feat(storage): tls connection support (#4233)
This adds support to PostgreSQL and MySQL to connect via TLS via the standard TLS configuration options.pull/4232/head^2
parent
1ea29cb2c2
commit
69c4c02d03
|
@ -304,18 +304,22 @@ authentication_backend:
|
||||||
# start_tls: false
|
# start_tls: false
|
||||||
|
|
||||||
# tls:
|
# tls:
|
||||||
## Server Name for certificate validation (in case it's not set correctly in the URL).
|
## The server subject name to check the servers certificate against during the validation process.
|
||||||
|
## This option is not required if the certificate has a SAN which matches the host portion of the url option.
|
||||||
# server_name: ldap.example.com
|
# server_name: ldap.example.com
|
||||||
|
|
||||||
## Skip verifying the server certificate (to allow a self-signed certificate).
|
## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the
|
||||||
## In preference to setting this we strongly recommend you add the public portion of the certificate to the
|
## certificate or the certificate of the authority signing the certificate to the certificates directory which is
|
||||||
## certificates directory which is defined by the `certificates_directory` option at the top of the config.
|
## defined by the `certificates_directory` option at the top of the configuration.
|
||||||
|
## It's important to note the public key should be added to the directory, not the private key.
|
||||||
|
## This option is strongly discouraged but may be useful in some self-signed situations where validation is not
|
||||||
|
## important to the administrator.
|
||||||
# skip_verify: false
|
# skip_verify: false
|
||||||
|
|
||||||
## Minimum TLS version for either Secure LDAP or LDAP StartTLS.
|
## Minimum TLS version for the connection.
|
||||||
# minimum_version: TLS1.2
|
# minimum_version: TLS1.2
|
||||||
|
|
||||||
## Maximum TLS version for either Secure LDAP or LDAP StartTLS.
|
## Maximum TLS version for the connection.
|
||||||
# maximum_version: TLS1.3
|
# maximum_version: TLS1.3
|
||||||
|
|
||||||
## The certificate chain used with the private_key if the server requests TLS Client Authentication
|
## The certificate chain used with the private_key if the server requests TLS Client Authentication
|
||||||
|
@ -717,12 +721,16 @@ session:
|
||||||
|
|
||||||
## The Redis TLS configuration. If defined will require a TLS connection to the Redis instance(s).
|
## The Redis TLS configuration. If defined will require a TLS connection to the Redis instance(s).
|
||||||
# tls:
|
# tls:
|
||||||
## Server Name for certificate validation (in case you are using the IP or non-FQDN in the host option).
|
## The server subject name to check the servers certificate against during the validation process.
|
||||||
|
## This option is not required if the certificate has a SAN which matches the host option.
|
||||||
# server_name: myredis.example.com
|
# server_name: myredis.example.com
|
||||||
|
|
||||||
## Skip verifying the server certificate (to allow a self-signed certificate).
|
## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the
|
||||||
## In preference to setting this we strongly recommend you add the public portion of the certificate to the
|
## certificate or the certificate of the authority signing the certificate to the certificates directory which is
|
||||||
## certificates directory which is defined by the `certificates_directory` option at the top of the config.
|
## defined by the `certificates_directory` option at the top of the configuration.
|
||||||
|
## It's important to note the public key should be added to the directory, not the private key.
|
||||||
|
## This option is strongly discouraged but may be useful in some self-signed situations where validation is not
|
||||||
|
## important to the administrator.
|
||||||
# skip_verify: false
|
# skip_verify: false
|
||||||
|
|
||||||
## Minimum TLS version for the connection.
|
## Minimum TLS version for the connection.
|
||||||
|
@ -882,6 +890,99 @@ regulation:
|
||||||
# password: mypassword
|
# password: mypassword
|
||||||
# timeout: 5s
|
# timeout: 5s
|
||||||
|
|
||||||
|
## MySQL TLS settings. Configuring this requires TLS.
|
||||||
|
# tls:
|
||||||
|
## The server subject name to check the servers certificate against during the validation process.
|
||||||
|
## This option is not required if the certificate has a SAN which matches the host option.
|
||||||
|
# server_name: mysql.example.com
|
||||||
|
|
||||||
|
## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the
|
||||||
|
## certificate or the certificate of the authority signing the certificate to the certificates directory which is
|
||||||
|
## defined by the `certificates_directory` option at the top of the configuration.
|
||||||
|
## It's important to note the public key should be added to the directory, not the private key.
|
||||||
|
## This option is strongly discouraged but may be useful in some self-signed situations where validation is not
|
||||||
|
## important to the administrator.
|
||||||
|
# skip_verify: false
|
||||||
|
|
||||||
|
## Minimum TLS version for the connection.
|
||||||
|
# minimum_version: TLS1.2
|
||||||
|
|
||||||
|
## Maximum TLS version for the connection.
|
||||||
|
# maximum_version: TLS1.3
|
||||||
|
|
||||||
|
## The certificate chain used with the private_key if the server requests TLS Client Authentication
|
||||||
|
## i.e. Mutual TLS.
|
||||||
|
# certificate_chain: |
|
||||||
|
# -----BEGIN CERTIFICATE-----
|
||||||
|
# MIIC5jCCAc6gAwIBAgIRAK4Sj7FiN6PXo/urPfO4E7owDQYJKoZIhvcNAQELBQAw
|
||||||
|
# EzERMA8GA1UEChMIQXV0aGVsaWEwHhcNNzAwMTAxMDAwMDAwWhcNNzEwMTAxMDAw
|
||||||
|
# MDAwWjATMREwDwYDVQQKEwhBdXRoZWxpYTCCASIwDQYJKoZIhvcNAQEBBQADggEP
|
||||||
|
# ADCCAQoCggEBAPKv3pSyP4ozGEiVLJ14dIWFCEGEgq7WUMI0SZZqQA2ID0L59U/Q
|
||||||
|
# /Usyy7uC9gfMUzODTpANtkOjFQcQAsxlR1FOjVBrX5QgjSvXwbQn3DtwMA7XWSl6
|
||||||
|
# LuYx2rBYSlMSN5UZQm/RxMtXfLK2b51WgEEYDFi+nECSqKzR4R54eOPkBEWRfvuY
|
||||||
|
# 91AMjlhpivg8e4JWkq4LVQUKbmiFYwIdK8XQiN4blY9WwXwJFYs5sQ/UYMwBFi0H
|
||||||
|
# kWOh7GEjfxgoUOPauIueZSMSlQp7zqAH39N0ZSYb6cS0Npj57QoWZSY3ak87ebcR
|
||||||
|
# Nf4rCvZLby7LoN7qYCKxmCaDD3x2+NYpWH8CAwEAAaM1MDMwDgYDVR0PAQH/BAQD
|
||||||
|
# AgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcN
|
||||||
|
# AQELBQADggEBAHSITqIQSNzonFl3DzxHPEzr2hp6peo45buAAtu8FZHoA+U7Icfh
|
||||||
|
# /ZXjPg7Xz+hgFwM/DTNGXkMWacQA/PaNWvZspgRJf2AXvNbMSs2UQODr7Tbv+Fb4
|
||||||
|
# lyblmMUNYFMCFVAMU0eIxXAFq2qcwv8UMcQFT0Z/35s6PVOakYnAGGQjTfp5Ljuq
|
||||||
|
# wsdc/xWmM0cHWube6sdRRUD7SY20KU/kWzl8iFO0VbSSrDf1AlEhnLEkp1SPaxXg
|
||||||
|
# OdBnl98MeoramNiJ7NT6Jnyb3zZ578fjaWfThiBpagItI8GZmG4s4Ovh2JbheN8i
|
||||||
|
# ZsjNr9jqHTjhyLVbDRlmJzcqoj4JhbKs6/I^invalid DO NOT USE=
|
||||||
|
# -----END CERTIFICATE-----
|
||||||
|
# -----BEGIN CERTIFICATE-----
|
||||||
|
# MIIDBDCCAeygAwIBAgIRALJsPg21kA0zY4F1wUCIuoMwDQYJKoZIhvcNAQELBQAw
|
||||||
|
# EzERMA8GA1UEChMIQXV0aGVsaWEwHhcNNzAwMTAxMDAwMDAwWhcNNzEwMTAxMDAw
|
||||||
|
# MDAwWjATMREwDwYDVQQKEwhBdXRoZWxpYTCCASIwDQYJKoZIhvcNAQEBBQADggEP
|
||||||
|
# ADCCAQoCggEBAMXHBvVxUzYk0u34/DINMSF+uiOekKOAjOrC6Mi9Ww8ytPVO7t2S
|
||||||
|
# zfTvM+XnEJqkFQFgimERfG/eGhjF9XIEY6LtnXe8ATvOK4nTwdufzBaoeQu3Gd50
|
||||||
|
# 5VXr6OHRo//ErrGvFXwP3g8xLePABsi/fkH3oDN+ztewOBMDzpd+KgTrk8ysv2ou
|
||||||
|
# kNRMKFZZqASvCgv0LD5KWvUCnL6wgf1oTXG7aztduA4oSkUP321GpOmBC5+5ElU7
|
||||||
|
# ysoRzvD12o9QJ/IfEaulIX06w9yVMo60C/h6A3U6GdkT1SiyTIqR7v7KU/IWd/Qi
|
||||||
|
# Lfftcj91VhCmJ73Meff2e2S2PrpjdXbG5FMCAwEAAaNTMFEwDgYDVR0PAQH/BAQD
|
||||||
|
# AgKkMA8GA1UdJQQIMAYGBFUdJQAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU
|
||||||
|
# Z7AtA3mzFc0InSBA5fiMfeLXA3owDQYJKoZIhvcNAQELBQADggEBAEE5hm1mtlk/
|
||||||
|
# kviCoHH4evbpw7rxPxDftIQlqYTtvMM4eWY/6icFoSZ4fUHEWYyps8SsPu/8f2tf
|
||||||
|
# 71LGgZn0FdHi1QU2H8m0HHK7TFw+5Q6RLrLdSyk0PItJ71s9en7r8pX820nAFEHZ
|
||||||
|
# HkOSfJZ7B5hFgUDkMtVM6bardXAhoqcMk4YCU96e9d4PB4eI+xGc+mNuYvov3RbB
|
||||||
|
# D0s8ICyojeyPVLerz4wHjZu68Z5frAzhZ68YbzNs8j2fIBKKHkHyLG1iQyF+LJVj
|
||||||
|
# 2PjCP+auJsj6fQQpMGoyGtpLcSDh+ptcTngUD8JsWipzTCjmaNqdPHAOYmcgtf4b
|
||||||
|
# qocikt3WAdU^invalid DO NOT USE=
|
||||||
|
# -----END CERTIFICATE-----
|
||||||
|
|
||||||
|
## The private key used with the certificate_chain if the server requests TLS Client Authentication
|
||||||
|
## i.e. Mutual TLS.
|
||||||
|
# private_key: |
|
||||||
|
# -----BEGIN RSA PRIVATE KEY-----
|
||||||
|
# MIIEpAIBAAKCAQEA8q/elLI/ijMYSJUsnXh0hYUIQYSCrtZQwjRJlmpADYgPQvn1
|
||||||
|
# T9D9SzLLu4L2B8xTM4NOkA22Q6MVBxACzGVHUU6NUGtflCCNK9fBtCfcO3AwDtdZ
|
||||||
|
# KXou5jHasFhKUxI3lRlCb9HEy1d8srZvnVaAQRgMWL6cQJKorNHhHnh44+QERZF+
|
||||||
|
# +5j3UAyOWGmK+Dx7glaSrgtVBQpuaIVjAh0rxdCI3huVj1bBfAkVizmxD9RgzAEW
|
||||||
|
# LQeRY6HsYSN/GChQ49q4i55lIxKVCnvOoAff03RlJhvpxLQ2mPntChZlJjdqTzt5
|
||||||
|
# txE1/isK9ktvLsug3upgIrGYJoMPfHb41ilYfwIDAQABAoIBAQDTOdFf2JjHH1um
|
||||||
|
# aPgRAvNf9v7Nj5jytaRKs5nM6iNf46ls4QPreXnMhqSeSwj6lpNgBYxOgzC9Q+cc
|
||||||
|
# Y4ob/paJJPaIJTxmP8K/gyWcOQlNToL1l+eJ20eQoZm23NGr5fIsunSBwLEpTrdB
|
||||||
|
# ENqqtcwhW937K8Pxy/Q1nuLyU2bc6Tn/ivLozc8n27dpQWWKh8537VY7ancIaACr
|
||||||
|
# LJJLYxKqhQpjtBWAyCDvZQirnAOm9KnvIHaGXIswCZ4Xbsu0Y9NL+woARPyRVQvG
|
||||||
|
# jfxy4EmO9s1s6y7OObSukwKDSNihAKHx/VIbvVWx8g2Lv5fGOa+J2Y7o9Qurs8t5
|
||||||
|
# BQwMTt0BAoGBAPUw5Z32EszNepAeV3E2mPFUc5CLiqAxagZJuNDO2pKtyN29ETTR
|
||||||
|
# Ma4O1cWtGb6RqcNNN/Iukfkdk27Q5nC9VJSUUPYelOLc1WYOoUf6oKRzE72dkMQV
|
||||||
|
# R4bf6TkjD+OVR17fAfkswkGahZ5XA7j48KIQ+YC4jbnYKSxZTYyKPjH/AoGBAP1i
|
||||||
|
# tqXt36OVlP+y84wWqZSjMelBIVa9phDVGJmmhz3i1cMni8eLpJzWecA3pfnG6Tm9
|
||||||
|
# ze5M4whASleEt+M00gEvNaU9ND+z0wBfi+/DwJYIbv8PQdGrBiZFrPhTPjGQUldR
|
||||||
|
# lXccV2meeLZv7TagVxSi3DO6dSJfSEHyemd5j9mBAoGAX8Hv+0gOQZQCSOTAq8Nx
|
||||||
|
# 6dZcp9gHlNaXnMsP9eTDckOSzh636JPGvj6m+GPJSSbkURUIQ3oyokMNwFqvlNos
|
||||||
|
# fTaLhAOfjBZI9WnDTTQxpugWjphJ4HqbC67JC/qIiw5S6FdaEvGLEEoD4zoChywZ
|
||||||
|
# 9oGAn+fz2d/0/JAH/FpFPgsCgYEAp/ipZgPzziiZ9ov1wbdAQcWRj7RaWnssPFpX
|
||||||
|
# jXwEiXT3CgEMO4MJ4+KWIWOChrti3qFBg6i6lDyyS6Qyls7sLFbUdC7HlTcrOEMe
|
||||||
|
# rBoTcCI1GqZNlqWOVQ65ZIEiaI7o1vPBZo2GMQEZuq8mDKFsOMThvvTrM5cAep84
|
||||||
|
# n6HJR4ECgYABWcbsSnr0MKvVth/inxjbKapbZnp2HUCuw87Ie5zK2Of/tbC20wwk
|
||||||
|
# yKw3vrGoE3O1t1g2m2tn8UGGASeZ842jZWjIODdSi5+icysQGuULKt86h/woz2SQ
|
||||||
|
# 27GoE2i5mh6Yez6VAYbUuns3FcwIsMyWLq043Tu2DNkx9ijOOAuQzw^invalid..
|
||||||
|
# DO NOT USE==
|
||||||
|
# -----END RSA PRIVATE KEY-----
|
||||||
|
|
||||||
##
|
##
|
||||||
## PostgreSQL (Storage Provider)
|
## PostgreSQL (Storage Provider)
|
||||||
##
|
##
|
||||||
|
@ -894,11 +995,99 @@ regulation:
