authelia/internal/server/server.go

package server

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net"
	"os"

	"github.com/sirupsen/logrus"
	"github.com/valyala/fasthttp"
	"google.golang.org/grpc"
	"google.golang.org/grpc/credentials"

	"github.com/authelia/authelia/v4/internal/configuration/schema"
	"github.com/authelia/authelia/v4/internal/logging"
	"github.com/authelia/authelia/v4/internal/middlewares"
)

// CreateDefaultServer Create Authelia's internal webserver with the given configuration and providers.
func CreateDefaultServer(config *schema.Configuration, providers middlewares.Providers) (server *fasthttp.Server, listener net.Listener, paths []string, isTLS bool, err error) {
	if err = providers.Templates.LoadTemplatedAssets(assets); err != nil {
		return nil, nil, nil, false, fmt.Errorf("failed to load templated assets: %w", err)
	}

	server = &fasthttp.Server{
		ErrorHandler:          handleError(),
		Handler:               handleRouter(config, providers),
		NoDefaultServerHeader: true,
		ReadBufferSize:        config.Server.Buffers.Read,
		WriteBufferSize:       config.Server.Buffers.Write,
		ReadTimeout:           config.Server.Timeouts.Read,
		WriteTimeout:          config.Server.Timeouts.Write,
		IdleTimeout:           config.Server.Timeouts.Idle,
		Logger:                logging.LoggerPrintf(logrus.DebugLevel),
	}

	var (
		connectionScheme = schemeHTTP
	)

	if listener, err = config.Server.Address.Listener(); err != nil {
		return nil, nil, nil, false, fmt.Errorf("error occurred while attempting to initialize main server listener for address '%s': %w", config.Server.Address.String(), err)
	}

	if config.Server.TLS.Certificate != "" && config.Server.TLS.Key != "" {
		isTLS, connectionScheme = true, schemeHTTPS

		tlsConfig, err := loadTLSCertificates(config)
		if err != nil {
			return nil, nil, nil, false, fmt.Errorf("HTTP server: %w", err)
		}

		// Apply configuration
		listener = tls.NewListener(listener, tlsConfig.Clone())
	}

	if err = writeHealthCheckEnv(config.Server.DisableHealthcheck, connectionScheme, config.Server.Address.Hostname(),
		config.Server.Address.Path(), config.Server.Address.Port()); err != nil {
		return nil, nil, nil, false, fmt.Errorf("unable to configure healthcheck: %w", err)
	}

	paths = []string{"/"}

	if config.Server.Address.Path() != "/" {
		paths = append(paths, config.Server.Address.Path())
	}

	return server, listener, paths, isTLS, nil
}

// CreateMetricsServer creates a metrics server.
func CreateMetricsServer(config *schema.Configuration, providers middlewares.Providers) (server *fasthttp.Server, listener net.Listener, paths []string, tls bool, err error) {
	if providers.Metrics == nil {
		return
	}

	server = &fasthttp.Server{
		ErrorHandler:          handleError(),
		NoDefaultServerHeader: true,
		Handler:               handleMetrics(config.Telemetry.Metrics.Address.Path()),
		ReadBufferSize:        config.Telemetry.Metrics.Buffers.Read,
		WriteBufferSize:       config.Telemetry.Metrics.Buffers.Write,
		ReadTimeout:           config.Telemetry.Metrics.Timeouts.Read,
		WriteTimeout:          config.Telemetry.Metrics.Timeouts.Write,
		IdleTimeout:           config.Telemetry.Metrics.Timeouts.Idle,
		Logger:                logging.LoggerPrintf(logrus.DebugLevel),
	}

	if listener, err = config.Telemetry.Metrics.Address.Listener(); err != nil {
		return nil, nil, nil, false, fmt.Errorf("error occurred while attempting to initialize metrics telemetry server listener for address '%s': %w", config.Telemetry.Metrics.Address.String(), err)
	}

	return server, listener, []string{config.Telemetry.Metrics.Address.Path()}, false, nil
}

