diff --git a/.dockerignore b/.dockerignore
index 1a3b8262..c14a03ac 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -21,3 +21,6 @@ examples
internal/server/public_html
authelia.service
bootstrap.sh
+
+# Overrides
+!.healthcheck.env
diff --git a/.healthcheck.env b/.healthcheck.env
new file mode 100644
index 00000000..20df13dd
--- /dev/null
+++ b/.healthcheck.env
@@ -0,0 +1,5 @@
+# Default Template
+X_AUTHELIA_HEALTHCHECK_SCHEME=http
+X_AUTHELIA_HEALTHCHECK_HOST=localhost
+X_AUTHELIA_HEALTHCHECK_PORT=9091
+X_AUTHELIA_HEALTHCHECK_PATH=
diff --git a/Dockerfile b/Dockerfile
index ced510a5..3274125f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -17,6 +17,7 @@ ARG LDFLAGS_EXTRA
RUN \
mv public_html internal/server/public_html && \
+chmod 0666 /go/src/app/.healthcheck.env && \
echo ">> Starting go build..." && \
GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -tags netgo \
-ldflags "-s -w ${LDFLAGS_EXTRA}" -trimpath -o authelia ./cmd/authelia
@@ -30,7 +31,7 @@ WORKDIR /app
RUN apk --no-cache add ca-certificates su-exec tzdata
-COPY --from=builder-backend /go/src/app/authelia /go/src/app/LICENSE /go/src/app/entrypoint.sh /go/src/app/healthcheck.sh ./
+COPY --from=builder-backend /go/src/app/authelia /go/src/app/LICENSE /go/src/app/entrypoint.sh /go/src/app/healthcheck.sh /go/src/app/.healthcheck.env ./
EXPOSE 9091
diff --git a/Dockerfile.arm32v7 b/Dockerfile.arm32v7
index bfced427..ec4724dc 100644
--- a/Dockerfile.arm32v7
+++ b/Dockerfile.arm32v7
@@ -17,6 +17,7 @@ ARG LDFLAGS_EXTRA
RUN \
mv public_html internal/server/public_html && \
+chmod 0666 /go/src/app/.healthcheck.env && \
echo ">> Starting go build..." && \
GOOS=linux GOARCH=arm CGO_ENABLED=0 go build -tags netgo \
-ldflags "-s -w ${LDFLAGS_EXTRA}" -trimpath -o authelia ./cmd/authelia
@@ -31,7 +32,7 @@ WORKDIR /app
RUN \
apk --no-cache add ca-certificates su-exec tzdata
-COPY --from=builder-backend /go/src/app/authelia /go/src/app/LICENSE /go/src/app/entrypoint.sh /go/src/app/healthcheck.sh ./
+COPY --from=builder-backend /go/src/app/authelia /go/src/app/LICENSE /go/src/app/entrypoint.sh /go/src/app/healthcheck.sh /go/src/app/.healthcheck.env ./
EXPOSE 9091
diff --git a/Dockerfile.arm64v8 b/Dockerfile.arm64v8
index 9d098574..a645e19d 100644
--- a/Dockerfile.arm64v8
+++ b/Dockerfile.arm64v8
@@ -17,6 +17,7 @@ ARG LDFLAGS_EXTRA
RUN \
mv public_html internal/server/public_html && \
+chmod 0666 /go/src/app/.healthcheck.env && \
echo ">> Starting go build..." && \
GOOS=linux GOARCH=arm64 CGO_ENABLED=0 go build -tags netgo \
-ldflags "-s -w ${LDFLAGS_EXTRA}" -trimpath -o authelia ./cmd/authelia
@@ -31,7 +32,7 @@ WORKDIR /app
RUN \
apk --no-cache add ca-certificates su-exec tzdata
-COPY --from=builder-backend /go/src/app/authelia /go/src/app/LICENSE /go/src/app/entrypoint.sh /go/src/app/healthcheck.sh ./
+COPY --from=builder-backend /go/src/app/authelia /go/src/app/LICENSE /go/src/app/entrypoint.sh /go/src/app/healthcheck.sh /go/src/app/.healthcheck.env ./
EXPOSE 9091
diff --git a/Dockerfile.coverage b/Dockerfile.coverage
index 225ed9a0..6c34d60d 100644
--- a/Dockerfile.coverage
+++ b/Dockerfile.coverage
@@ -32,6 +32,7 @@ ARG LDFLAGS_EXTRA
RUN \
mv api internal/server/public_html/api && \
cd cmd/authelia && \
+chmod 0666 /go/src/app/.healthcheck.env && \
echo ">> Starting go build (coverage via go test)..." && \
CGO_ENABLED=0 go test -c --tags coverage -covermode=atomic \
-ldflags "${LDFLAGS_EXTRA}" -o authelia -coverpkg github.com/authelia/authelia/...