|
||||||
## Password can also be set using a secret: https://www.authelia.com/c/secrets
|
## Password can also be set using a secret: https://www.authelia.com/c/secrets
|
||||||
# password: mypassword
|
# password: mypassword
|
||||||
# timeout: 5s
|
# timeout: 5s
|
||||||
# ssl:
|
|
||||||
# mode: disable
|
## PostgreSQL TLS settings. Configuring this requires TLS.
|
||||||
# root_certificate: disable
|
# tls:
|
||||||
# certificate: disable
|
## The server subject name to check the servers certificate against during the validation process.
|
||||||
# key: disable
|
## This option is not required if the certificate has a SAN which matches the host option.
|
||||||
|
# server_name: postgres.example.com
|
||||||
|
|
||||||
|
## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the
|
||||||
|
## certificate or the certificate of the authority signing the certificate to the certificates directory which is
|
||||||
|
## defined by the `certificates_directory` option at the top of the configuration.
|
||||||
|
## It's important to note the public key should be added to the directory, not the private key.
|
||||||
|
## This option is strongly discouraged but may be useful in some self-signed situations where validation is not
|
||||||
|
## important to the administrator.
|
||||||
|
# skip_verify: false
|
||||||
|
|
||||||
|
## Minimum TLS version for the connection.
|
||||||
|
# minimum_version: TLS1.2
|
||||||
|
|
||||||
|
## Maximum TLS version for the connection.
|
||||||
|
# maximum_version: TLS1.3
|
||||||
|
|
||||||
|
## The certificate chain used with the private_key if the server requests TLS Client Authentication
|
||||||
|
## i.e. Mutual TLS.
|
||||||
|
# certificate_chain: |
|
||||||
|
# -----BEGIN CERTIFICATE-----
|
||||||
|
# MIIC5jCCAc6gAwIBAgIRAK4Sj7FiN6PXo/urPfO4E7owDQYJKoZIhvcNAQELBQAw
|
||||||
|
# EzERMA8GA1UEChMIQXV0aGVsaWEwHhcNNzAwMTAxMDAwMDAwWhcNNzEwMTAxMDAw
|
||||||
|
# MDAwWjATMREwDwYDVQQKEwhBdXRoZWxpYTCCASIwDQYJKoZIhvcNAQEBBQADggEP
|
||||||
|
# ADCCAQoCggEBAPKv3pSyP4ozGEiVLJ14dIWFCEGEgq7WUMI0SZZqQA2ID0L59U/Q
|
||||||
|
# /Usyy7uC9gfMUzODTpANtkOjFQcQAsxlR1FOjVBrX5QgjSvXwbQn3DtwMA7XWSl6
|
||||||
|
# LuYx2rBYSlMSN5UZQm/RxMtXfLK2b51WgEEYDFi+nECSqKzR4R54eOPkBEWRfvuY
|
||||||
|
# 91AMjlhpivg8e4JWkq4LVQUKbmiFYwIdK8XQiN4blY9WwXwJFYs5sQ/UYMwBFi0H
|
||||||
|
# kWOh7GEjfxgoUOPauIueZSMSlQp7zqAH39N0ZSYb6cS0Npj57QoWZSY3ak87ebcR
|
||||||
|
# Nf4rCvZLby7LoN7qYCKxmCaDD3x2+NYpWH8CAwEAAaM1MDMwDgYDVR0PAQH/BAQD
|
||||||
|
# AgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcN
|
||||||
|
# AQELBQADggEBAHSITqIQSNzonFl3DzxHPEzr2hp6peo45buAAtu8FZHoA+U7Icfh
|
||||||
|
# /ZXjPg7Xz+hgFwM/DTNGXkMWacQA/PaNWvZspgRJf2AXvNbMSs2UQODr7Tbv+Fb4
|
||||||
|
# lyblmMUNYFMCFVAMU0eIxXAFq2qcwv8UMcQFT0Z/35s6PVOakYnAGGQjTfp5Ljuq
|
||||||
|
# wsdc/xWmM0cHWube6sdRRUD7SY20KU/kWzl8iFO0VbSSrDf1AlEhnLEkp1SPaxXg
|
||||||
|
# OdBnl98MeoramNiJ7NT6Jnyb3zZ578fjaWfThiBpagItI8GZmG4s4Ovh2JbheN8i
|
||||||
|
# ZsjNr9jqHTjhyLVbDRlmJzcqoj4JhbKs6/I^invalid DO NOT USE=
|
||||||
|
# -----END CERTIFICATE-----
|
||||||
|
# -----BEGIN CERTIFICATE-----
|
||||||
|
# MIIDBDCCAeygAwIBAgIRALJsPg21kA0zY4F1wUCIuoMwDQYJKoZIhvcNAQELBQAw
|
||||||
|
# EzERMA8GA1UEChMIQXV0aGVsaWEwHhcNNzAwMTAxMDAwMDAwWhcNNzEwMTAxMDAw
|
||||||
|
# MDAwWjATMREwDwYDVQQKEwhBdXRoZWxpYTCCASIwDQYJKoZIhvcNAQEBBQADggEP
|
||||||
|
# ADCCAQoCggEBAMXHBvVxUzYk0u34/DINMSF+uiOekKOAjOrC6Mi9Ww8ytPVO7t2S
|
||||||
|
# zfTvM+XnEJqkFQFgimERfG/eGhjF9XIEY6LtnXe8ATvOK4nTwdufzBaoeQu3Gd50
|
||||||
|
# 5VXr6OHRo//ErrGvFXwP3g8xLePABsi/fkH3oDN+ztewOBMDzpd+KgTrk8ysv2ou
|
||||||
|
# kNRMKFZZqASvCgv0LD5KWvUCnL6wgf1oTXG7aztduA4oSkUP321GpOmBC5+5ElU7
|
||||||
|
# ysoRzvD12o9QJ/IfEaulIX06w9yVMo60C/h6A3U6GdkT1SiyTIqR7v7KU/IWd/Qi
|
||||||
|
# Lfftcj91VhCmJ73Meff2e2S2PrpjdXbG5FMCAwEAAaNTMFEwDgYDVR0PAQH/BAQD
|
||||||
|
# AgKkMA8GA1UdJQQIMAYGBFUdJQAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU
|
||||||
|
# Z7AtA3mzFc0InSBA5fiMfeLXA3owDQYJKoZIhvcNAQELBQADggEBAEE5hm1mtlk/
|
||||||
|
# kviCoHH4evbpw7rxPxDftIQlqYTtvMM4eWY/6icFoSZ4fUHEWYyps8SsPu/8f2tf
|
||||||
|
# 71LGgZn0FdHi1QU2H8m0HHK7TFw+5Q6RLrLdSyk0PItJ71s9en7r8pX820nAFEHZ
|
||||||
|
# HkOSfJZ7B5hFgUDkMtVM6bardXAhoqcMk4YCU96e9d4PB4eI+xGc+mNuYvov3RbB
|
||||||
|
# D0s8ICyojeyPVLerz4wHjZu68Z5frAzhZ68YbzNs8j2fIBKKHkHyLG1iQyF+LJVj
|
||||||
|
# 2PjCP+auJsj6fQQpMGoyGtpLcSDh+ptcTngUD8JsWipzTCjmaNqdPHAOYmcgtf4b
|
||||||
|
# qocikt3WAdU^invalid DO NOT USE=
|
||||||
|
# -----END CERTIFICATE-----
|
||||||
|
|
||||||
|
## The private key used with the certificate_chain if the server requests TLS Client Authentication
|
||||||
|
## i.e. Mutual TLS.
|
||||||
|
# private_key: |
|
||||||
|
# -----BEGIN RSA PRIVATE KEY-----
|
||||||
|
# MIIEpAIBAAKCAQEA8q/elLI/ijMYSJUsnXh0hYUIQYSCrtZQwjRJlmpADYgPQvn1
|
||||||
|
# T9D9SzLLu4L2B8xTM4NOkA22Q6MVBxACzGVHUU6NUGtflCCNK9fBtCfcO3AwDtdZ
|
||||||
|
# KXou5jHasFhKUxI3lRlCb9HEy1d8srZvnVaAQRgMWL6cQJKorNHhHnh44+QERZF+
|
||||||
|
# +5j3UAyOWGmK+Dx7glaSrgtVBQpuaIVjAh0rxdCI3huVj1bBfAkVizmxD9RgzAEW
|
||||||
|
# LQeRY6HsYSN/GChQ49q4i55lIxKVCnvOoAff03RlJhvpxLQ2mPntChZlJjdqTzt5
|
||||||
|
# txE1/isK9ktvLsug3upgIrGYJoMPfHb41ilYfwIDAQABAoIBAQDTOdFf2JjHH1um
|
||||||
|
# aPgRAvNf9v7Nj5jytaRKs5nM6iNf46ls4QPreXnMhqSeSwj6lpNgBYxOgzC9Q+cc
|
||||||
|
# Y4ob/paJJPaIJTxmP8K/gyWcOQlNToL1l+eJ20eQoZm23NGr5fIsunSBwLEpTrdB
|
||||||
|
# ENqqtcwhW937K8Pxy/Q1nuLyU2bc6Tn/ivLozc8n27dpQWWKh8537VY7ancIaACr
|
||||||
|
# LJJLYxKqhQpjtBWAyCDvZQirnAOm9KnvIHaGXIswCZ4Xbsu0Y9NL+woARPyRVQvG
|
||||||
|
# jfxy4EmO9s1s6y7OObSukwKDSNihAKHx/VIbvVWx8g2Lv5fGOa+J2Y7o9Qurs8t5
|
||||||
|
# BQwMTt0BAoGBAPUw5Z32EszNepAeV3E2mPFUc5CLiqAxagZJuNDO2pKtyN29ETTR
|
||||||
|
# Ma4O1cWtGb6RqcNNN/Iukfkdk27Q5nC9VJSUUPYelOLc1WYOoUf6oKRzE72dkMQV
|
||||||
|
# R4bf6TkjD+OVR17fAfkswkGahZ5XA7j48KIQ+YC4jbnYKSxZTYyKPjH/AoGBAP1i
|
||||||
|
# tqXt36OVlP+y84wWqZSjMelBIVa9phDVGJmmhz3i1cMni8eLpJzWecA3pfnG6Tm9
|
||||||
|
# ze5M4whASleEt+M00gEvNaU9ND+z0wBfi+/DwJYIbv8PQdGrBiZFrPhTPjGQUldR
|
||||||
|
# lXccV2meeLZv7TagVxSi3DO6dSJfSEHyemd5j9mBAoGAX8Hv+0gOQZQCSOTAq8Nx
|
||||||
|
# 6dZcp9gHlNaXnMsP9eTDckOSzh636JPGvj6m+GPJSSbkURUIQ3oyokMNwFqvlNos
|
||||||
|
# fTaLhAOfjBZI9WnDTTQxpugWjphJ4HqbC67JC/qIiw5S6FdaEvGLEEoD4zoChywZ
|
||||||
|
# 9oGAn+fz2d/0/JAH/FpFPgsCgYEAp/ipZgPzziiZ9ov1wbdAQcWRj7RaWnssPFpX
|
||||||
|
# jXwEiXT3CgEMO4MJ4+KWIWOChrti3qFBg6i6lDyyS6Qyls7sLFbUdC7HlTcrOEMe
|
||||||
|
# rBoTcCI1GqZNlqWOVQ65ZIEiaI7o1vPBZo2GMQEZuq8mDKFsOMThvvTrM5cAep84
|
||||||
|
# n6HJR4ECgYABWcbsSnr0MKvVth/inxjbKapbZnp2HUCuw87Ie5zK2Of/tbC20wwk
|
||||||
|
# yKw3vrGoE3O1t1g2m2tn8UGGASeZ842jZWjIODdSi5+icysQGuULKt86h/woz2SQ
|
||||||
|
# 27GoE2i5mh6Yez6VAYbUuns3FcwIsMyWLq043Tu2DNkx9ijOOAuQzw^invalid..
|
||||||
|
# DO NOT USE==
|
||||||
|
# -----END RSA PRIVATE KEY-----
|
||||||
|
|
||||||
##
|
##
|
||||||
## Notification Provider
|
## Notification Provider
|
||||||
|
@ -966,18 +1155,22 @@ notifier:
|
||||||
# disable_html_emails: false
|
# disable_html_emails: false
|
||||||
|
|
||||||
# tls:
|
# tls:
|
||||||
## Server Name for certificate validation (in case you are using the IP or non-FQDN in the host option).
|
## The server subject name to check the servers certificate against during the validation process.
|
||||||
|
## This option is not required if the certificate has a SAN which matches the host option.
|
||||||
# server_name: smtp.example.com
|
# server_name: smtp.example.com
|
||||||
|
|
||||||
## Skip verifying the server certificate (to allow a self-signed certificate).
|
## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the
|
||||||
## In preference to setting this we strongly recommend you add the public portion of the certificate to the
|
## certificate or the certificate of the authority signing the certificate to the certificates directory which is
|
||||||
## certificates directory which is defined by the `certificates_directory` option at the top of the config.
|
## defined by the `certificates_directory` option at the top of the configuration.
|
||||||
|
## It's important to note the public key should be added to the directory, not the private key.
|
||||||
|
## This option is strongly discouraged but may be useful in some self-signed situations where validation is not
|
||||||
|
## important to the administrator.
|
||||||
# skip_verify: false
|
# skip_verify: false
|
||||||
|
|
||||||
## Minimum TLS version for either StartTLS or SMTPS.
|
## Minimum TLS version for the connection.
|
||||||
# minimum_version: TLS1.2
|
# minimum_version: TLS1.2
|
||||||
|
|
||||||
## Maximum TLS version for either StartTLS or SMTPS.
|
## Maximum TLS version for the connection.
|
||||||
# maximum_version: TLS1.3
|
# maximum_version: TLS1.3
|
||||||
|
|
||||||
## The certificate chain used with the private_key if the server requests TLS Client Authentication
|
## The certificate chain used with the private_key if the server requests TLS Client Authentication
|
||||||
|
|
|
@ -17,12 +17,12 @@ aliases:
|
||||||
|
|
||||||
## Version support
|
## Version support
|
||||||
|
|
||||||
When using MySQL or MariaDB we recommend using the latest version that is officially supported by the MySQL or MariaDB
|
When using [MySQL] or [MariaDB] we recommend using the latest version that is officially supported by the [MySQL] or
|
||||||
developers. We also suggest checking out [PostgreSQL](postgres.md) as an alternative.
|
[MariaDB] developers. We also suggest checking out [PostgreSQL](postgres.md) as an alternative.
|
||||||
|
|
||||||
The oldest versions that have been tested are MySQL 5.7 and MariaDB 10.6.
|
The oldest versions that have been tested are [MySQL] 5.7 and [MariaDB] 10.6.