// CreateGRPCServer creates a server for handling gRPC authentication requests from an envoy proxy.
func CreateGRPCServer(config *schema.Configuration, providers middlewares.Providers) (server *grpc.Server, listener net.Listener, tls bool, err error) {
	if config.Server.GRPC.Address == nil {
		return nil, nil, false, nil
	}

	// Initialize gPRC server
	lis, err := config.Server.GRPC.Address.Listener()
	if err != nil {
		return nil, nil, false, fmt.Errorf("error occurred while attempting to initialize grcp server listener for address '%s': %w", config.Server.GRPC.Address, err)
	}

	opts := []grpc.ServerOption{grpc.MaxConcurrentStreams(10)}

	if config.Server.TLS.Certificate != "" && config.Server.TLS.Key != "" && !config.Server.GRPC.DisableTLS {
		tlsConfig, err := loadTLSCertificates(config)
		if err != nil {
			return nil, nil, false, fmt.Errorf("gRPC server: %w", err)
		}

		opts = append(opts, grpc.Creds(credentials.NewTLS(tlsConfig)))
		tls = true
	}

	s := grpc.NewServer(opts...)
	handleGRCP(s, config, providers)

	return s, lis, tls, nil
}

// loadTLSCertificates loads the server and client certificates from the files and returns a
// tls.Config object for the server
func loadTLSCertificates(config *schema.Configuration) (*tls.Config, error) {

	// Load the server certificates
	serverCert, err := tls.LoadX509KeyPair(config.Server.TLS.Certificate, config.Server.TLS.Key)
	if err != nil {
		return nil, fmt.Errorf("unable to load server certificate '%s' or key '%s': %w", config.Server.TLS.Certificate, config.Server.TLS.Key, err)
	}

	// Create the tls configuration
	tlsConfig := &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.NoClientCert,
	}

	// Load client certificates
	if len(config.Server.TLS.ClientCertificates) > 0 {
		caCertPool := x509.NewCertPool()

		var cert []byte

		for _, path := range config.Server.TLS.ClientCertificates {
			if cert, err = os.ReadFile(path); err != nil {
				return nil, fmt.Errorf("unable to load tls client certificate '%s': %w", path, err)
			}

			caCertPool.AppendCertsFromPEM(cert)
		}

		// ClientCAs should never be nil, otherwise the system cert pool is used for client authentication,
		// but we don't want everybody on the Internet to be able to authenticate.
		tlsConfig.ClientCAs = caCertPool
		tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
	}

	return tlsConfig, nil
}
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`package server`

			`import (`
feat: implement mutual tls in the web server (#3065) Mutual TLS helps prevent untrusted clients communicating with services like Authelia. This can be utilized to reduce the attack surface. Fixes #3041 2022-04-04 23:57:47 +00:00			`"crypto/tls"`
			`"crypto/x509"`
feat(metrics): implement prometheus metrics (#3234) Adds ability to record metrics and gather them for Prometheus. 2022-06-14 07:20:13 +00:00			`"fmt"`
[FEATURE] Add IPv6 support (#1196) 2020-07-16 06:36:37 +00:00			`"net"`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`"os"`

