cmd: Support binding frontend/backend to unix sockets (#1230)

This allows the use of strings like "unix:/path/to/socket" as PUBLIC_HOST and/or PRIVATE_HOST. Signed-off-by: Janis Meybohm <meybohm@traum-ferienwohnungen.de>
ory · Dec 13, 2018 · aa6ab26 · aa6ab26
1 parent bff47d2
commit aa6ab26
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 13 deletions.
diff --git a/cmd/serve.go b/cmd/serve.go
@@ -61,14 +61,16 @@ var serveControls = `CORE CONTROLS
 - PUBLIC_PORT: The TCP port hydra should listen and handle public API requests on.
 	Defaults to PUBLIC_PORT=4444
 
-- PUBLIC_HOST: The interface hydra should listen and handle public API requests on. Leave empty to listen on all interfaces.
-	Example: PUBLIC_HOST=localhost
+- PUBLIC_HOST: The interface or unix socket hydra should listen and handle public API requests on.
+	Use the prefix "unix:" to specify a path to a unix socket. Leave empty to listen on all interfaces.
+	Example: PUBLIC_HOST=localhost or PUBLIC_HOST="unix:/path/to/public_socket"
 
 - ADMIN_PORT: The TCP port hydra should listen and handle administrative API requests on.
 	Defaults to ADMIN_PORT=4445
 
-- ADMIN_HOST: The interface hydra should listen and handle administartive API requests on. Leave empty to listen on all interfaces.
-	Example: ADMIN_HOST=localhost
+- ADMIN_HOST: The interface or unix socket hydra should listen and handle administrative API requests on.
+	Use the prefix "unix:" to specify a path to a unix socket. Leave empty to listen on all interfaces.
+	Example: ADMIN_HOST=localhost or ADMIN_HOST="unix:/path/to/admin_socket"
 
 - BCRYPT_COST: Set the bcrypt hashing cost. This is a trade off between
 	security and performance. Range is 4 =< x =< 31.

diff --git a/cmd/server/handler.go b/cmd/server/handler.go
@@ -23,6 +23,7 @@ package server
 import (
 	"crypto/tls"
 	"fmt"
+	"net"
 	"net/http"
 	"net/url"
 	"strings"
@@ -223,14 +224,23 @@ func serve(c *config.Config, cmd *cobra.Command, handler http.Handler, address s
 	err := graceful.Graceful(func() error {
 		var err error
 		c.GetLogger().Infof("Setting up http server on %s", address)
-		if c.ForceHTTP {
-			c.GetLogger().Warnln("HTTPS disabled. Never do this in production.")
-			err = srv.ListenAndServe()
-		} else if c.AllowTLSTermination != "" {
-			c.GetLogger().Infoln("TLS termination enabled, disabling https.")
-			err = srv.ListenAndServe()
+		if strings.HasPrefix(address, "unix:") {
+			addr := strings.TrimPrefix(address, "unix:")
+			unixListener, e := net.Listen("unix", addr)
+			if e != nil {
+				return e
+			}
+			err = srv.Serve(unixListener)
 		} else {
-			err = srv.ListenAndServeTLS("", "")
+			if c.ForceHTTP {
+				c.GetLogger().Warnln("HTTPS disabled. Never do this in production.")
+				err = srv.ListenAndServe()
+			} else if c.AllowTLSTermination != "" {
+				c.GetLogger().Infoln("TLS termination enabled, disabling https.")
+				err = srv.ListenAndServe()
+			} else {
+				err = srv.ListenAndServeTLS("", "")
+			}
 		}
 
 		return err

diff --git a/config/config.go b/config/config.go
@@ -425,12 +425,19 @@ func (c *Config) GetSystemSecret() []byte {
 	return pkg.HashByteSecret(secret)
 }
 
+func (c *Config) getAddress(address string, port int) string {
+	if strings.HasPrefix(address, "unix:") {
+		return address
+	}
+	return fmt.Sprintf("%s:%d", address, port)
+}
+
 func (c *Config) GetFrontendAddress() string {
-	return fmt.Sprintf("%s:%d", c.FrontendBindHost, c.FrontendBindPort)
+	return c.getAddress(c.FrontendBindHost, c.FrontendBindPort)
 }
 
 func (c *Config) GetBackendAddress() string {
-	return fmt.Sprintf("%s:%d", c.BackendBindHost, c.BackendBindPort)
+	return c.getAddress(c.BackendBindHost, c.BackendBindPort)
 }
 
 func (c *Config) Persist() error {