|
||||||
|
|
||||||
If using MySQL 5.7 or MariaDB 10.6 you may be required to adjust the `explicit_defaults_for_timestamp` setting. This
|
If using [MySQL] 5.7 or [MariaDB] 10.6 you may be required to adjust the `explicit_defaults_for_timestamp` setting. This
|
||||||
will be evident when the container starts with an error similar to `Error 1067: Invalid default value for 'exp'`. You
|
will be evident when the container starts with an error similar to `Error 1067: Invalid default value for 'exp'`. You
|
||||||
can adjust this setting in the mysql.cnf file like so:
|
can adjust this setting in the mysql.cnf file like so:
|
||||||
|
|
||||||
|
@ -43,6 +43,78 @@ storage:
|
||||||
username: authelia
|
username: authelia
|
||||||
password: mypassword
|
password: mypassword
|
||||||
timeout: 5s
|
timeout: 5s
|
||||||
|
tls:
|
||||||
|
server_name: mysql.example.com
|
||||||
|
skip_verify: false
|
||||||
|
minimum_version: TLS1.2
|
||||||
|
maximum_version: TLS1.3
|
||||||
|
certificate_chain: |
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIC5jCCAc6gAwIBAgIRAK4Sj7FiN6PXo/urPfO4E7owDQYJKoZIhvcNAQELBQAw
|
||||||
|
EzERMA8GA1UEChMIQXV0aGVsaWEwHhcNNzAwMTAxMDAwMDAwWhcNNzEwMTAxMDAw
|
||||||
|
MDAwWjATMREwDwYDVQQKEwhBdXRoZWxpYTCCASIwDQYJKoZIhvcNAQEBBQADggEP
|
||||||
|
ADCCAQoCggEBAPKv3pSyP4ozGEiVLJ14dIWFCEGEgq7WUMI0SZZqQA2ID0L59U/Q
|
||||||
|
/Usyy7uC9gfMUzODTpANtkOjFQcQAsxlR1FOjVBrX5QgjSvXwbQn3DtwMA7XWSl6
|
||||||
|
LuYx2rBYSlMSN5UZQm/RxMtXfLK2b51WgEEYDFi+nECSqKzR4R54eOPkBEWRfvuY
|
||||||
|
91AMjlhpivg8e4JWkq4LVQUKbmiFYwIdK8XQiN4blY9WwXwJFYs5sQ/UYMwBFi0H
|
||||||
|
kWOh7GEjfxgoUOPauIueZSMSlQp7zqAH39N0ZSYb6cS0Npj57QoWZSY3ak87ebcR
|
||||||
|
Nf4rCvZLby7LoN7qYCKxmCaDD3x2+NYpWH8CAwEAAaM1MDMwDgYDVR0PAQH/BAQD
|
||||||
|
AgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcN
|
||||||
|
AQELBQADggEBAHSITqIQSNzonFl3DzxHPEzr2hp6peo45buAAtu8FZHoA+U7Icfh
|
||||||
|
/ZXjPg7Xz+hgFwM/DTNGXkMWacQA/PaNWvZspgRJf2AXvNbMSs2UQODr7Tbv+Fb4
|
||||||
|
lyblmMUNYFMCFVAMU0eIxXAFq2qcwv8UMcQFT0Z/35s6PVOakYnAGGQjTfp5Ljuq
|
||||||
|
wsdc/xWmM0cHWube6sdRRUD7SY20KU/kWzl8iFO0VbSSrDf1AlEhnLEkp1SPaxXg
|
||||||
|
OdBnl98MeoramNiJ7NT6Jnyb3zZ578fjaWfThiBpagItI8GZmG4s4Ovh2JbheN8i
|
||||||
|
ZsjNr9jqHTjhyLVbDRlmJzcqoj4JhbKs6/I^invalid DO NOT USE=
|
||||||
|
-----END CERTIFICATE-----
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIDBDCCAeygAwIBAgIRALJsPg21kA0zY4F1wUCIuoMwDQYJKoZIhvcNAQELBQAw
|
||||||
|
EzERMA8GA1UEChMIQXV0aGVsaWEwHhcNNzAwMTAxMDAwMDAwWhcNNzEwMTAxMDAw
|
||||||
|
MDAwWjATMREwDwYDVQQKEwhBdXRoZWxpYTCCASIwDQYJKoZIhvcNAQEBBQADggEP
|
||||||
|
ADCCAQoCggEBAMXHBvVxUzYk0u34/DINMSF+uiOekKOAjOrC6Mi9Ww8ytPVO7t2S
|
||||||
|
zfTvM+XnEJqkFQFgimERfG/eGhjF9XIEY6LtnXe8ATvOK4nTwdufzBaoeQu3Gd50
|
||||||
|
5VXr6OHRo//ErrGvFXwP3g8xLePABsi/fkH3oDN+ztewOBMDzpd+KgTrk8ysv2ou
|
||||||
|
kNRMKFZZqASvCgv0LD5KWvUCnL6wgf1oTXG7aztduA4oSkUP321GpOmBC5+5ElU7
|
||||||
|
ysoRzvD12o9QJ/IfEaulIX06w9yVMo60C/h6A3U6GdkT1SiyTIqR7v7KU/IWd/Qi
|
||||||
|
Lfftcj91VhCmJ73Meff2e2S2PrpjdXbG5FMCAwEAAaNTMFEwDgYDVR0PAQH/BAQD
|
||||||
|
AgKkMA8GA1UdJQQIMAYGBFUdJQAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU
|
||||||
|
Z7AtA3mzFc0InSBA5fiMfeLXA3owDQYJKoZIhvcNAQELBQADggEBAEE5hm1mtlk/
|
||||||
|
kviCoHH4evbpw7rxPxDftIQlqYTtvMM4eWY/6icFoSZ4fUHEWYyps8SsPu/8f2tf
|
||||||
|
71LGgZn0FdHi1QU2H8m0HHK7TFw+5Q6RLrLdSyk0PItJ71s9en7r8pX820nAFEHZ
|
||||||
|
HkOSfJZ7B5hFgUDkMtVM6bardXAhoqcMk4YCU96e9d4PB4eI+xGc+mNuYvov3RbB
|
||||||
|
D0s8ICyojeyPVLerz4wHjZu68Z5frAzhZ68YbzNs8j2fIBKKHkHyLG1iQyF+LJVj
|
||||||
|
2PjCP+auJsj6fQQpMGoyGtpLcSDh+ptcTngUD8JsWipzTCjmaNqdPHAOYmcgtf4b
|
||||||
|
qocikt3WAdU^invalid DO NOT USE=
|
||||||
|
-----END CERTIFICATE-----
|
||||||
|
private_key: |
|
||||||
|
-----BEGIN RSA PRIVATE KEY-----
|
||||||
|
MIIEpAIBAAKCAQEA8q/elLI/ijMYSJUsnXh0hYUIQYSCrtZQwjRJlmpADYgPQvn1
|
||||||
|
T9D9SzLLu4L2B8xTM4NOkA22Q6MVBxACzGVHUU6NUGtflCCNK9fBtCfcO3AwDtdZ
|
||||||
|
KXou5jHasFhKUxI3lRlCb9HEy1d8srZvnVaAQRgMWL6cQJKorNHhHnh44+QERZF+
|
||||||
|
+5j3UAyOWGmK+Dx7glaSrgtVBQpuaIVjAh0rxdCI3huVj1bBfAkVizmxD9RgzAEW
|
||||||
|
LQeRY6HsYSN/GChQ49q4i55lIxKVCnvOoAff03RlJhvpxLQ2mPntChZlJjdqTzt5
|
||||||
|
txE1/isK9ktvLsug3upgIrGYJoMPfHb41ilYfwIDAQABAoIBAQDTOdFf2JjHH1um
|
||||||
|
aPgRAvNf9v7Nj5jytaRKs5nM6iNf46ls4QPreXnMhqSeSwj6lpNgBYxOgzC9Q+cc
|
||||||
|
Y4ob/paJJPaIJTxmP8K/gyWcOQlNToL1l+eJ20eQoZm23NGr5fIsunSBwLEpTrdB
|
||||||
|
ENqqtcwhW937K8Pxy/Q1nuLyU2bc6Tn/ivLozc8n27dpQWWKh8537VY7ancIaACr
|
||||||
|
LJJLYxKqhQpjtBWAyCDvZQirnAOm9KnvIHaGXIswCZ4Xbsu0Y9NL+woARPyRVQvG
|
||||||
|
jfxy4EmO9s1s6y7OObSukwKDSNihAKHx/VIbvVWx8g2Lv5fGOa+J2Y7o9Qurs8t5
|
||||||
|
BQwMTt0BAoGBAPUw5Z32EszNepAeV3E2mPFUc5CLiqAxagZJuNDO2pKtyN29ETTR
|
||||||
|
Ma4O1cWtGb6RqcNNN/Iukfkdk27Q5nC9VJSUUPYelOLc1WYOoUf6oKRzE72dkMQV
|
||||||
|
R4bf6TkjD+OVR17fAfkswkGahZ5XA7j48KIQ+YC4jbnYKSxZTYyKPjH/AoGBAP1i
|
||||||
|
tqXt36OVlP+y84wWqZSjMelBIVa9phDVGJmmhz3i1cMni8eLpJzWecA3pfnG6Tm9
|
||||||
|
ze5M4whASleEt+M00gEvNaU9ND+z0wBfi+/DwJYIbv8PQdGrBiZFrPhTPjGQUldR
|
||||||
|
lXccV2meeLZv7TagVxSi3DO6dSJfSEHyemd5j9mBAoGAX8Hv+0gOQZQCSOTAq8Nx
|
||||||
|
6dZcp9gHlNaXnMsP9eTDckOSzh636JPGvj6m+GPJSSbkURUIQ3oyokMNwFqvlNos
|
||||||
|
fTaLhAOfjBZI9WnDTTQxpugWjphJ4HqbC67JC/qIiw5S6FdaEvGLEEoD4zoChywZ
|
||||||
|
9oGAn+fz2d/0/JAH/FpFPgsCgYEAp/ipZgPzziiZ9ov1wbdAQcWRj7RaWnssPFpX
|
||||||
|
jXwEiXT3CgEMO4MJ4+KWIWOChrti3qFBg6i6lDyyS6Qyls7sLFbUdC7HlTcrOEMe
|
||||||
|
rBoTcCI1GqZNlqWOVQ65ZIEiaI7o1vPBZo2GMQEZuq8mDKFsOMThvvTrM5cAep84
|
||||||
|
n6HJR4ECgYABWcbsSnr0MKvVth/inxjbKapbZnp2HUCuw87Ie5zK2Of/tbC20wwk
|
||||||
|
yKw3vrGoE3O1t1g2m2tn8UGGASeZ842jZWjIODdSi5+icysQGuULKt86h/woz2SQ
|
||||||
|
27GoE2i5mh6Yez6VAYbUuns3FcwIsMyWLq043Tu2DNkx9ijOOAuQzw^invalid..
|
||||||
|
DO NOT USE==
|
||||||
|
-----END RSA PRIVATE KEY-----
|
||||||
```
|
```
|
||||||
|
|
||||||
## Options
|
## Options
|
||||||
|
@ -65,7 +137,7 @@ storage:
|
||||||
host: "[fd00:1111:2222:3333::1]"
|
host: "[fd00:1111:2222:3333::1]"
|
||||||
```
|
```
|
||||||
|
|
||||||
If utilizing a unix socket it must have the `unix:` prefix:
|
If utilizing a unix socket it must have the `/` prefix:
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
storage:
|
storage:
|
||||||
|
@ -110,3 +182,11 @@ characters and the user password is changed to this value.
|
||||||
{{< confkey type="duration" default="5s" required="no" >}}
|
{{< confkey type="duration" default="5s" required="no" >}}
|
||||||
|
|
||||||
The SQL connection timeout.
|
The SQL connection timeout.
|
||||||
|
|
||||||
|
### tls
|
||||||
|
|
||||||
|
If defined enables connecting to [MySQL] or [MariaDB] over a TLS socket, and additionally controls the TLS connection
|
||||||
|
validation process. You can see how to configure the tls section [here](../prologue/common.md#tls-configuration).
|
||||||
|
|
||||||
|
[MySQL]: https://www.mysql.com/
|
||||||
|
[MariaDB]: https://mariadb.org/
|
||||||
|
|
|
@ -16,10 +16,10 @@ aliases:
|
||||||
|
|
||||||
## Version support
|
## Version support
|
||||||
|
|
||||||
See [PostgreSQL support](https://www.postgresql.org/support/versioning/) for the versions supported by PostgreSQL. We
|
See [PostgreSQL support](https://www.postgresql.org/support/versioning/) for the versions supported by [PostgreSQL]. We
|
||||||
recommend the *current minor* version of one of the versions supported by PostgreSQL.
|
recommend the *current minor* version of one of the versions supported by [PostgreSQL].