refactor(logging): implement common interfaces (#3994) This implements and leverages some common library logging interfaces. 2022-09-10 08:02:57 +00:00			`"github.com/sirupsen/logrus"`
[MISC] Update durations to notation format and housekeeping (#824) * added regulation validator * made regulations find_time and ban_time values duration notation strings * added DefaultRegulationConfiguration for the validator * made session expiration and inactivity values duration notation strings * TOTP period does not need to be converted because adjustment should be discouraged * moved TOTP defaults to DefaultTOTPConfiguration and removed the consts * arranged the root config validator in configuration file order * adjusted tests for the changes * moved duration notation docs to root of configuration * added references to duration notation where applicable * project wide gofmt and goimports: * run gofmt * run goimports -local github.com/authelia/authelia -w on all files * Make jwt_secret error uniform and add tests * now at 100% coverage for internal/configuration/validator/configuration.go 2020-04-05 12:37:21 +00:00			`"github.com/valyala/fasthttp"`
Implement gRPC endpoint for envoy 2023-06-23 19:19:56 +00:00			`"google.golang.org/grpc"`
			`"google.golang.org/grpc/credentials"`
[MISC] Update durations to notation format and housekeeping (#824) * added regulation validator * made regulations find_time and ban_time values duration notation strings * added DefaultRegulationConfiguration for the validator * made session expiration and inactivity values duration notation strings * TOTP period does not need to be converted because adjustment should be discouraged * moved TOTP defaults to DefaultTOTPConfiguration and removed the consts * arranged the root config validator in configuration file order * adjusted tests for the changes * moved duration notation docs to root of configuration * added references to duration notation where applicable * project wide gofmt and goimports: * run gofmt * run goimports -local github.com/authelia/authelia -w on all files * Make jwt_secret error uniform and add tests * now at 100% coverage for internal/configuration/validator/configuration.go 2020-04-05 12:37:21 +00:00
fix: include major in go.mod module directive (#2278) * build: include major in go.mod module directive * fix: xflags * revert: cobra changes * fix: mock doc 2021-08-11 01:04:35 +00:00			`"github.com/authelia/authelia/v4/internal/configuration/schema"`
build(deps): update module github.com/valyala/fasthttp to v1.35.0 (#3120) Co-authored-by: Renovate Bot <bot@renovateapp.com> Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> 2022-04-05 21:57:23 +00:00			`"github.com/authelia/authelia/v4/internal/logging"`
fix: include major in go.mod module directive (#2278) * build: include major in go.mod module directive * fix: xflags * revert: cobra changes * fix: mock doc 2021-08-11 01:04:35 +00:00			`"github.com/authelia/authelia/v4/internal/middlewares"`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`)`

feat(metrics): implement prometheus metrics (#3234) Adds ability to record metrics and gather them for Prometheus. 2022-06-14 07:20:13 +00:00			`// CreateDefaultServer Create Authelia's internal webserver with the given configuration and providers.`
refactor(commands): services (#4914) Misc refactoring of the services logic to simplify the 2023-02-11 10:45:26 +00:00			`func CreateDefaultServer(config schema.Configuration, providers middlewares.Providers) (server fasthttp.Server, listener net.Listener, paths []string, isTLS bool, err error) {`
perf(server): cached openapi document (#4674) This should lead to a small performance gain by caching the openapi.yml with etags as well as eliminating the use of nonce crypto generation when not required. 2023-01-03 03:49:02 +00:00			`if err = providers.Templates.LoadTemplatedAssets(assets); err != nil {`
refactor(commands): services (#4914) Misc refactoring of the services logic to simplify the 2023-02-11 10:45:26 +00:00			`return nil, nil, nil, false, fmt.Errorf("failed to load templated assets: %w", err)`
perf(server): cached openapi document (#4674) This should lead to a small performance gain by caching the openapi.yml with etags as well as eliminating the use of nonce crypto generation when not required. 2023-01-03 03:49:02 +00:00			`}`