@@ -45,7 +46,7 @@ RUN apk --no-cache add ca-certificates tzdata
WORKDIR /app
-COPY --from=builder-backend /go/src/app/cmd/authelia/authelia /go/src/app/LICENSE /go/src/app/healthcheck.sh ./
+COPY --from=builder-backend /go/src/app/cmd/authelia/authelia /go/src/app/LICENSE /go/src/app/healthcheck.sh /go/src/app/.healthcheck.env ./
EXPOSE 9091
diff --git a/config.template.yml b/config.template.yml
index c552a45a..356e909d 100644
--- a/config.template.yml
+++ b/config.template.yml
@@ -53,6 +53,10 @@ server:
## Enables the expvars endpoint.
enable_expvars: false
+ ## Disables writing the health check vars to /app/.healthcheck.env which makes healthcheck.sh return exit code 0.
+ ## This is disabled by default if either /app/.healthcheck.env or /app/healthcheck.sh do not exist.
+ disable_healthcheck: false
+
## Authelia by default doesn't accept TLS communication on the server port. This section overrides this behaviour.
tls:
## The path to the DER base64/PEM format private key.
diff --git a/docs/configuration/server.md b/docs/configuration/server.md
index 40172e93..3acbb509 100644
--- a/docs/configuration/server.md
+++ b/docs/configuration/server.md
@@ -20,6 +20,7 @@ server:
write_buffer_size: 4096
enable_pprof: false
enable_expvars: false
+ disable_healthcheck: false
tls:
key: ""
certificate: ""
@@ -134,6 +135,23 @@ required: no
Enables the go expvars endpoints.
+### disable_healthcheck
+
+type: boolean
+{: .label .label-config .label-purple }
+default: false
+{: .label .label-config .label-blue }
+required: no
+{: .label .label-config .label-green }
+
+
+On startup Authelia checks for the existence of /app/healthcheck.sh and /app/.healthcheck.env and if both of these exist
+it writes the configuration vars for the healthcheck to the /app/.healthcheck.env file. In instances where this is not
+desirable it's possible to disable these interactions entirely.
+
+An example situation where this is the case is in Kubernetes when set security policies that prevent writing to the
+ephemeral storage of a container or just don't want to enable the internal health check.
+
### tls
Authelia typically listens for plain unencrypted connections. This is by design as most environments allow to
diff --git a/healthcheck.sh b/healthcheck.sh
index 147e18d7..afd152fa 100755
--- a/healthcheck.sh
+++ b/healthcheck.sh
@@ -1,23 +1,21 @@
#!/bin/sh
-AUTHELIA_CONFIG=$(pgrep -af authelia | awk '{print $NF}')
-AUTHELIA_SCHEME=$(grep ^tls "${AUTHELIA_CONFIG}")
-AUTHELIA_HOST=$(grep ^host "${AUTHELIA_CONFIG}" | sed -e 's/host: //' -e 's/\r//')
-AUTHELIA_PORT=$(grep ^port "${AUTHELIA_CONFIG}" | sed -e 's/port: //' -e 's/\r//')
-AUTHELIA_PATH=$(grep ^\ \ path "${AUTHELIA_CONFIG}" | sed -e 's/ path: //' -e 's/\r//' -e 's/^/\//')
-
-if [ -z "${AUTHELIA_SCHEME}" ]; then
- AUTHELIA_SCHEME=http
-else
- AUTHELIA_SCHEME=https
+if [ -z "${X_AUTHELIA_HEALTHCHECK}" ]; then
+ exit 0
fi
-if [ -z "${AUTHELIA_HOST}" ] || [ "${AUTHELIA_HOST}" = "0.0.0.0" ]; then
- AUTHELIA_HOST=localhost
+source /app/.healthcheck.env
+
+if [ -z "${X_AUTHELIA_HEALTHCHECK_SCHEME}" ]; then
+ X_AUTHELIA_HEALTHCHECK_SCHEME=http
fi
-if [ -z "${AUTHELIA_PORT}" ]; then
- AUTHELIA_PORT=9091
+if [ -z "${X_AUTHELIA_HEALTHCHECK_HOST}" ]; then
+ X_AUTHELIA_HEALTHCHECK_HOST=localhost
fi
-wget --quiet --no-check-certificate --tries=1 --spider "${AUTHELIA_SCHEME}://${AUTHELIA_HOST}:${AUTHELIA_PORT}${AUTHELIA_PATH}/api/health" || exit 1
+if [ -z "${X_AUTHELIA_HEALTHCHECK_PORT}" ]; then
+ X_AUTHELIA_HEALTHCHECK_PORT=9091
+fi
+
+wget --quiet --no-check-certificate --tries=1 --spider "${X_AUTHELIA_HEALTHCHECK_SCHEME}://${X_AUTHELIA_HEALTHCHECK_HOST}:${X_AUTHELIA_HEALTHCHECK_PORT}${X_AUTHELIA_HEALTHCHECK_PATH}/api/health" || exit 1
diff --git a/internal/configuration/config.template.yml b/internal/configuration/config.template.yml
index c552a45a..356e909d 100644
--- a/internal/configuration/config.template.yml
+++ b/internal/configuration/config.template.yml
@@ -53,6 +53,10 @@ server:
## Enables the expvars endpoint.
enable_expvars: false
+ ## Disables writing the health check vars to /app/.healthcheck.env which makes healthcheck.sh return exit code 0.