|
||||||
|
|
||||||
The versions of PostgreSQL that should be supported by Authelia are:
|
The versions of [PostgreSQL] that should be supported by Authelia are:
|
||||||
|
|
||||||
* 14
|
* 14
|
||||||
* 13
|
* 13
|
||||||
|
@ -40,11 +40,78 @@ storage:
|
||||||
schema: public
|
schema: public
|
||||||
username: authelia
|
username: authelia
|
||||||
password: mypassword
|
password: mypassword
|
||||||
ssl:
|
tls:
|
||||||
mode: disable
|
server_name: psotgres.example.com
|
||||||
root_certificate: /path/to/root_cert.pem
|
skip_verify: false
|
||||||
certificate: /path/to/cert.pem
|
minimum_version: TLS1.2
|
||||||
key: /path/to/key.pem
|
maximum_version: TLS1.3
|
||||||
|
certificate_chain: |
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIC5jCCAc6gAwIBAgIRAK4Sj7FiN6PXo/urPfO4E7owDQYJKoZIhvcNAQELBQAw
|
||||||
|
EzERMA8GA1UEChMIQXV0aGVsaWEwHhcNNzAwMTAxMDAwMDAwWhcNNzEwMTAxMDAw
|
||||||
|
MDAwWjATMREwDwYDVQQKEwhBdXRoZWxpYTCCASIwDQYJKoZIhvcNAQEBBQADggEP
|
||||||
|
ADCCAQoCggEBAPKv3pSyP4ozGEiVLJ14dIWFCEGEgq7WUMI0SZZqQA2ID0L59U/Q
|
||||||
|
/Usyy7uC9gfMUzODTpANtkOjFQcQAsxlR1FOjVBrX5QgjSvXwbQn3DtwMA7XWSl6
|
||||||
|
LuYx2rBYSlMSN5UZQm/RxMtXfLK2b51WgEEYDFi+nECSqKzR4R54eOPkBEWRfvuY
|
||||||
|
91AMjlhpivg8e4JWkq4LVQUKbmiFYwIdK8XQiN4blY9WwXwJFYs5sQ/UYMwBFi0H
|
||||||
|
kWOh7GEjfxgoUOPauIueZSMSlQp7zqAH39N0ZSYb6cS0Npj57QoWZSY3ak87ebcR
|
||||||
|
Nf4rCvZLby7LoN7qYCKxmCaDD3x2+NYpWH8CAwEAAaM1MDMwDgYDVR0PAQH/BAQD
|
||||||
|
AgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcN
|
||||||
|
AQELBQADggEBAHSITqIQSNzonFl3DzxHPEzr2hp6peo45buAAtu8FZHoA+U7Icfh
|
||||||
|
/ZXjPg7Xz+hgFwM/DTNGXkMWacQA/PaNWvZspgRJf2AXvNbMSs2UQODr7Tbv+Fb4
|
||||||
|
lyblmMUNYFMCFVAMU0eIxXAFq2qcwv8UMcQFT0Z/35s6PVOakYnAGGQjTfp5Ljuq
|
||||||
|
wsdc/xWmM0cHWube6sdRRUD7SY20KU/kWzl8iFO0VbSSrDf1AlEhnLEkp1SPaxXg
|
||||||
|
OdBnl98MeoramNiJ7NT6Jnyb3zZ578fjaWfThiBpagItI8GZmG4s4Ovh2JbheN8i
|
||||||
|
ZsjNr9jqHTjhyLVbDRlmJzcqoj4JhbKs6/I^invalid DO NOT USE=
|
||||||
|
-----END CERTIFICATE-----
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIDBDCCAeygAwIBAgIRALJsPg21kA0zY4F1wUCIuoMwDQYJKoZIhvcNAQELBQAw
|
||||||
|
EzERMA8GA1UEChMIQXV0aGVsaWEwHhcNNzAwMTAxMDAwMDAwWhcNNzEwMTAxMDAw
|
||||||
|
MDAwWjATMREwDwYDVQQKEwhBdXRoZWxpYTCCASIwDQYJKoZIhvcNAQEBBQADggEP
|
||||||
|
ADCCAQoCggEBAMXHBvVxUzYk0u34/DINMSF+uiOekKOAjOrC6Mi9Ww8ytPVO7t2S
|
||||||
|
zfTvM+XnEJqkFQFgimERfG/eGhjF9XIEY6LtnXe8ATvOK4nTwdufzBaoeQu3Gd50
|
||||||
|
5VXr6OHRo//ErrGvFXwP3g8xLePABsi/fkH3oDN+ztewOBMDzpd+KgTrk8ysv2ou
|
||||||
|
kNRMKFZZqASvCgv0LD5KWvUCnL6wgf1oTXG7aztduA4oSkUP321GpOmBC5+5ElU7
|
||||||
|
ysoRzvD12o9QJ/IfEaulIX06w9yVMo60C/h6A3U6GdkT1SiyTIqR7v7KU/IWd/Qi
|
||||||
|
Lfftcj91VhCmJ73Meff2e2S2PrpjdXbG5FMCAwEAAaNTMFEwDgYDVR0PAQH/BAQD
|
||||||
|
AgKkMA8GA1UdJQQIMAYGBFUdJQAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU
|
||||||
|
Z7AtA3mzFc0InSBA5fiMfeLXA3owDQYJKoZIhvcNAQELBQADggEBAEE5hm1mtlk/
|
||||||
|
kviCoHH4evbpw7rxPxDftIQlqYTtvMM4eWY/6icFoSZ4fUHEWYyps8SsPu/8f2tf
|
||||||
|
71LGgZn0FdHi1QU2H8m0HHK7TFw+5Q6RLrLdSyk0PItJ71s9en7r8pX820nAFEHZ
|
||||||
|
HkOSfJZ7B5hFgUDkMtVM6bardXAhoqcMk4YCU96e9d4PB4eI+xGc+mNuYvov3RbB
|
||||||
|
D0s8ICyojeyPVLerz4wHjZu68Z5frAzhZ68YbzNs8j2fIBKKHkHyLG1iQyF+LJVj
|
||||||
|
2PjCP+auJsj6fQQpMGoyGtpLcSDh+ptcTngUD8JsWipzTCjmaNqdPHAOYmcgtf4b
|
||||||
|
qocikt3WAdU^invalid DO NOT USE=
|
||||||
|
-----END CERTIFICATE-----
|
||||||
|
private_key: |
|
||||||
|
-----BEGIN RSA PRIVATE KEY-----
|
||||||
|
MIIEpAIBAAKCAQEA8q/elLI/ijMYSJUsnXh0hYUIQYSCrtZQwjRJlmpADYgPQvn1
|
||||||
|
T9D9SzLLu4L2B8xTM4NOkA22Q6MVBxACzGVHUU6NUGtflCCNK9fBtCfcO3AwDtdZ
|
||||||
|
KXou5jHasFhKUxI3lRlCb9HEy1d8srZvnVaAQRgMWL6cQJKorNHhHnh44+QERZF+
|
||||||
|
+5j3UAyOWGmK+Dx7glaSrgtVBQpuaIVjAh0rxdCI3huVj1bBfAkVizmxD9RgzAEW
|
||||||
|
LQeRY6HsYSN/GChQ49q4i55lIxKVCnvOoAff03RlJhvpxLQ2mPntChZlJjdqTzt5
|
||||||
|
txE1/isK9ktvLsug3upgIrGYJoMPfHb41ilYfwIDAQABAoIBAQDTOdFf2JjHH1um
|
||||||
|
aPgRAvNf9v7Nj5jytaRKs5nM6iNf46ls4QPreXnMhqSeSwj6lpNgBYxOgzC9Q+cc
|
||||||
|
Y4ob/paJJPaIJTxmP8K/gyWcOQlNToL1l+eJ20eQoZm23NGr5fIsunSBwLEpTrdB
|
||||||
|
ENqqtcwhW937K8Pxy/Q1nuLyU2bc6Tn/ivLozc8n27dpQWWKh8537VY7ancIaACr
|
||||||
|
LJJLYxKqhQpjtBWAyCDvZQirnAOm9KnvIHaGXIswCZ4Xbsu0Y9NL+woARPyRVQvG
|
||||||
|
jfxy4EmO9s1s6y7OObSukwKDSNihAKHx/VIbvVWx8g2Lv5fGOa+J2Y7o9Qurs8t5
|
||||||
|
BQwMTt0BAoGBAPUw5Z32EszNepAeV3E2mPFUc5CLiqAxagZJuNDO2pKtyN29ETTR
|
||||||
|
Ma4O1cWtGb6RqcNNN/Iukfkdk27Q5nC9VJSUUPYelOLc1WYOoUf6oKRzE72dkMQV
|
||||||
|
R4bf6TkjD+OVR17fAfkswkGahZ5XA7j48KIQ+YC4jbnYKSxZTYyKPjH/AoGBAP1i
|
||||||
|
tqXt36OVlP+y84wWqZSjMelBIVa9phDVGJmmhz3i1cMni8eLpJzWecA3pfnG6Tm9
|
||||||
|
ze5M4whASleEt+M00gEvNaU9ND+z0wBfi+/DwJYIbv8PQdGrBiZFrPhTPjGQUldR
|
||||||
|
lXccV2meeLZv7TagVxSi3DO6dSJfSEHyemd5j9mBAoGAX8Hv+0gOQZQCSOTAq8Nx
|
||||||
|
6dZcp9gHlNaXnMsP9eTDckOSzh636JPGvj6m+GPJSSbkURUIQ3oyokMNwFqvlNos
|
||||||
|
fTaLhAOfjBZI9WnDTTQxpugWjphJ4HqbC67JC/qIiw5S6FdaEvGLEEoD4zoChywZ
|
||||||
|
9oGAn+fz2d/0/JAH/FpFPgsCgYEAp/ipZgPzziiZ9ov1wbdAQcWRj7RaWnssPFpX
|
||||||
|
jXwEiXT3CgEMO4MJ4+KWIWOChrti3qFBg6i6lDyyS6Qyls7sLFbUdC7HlTcrOEMe
|
||||||
|
rBoTcCI1GqZNlqWOVQ65ZIEiaI7o1vPBZo2GMQEZuq8mDKFsOMThvvTrM5cAep84
|
||||||
|
n6HJR4ECgYABWcbsSnr0MKvVth/inxjbKapbZnp2HUCuw87Ie5zK2Of/tbC20wwk
|
||||||
|
yKw3vrGoE3O1t1g2m2tn8UGGASeZ842jZWjIODdSi5+icysQGuULKt86h/woz2SQ
|
||||||
|
27GoE2i5mh6Yez6VAYbUuns3FcwIsMyWLq043Tu2DNkx9ijOOAuQzw^invalid..
|
||||||
|
DO NOT USE==
|
||||||
|
-----END RSA PRIVATE KEY-----
|
||||||
```
|
```
|
||||||
|
|
||||||
## Options
|
## Options
|
||||||
|
@ -67,7 +134,7 @@ storage:
|
||||||
host: "[fd00:1111:2222:3333::1]"
|
host: "[fd00:1111:2222:3333::1]"
|
||||||
```
|
```
|
||||||
|
|
||||||
If utilizing a unix socket it must have the `unix:` prefix:
|
If utilizing a unix socket it must have the `/` prefix:
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
storage:
|
storage:
|
||||||
|
@ -120,32 +187,9 @@ characters and the user password is changed to this value.
|
||||||
|
|
||||||
The SQL connection timeout.
|
The SQL connection timeout.
|
||||||
|
|
||||||
### ssl
|
### tls
|
||||||
|
|
||||||
#### mode
|
If defined enables connecting to [PostgreSQL] over a TLS socket, and additionally controls the TLS connection
|
||||||
|
validation process. You can see how to configure the tls section [here](../prologue/common.md#tls-configuration).
|
||||||
|
|
||||||
{{< confkey type="string" default="disable" required="no" >}}
|
[PostgreSQL]: https://www.postgresql.org/
|
||||||
|
|
||||||
SSL mode configures how to handle SSL connections with Postgres.
|
|
||||||
Valid options are 'disable', 'require', 'verify-ca', or 'verify-full'.
|
|
||||||
See the [PostgreSQL Documentation](https://www.postgresql.org/docs/12/libpq-ssl.html)
|
|
||||||
or [pgx - PostgreSQL Driver and Toolkit Documentation](https://pkg.go.dev/github.com/jackc/pgx?tab=doc)
|
|
||||||
for more information.
|
|
||||||
|
|
||||||
#### root_certificate
|
|
||||||
|
|
||||||
{{< confkey type="string" required="no" >}}
|
|
||||||
|
|
||||||
The optional location of the root certificate file encoded in the PEM format for validation purposes.
|
|
||||||
|
|
||||||
#### certificate
|
|
||||||
|
|
||||||
{{< confkey type="string" required="no" >}}
|
|
||||||
|
|
||||||
The optional location of the certificate file encoded in the PEM format for validation purposes.
|
|
||||||
|
|
||||||
#### key
|
|
||||||
|
|
||||||
{{< confkey type="string" required="no" >}}
|
|
||||||
|
|
||||||
The optional location of the key file encoded in the PEM format for authentication purposes.
|
|
||||||
|
|
File diff suppressed because one or more lines are too long
|
@ -304,18 +304,22 @@ authentication_backend:
|
||||||
# start_tls: false
|
# start_tls: false
|
||||||
|
|
||||||
# tls:
|
# tls:
|
||||||
## Server Name for certificate validation (in case it's not set correctly in the URL).
|
## The server subject name to check the servers certificate against during the validation process.
|
||||||
|
## This option is not required if the certificate has a SAN which matches the host portion of the url option.
|
||||||
# server_name: ldap.example.com
|
# server_name: ldap.example.com
|
||||||
|
|
||||||
## Skip verifying the server certificate (to allow a self-signed certificate).
|
## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the
|
||||||
## In preference to setting this we strongly recommend you add the public portion of the certificate to the
|
## certificate or the certificate of the authority signing the certificate to the certificates directory which is
|
||||||
## certificates directory which is defined by the `certificates_directory` option at the top of the config.
|
## defined by the `certificates_directory` option at the top of the configuration.
|
||||||
|
## It's important to note the public key should be added to the directory, not the private key.
|
||||||
|
## This option is strongly discouraged but may be useful in some self-signed situations where validation is not
|
||||||
|
## important to the administrator.
|
||||||
# skip_verify: false
|
# skip_verify: false
|
||||||
|
|
||||||
## Minimum TLS version for either Secure LDAP or LDAP StartTLS.
|
## Minimum TLS version for the connection.
|
||||||
# minimum_version: TLS1.2
|
# minimum_version: TLS1.2
|
||||||
|
|
||||||
## Maximum TLS version for either Secure LDAP or LDAP StartTLS.
|
## Maximum TLS version for the connection.
|
||||||
# maximum_version: TLS1.3
|
# maximum_version: TLS1.3
|
||||||
|
|
||||||
## The certificate chain used with the private_key if the server requests TLS Client Authentication
|
## The certificate chain used with the private_key if the server requests TLS Client Authentication
|
||||||
|
@ -717,12 +721,16 @@ session:
|
||||||
|
|
||||||
## The Redis TLS configuration. If defined will require a TLS connection to the Redis instance(s).
|
## The Redis TLS configuration. If defined will require a TLS connection to the Redis instance(s).
|
||||||
# tls:
|
# tls:
|
||||||
## Server Name for certificate validation (in case you are using the IP or non-FQDN in the host option).
|
## The server subject name to check the servers certificate against during the validation process.
|
||||||
|
## This option is not required if the certificate has a SAN which matches the host option.
|
||||||
# server_name: myredis.example.com
|
# server_name: myredis.example.com
|
||||||
|
|
||||||
## Skip verifying the server certificate (to allow a self-signed certificate).
|
## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the
|
||||||
## In preference to setting this we strongly recommend you add the public portion of the certificate to the
|
## certificate or the certificate of the authority signing the certificate to the certificates directory which is
|
||||||
## certificates directory which is defined by the `certificates_directory` option at the top of the config.
|
## defined by the `certificates_directory` option at the top of the configuration.
|
||||||
|
## It's important to note the public key should be added to the directory, not the private key.
|
||||||
|
## This option is strongly discouraged but may be useful in some self-signed situations where validation is not
|
||||||
|
## important to the administrator.
|
||||||
# skip_verify: false
|
# skip_verify: false
|
||||||
|
|
||||||
## Minimum TLS version for the connection.
|
## Minimum TLS version for the connection.
|
||||||
|
@ -882,6 +890,99 @@ regulation:
|
||||||
# password: mypassword
|
# password: mypassword
|
||||||
# timeout: 5s
|
# timeout: 5s
|
||||||
|
|
||||||
|
## MySQL TLS settings. Configuring this requires TLS.
|
||||||
|
# tls:
|
||||||
|
## The server subject name to check the servers certificate against during the validation process.
|
||||||
|
## This option is not required if the certificate has a SAN which matches the host option.
|
||||||
|
# server_name: mysql.example.com
|
||||||
|
|
||||||
|
## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the
|
||||||
|
## certificate or the certificate of the authority signing the certificate to the certificates directory which is
|
||||||
|
## defined by the `certificates_directory` option at the top of the configuration.
|
||||||
|
## It's important to note the public key should be added to the directory, not the private key.
|
||||||
|
## This option is strongly discouraged but may be useful in some self-signed situations where validation is not
|
||||||
|
## important to the administrator.
|
||||||
|
# skip_verify: false
|
||||||
|
|
||||||
|
## Minimum TLS version for the connection.
|
||||||
|
# minimum_version: TLS1.2
|
||||||
|
|
||||||
|
## Maximum TLS version for the connection.
|
||||||
|
# maximum_version: TLS1.3
|
||||||
|
|
||||||
|
## The certificate chain used with the private_key if the server requests TLS Client Authentication
|
||||||
|
## i.e. Mutual TLS.
|
||||||
|
# certificate_chain: |
|
||||||
|
# -----BEGIN CERTIFICATE-----
|
||||||
|
# MIIC5jCCAc6gAwIBAgIRAK4Sj7FiN6PXo/urPfO4E7owDQYJKoZIhvcNAQELBQAw
|
||||||
|
# EzERMA8GA1UEChMIQXV0aGVsaWEwHhcNNzAwMTAxMDAwMDAwWhcNNzEwMTAxMDAw
|
||||||
|
# MDAwWjATMREwDwYDVQQKEwhBdXRoZWxpYTCCASIwDQYJKoZIhvcNAQEBBQADggEP
|
||||||
|
# ADCCAQoCggEBAPKv3pSyP4ozGEiVLJ14dIWFCEGEgq7WUMI0SZZqQA2ID0L59U/Q
|
||||||
|
# /Usyy7uC9gfMUzODTpANtkOjFQcQAsxlR1FOjVBrX5QgjSvXwbQn3DtwMA7XWSl6
|
||||||
|
# LuYx2rBYSlMSN5UZQm/RxMtXfLK2b51WgEEYDFi+nECSqKzR4R54eOPkBEWRfvuY
|
||||||
|
# 91AMjlhpivg8e4JWkq4LVQUKbmiFYwIdK8XQiN4blY9WwXwJFYs5sQ/UYMwBFi0H
|
||||||
|
# kWOh7GEjfxgoUOPauIueZSMSlQp7zqAH39N0ZSYb6cS0Npj57QoWZSY3ak87ebcR
|
||||||
|
# Nf4rCvZLby7LoN7qYCKxmCaDD3x2+NYpWH8CAwEAAaM1MDMwDgYDVR0PAQH/BAQD
|
||||||
|
# AgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcN
|
||||||
|
# AQELBQADggEBAHSITqIQSNzonFl3DzxHPEzr2hp6peo45buAAtu8FZHoA+U7Icfh
|
||||||
|
# /ZXjPg7Xz+hgFwM/DTNGXkMWacQA/PaNWvZspgRJf2AXvNbMSs2UQODr7Tbv+Fb4
|
||||||
|
# lyblmMUNYFMCFVAMU0eIxXAFq2qcwv8UMcQFT0Z/35s6PVOakYnAGGQjTfp5Ljuq
|
||||||
|
# wsdc/xWmM0cHWube6sdRRUD7SY20KU/kWzl8iFO0VbSSrDf1AlEhnLEkp1SPaxXg
|
||||||
|
# OdBnl98MeoramNiJ7NT6Jnyb3zZ578fjaWfThiBpagItI8GZmG4s4Ovh2JbheN8i
|
||||||
|
# ZsjNr9jqHTjhyLVbDRlmJzcqoj4JhbKs6/I^invalid DO NOT USE=
|
||||||
|
# -----END CERTIFICATE-----
|
||||||
|
# -----BEGIN CERTIFICATE-----
|
||||||
|
# MIIDBDCCAeygAwIBAgIRALJsPg21kA0zY4F1wUCIuoMwDQYJKoZIhvcNAQELBQAw
|
||||||
|
# EzERMA8GA1UEChMIQXV0aGVsaWEwHhcNNzAwMTAxMDAwMDAwWhcNNzEwMTAxMDAw
|
||||||
|
# MDAwWjATMREwDwYDVQQKEwhBdXRoZWxpYTCCASIwDQYJKoZIhvcNAQEBBQADggEP
|
||||||
|
# ADCCAQoCggEBAMXHBvVxUzYk0u34/DINMSF+uiOekKOAjOrC6Mi9Ww8ytPVO7t2S
|
||||||
|
# zfTvM+XnEJqkFQFgimERfG/eGhjF9XIEY6LtnXe8ATvOK4nTwdufzBaoeQu3Gd50
|
||||||
|
# 5VXr6OHRo//ErrGvFXwP3g8xLePABsi/fkH3oDN+ztewOBMDzpd+KgTrk8ysv2ou
|
||||||
|
# kNRMKFZZqASvCgv0LD5KWvUCnL6wgf1oTXG7aztduA4oSkUP321GpOmBC5+5ElU7
|
||||||
|
# ysoRzvD12o9QJ/IfEaulIX06w9yVMo60C/h6A3U6GdkT1SiyTIqR7v7KU/IWd/Qi
|
||||||
|
# Lfftcj91VhCmJ73Meff2e2S2PrpjdXbG5FMCAwEAAaNTMFEwDgYDVR0PAQH/BAQD
|
||||||
|
# AgKkMA8GA1UdJQQIMAYGBFUdJQAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU
|
||||||
|
# Z7AtA3mzFc0InSBA5fiMfeLXA3owDQYJKoZIhvcNAQELBQADggEBAEE5hm1mtlk/
|
||||||
|
# kviCoHH4evbpw7rxPxDftIQlqYTtvMM4eWY/6icFoSZ4fUHEWYyps8SsPu/8f2tf
|
||||||
|
# 71LGgZn0FdHi1QU2H8m0HHK7TFw+5Q6RLrLdSyk0PItJ71s9en7r8pX820nAFEHZ
|
||||||
|
# HkOSfJZ7B5hFgUDkMtVM6bardXAhoqcMk4YCU96e9d4PB4eI+xGc+mNuYvov3RbB
|
||||||
|
# D0s8ICyojeyPVLerz4wHjZu68Z5frAzhZ68YbzNs8j2fIBKKHkHyLG1iQyF+LJVj
|
||||||
|
# 2PjCP+auJsj6fQQpMGoyGtpLcSDh+ptcTngUD8JsWipzTCjmaNqdPHAOYmcgtf4b
|
||||||
|
# qocikt3WAdU^invalid DO NOT USE=
|
||||||
|
# -----END CERTIFICATE-----
|
||||||
|
|
||||||
|
## The private key used with the certificate_chain if the server requests TLS Client Authentication
|
||||||
|
## i.e. Mutual TLS.
|
||||||
|
# private_key: |
|
||||||
|
# -----BEGIN RSA PRIVATE KEY-----
|
||||||
|
# MIIEpAIBAAKCAQEA8q/elLI/ijMYSJUsnXh0hYUIQYSCrtZQwjRJlmpADYgPQvn1
|
||||||
|
# T9D9SzLLu4L2B8xTM4NOkA22Q6MVBxACzGVHUU6NUGtflCCNK9fBtCfcO3AwDtdZ
|
||||||
|
# KXou5jHasFhKUxI3lRlCb9HEy1d8srZvnVaAQRgMWL6cQJKorNHhHnh44+QERZF+
|
||||||
|
# +5j3UAyOWGmK+Dx7glaSrgtVBQpuaIVjAh0rxdCI3huVj1bBfAkVizmxD9RgzAEW
|
||||||
|
# LQeRY6HsYSN/GChQ49q4i55lIxKVCnvOoAff03RlJhvpxLQ2mPntChZlJjdqTzt5
|
||||||
|
# txE1/isK9ktvLsug3upgIrGYJoMPfHb41ilYfwIDAQABAoIBAQDTOdFf2JjHH1um
|
||||||
|
# aPgRAvNf9v7Nj5jytaRKs5nM6iNf46ls4QPreXnMhqSeSwj6lpNgBYxOgzC9Q+cc
|
||||||
|
# Y4ob/paJJPaIJTxmP8K/gyWcOQlNToL1l+eJ20eQoZm23NGr5fIsunSBwLEpTrdB
|
||||||
|
# ENqqtcwhW937K8Pxy/Q1nuLyU2bc6Tn/ivLozc8n27dpQWWKh8537VY7ancIaACr
|
||||||
|
# LJJLYxKqhQpjtBWAyCDvZQirnAOm9KnvIHaGXIswCZ4Xbsu0Y9NL+woARPyRVQvG
|
||||||
|
# jfxy4EmO9s1s6y7OObSukwKDSNihAKHx/VIbvVWx8g2Lv5fGOa+J2Y7o9Qurs8t5
|
||||||
|
# BQwMTt0BAoGBAPUw5Z32EszNepAeV3E2mPFUc5CLiqAxagZJuNDO2pKtyN29ETTR
|
||||||
|
# Ma4O1cWtGb6RqcNNN/Iukfkdk27Q5nC9VJSUUPYelOLc1WYOoUf6oKRzE72dkMQV
|
||||||
|
# R4bf6TkjD+OVR17fAfkswkGahZ5XA7j48KIQ+YC4jbnYKSxZTYyKPjH/AoGBAP1i
|
||||||
|
# tqXt36OVlP+y84wWqZSjMelBIVa9phDVGJmmhz3i1cMni8eLpJzWecA3pfnG6Tm9
|
||||||
|
# ze5M4whASleEt+M00gEvNaU9ND+z0wBfi+/DwJYIbv8PQdGrBiZFrPhTPjGQUldR
|
||||||
|
# lXccV2meeLZv7TagVxSi3DO6dSJfSEHyemd5j9mBAoGAX8Hv+0gOQZQCSOTAq8Nx
|
||||||
|
# 6dZcp9gHlNaXnMsP9eTDckOSzh636JPGvj6m+GPJSSbkURUIQ3oyokMNwFqvlNos
|
||||||
|
# fTaLhAOfjBZI9WnDTTQxpugWjphJ4HqbC67JC/qIiw5S6FdaEvGLEEoD4zoChywZ
|
||||||
|
# 9oGAn+fz2d/0/JAH/FpFPgsCgYEAp/ipZgPzziiZ9ov1wbdAQcWRj7RaWnssPFpX
|
||||||
|
# jXwEiXT3CgEMO4MJ4+KWIWOChrti3qFBg6i6lDyyS6Qyls7sLFbUdC7HlTcrOEMe
|
||||||
|
# rBoTcCI1GqZNlqWOVQ65ZIEiaI7o1vPBZo2GMQEZuq8mDKFsOMThvvTrM5cAep84
|
||||||
|
# n6HJR4ECgYABWcbsSnr0MKvVth/inxjbKapbZnp2HUCuw87Ie5zK2Of/tbC20wwk
|
||||||
|
# yKw3vrGoE3O1t1g2m2tn8UGGASeZ842jZWjIODdSi5+icysQGuULKt86h/woz2SQ
|
||||||
|
# 27GoE2i5mh6Yez6VAYbUuns3FcwIsMyWLq043Tu2DNkx9ijOOAuQzw^invalid..
|
||||||
|
# DO NOT USE==
|
||||||
|
# -----END RSA PRIVATE KEY-----
|
||||||
|
|
||||||
##
|
##
|
||||||
## PostgreSQL (Storage Provider)
|
## PostgreSQL (Storage Provider)
|
||||||
##
|
##
|
||||||
|
@ -894,11 +995,99 @@ regulation:
|
||||||
## Password can also be set using a secret: https://www.authelia.com/c/secrets
|
## Password can also be set using a secret: https://www.authelia.com/c/secrets
|
||||||
# password: mypassword
|
# password: mypassword
|
||||||
# timeout: 5s
|
# timeout: 5s
|
||||||
# ssl:
|
|
||||||
# mode: disable
|
## PostgreSQL TLS settings. Configuring this requires TLS.
|
||||||
# root_certificate: disable
|
# tls:
|
||||||
# certificate: disable
|
## The server subject name to check the servers certificate against during the validation process.
|
||||||
# key: disable
|
## This option is not required if the certificate has a SAN which matches the host option.
|
||||||
|
# server_name: postgres.example.com
|
||||||
|
|
||||||
|
## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the
|
||||||
|
## certificate or the certificate of the authority signing the certificate to the certificates directory which is
|
||||||
|
## defined by the `certificates_directory` option at the top of the configuration.
|
||||||
|
## It's important to note the public key should be added to the directory, not the private key.
|
||||||
|
## This option is strongly discouraged but may be useful in some self-signed situations where validation is not
|
||||||
|
## important to the administrator.
|
||||||
|
# skip_verify: false
|
||||||
|
|
||||||
|
## Minimum TLS version for the connection.
|
||||||
|
# minimum_version: TLS1.2
|
||||||
|
|
||||||
|
## Maximum TLS version for the connection.
|
||||||
|
# maximum_version: TLS1.3
|
||||||
|
|
||||||
|
## The certificate chain used with the private_key if the server requests TLS Client Authentication
|
||||||
|
## i.e. Mutual TLS.
|
||||||
|
# certificate_chain: |
|
||||||
|
# -----BEGIN CERTIFICATE-----
|
||||||
|
# MIIC5jCCAc6gAwIBAgIRAK4Sj7FiN6PXo/urPfO4E7owDQYJKoZIhvcNAQELBQAw
|
||||||
|
# EzERMA8GA1UEChMIQXV0aGVsaWEwHhcNNzAwMTAxMDAwMDAwWhcNNzEwMTAxMDAw
|
||||||
|
# MDAwWjATMREwDwYDVQQKEwhBdXRoZWxpYTCCASIwDQYJKoZIhvcNAQEBBQADggEP
|
||||||
|
# ADCCAQoCggEBAPKv3pSyP4ozGEiVLJ14dIWFCEGEgq7WUMI0SZZqQA2ID0L59U/Q
|
||||||
|
# /Usyy7uC9gfMUzODTpANtkOjFQcQAsxlR1FOjVBrX5QgjSvXwbQn3DtwMA7XWSl6
|
||||||
|
# LuYx2rBYSlMSN5UZQm/RxMtXfLK2b51WgEEYDFi+nECSqKzR4R54eOPkBEWRfvuY
|
||||||
|
# 91AMjlhpivg8e4JWkq4LVQUKbmiFYwIdK8XQiN4blY9WwXwJFYs5sQ/UYMwBFi0H
|
||||||
|
# kWOh7GEjfxgoUOPauIueZSMSlQp7zqAH39N0ZSYb6cS0Npj57QoWZSY3ak87ebcR
|
||||||
|
# Nf4rCvZLby7LoN7qYCKxmCaDD3x2+NYpWH8CAwEAAaM1MDMwDgYDVR0PAQH/BAQD
|
||||||
|
# AgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcN
|
||||||
|
# AQELBQADggEBAHSITqIQSNzonFl3DzxHPEzr2hp6peo45buAAtu8FZHoA+U7Icfh
|
||||||
|
# /ZXjPg7Xz+hgFwM/DTNGXkMWacQA/PaNWvZspgRJf2AXvNbMSs2UQODr7Tbv+Fb4
|
||||||
|
# lyblmMUNYFMCFVAMU0eIxXAFq2qcwv8UMcQFT0Z/35s6PVOakYnAGGQjTfp5Ljuq
|
||||||
|
# wsdc/xWmM0cHWube6sdRRUD7SY20KU/kWzl8iFO0VbSSrDf1AlEhnLEkp1SPaxXg
|
||||||
|
# OdBnl98MeoramNiJ7NT6Jnyb3zZ578fjaWfThiBpagItI8GZmG4s4Ovh2JbheN8i
|
||||||
|
# ZsjNr9jqHTjhyLVbDRlmJzcqoj4JhbKs6/I^invalid DO NOT USE=
|
||||||
|
# -----END CERTIFICATE-----
|
||||||
|
# -----BEGIN CERTIFICATE-----
|
||||||
|
# MIIDBDCCAeygAwIBAgIRALJsPg21kA0zY4F1wUCIuoMwDQYJKoZIhvcNAQELBQAw
|
||||||
|
# EzERMA8GA1UEChMIQXV0aGVsaWEwHhcNNzAwMTAxMDAwMDAwWhcNNzEwMTAxMDAw
|
||||||
|
# MDAwWjATMREwDwYDVQQKEwhBdXRoZWxpYTCCASIwDQYJKoZIhvcNAQEBBQADggEP
|
||||||
|
# ADCCAQoCggEBAMXHBvVxUzYk0u34/DINMSF+uiOekKOAjOrC6Mi9Ww8ytPVO7t2S
|
||||||
|
# zfTvM+XnEJqkFQFgimERfG/eGhjF9XIEY6LtnXe8ATvOK4nTwdufzBaoeQu3Gd50
|
||||||
|
# 5VXr6OHRo//ErrGvFXwP3g8xLePABsi/fkH3oDN+ztewOBMDzpd+KgTrk8ysv2ou
|
||||||
|
# kNRMKFZZqASvCgv0LD5KWvUCnL6wgf1oTXG7aztduA4oSkUP321GpOmBC5+5ElU7
|
||||||
|
# ysoRzvD12o9QJ/IfEaulIX06w9yVMo60C/h6A3U6GdkT1SiyTIqR7v7KU/IWd/Qi
|
||||||
|
# Lfftcj91VhCmJ73Meff2e2S2PrpjdXbG5FMCAwEAAaNTMFEwDgYDVR0PAQH/BAQD
|
||||||
|
# AgKkMA8GA1UdJQQIMAYGBFUdJQAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU
|
||||||
|
# Z7AtA3mzFc0InSBA5fiMfeLXA3owDQYJKoZIhvcNAQELBQADggEBAEE5hm1mtlk/
|
||||||
|
# kviCoHH4evbpw7rxPxDftIQlqYTtvMM4eWY/6icFoSZ4fUHEWYyps8SsPu/8f2tf
|
||||||
|
# 71LGgZn0FdHi1QU2H8m0HHK7TFw+5Q6RLrLdSyk0PItJ71s9en7r8pX820nAFEHZ
|
||||||
|
# HkOSfJZ7B5hFgUDkMtVM6bardXAhoqcMk4YCU96e9d4PB4eI+xGc+mNuYvov3RbB
|
||||||
|
# D0s8ICyojeyPVLerz4wHjZu68Z5frAzhZ68YbzNs8j2fIBKKHkHyLG1iQyF+LJVj
|
||||||
|
# 2PjCP+auJsj6fQQpMGoyGtpLcSDh+ptcTngUD8JsWipzTCjmaNqdPHAOYmcgtf4b
|
||||||
|
# qocikt3WAdU^invalid DO NOT USE=
|
||||||
|
# -----END CERTIFICATE-----
|
||||||
|
|
||||||
|
## The private key used with the certificate_chain if the server requests TLS Client Authentication
|
||||||
|
## i.e. Mutual TLS.
|
||||||
|
# private_key: |
|
||||||
|
# -----BEGIN RSA PRIVATE KEY-----
|
||||||
|
# MIIEpAIBAAKCAQEA8q/elLI/ijMYSJUsnXh0hYUIQYSCrtZQwjRJlmpADYgPQvn1
|
||||||
|
# T9D9SzLLu4L2B8xTM4NOkA22Q6MVBxACzGVHUU6NUGtflCCNK9fBtCfcO3AwDtdZ
|
||||||
|
# KXou5jHasFhKUxI3lRlCb9HEy1d8srZvnVaAQRgMWL6cQJKorNHhHnh44+QERZF+
|
||||||
|
# +5j3UAyOWGmK+Dx7glaSrgtVBQpuaIVjAh0rxdCI3huVj1bBfAkVizmxD9RgzAEW
|
||||||
|
# LQeRY6HsYSN/GChQ49q4i55lIxKVCnvOoAff03RlJhvpxLQ2mPntChZlJjdqTzt5
|
||||||
|
# txE1/isK9ktvLsug3upgIrGYJoMPfHb41ilYfwIDAQABAoIBAQDTOdFf2JjHH1um
|
||||||
|
# aPgRAvNf9v7Nj5jytaRKs5nM6iNf46ls4QPreXnMhqSeSwj6lpNgBYxOgzC9Q+cc
|
||||||
|
# Y4ob/paJJPaIJTxmP8K/gyWcOQlNToL1l+eJ20eQoZm23NGr5fIsunSBwLEpTrdB
|
||||||
|
# ENqqtcwhW937K8Pxy/Q1nuLyU2bc6Tn/ivLozc8n27dpQWWKh8537VY7ancIaACr
|
||||||
|
# LJJLYxKqhQpjtBWAyCDvZQirnAOm9KnvIHaGXIswCZ4Xbsu0Y9NL+woARPyRVQvG
|
||||||
|
# jfxy4EmO9s1s6y7OObSukwKDSNihAKHx/VIbvVWx8g2Lv5fGOa+J2Y7o9Qurs8t5
|
||||||
|
# BQwMTt0BAoGBAPUw5Z32EszNepAeV3E2mPFUc5CLiqAxagZJuNDO2pKtyN29ETTR
|
||||||
|
# Ma4O1cWtGb6RqcNNN/Iukfkdk27Q5nC9VJSUUPYelOLc1WYOoUf6oKRzE72dkMQV
|
||||||
|
# R4bf6TkjD+OVR17fAfkswkGahZ5XA7j48KIQ+YC4jbnYKSxZTYyKPjH/AoGBAP1i
|
||||||
|
# tqXt36OVlP+y84wWqZSjMelBIVa9phDVGJmmhz3i1cMni8eLpJzWecA3pfnG6Tm9
|
||||||
|
# ze5M4whASleEt+M00gEvNaU9ND+z0wBfi+/DwJYIbv8PQdGrBiZFrPhTPjGQUldR
|
||||||
|
# lXccV2meeLZv7TagVxSi3DO6dSJfSEHyemd5j9mBAoGAX8Hv+0gOQZQCSOTAq8Nx
|
||||||
|
# 6dZcp9gHlNaXnMsP9eTDckOSzh636JPGvj6m+GPJSSbkURUIQ3oyokMNwFqvlNos
|
||||||
|
# fTaLhAOfjBZI9WnDTTQxpugWjphJ4HqbC67JC/qIiw5S6FdaEvGLEEoD4zoChywZ
|
||||||
|
# 9oGAn+fz2d/0/JAH/FpFPgsCgYEAp/ipZgPzziiZ9ov1wbdAQcWRj7RaWnssPFpX
|
||||||
|
# jXwEiXT3CgEMO4MJ4+KWIWOChrti3qFBg6i6lDyyS6Qyls7sLFbUdC7HlTcrOEMe
|
||||||
|
# rBoTcCI1GqZNlqWOVQ65ZIEiaI7o1vPBZo2GMQEZuq8mDKFsOMThvvTrM5cAep84
|
||||||
|
# n6HJR4ECgYABWcbsSnr0MKvVth/inxjbKapbZnp2HUCuw87Ie5zK2Of/tbC20wwk
|
||||||
|
# yKw3vrGoE3O1t1g2m2tn8UGGASeZ842jZWjIODdSi5+icysQGuULKt86h/woz2SQ
|
||||||
|
# 27GoE2i5mh6Yez6VAYbUuns3FcwIsMyWLq043Tu2DNkx9ijOOAuQzw^invalid..
|
||||||
|
# DO NOT USE==
|
||||||
|
# -----END RSA PRIVATE KEY-----
|
||||||
|
|
||||||
##
|
##
|
||||||
## Notification Provider
|
## Notification Provider
|
||||||
|
@ -966,18 +1155,22 @@ notifier:
|
||||||
# disable_html_emails: false
|
# disable_html_emails: false
|
||||||
|
|
||||||
# tls:
|
# tls:
|
||||||
## Server Name for certificate validation (in case you are using the IP or non-FQDN in the host option).
|
## The server subject name to check the servers certificate against during the validation process.
|
||||||
|
## This option is not required if the certificate has a SAN which matches the host option.
|
||||||
# server_name: smtp.example.com
|
# server_name: smtp.example.com
|
||||||
|
|
||||||
## Skip verifying the server certificate (to allow a self-signed certificate).
|
## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the
|
||||||
## In preference to setting this we strongly recommend you add the public portion of the certificate to the
|
## certificate or the certificate of the authority signing the certificate to the certificates directory which is
|
||||||
## certificates directory which is defined by the `certificates_directory` option at the top of the config.
|
## defined by the `certificates_directory` option at the top of the configuration.
|
||||||
|
## It's important to note the public key should be added to the directory, not the private key.
|
||||||
|
## This option is strongly discouraged but may be useful in some self-signed situations where validation is not
|
||||||
|
## important to the administrator.
|
||||||
# skip_verify: false
|
# skip_verify: false
|
||||||
|
|
||||||
## Minimum TLS version for either StartTLS or SMTPS.
|
## Minimum TLS version for the connection.
|
||||||
# minimum_version: TLS1.2
|
# minimum_version: TLS1.2
|
||||||
|
|
||||||
## Maximum TLS version for either StartTLS or SMTPS.
|
## Maximum TLS version for the connection.
|
||||||
# maximum_version: TLS1.3
|
# maximum_version: TLS1.3
|
||||||
|
|
||||||
## The certificate chain used with the private_key if the server requests TLS Client Authentication
|
## The certificate chain used with the private_key if the server requests TLS Client Authentication
|
||||||
|
|
|
@ -174,6 +174,12 @@ var Keys = []string{
|
||||||
"storage.mysql.username",
|
"storage.mysql.username",
|
||||||
"storage.mysql.password",
|
"storage.mysql.password",
|
||||||
"storage.mysql.timeout",
|
"storage.mysql.timeout",
|
||||||
|
"storage.mysql.tls.minimum_version",
|
||||||
|
"storage.mysql.tls.maximum_version",
|
||||||
|
"storage.mysql.tls.skip_verify",
|
||||||
|
"storage.mysql.tls.server_name",
|
||||||
|
"storage.mysql.tls.private_key",
|
||||||
|
"storage.mysql.tls.certificate_chain",
|
||||||
"storage.postgres.host",
|
"storage.postgres.host",
|
||||||
"storage.postgres.port",
|
"storage.postgres.port",
|
||||||
"storage.postgres.database",
|
"storage.postgres.database",
|
||||||
|
@ -181,6 +187,12 @@ var Keys = []string{
|
||||||
"storage.postgres.password",
|
"storage.postgres.password",
|
||||||
"storage.postgres.timeout",
|
"storage.postgres.timeout",
|
||||||
"storage.postgres.schema",
|
"storage.postgres.schema",
|
||||||
|
"storage.postgres.tls.minimum_version",
|
||||||
|
"storage.postgres.tls.maximum_version",
|
||||||
|
"storage.postgres.tls.skip_verify",
|
||||||
|
"storage.postgres.tls.server_name",
|
||||||
|
"storage.postgres.tls.private_key",
|
||||||
|
"storage.postgres.tls.certificate_chain",
|
||||||
"storage.postgres.ssl.mode",
|
"storage.postgres.ssl.mode",
|
||||||
"storage.postgres.ssl.root_certificate",
|
"storage.postgres.ssl.root_certificate",
|
||||||
"storage.postgres.ssl.certificate",
|
"storage.postgres.ssl.certificate",
|
||||||
|
|
|
@ -1,6 +1,9 @@
|
||||||
package schema
|
package schema
|
||||||
|
|
||||||
import "time"
|
import (
|
||||||
|
"crypto/tls"
|
||||||
|
"time"
|
||||||
|
)
|
||||||
|
|
||||||
// LocalStorageConfiguration represents the configuration when using local storage.
|
// LocalStorageConfiguration represents the configuration when using local storage.
|
||||||
type LocalStorageConfiguration struct {
|
type LocalStorageConfiguration struct {
|
||||||
|
@ -20,6 +23,8 @@ type SQLStorageConfiguration struct {
|
||||||
// MySQLStorageConfiguration represents the configuration of a MySQL database.
|
// MySQLStorageConfiguration represents the configuration of a MySQL database.
|
||||||
type MySQLStorageConfiguration struct {
|
type MySQLStorageConfiguration struct {
|
||||||
SQLStorageConfiguration `koanf:",squash"`
|
SQLStorageConfiguration `koanf:",squash"`
|
||||||
|
|
||||||
|
TLS *TLSConfig `koanf:"tls"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// PostgreSQLStorageConfiguration represents the configuration of a PostgreSQL database.
|
// PostgreSQLStorageConfiguration represents the configuration of a PostgreSQL database.
|
||||||
|
@ -27,7 +32,9 @@ type PostgreSQLStorageConfiguration struct {
|
||||||
SQLStorageConfiguration `koanf:",squash"`
|
SQLStorageConfiguration `koanf:",squash"`
|
||||||
Schema string `koanf:"schema"`
|
Schema string `koanf:"schema"`
|
||||||
|
|
||||||
SSL PostgreSQLSSLStorageConfiguration `koanf:"ssl"`
|
TLS *TLSConfig `koanf:"tls"`
|
||||||
|
|
||||||
|
SSL *PostgreSQLSSLStorageConfiguration `koanf:"ssl"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// PostgreSQLSSLStorageConfiguration represents the SSL configuration of a PostgreSQL database.
|
// PostgreSQLSSLStorageConfiguration represents the SSL configuration of a PostgreSQL database.
|
||||||
|
@ -52,10 +59,20 @@ var DefaultSQLStorageConfiguration = SQLStorageConfiguration{
|
||||||
Timeout: 5 * time.Second,
|
Timeout: 5 * time.Second,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// DefaultMySQLStorageConfiguration represents the default MySQL configuration.
|
||||||
|
var DefaultMySQLStorageConfiguration = MySQLStorageConfiguration{
|
||||||
|
TLS: &TLSConfig{
|
||||||
|
MinimumVersion: TLSVersion{tls.VersionTLS12},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
// DefaultPostgreSQLStorageConfiguration represents the default PostgreSQL configuration.
|
// DefaultPostgreSQLStorageConfiguration represents the default PostgreSQL configuration.
|
||||||
var DefaultPostgreSQLStorageConfiguration = PostgreSQLStorageConfiguration{
|
var DefaultPostgreSQLStorageConfiguration = PostgreSQLStorageConfiguration{
|
||||||
Schema: "public",
|
Schema: "public",
|
||||||
SSL: PostgreSQLSSLStorageConfiguration{
|
TLS: &TLSConfig{
|
||||||
|
MinimumVersion: TLSVersion{tls.VersionTLS12},
|
||||||
|
},
|
||||||
|
SSL: &PostgreSQLSSLStorageConfiguration{
|
||||||
Mode: "disable",
|
Mode: "disable",
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
|
@ -121,12 +121,15 @@ const (
|
||||||
|
|
||||||
// Storage Error constants.
|
// Storage Error constants.
|
||||||
const (
|
const (
|
||||||
errStrStorage = "storage: configuration for a 'local', 'mysql' or 'postgres' database must be provided"
|
errStrStorage = "storage: configuration for a 'local', 'mysql' or 'postgres' database must be provided"
|
||||||
errStrStorageEncryptionKeyMustBeProvided = "storage: option 'encryption_key' is required"
|
errStrStorageEncryptionKeyMustBeProvided = "storage: option 'encryption_key' is required"
|
||||||
errStrStorageEncryptionKeyTooShort = "storage: option 'encryption_key' must be 20 characters or longer"
|
errStrStorageEncryptionKeyTooShort = "storage: option 'encryption_key' must be 20 characters or longer"
|
||||||
errFmtStorageUserPassMustBeProvided = "storage: %s: option 'username' and 'password' are required" //nolint:gosec
|
errFmtStorageUserPassMustBeProvided = "storage: %s: option 'username' and 'password' are required" //nolint:gosec
|
||||||
errFmtStorageOptionMustBeProvided = "storage: %s: option '%s' is required"
|
errFmtStorageOptionMustBeProvided = "storage: %s: option '%s' is required"
|
||||||
errFmtStoragePostgreSQLInvalidSSLMode = "storage: postgres: ssl: option 'mode' must be one of '%s' but it is configured as '%s'"
|
errFmtStorageTLSConfigInvalid = "storage: %s: tls: %w"
|
||||||
|
errFmtStoragePostgreSQLInvalidSSLMode = "storage: postgres: ssl: option 'mode' must be one of '%s' but it is configured as '%s'"
|
||||||
|
errFmtStoragePostgreSQLInvalidSSLAndTLSConfig = "storage: postgres: can't define both 'tls' and 'ssl' configuration options"
|
||||||
|
warnFmtStoragePostgreSQLInvalidSSLDeprecated = "storage: postgres: ssl: the ssl configuration options are deprecated and we recommend the tls options instead"
|
||||||
)
|
)
|
||||||
|
|
||||||
// Telemetry Error constants.
|
// Telemetry Error constants.