feat(metrics): implement prometheus metrics (#3234) Adds ability to record metrics and gather them for Prometheus. 2022-06-14 07:20:13 +00:00			`server = &fasthttp.Server{`
fix(server): handled errors not logged correctly (#3507) This fixes an issue where errors handled by the ErrorHandler were not correctly logged. It also ensures the errors are logged with fields to make them easy to diagnose. Fixes #3506 2022-06-11 23:26:28 +00:00			`ErrorHandler: handleError(),`
			`Handler: handleRouter(config, providers),`
[SECURITY] Disable HTTP server header (#946) * [SECURITY] Disable HTTP Server Header * alphabetize fasthttp.Server property assignment 2020-04-30 03:16:41 +00:00			`NoDefaultServerHeader: true,`
refactor(server): use errgroup to supervise services (#3755) Uses the errgroup package and pattern for supervising services like servers etc. 2022-08-08 21:50:12 +00:00			`ReadBufferSize: config.Server.Buffers.Read,`
			`WriteBufferSize: config.Server.Buffers.Write,`
			`ReadTimeout: config.Server.Timeouts.Read,`
			`WriteTimeout: config.Server.Timeouts.Write,`
			`IdleTimeout: config.Server.Timeouts.Idle,`
refactor: adjust defaults (#4137) * refactor: adjust defaults * refactor: adjust level * refactor: adjust level * refactor: fix templates 2022-10-07 02:52:01 +00:00			`Logger: logging.LoggerPrintf(logrus.DebugLevel),`
[MISC] Add http debug routes (#848) * [MISC] Add debug endpoints to Authelia * enabled only with trace logging * allows go tool pprof usage when enabled * enables both the expvarhandler and pprofhandler from fasthttp * simplify tls/non-tls listen and serve * make it easy to define custom settings of the fasthttp server in the future * make name param optional * add note about the trace setting in the documentation 2020-04-11 04:59:58 +00:00			`}`
feat(oidc): provide cors config including options handlers (#3005) This adjusts the CORS headers appropriately for OpenID Connect. This includes responding to OPTIONS requests appropriately. Currently this is only configured to operate when the Origin scheme is HTTPS; but can easily be expanded in the future to include additional Origins. 2022-04-07 00:58:51 +00:00
feat: implement mutual tls in the web server (#3065) Mutual TLS helps prevent untrusted clients communicating with services like Authelia. This can be utilized to reduce the attack surface. Fixes #3041 2022-04-04 23:57:47 +00:00			`var (`
feat(server): listen on unix sockets (#5038) This allows listening on unix sockets. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-07 05:48:26 +00:00			`connectionScheme = schemeHTTP`
feat: implement mutual tls in the web server (#3065) Mutual TLS helps prevent untrusted clients communicating with services like Authelia. This can be utilized to reduce the attack surface. Fixes #3041 2022-04-04 23:57:47 +00:00			`)`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00
refactor(configuration): umask from query (#5416) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-09 11:25:56 +00:00			`if listener, err = config.Server.Address.Listener(); err != nil {`
feat(server): listen on unix sockets (#5038) This allows listening on unix sockets. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-07 05:48:26 +00:00			`return nil, nil, nil, false, fmt.Errorf("error occurred while attempting to initialize main server listener for address '%s': %w", config.Server.Address.String(), err)`
			`}`

fix(server): incorrect remote ip logged in error handler (#3139) This fixes edge cases where the remote IP was not correctly logged. Generally this is not an issue as most errors do not hit this handler, but in instances where a transport error occurs this is important. 2022-04-08 04:13:47 +00:00			`if config.Server.TLS.Certificate != "" && config.Server.TLS.Key != "" {`
refactor(commands): services (#4914) Misc refactoring of the services logic to simplify the 2023-02-11 10:45:26 +00:00			`isTLS, connectionScheme = true, schemeHTTPS`
feat: implement mutual tls in the web server (#3065) Mutual TLS helps prevent untrusted clients communicating with services like Authelia. This can be utilized to reduce the attack surface. Fixes #3041 2022-04-04 23:57:47 +00:00
Implement gRPC endpoint for envoy 2023-06-23 19:19:56 +00:00			`tlsConfig, err := loadTLSCertificates(config)`
			`if err != nil {`
			`return nil, nil, nil, false, fmt.Errorf("HTTP server: %w", err)`
refactor: configuration agnostic healthcheck (#2231) This makes the healthcheck simple and configured directly by Authelia's configuration on startup. 2021-08-05 04:02:07 +00:00			`}`