+ ## This is disabled by default if either /app/.healthcheck.env or /app/healthcheck.sh do not exist.
+ disable_healthcheck: false
+
## Authelia by default doesn't accept TLS communication on the server port. This section overrides this behaviour.
tls:
## The path to the DER base64/PEM format private key.
diff --git a/internal/configuration/schema/server.go b/internal/configuration/schema/server.go
index 07169ad8..d07165cb 100644
--- a/internal/configuration/schema/server.go
+++ b/internal/configuration/schema/server.go
@@ -2,13 +2,14 @@ package schema
// ServerConfiguration represents the configuration of the http server.
type ServerConfiguration struct {
- Host string `koanf:"host"`
- Port int `koanf:"port"`
- Path string `koanf:"path"`
- ReadBufferSize int `koanf:"read_buffer_size"`
- WriteBufferSize int `koanf:"write_buffer_size"`
- EnablePprof bool `koanf:"enable_endpoint_pprof"`
- EnableExpvars bool `koanf:"enable_endpoint_expvars"`
+ Host string `koanf:"host"`
+ Port int `koanf:"port"`
+ Path string `koanf:"path"`
+ ReadBufferSize int `koanf:"read_buffer_size"`
+ WriteBufferSize int `koanf:"write_buffer_size"`
+ EnablePprof bool `koanf:"enable_endpoint_pprof"`
+ EnableExpvars bool `koanf:"enable_endpoint_expvars"`
+ DisableHealthcheck bool `koanf:"disable_healthcheck"`
TLS ServerTLSConfiguration `koanf:"tls"`
}
diff --git a/internal/configuration/validator/const.go b/internal/configuration/validator/const.go
index e15420db..590d56c2 100644
--- a/internal/configuration/validator/const.go
+++ b/internal/configuration/validator/const.go
@@ -139,6 +139,7 @@ var ValidKeys = []string{
"server.path",
"server.enable_pprof",
"server.enable_expvars",
+ "server.disable_healthcheck",
"server.tls.key",
"server.tls.certificate",
diff --git a/internal/server/const.go b/internal/server/const.go
index 6950d07f..9251aa95 100644
--- a/internal/server/const.go
+++ b/internal/server/const.go
@@ -6,3 +6,11 @@ const apiFile = "openapi.yml"
const indexFile = "index.html"
const dev = "dev"
+
+const healthCheckEnv = `# Written by Authelia Process
+X_AUTHELIA_HEALTHCHECK=1
+X_AUTHELIA_HEALTHCHECK_SCHEME=%s
+X_AUTHELIA_HEALTHCHECK_HOST=%s
+X_AUTHELIA_HEALTHCHECK_PORT=%d
+X_AUTHELIA_HEALTHCHECK_PATH=%s
+`
diff --git a/internal/server/server.go b/internal/server/server.go
index ef5c2f6c..a12eb850 100644
--- a/internal/server/server.go
+++ b/internal/server/server.go
@@ -192,9 +192,17 @@ func Start(configuration schema.Configuration, providers middlewares.Providers)
}
if configuration.Server.TLS.Certificate != "" && configuration.Server.TLS.Key != "" {
+ if err = writeHealthCheckEnv(configuration.Server.DisableHealthcheck, "https", configuration.Server.Host, configuration.Server.Path, configuration.Server.Port); err != nil {
+ logger.Fatalf("Could not configure healthcheck: %v", err)
+ }
+
logger.Infof("Listening for TLS connections on %s%s", addrPattern, configuration.Server.Path)
logger.Fatal(server.ServeTLS(listener, configuration.Server.TLS.Certificate, configuration.Server.TLS.Key))
} else {
+ if err = writeHealthCheckEnv(configuration.Server.DisableHealthcheck, "http", configuration.Server.Host, configuration.Server.Path, configuration.Server.Port); err != nil {
+ logger.Fatalf("Could not configure healthcheck: %v", err)
+ }
+
logger.Infof("Listening for non-TLS connections on %s%s", addrPattern, configuration.Server.Path)
logger.Fatal(server.Serve(listener))
}
diff --git a/internal/server/template.go b/internal/server/template.go
index 1c65fb55..70c327fd 100644
--- a/internal/server/template.go
+++ b/internal/server/template.go
@@ -64,3 +64,36 @@ func ServeTemplatedFile(publicDir, file, base, rememberMe, resetPassword, sessio
}
}
}
+
+func writeHealthCheckEnv(disabled bool, scheme, host, path string, port int) (err error) {
+ if disabled {
+ return nil
+ }
+
+ _, err = os.Stat("/app/healthcheck.sh")
+ if err != nil {
+ return nil
+ }
+
+ _, err = os.Stat("/app/.healthcheck.env")
+ if err != nil {
+ return nil
+ }
+
+ file, err := os.OpenFile("/app/.healthcheck.env", os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0755)
+ if err != nil {
+ return err
+ }
+
+ defer func() {
+ _ = file.Close()
+ }()
+
+ if host == "0.0.0.0" {
+ host = "localhost"
+ }
+
+ _, err = file.WriteString(fmt.Sprintf(healthCheckEnv, scheme, host, port, path))
+
+ return err
+}