05:48:26 +00:00			`if err = writeHealthCheckEnv(config.Server.DisableHealthcheck, connectionScheme, config.Server.Address.Hostname(),`
			`config.Server.Path, config.Server.Address.Port()); err != nil {`
refactor(commands): services (#4914) Misc refactoring of the services logic to simplify the 2023-02-11 10:45:26 +00:00			`return nil, nil, nil, false, fmt.Errorf("unable to configure healthcheck: %w", err)`
[FEATURE] Add TLS support. (#677) * [FEATURE] Add TLS support. Fixes #368. * [FEATURE] Introduce OnError hook in suites. This hook allows to perform actions following an erroneous suite like displaying the logs of Authelia. * Display Authelia logs of Standalone suite when tests fail. * Fix Standalone suite. * Apply suggestions from code review * Rename ssl_key and ssl_cert into tls_key and tls_cert. 2020-03-03 07:18:25 +00:00			`}`
feat: implement mutual tls in the web server (#3065) Mutual TLS helps prevent untrusted clients communicating with services like Authelia. This can be utilized to reduce the attack surface. Fixes #3041 2022-04-04 23:57:47 +00:00
refactor(commands): services (#4914) Misc refactoring of the services logic to simplify the 2023-02-11 10:45:26 +00:00			`paths = []string{"/"}`
feat(metrics): implement prometheus metrics (#3234) Adds ability to record metrics and gather them for Prometheus. 2022-06-14 07:20:13 +00:00
refactor(server): use errgroup to supervise services (#3755) Uses the errgroup package and pattern for supervising services like servers etc. 2022-08-08 21:50:12 +00:00			`if config.Server.Path != "" {`
			`paths = append(paths, config.Server.Path)`
feat: implement mutual tls in the web server (#3065) Mutual TLS helps prevent untrusted clients communicating with services like Authelia. This can be utilized to reduce the attack surface. Fixes #3041 2022-04-04 23:57:47 +00:00			`}`

refactor(commands): services (#4914) Misc refactoring of the services logic to simplify the 2023-02-11 10:45:26 +00:00			`return server, listener, paths, isTLS, nil`
feat(metrics): implement prometheus metrics (#3234) Adds ability to record metrics and gather them for Prometheus. 2022-06-14 07:20:13 +00:00			`}`

			`// CreateMetricsServer creates a metrics server.`
refactor(commands): services (#4914) Misc refactoring of the services logic to simplify the 2023-02-11 10:45:26 +00:00			`func CreateMetricsServer(config schema.Configuration, providers middlewares.Providers) (server fasthttp.Server, listener net.Listener, paths []string, tls bool, err error) {`
			`if providers.Metrics == nil {`
			`return`
feat(metrics): implement prometheus metrics (#3234) Adds ability to record metrics and gather them for Prometheus. 2022-06-14 07:20:13 +00:00			`}`

			`server = &fasthttp.Server{`
			`ErrorHandler: handleError(),`
			`NoDefaultServerHeader: true,`
			`Handler: handleMetrics(),`
refactor(commands): services (#4914) Misc refactoring of the services logic to simplify the 2023-02-11 10:45:26 +00:00			`ReadBufferSize: config.Telemetry.Metrics.Buffers.Read,`
			`WriteBufferSize: config.Telemetry.Metrics.Buffers.Write,`
			`ReadTimeout: config.Telemetry.Metrics.Timeouts.Read,`
			`WriteTimeout: config.Telemetry.Metrics.Timeouts.Write,`
			`IdleTimeout: config.Telemetry.Metrics.Timeouts.Idle,`
refactor(logging): implement common interfaces (#3994) This implements and leverages some common library logging interfaces. 2022-09-10 08:02:57 +00:00			`Logger: logging.LoggerPrintf(logrus.DebugLevel),`
feat(metrics): implement prometheus metrics (#3234) Adds ability to record metrics and gather them for Prometheus. 2022-06-14 07:20:13 +00:00			`}`

refactor(configuration): umask from query (#5416) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-09 11:25:56 +00:00			`if listener, err = config.Telemetry.Metrics.Address.Listener(); err != nil {`
feat(server): listen on unix sockets (#5038) This allows listening on unix sockets. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-07 05:48:26 +00:00			`return nil, nil, nil, false, fmt.Errorf("error occurred while attempting to initialize metrics telemetry server listener for address '%s': %w", config.Telemetry.Metrics.Address.String(), err)`
refactor(commands): services (#4914) Misc refactoring of the services logic to simplify the 2023-02-11 10:45:26 +00:00			`}`
refactor(server): use errgroup to supervise services (#3755) Uses the errgroup package and pattern for supervising services like servers etc. 2022-08-08 21:50:12 +00:00
refactor(commands): services (#4914) Misc refactoring of the services logic to simplify the 2023-02-11 10:45:26 +00:00			`return server, listener, []string{"/metrics"}, false, nil`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`}`