Implement gRPC endpoint for envoy 2023-06-23 19:19:56 +00:00			`// Apply configuration`
			`listener = tls.NewListener(listener, tlsConfig.Clone())`
feat: implement mutual tls in the web server (#3065) Mutual TLS helps prevent untrusted clients communicating with services like Authelia. This can be utilized to reduce the attack surface. Fixes #3041 2022-04-04 23:57:47 +00:00			`}`
refactor: configuration agnostic healthcheck (#2231) This makes the healthcheck simple and configured directly by Authelia's configuration on startup. 2021-08-05 04:02:07 +00:00
feat(server): listen on unix sockets (#5038) This allows listening on unix sockets. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-07 05:48:26 +00:00			`if err = writeHealthCheckEnv(config.Server.DisableHealthcheck, connectionScheme, config.Server.Address.Hostname(),`
refactor: path from address (#5492) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-30 08:21:19 +00:00			`config.Server.Address.Path(), config.Server.Address.Port()); err != nil {`
refactor(commands): services (#4914) Misc refactoring of the services logic to simplify the 2023-02-11 10:45:26 +00:00			`return nil, nil, nil, false, fmt.Errorf("unable to configure healthcheck: %w", err)`
[FEATURE] Add TLS support. (#677) * [FEATURE] Add TLS support. Fixes #368. * [FEATURE] Introduce OnError hook in suites. This hook allows to perform actions following an erroneous suite like displaying the logs of Authelia. * Display Authelia logs of Standalone suite when tests fail. * Fix Standalone suite. * Apply suggestions from code review * Rename ssl_key and ssl_cert into tls_key and tls_cert. 2020-03-03 07:18:25 +00:00			`}`
feat: implement mutual tls in the web server (#3065) Mutual TLS helps prevent untrusted clients communicating with services like Authelia. This can be utilized to reduce the attack surface. Fixes #3041 2022-04-04 23:57:47 +00:00
refactor(commands): services (#4914) Misc refactoring of the services logic to simplify the 2023-02-11 10:45:26 +00:00			`paths = []string{"/"}`
feat(metrics): implement prometheus metrics (#3234) Adds ability to record metrics and gather them for Prometheus. 2022-06-14 07:20:13 +00:00
refactor: path from address (#5492) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-30 08:21:19 +00:00			`if config.Server.Address.Path() != "/" {`
			`paths = append(paths, config.Server.Address.Path())`
feat: implement mutual tls in the web server (#3065) Mutual TLS helps prevent untrusted clients communicating with services like Authelia. This can be utilized to reduce the attack surface. Fixes #3041 2022-04-04 23:57:47 +00:00			`}`

refactor(commands): services (#4914) Misc refactoring of the services logic to simplify the 2023-02-11 10:45:26 +00:00			`return server, listener, paths, isTLS, nil`
feat(metrics): implement prometheus metrics (#3234) Adds ability to record metrics and gather them for Prometheus. 2022-06-14 07:20:13 +00:00			`}`

			`// CreateMetricsServer creates a metrics server.`
refactor(commands): services (#4914) Misc refactoring of the services logic to simplify the 2023-02-11 10:45:26 +00:00			`func CreateMetricsServer(config schema.Configuration, providers middlewares.Providers) (server fasthttp.Server, listener net.Listener, paths []string, tls bool, err error) {`
			`if providers.Metrics == nil {`
			`return`
feat(metrics): implement prometheus metrics (#3234) Adds ability to record metrics and gather them for Prometheus. 2022-06-14 07:20:13 +00:00			`}`

			`server = &fasthttp.Server{`
			`ErrorHandler: handleError(),`
			`NoDefaultServerHeader: true,`
refactor: path from address (#5492) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-30 08:21:19 +00:00			`Handler: handleMetrics(config.Telemetry.Metrics.Address.Path()),`
refactor(commands): services (#4914) Misc refactoring of the services logic to simplify the 2023-02-11 10:45:26 +00:00			`ReadBufferSize: config.Telemetry.Metrics.Buffers.Read,`
			`WriteBufferSize: config.Telemetry.Metrics.Buffers.Write,`
			`ReadTimeout: config.Telemetry.Metrics.Timeouts.Read,`
			`WriteTimeout: config.Telemetry.Metrics.Timeouts.Write,`
			`IdleTimeout: config.Telemetry.Metrics.Timeouts.Idle,`
refactor(logging): implement common interfaces (#3994) This implements and leverages some common library logging interfaces. 2022-09-10 08:02:57 +00:00			`Logger: logging.LoggerPrintf(logrus.DebugLevel),`
feat(metrics): implement prometheus metrics (#3234) Adds ability to record metrics and gather them for Prometheus. 2022-06-14 07:20:13 +00:00			`}`