|
||||||
|
|
|
@ -17,7 +17,7 @@ func ValidateStorage(config schema.StorageConfiguration, validator *schema.Struc
|
||||||
|
|
||||||
switch {
|
switch {
|
||||||
case config.MySQL != nil:
|
case config.MySQL != nil:
|
||||||
validateSQLConfiguration(&config.MySQL.SQLStorageConfiguration, validator, "mysql")
|
validateMySQLConfiguration(config.MySQL, validator)
|
||||||
case config.PostgreSQL != nil:
|
case config.PostgreSQL != nil:
|
||||||
validatePostgreSQLConfiguration(config.PostgreSQL, validator)
|
validatePostgreSQLConfiguration(config.PostgreSQL, validator)
|
||||||
case config.Local != nil:
|
case config.Local != nil:
|
||||||
|
@ -49,6 +49,22 @@ func validateSQLConfiguration(config *schema.SQLStorageConfiguration, validator
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func validateMySQLConfiguration(config *schema.MySQLStorageConfiguration, validator *schema.StructValidator) {
|
||||||
|
validateSQLConfiguration(&config.SQLStorageConfiguration, validator, "mysql")
|
||||||
|
|
||||||
|
if config.TLS != nil {
|
||||||
|
configDefaultTLS := &schema.TLSConfig{
|
||||||
|
ServerName: config.Host,
|
||||||
|
MinimumVersion: schema.DefaultMySQLStorageConfiguration.TLS.MinimumVersion,
|
||||||
|
MaximumVersion: schema.DefaultMySQLStorageConfiguration.TLS.MaximumVersion,
|
||||||
|
}
|
||||||
|
|
||||||
|
if err := ValidateTLSConfig(config.TLS, configDefaultTLS); err != nil {
|
||||||
|
validator.Push(fmt.Errorf(errFmtStorageTLSConfigInvalid, "mysql", err))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
func validatePostgreSQLConfiguration(config *schema.PostgreSQLStorageConfiguration, validator *schema.StructValidator) {
|
func validatePostgreSQLConfiguration(config *schema.PostgreSQLStorageConfiguration, validator *schema.StructValidator) {
|
||||||
validateSQLConfiguration(&config.SQLStorageConfiguration, validator, "postgres")
|
validateSQLConfiguration(&config.SQLStorageConfiguration, validator, "postgres")
|
||||||
|
|
||||||
|
@ -56,10 +72,28 @@ func validatePostgreSQLConfiguration(config *schema.PostgreSQLStorageConfigurati
|
||||||
config.Schema = schema.DefaultPostgreSQLStorageConfiguration.Schema
|
config.Schema = schema.DefaultPostgreSQLStorageConfiguration.Schema
|
||||||
}
|
}
|
||||||
|
|
||||||
if config.SSL.Mode == "" {
|
switch {
|
||||||
config.SSL.Mode = schema.DefaultPostgreSQLStorageConfiguration.SSL.Mode
|
case config.TLS != nil && config.SSL != nil:
|
||||||
} else if !utils.IsStringInSlice(config.SSL.Mode, validStoragePostgreSQLSSLModes) {
|
validator.Push(fmt.Errorf(errFmtStoragePostgreSQLInvalidSSLAndTLSConfig))
|
||||||
validator.Push(fmt.Errorf(errFmtStoragePostgreSQLInvalidSSLMode, strings.Join(validStoragePostgreSQLSSLModes, "', '"), config.SSL.Mode))
|
case config.TLS != nil:
|
||||||
|
configDefaultTLS := &schema.TLSConfig{
|
||||||
|
ServerName: config.Host,
|
||||||
|
MinimumVersion: schema.DefaultPostgreSQLStorageConfiguration.TLS.MinimumVersion,
|
||||||
|
MaximumVersion: schema.DefaultPostgreSQLStorageConfiguration.TLS.MaximumVersion,
|
||||||
|
}
|
||||||
|
|
||||||
|
if err := ValidateTLSConfig(config.TLS, configDefaultTLS); err != nil {
|
||||||
|
validator.Push(fmt.Errorf(errFmtStorageTLSConfigInvalid, "postgres", err))
|
||||||
|
}
|
||||||
|
case config.SSL != nil:
|
||||||
|
validator.PushWarning(fmt.Errorf(warnFmtStoragePostgreSQLInvalidSSLDeprecated))
|
||||||
|
|
||||||
|
switch {
|
||||||
|
case config.SSL.Mode == "":
|
||||||
|
config.SSL.Mode = schema.DefaultPostgreSQLStorageConfiguration.SSL.Mode
|
||||||
|
case !utils.IsStringInSlice(config.SSL.Mode, validStoragePostgreSQLSSLModes):
|
||||||
|
validator.Push(fmt.Errorf(errFmtStoragePostgreSQLInvalidSSLMode, strings.Join(validStoragePostgreSQLSSLModes, "', '"), config.SSL.Mode))
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -1,6 +1,7 @@
|
||||||
package validator
|
package validator
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"crypto/tls"
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
"github.com/stretchr/testify/suite"
|
"github.com/stretchr/testify/suite"
|
||||||
|
@ -79,6 +80,70 @@ func (suite *StorageSuite) TestShouldValidateMySQLHostUsernamePasswordAndDatabas
|
||||||
suite.Require().Len(suite.validator.Errors(), 0)
|
suite.Require().Len(suite.validator.Errors(), 0)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (suite *StorageSuite) TestShouldSetDefaultMySQLTLSServerName() {
|
||||||
|
suite.config.MySQL = &schema.MySQLStorageConfiguration{
|
||||||
|
SQLStorageConfiguration: schema.SQLStorageConfiguration{
|
||||||
|
Host: "mysql1",
|
||||||
|
Username: "myuser",
|
||||||
|
Password: "pass",
|
||||||
|
Database: "database",
|
||||||
|
},
|
||||||
|
TLS: &schema.TLSConfig{
|
||||||
|
MinimumVersion: schema.TLSVersion{Value: tls.VersionTLS12},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
ValidateStorage(suite.config, suite.validator)
|
||||||
|
|
||||||
|
suite.Assert().Len(suite.validator.Warnings(), 0)
|
||||||
|
suite.Assert().Len(suite.validator.Errors(), 0)
|
||||||
|
|
||||||
|
suite.Assert().Equal(suite.config.MySQL.Host, suite.config.MySQL.TLS.ServerName)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (suite *StorageSuite) TestShouldRaiseErrorOnInvalidMySQLTLSVersion() {
|
||||||
|
suite.config.MySQL = &schema.MySQLStorageConfiguration{
|
||||||
|
SQLStorageConfiguration: schema.SQLStorageConfiguration{
|
||||||
|
Host: "db1",
|
||||||
|
Username: "myuser",
|
||||||
|
Password: "pass",
|
||||||
|
Database: "database",
|
||||||
|
},
|
||||||
|
TLS: &schema.TLSConfig{
|
||||||
|
MinimumVersion: schema.TLSVersion{Value: tls.VersionSSL30}, //nolint:staticcheck
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
ValidateStorage(suite.config, suite.validator)
|
||||||
|
|
||||||
|
suite.Assert().Len(suite.validator.Warnings(), 0)
|
||||||
|
suite.Require().Len(suite.validator.Errors(), 1)
|
||||||
|
|
||||||
|
suite.Assert().EqualError(suite.validator.Errors()[0], "storage: mysql: tls: option 'minimum_version' is invalid: minimum version is TLS1.0 but SSL3.0 was configured")
|
||||||
|
}
|
||||||
|
|
||||||
|
func (suite *StorageSuite) TestShouldRaiseErrorOnInvalidMySQLTLSMinVersionGreaterThanMaximum() {
|
||||||
|
suite.config.MySQL = &schema.MySQLStorageConfiguration{
|
||||||
|
SQLStorageConfiguration: schema.SQLStorageConfiguration{
|
||||||
|
Host: "db1",
|
||||||
|
Username: "myuser",
|
||||||
|
Password: "pass",
|
||||||
|
Database: "database",
|
||||||
|
},
|
||||||
|
TLS: &schema.TLSConfig{
|
||||||
|
MinimumVersion: schema.TLSVersion{Value: tls.VersionTLS13},
|
||||||
|
MaximumVersion: schema.TLSVersion{Value: tls.VersionTLS11},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
ValidateStorage(suite.config, suite.validator)
|
||||||
|
|
||||||
|
suite.Assert().Len(suite.validator.Warnings(), 0)
|
||||||
|
suite.Require().Len(suite.validator.Errors(), 1)
|
||||||
|
|
||||||
|
suite.Assert().EqualError(suite.validator.Errors()[0], "storage: mysql: tls: option combination of 'minimum_version' and 'maximum_version' is invalid: minimum version TLS1.3 is greater than the maximum version TLS1.1")
|
||||||
|
}
|
||||||
|
|
||||||
func (suite *StorageSuite) TestShouldValidatePostgreSQLHostUsernamePasswordAndDatabaseAreProvided() {
|
func (suite *StorageSuite) TestShouldValidatePostgreSQLHostUsernamePasswordAndDatabaseAreProvided() {
|
||||||
suite.config.PostgreSQL = &schema.PostgreSQLStorageConfiguration{}
|
suite.config.PostgreSQL = &schema.PostgreSQLStorageConfiguration{}
|
||||||
suite.config.MySQL = nil
|
suite.config.MySQL = nil
|
||||||
|
@ -104,7 +169,7 @@ func (suite *StorageSuite) TestShouldValidatePostgreSQLHostUsernamePasswordAndDa
|
||||||
suite.Assert().Len(suite.validator.Errors(), 0)
|
suite.Assert().Len(suite.validator.Errors(), 0)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (suite *StorageSuite) TestShouldValidatePostgresSSLModeAndSchemaDefaults() {
|
func (suite *StorageSuite) TestShouldValidatePostgresSchemaDefault() {
|
||||||
suite.config.PostgreSQL = &schema.PostgreSQLStorageConfiguration{
|
suite.config.PostgreSQL = &schema.PostgreSQLStorageConfiguration{
|
||||||
SQLStorageConfiguration: schema.SQLStorageConfiguration{
|
SQLStorageConfiguration: schema.SQLStorageConfiguration{
|
||||||
Host: "db1",
|
Host: "db1",
|
||||||
|
@ -119,10 +184,140 @@ func (suite *StorageSuite) TestShouldValidatePostgresSSLModeAndSchemaDefaults()
|
||||||
suite.Assert().Len(suite.validator.Warnings(), 0)
|
suite.Assert().Len(suite.validator.Warnings(), 0)
|
||||||
suite.Assert().Len(suite.validator.Errors(), 0)
|
suite.Assert().Len(suite.validator.Errors(), 0)
|
||||||
|
|
||||||
suite.Assert().Equal("disable", suite.config.PostgreSQL.SSL.Mode)
|
suite.Assert().Nil(suite.config.PostgreSQL.SSL)
|
||||||
|
suite.Assert().Nil(suite.config.PostgreSQL.TLS)
|
||||||
|
|
||||||
suite.Assert().Equal("public", suite.config.PostgreSQL.Schema)
|
suite.Assert().Equal("public", suite.config.PostgreSQL.Schema)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (suite *StorageSuite) TestShouldValidatePostgresTLSDefaults() {
|
||||||
|
suite.config.PostgreSQL = &schema.PostgreSQLStorageConfiguration{
|
||||||
|
SQLStorageConfiguration: schema.SQLStorageConfiguration{
|
||||||
|
Host: "db1",
|
||||||
|
Username: "myuser",
|
||||||
|
Password: "pass",
|
||||||
|
Database: "database",
|
||||||
|
},
|
||||||
|
TLS: &schema.TLSConfig{},
|
||||||
|
}
|
||||||
|
|
||||||
|
ValidateStorage(suite.config, suite.validator)
|
||||||
|
|
||||||
|
suite.Assert().Len(suite.validator.Warnings(), 0)
|
||||||
|
suite.Assert().Len(suite.validator.Errors(), 0)
|
||||||
|
|
||||||
|
suite.Assert().Nil(suite.config.PostgreSQL.SSL)
|
||||||
|
suite.Require().NotNil(suite.config.PostgreSQL.TLS)
|
||||||
|
|
||||||
|
suite.Assert().Equal(uint16(tls.VersionTLS12), suite.config.PostgreSQL.TLS.MinimumVersion.Value)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (suite *StorageSuite) TestShouldSetDefaultPostgreSQLTLSServerName() {
|
||||||
|
suite.config.PostgreSQL = &schema.PostgreSQLStorageConfiguration{
|
||||||
|
SQLStorageConfiguration: schema.SQLStorageConfiguration{
|
||||||
|
Host: "mysql1",
|
||||||
|
Username: "myuser",
|
||||||
|
Password: "pass",
|
||||||
|
Database: "database",
|
||||||
|
},
|
||||||
|
TLS: &schema.TLSConfig{
|
||||||
|
MinimumVersion: schema.TLSVersion{Value: tls.VersionTLS12},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
ValidateStorage(suite.config, suite.validator)
|
||||||
|
|
||||||
|
suite.Assert().Len(suite.validator.Warnings(), 0)
|
||||||
|
suite.Assert().Len(suite.validator.Errors(), 0)
|
||||||
|
|
||||||
|
suite.Assert().Equal(suite.config.PostgreSQL.Host, suite.config.PostgreSQL.TLS.ServerName)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (suite *StorageSuite) TestShouldRaiseErrorOnInvalidPostgreSQLTLSVersion() {
|
||||||
|
suite.config.PostgreSQL = &schema.PostgreSQLStorageConfiguration{
|
||||||
|
SQLStorageConfiguration: schema.SQLStorageConfiguration{
|
||||||
|
Host: "db1",
|
||||||
|
Username: "myuser",
|
||||||
|
Password: "pass",
|
||||||
|
Database: "database",
|
||||||
|
},
|
||||||
|
TLS: &schema.TLSConfig{
|
||||||
|
MinimumVersion: schema.TLSVersion{Value: tls.VersionSSL30}, //nolint:staticcheck
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
ValidateStorage(suite.config, suite.validator)
|
||||||
|
|
||||||
|
suite.Assert().Len(suite.validator.Warnings(), 0)
|
||||||
|
suite.Require().Len(suite.validator.Errors(), 1)
|
||||||
|
|
||||||
|
suite.Assert().EqualError(suite.validator.Errors()[0], "storage: postgres: tls: option 'minimum_version' is invalid: minimum version is TLS1.0 but SSL3.0 was configured")
|
||||||
|
}
|
||||||
|
|
||||||
|
func (suite *StorageSuite) TestShouldRaiseErrorOnInvalidPostgreSQLMinVersionGreaterThanMaximum() {
|
||||||
|
suite.config.PostgreSQL = &schema.PostgreSQLStorageConfiguration{
|
||||||
|
SQLStorageConfiguration: schema.SQLStorageConfiguration{
|
||||||
|
Host: "db1",
|
||||||
|
Username: "myuser",
|
||||||
|
Password: "pass",
|
||||||
|
Database: "database",
|
||||||
|
},
|
||||||
|
TLS: &schema.TLSConfig{
|
||||||
|
MinimumVersion: schema.TLSVersion{Value: tls.VersionTLS13},
|
||||||
|
MaximumVersion: schema.TLSVersion{Value: tls.VersionTLS11},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
ValidateStorage(suite.config, suite.validator)
|
||||||
|
|
||||||
|
suite.Assert().Len(suite.validator.Warnings(), 0)
|
||||||
|
suite.Require().Len(suite.validator.Errors(), 1)
|
||||||
|
|
||||||
|
suite.Assert().EqualError(suite.validator.Errors()[0], "storage: postgres: tls: option combination of 'minimum_version' and 'maximum_version' is invalid: minimum version TLS1.3 is greater than the maximum version TLS1.1")
|
||||||
|
}
|
||||||
|
|
||||||
|
func (suite *StorageSuite) TestShouldValidatePostgresSSLDefaults() {
|
||||||
|
suite.config.PostgreSQL = &schema.PostgreSQLStorageConfiguration{
|
||||||
|
SQLStorageConfiguration: schema.SQLStorageConfiguration{
|
||||||
|
Host: "db1",
|
||||||
|
Username: "myuser",
|
||||||
|
Password: "pass",
|
||||||
|
Database: "database",
|