refactor(configuration): umask from query (#5416) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-09 11:25:56 +00:00			`if listener, err = config.Telemetry.Metrics.Address.Listener(); err != nil {`
feat(server): listen on unix sockets (#5038) This allows listening on unix sockets. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-07 05:48:26 +00:00			`return nil, nil, nil, false, fmt.Errorf("error occurred while attempting to initialize metrics telemetry server listener for address '%s': %w", config.Telemetry.Metrics.Address.String(), err)`
refactor(commands): services (#4914) Misc refactoring of the services logic to simplify the 2023-02-11 10:45:26 +00:00			`}`
refactor(server): use errgroup to supervise services (#3755) Uses the errgroup package and pattern for supervising services like servers etc. 2022-08-08 21:50:12 +00:00
refactor: path from address (#5492) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-30 08:21:19 +00:00			`return server, listener, []string{config.Telemetry.Metrics.Address.Path()}, false, nil`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`}`
Implement gRPC endpoint for envoy 2023-06-23 19:19:56 +00:00
			`// CreateGRPCServer creates a server for handling gRPC authentication requests from an envoy proxy.`
			`func CreateGRPCServer(config schema.Configuration, providers middlewares.Providers) (server grpc.Server, listener net.Listener, tls bool, err error) {`
			`if config.Server.GRPC.Address == nil {`
			`return nil, nil, false, nil`
			`}`

			`// Initialize gPRC server`
			`lis, err := config.Server.GRPC.Address.Listener()`
			`if err != nil {`
			`return nil, nil, false, fmt.Errorf("error occurred while attempting to initialize grcp server listener for address '%s': %w", config.Server.GRPC.Address, err)`
			`}`

			`opts := []grpc.ServerOption{grpc.MaxConcurrentStreams(10)}`

			`if config.Server.TLS.Certificate != "" && config.Server.TLS.Key != "" && !config.Server.GRPC.DisableTLS {`
			`tlsConfig, err := loadTLSCertificates(config)`
			`if err != nil {`
			`return nil, nil, false, fmt.Errorf("gRPC server: %w", err)`
			`}`

			`opts = append(opts, grpc.Creds(credentials.NewTLS(tlsConfig)))`
			`tls = true`
			`}`

			`s := grpc.NewServer(opts...)`
			`handleGRCP(s, config, providers)`

			`return s, lis, tls, nil`
			`}`

			`// loadTLSCertificates loads the server and client certificates from the files and returns a`
			`// tls.Config object for the server`
			`func loadTLSCertificates(config schema.Configuration) (tls.Config, error) {`

			`// Load the server certificates`
			`serverCert, err := tls.LoadX509KeyPair(config.Server.TLS.Certificate, config.Server.TLS.Key)`
			`if err != nil {`
			`return nil, fmt.Errorf("unable to load server certificate '%s' or key '%s': %w", config.Server.TLS.Certificate, config.Server.TLS.Key, err)`
			`}`

			`// Create the tls configuration`
			`tlsConfig := &tls.Config{`
			`Certificates: []tls.Certificate{serverCert},`
			`ClientAuth: tls.NoClientCert,`
			`}`

			`// Load client certificates`
			`if len(config.Server.TLS.ClientCertificates) > 0 {`
			`caCertPool := x509.NewCertPool()`

			`var cert []byte`

			`for _, path := range config.Server.TLS.ClientCertificates {`
			`if cert, err = os.ReadFile(path); err != nil {`
			`return nil, fmt.Errorf("unable to load tls client certificate '%s': %w", path, err)`
			`}`

			`caCertPool.AppendCertsFromPEM(cert)`
			`}`

			`// ClientCAs should never be nil, otherwise the system cert pool is used for client authentication,`
			`// but we don't want everybody on the Internet to be able to authenticate.`
			`tlsConfig.ClientCAs = caCertPool`
			`tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert`
			`}`

			`return tlsConfig, nil`
			`}`