||||||
|
},
|
||||||
|
SSL: &schema.PostgreSQLSSLStorageConfiguration{},
|
||||||
|
}
|
||||||
|
|
||||||
|
ValidateStorage(suite.config, suite.validator)
|
||||||
|
|
||||||
|
suite.Assert().Len(suite.validator.Warnings(), 1)
|
||||||
|
suite.Assert().Len(suite.validator.Errors(), 0)
|
||||||
|
|
||||||
|
suite.Assert().NotNil(suite.config.PostgreSQL.SSL)
|
||||||
|
suite.Require().Nil(suite.config.PostgreSQL.TLS)
|
||||||
|
|
||||||
|
suite.Assert().Equal(schema.DefaultPostgreSQLStorageConfiguration.SSL.Mode, suite.config.PostgreSQL.SSL.Mode)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (suite *StorageSuite) TestShouldRaiseErrorOnTLSAndLegacySSL() {
|
||||||
|
suite.config.PostgreSQL = &schema.PostgreSQLStorageConfiguration{
|
||||||
|
SQLStorageConfiguration: schema.SQLStorageConfiguration{
|
||||||
|
Host: "db1",
|
||||||
|
Username: "myuser",
|
||||||
|
Password: "pass",
|
||||||
|
Database: "database",
|
||||||
|
},
|
||||||
|
SSL: &schema.PostgreSQLSSLStorageConfiguration{},
|
||||||
|
TLS: &schema.TLSConfig{},
|
||||||
|
}
|
||||||
|
|
||||||
|
ValidateStorage(suite.config, suite.validator)
|
||||||
|
|
||||||
|
suite.Assert().Len(suite.validator.Warnings(), 0)
|
||||||
|
suite.Require().Len(suite.validator.Errors(), 1)
|
||||||
|
|
||||||
|
suite.Assert().EqualError(suite.validator.Errors()[0], "storage: postgres: can't define both 'tls' and 'ssl' configuration options")
|
||||||
|
}
|
||||||
|
|
||||||
func (suite *StorageSuite) TestShouldValidatePostgresDefaultsDontOverrideConfiguration() {
|
func (suite *StorageSuite) TestShouldValidatePostgresDefaultsDontOverrideConfiguration() {
|
||||||
suite.config.PostgreSQL = &schema.PostgreSQLStorageConfiguration{
|
suite.config.PostgreSQL = &schema.PostgreSQLStorageConfiguration{
|
||||||
SQLStorageConfiguration: schema.SQLStorageConfiguration{
|
SQLStorageConfiguration: schema.SQLStorageConfiguration{
|
||||||
|
@ -132,18 +327,20 @@ func (suite *StorageSuite) TestShouldValidatePostgresDefaultsDontOverrideConfigu
|
||||||
Database: "database",
|
Database: "database",
|
||||||
},
|
},
|
||||||
Schema: "authelia",
|
Schema: "authelia",
|
||||||
SSL: schema.PostgreSQLSSLStorageConfiguration{
|
SSL: &schema.PostgreSQLSSLStorageConfiguration{
|
||||||
Mode: "require",
|
Mode: "require",
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
ValidateStorage(suite.config, suite.validator)
|
ValidateStorage(suite.config, suite.validator)
|
||||||
|
|
||||||
suite.Assert().Len(suite.validator.Warnings(), 0)
|
suite.Require().Len(suite.validator.Warnings(), 1)
|
||||||
suite.Assert().Len(suite.validator.Errors(), 0)
|
suite.Assert().Len(suite.validator.Errors(), 0)
|
||||||
|
|
||||||
suite.Assert().Equal("require", suite.config.PostgreSQL.SSL.Mode)
|
suite.Assert().Equal("require", suite.config.PostgreSQL.SSL.Mode)
|
||||||
suite.Assert().Equal("authelia", suite.config.PostgreSQL.Schema)
|
suite.Assert().Equal("authelia", suite.config.PostgreSQL.Schema)
|
||||||
|
|
||||||
|
suite.Assert().EqualError(suite.validator.Warnings()[0], "storage: postgres: ssl: the ssl configuration options are deprecated and we recommend the tls options instead")
|
||||||
}
|
}
|
||||||
|
|
||||||
func (suite *StorageSuite) TestShouldValidatePostgresSSLModeMustBeValid() {
|
func (suite *StorageSuite) TestShouldValidatePostgresSSLModeMustBeValid() {
|
||||||
|
@ -154,14 +351,14 @@ func (suite *StorageSuite) TestShouldValidatePostgresSSLModeMustBeValid() {
|
||||||
Password: "pass",
|
Password: "pass",
|
||||||
Database: "database",
|
Database: "database",
|
||||||
},
|
},
|
||||||
SSL: schema.PostgreSQLSSLStorageConfiguration{
|
SSL: &schema.PostgreSQLSSLStorageConfiguration{
|
||||||
Mode: "unknown",
|
Mode: "unknown",
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
ValidateStorage(suite.config, suite.validator)
|
ValidateStorage(suite.config, suite.validator)
|
||||||
|
|
||||||
suite.Assert().Len(suite.validator.Warnings(), 0)
|
suite.Assert().Len(suite.validator.Warnings(), 1)
|
||||||
suite.Require().Len(suite.validator.Errors(), 1)
|
suite.Require().Len(suite.validator.Errors(), 1)
|
||||||
suite.Assert().EqualError(suite.validator.Errors()[0], "storage: postgres: ssl: option 'mode' must be one of 'disable', 'require', 'verify-ca', 'verify-full' but it is configured as 'unknown'")
|
suite.Assert().EqualError(suite.validator.Errors()[0], "storage: postgres: ssl: option 'mode' must be one of 'disable', 'require', 'verify-ca', 'verify-full' but it is configured as 'unknown'")
|
||||||
}
|
}
|
||||||
|
|
|
@ -9,6 +9,7 @@ import (
|
||||||
"github.com/go-sql-driver/mysql"
|
"github.com/go-sql-driver/mysql"
|
||||||
|
|
||||||
"github.com/authelia/authelia/v4/internal/configuration/schema"
|
"github.com/authelia/authelia/v4/internal/configuration/schema"
|
||||||
|
"github.com/authelia/authelia/v4/internal/utils"
|
||||||
)
|
)
|
||||||
|
|
||||||
// MySQLProvider is a MySQL provider.
|
// MySQLProvider is a MySQL provider.
|
||||||
|
@ -19,7 +20,7 @@ type MySQLProvider struct {
|
||||||
// NewMySQLProvider a MySQL provider.
|
// NewMySQLProvider a MySQL provider.
|
||||||
func NewMySQLProvider(config *schema.Configuration, caCertPool *x509.CertPool) (provider *MySQLProvider) {
|
func NewMySQLProvider(config *schema.Configuration, caCertPool *x509.CertPool) (provider *MySQLProvider) {
|
||||||
provider = &MySQLProvider{
|
provider = &MySQLProvider{
|
||||||
SQLProvider: NewSQLProvider(config, providerMySQL, providerMySQL, dsnMySQL(config.Storage.MySQL)),
|
SQLProvider: NewSQLProvider(config, providerMySQL, providerMySQL, dsnMySQL(config.Storage.MySQL, caCertPool)),
|
||||||
}
|
}
|
||||||
|
|
||||||
// All providers have differing SELECT existing table statements.
|
// All providers have differing SELECT existing table statements.
|
||||||
|
@ -31,7 +32,7 @@ func NewMySQLProvider(config *schema.Configuration, caCertPool *x509.CertPool) (
|
||||||
return provider
|
return provider
|
||||||
}
|
}
|
||||||
|
|
||||||
func dsnMySQL(config *schema.MySQLStorageConfiguration) (dataSourceName string) {
|
func dsnMySQL(config *schema.MySQLStorageConfiguration, caCertPool *x509.CertPool) (dataSourceName string) {
|
||||||
dsnConfig := mysql.NewConfig()
|
dsnConfig := mysql.NewConfig()
|
||||||
|
|
||||||
switch {
|
switch {
|
||||||
|
@ -46,6 +47,12 @@ func dsnMySQL(config *schema.MySQLStorageConfiguration) (dataSourceName string)
|
||||||
dsnConfig.Addr = fmt.Sprintf("%s:%d", config.Host, config.Port)
|
dsnConfig.Addr = fmt.Sprintf("%s:%d", config.Host, config.Port)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if config.TLS != nil {
|
||||||
|
_ = mysql.RegisterTLSConfig("storage", utils.NewTLSConfig(config.TLS, caCertPool))
|
||||||
|
|
||||||
|
dsnConfig.TLSConfig = "storage"
|
||||||
|
}
|
||||||
|
|
||||||
switch config.Port {
|
switch config.Port {
|
||||||
case 0:
|
case 0:
|
||||||
dsnConfig.Addr = config.Host
|
dsnConfig.Addr = config.Host
|
||||||
|
|
|
@ -12,6 +12,7 @@ import (
|
||||||
"github.com/jackc/pgx/v5/stdlib"
|
"github.com/jackc/pgx/v5/stdlib"
|
||||||
|
|
||||||
"github.com/authelia/authelia/v4/internal/configuration/schema"
|
"github.com/authelia/authelia/v4/internal/configuration/schema"
|
||||||
|
"github.com/authelia/authelia/v4/internal/utils"
|
||||||
)
|
)
|
||||||
|
|
||||||
// PostgreSQLProvider is a PostgreSQL provider.
|
// PostgreSQLProvider is a PostgreSQL provider.
|
||||||
|
@ -135,42 +136,12 @@ func NewPostgreSQLProvider(config *schema.Configuration, caCertPool *x509.CertPo
|
||||||
func dsnPostgreSQL(config *schema.PostgreSQLStorageConfiguration, globalCACertPool *x509.CertPool) (dsn string) {
|
func dsnPostgreSQL(config *schema.PostgreSQLStorageConfiguration, globalCACertPool *x509.CertPool) (dsn string) {
|
||||||
dsnConfig, _ := pgx.ParseConfig("")
|
dsnConfig, _ := pgx.ParseConfig("")
|
||||||
|
|
||||||
ca, certs := loadPostgreSQLLegacyTLS(config)
|
|
||||||
|
|
||||||
switch config.SSL.Mode {
|
|
||||||
case "disable":
|
|
||||||
break
|
|
||||||
default:
|
|
||||||
var caCertPool *x509.CertPool
|
|
||||||
|
|
||||||
switch ca {
|
|
||||||
case nil:
|
|
||||||
caCertPool = globalCACertPool
|
|
||||||
default:
|
|
||||||
caCertPool = globalCACertPool.Clone()
|
|
||||||
caCertPool.AddCert(ca)
|
|
||||||
}
|
|
||||||
|
|
||||||
dsnConfig.TLSConfig = &tls.Config{
|
|
||||||
Certificates: certs,
|
|
||||||
RootCAs: caCertPool,
|
|
||||||
InsecureSkipVerify: true, //nolint:gosec
|
|
||||||
}
|
|
||||||
|
|
||||||
switch {
|
|
||||||
case config.SSL.Mode == "require" && config.SSL.RootCertificate != "" || config.SSL.Mode == "verify-ca":
|
|
||||||
dsnConfig.TLSConfig.VerifyPeerCertificate = newPostgreSQLVerifyCAFunc(dsnConfig.TLSConfig)
|
|
||||||
case config.SSL.Mode == "verify-full":
|
|
||||||
dsnConfig.TLSConfig.InsecureSkipVerify = false
|
|
||||||
dsnConfig.TLSConfig.ServerName = config.Host
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
dsnConfig.Host = config.Host
|
dsnConfig.Host = config.Host
|
||||||
dsnConfig.Port = uint16(config.Port)
|
dsnConfig.Port = uint16(config.Port)
|
||||||
dsnConfig.Database = config.Database
|
dsnConfig.Database = config.Database
|
||||||
dsnConfig.User = config.Username
|
dsnConfig.User = config.Username
|
||||||
dsnConfig.Password = config.Password
|
dsnConfig.Password = config.Password
|
||||||
|
dsnConfig.TLSConfig = loadPostgreSQLTLSConfig(config, globalCACertPool)
|
||||||
dsnConfig.ConnectTimeout = config.Timeout
|
dsnConfig.ConnectTimeout = config.Timeout
|
||||||
dsnConfig.RuntimeParams = map[string]string{
|
dsnConfig.RuntimeParams = map[string]string{
|
||||||
"search_path": config.Schema,
|
"search_path": config.Schema,
|
||||||
|
@ -183,7 +154,50 @@ func dsnPostgreSQL(config *schema.PostgreSQLStorageConfiguration, globalCACertPo
|
||||||
return stdlib.RegisterConnConfig(dsnConfig)
|
return stdlib.RegisterConnConfig(dsnConfig)
|
||||||
}
|
}
|
||||||
|
|
||||||
func loadPostgreSQLLegacyTLS(config *schema.PostgreSQLStorageConfiguration) (ca *x509.Certificate, certs []tls.Certificate) {
|
func loadPostgreSQLTLSConfig(config *schema.PostgreSQLStorageConfiguration, globalCACertPool *x509.CertPool) (tlsConfig *tls.Config) {
|
||||||
|
if config.TLS == nil && config.SSL == nil {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
if config.TLS != nil {
|
||||||
|
return utils.NewTLSConfig(config.TLS, globalCACertPool)
|
||||||
|
}
|
||||||
|
|
||||||
|
ca, certs := loadPostgreSQLLegacyTLSConfig(config)
|
||||||
|
|
||||||
|
switch config.SSL.Mode {
|
||||||
|
case "disable":
|
||||||
|
return nil
|
||||||
|
default:
|
||||||
|
var caCertPool *x509.CertPool
|
||||||
|
|
||||||
|
switch ca {
|
||||||
|
case nil:
|
||||||
|
caCertPool = globalCACertPool
|
||||||
|
default:
|
||||||
|
caCertPool = globalCACertPool.Clone()
|
||||||
|
caCertPool.AddCert(ca)
|
||||||
|
}
|
||||||
|
|
||||||
|
tlsConfig = &tls.Config{
|
||||||
|
Certificates: certs,
|
||||||
|
RootCAs: caCertPool,
|
||||||
|
InsecureSkipVerify: true, //nolint:gosec
|
||||||
|
}
|
||||||
|
|
||||||
|
switch {
|
||||||
|
case config.SSL.Mode == "require" && config.SSL.RootCertificate != "" || config.SSL.Mode == "verify-ca":
|
||||||
|
tlsConfig.VerifyPeerCertificate = newPostgreSQLVerifyCAFunc(tlsConfig)
|
||||||
|
case config.SSL.Mode == "verify-full":
|
||||||
|
tlsConfig.InsecureSkipVerify = false
|
||||||
|
tlsConfig.ServerName = config.Host
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return tlsConfig
|
||||||
|
}
|
||||||
|
|
||||||
|
func loadPostgreSQLLegacyTLSConfig(config *schema.PostgreSQLStorageConfiguration) (ca *x509.Certificate, certs []tls.Certificate) {
|
||||||
var (
|
var (
|
||||||
err error
|
err error
|
||||||
)
|
)
|
||||||
|
|
|
@ -235,7 +235,7 @@ func IsX509PrivateKey(i any) bool {
|
||||||
}
|
}
|
||||||
|
|
||||||
// NewTLSConfig generates a tls.Config from a schema.TLSConfig and a x509.CertPool.
|
// NewTLSConfig generates a tls.Config from a schema.TLSConfig and a x509.CertPool.
|
||||||
func NewTLSConfig(config *schema.TLSConfig, certPool *x509.CertPool) (tlsConfig *tls.Config) {
|
func NewTLSConfig(config *schema.TLSConfig, caCertPool *x509.CertPool) (tlsConfig *tls.Config) {
|
||||||
var certificates []tls.Certificate
|
var certificates []tls.Certificate
|
||||||
|
|
||||||
if config.CertificateChain.HasCertificates() && config.PrivateKey != nil {
|
if config.CertificateChain.HasCertificates() && config.PrivateKey != nil {
|
||||||
|
@ -253,7 +253,7 @@ func NewTLSConfig(config *schema.TLSConfig, certPool *x509.CertPool) (tlsConfig
|
||||||
InsecureSkipVerify: config.SkipVerify, //nolint:gosec // Informed choice by user. Off by default.
|
InsecureSkipVerify: config.SkipVerify, //nolint:gosec // Informed choice by user. Off by default.
|
||||||
MinVersion: config.MinimumVersion.MinVersion(),
|
MinVersion: config.MinimumVersion.MinVersion(),
|
||||||
MaxVersion: config.MinimumVersion.MaxVersion(),
|
MaxVersion: config.MinimumVersion.MaxVersion(),
|
||||||
RootCAs: certPool,
|
RootCAs: caCertPool,
|
||||||
Certificates: certificates,
|
Certificates: certificates,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue