Comments (9)
The main reason why we haven't updated the postgres tag is because the upgrade procedure for postgres is a lot more manual than it is for redis or mysql. There aren't any new postgres features required by authentik either, but we test in CI with 12, 15 and 16. We will probably upgrade in the future, after we have some docs on how to upgrade too.
from authentik.
I don't think there's too much to gain there, although I don't have any numbers for performance, but for security especially, since postgres isn't exposed to anything, there shouldn't be any issues.
Thank you for your explanation. A few days ago, I attempted to update the database following several online guides, but it turned out to be a disaster. Fortunately, I had taken a backup. The issues I'm concerned about (perhaps not without good reason) are performance improvements and possibly patched security issues.
According to this article by EnterpriseDB, there is a 10% performance increase between Postgres 12 and 15. I could not find any statistics for v16. But for what it's worth, it is probably best to wait for EOL. Updating from a Docker container is way trickier than on the VM.
Gonna write docs for the upgrade and open a pull request, as I have made the update myself with basically no issues.
> I don't think there's too much to gain there, although I don't have any numbers for performance, but for security especially, since postgres isn't exposed to anything, there shouldn't be any issues.
I don't believe this is exactly true when using the default docker-compose file from: https://goauthentik.io/docker-compose.yml
There is no use of separated networks in the compose file where the network for the Postgres container is set to `internal: true`, like this:

```yaml
networks:
  external:
    name: external
    driver: bridge
    ipam:
      config:
        - subnet: 172.30.0.0/24
          gateway: 172.30.0.1
  internal:
    name: internal
    driver: bridge
    internal: true
    ipam:
      config:
        - subnet: 172.31.0.0/24
          gateway: 172.31.0.1
```
So the Postgres container will have access to the outside internet with the default docker-compose file and can be vulnerable to attacks.
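To make the two-network layout from the comment above concrete, here is an added compose example (written for this page, not the authentik project's own docker-compose.yml). Service names (`postgresql`, `redis`, `server`, `worker`), image tags, the `AUTHENTIK_*` environment keys and the published ports are assumptions for illustration; check them against the compose file authentik ships before using this. The point is that only the containers that need to be reachable (or need to reach out) join `external`, while `postgresql` and `redis` sit on `internal` alone:

```yaml
# Added example, not the project's compose file. Service names, image tags,
# environment keys and ports below are assumed for illustration.
services:
  postgresql:
    image: docker.io/library/postgres:16-alpine
    networks:
      - internal            # no external connectivity: Docker adds no NAT/egress for this network
    environment:
      POSTGRES_PASSWORD: ${PG_PASS:?database password required}
      POSTGRES_USER: ${PG_USER:-authentik}
      POSTGRES_DB: ${PG_DB:-authentik}
    volumes:
      - database:/var/lib/postgresql/data
    restart: unless-stopped

  redis:
    image: docker.io/library/redis:alpine
    networks:
      - internal            # same treatment: the cache never needs the internet
    restart: unless-stopped

  server:
    image: ghcr.io/goauthentik/server:${AUTHENTIK_TAG:-2024.4.2}
    command: server
    networks:
      - external            # where the reverse proxy / published ports live
      - internal            # still reaches postgresql and redis by service name
    environment:
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    ports:
      - "9000:9000"
      - "9443:9443"
    depends_on:
      - postgresql
      - redis
    restart: unless-stopped

  worker:
    image: ghcr.io/goauthentik/server:${AUTHENTIK_TAG:-2024.4.2}
    command: worker
    networks:
      - external            # outbound needed for e-mail, outposts, etc.
      - internal
    environment:
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    depends_on:
      - postgresql
      - redis
    restart: unless-stopped

volumes:
  database:
    driver: local

networks:
  external:
    name: external
    driver: bridge
  internal:
    name: internal
    driver: bridge
    internal: true          # the one line that removes the default route out of this network
```

After `docker compose up -d`, `docker network inspect internal` should show `"Internal": true`, and an outbound connection attempted from inside the `postgresql` container (with whatever client the image has, e.g. `wget` or `nc`) should fail, while `server` still resolves and connects to `postgresql:5432`. Two caveats worth stating plainly: `internal: true` removes egress from the network, it does not prevent a compromised `server` or `worker` container from talking to Postgres, since they are legitimately on `internal` as well; and the fixed `subnet`/`gateway` blocks in the snippet above are optional, Docker will allocate them if they are omitted.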
@appiekap653 So basically, the best solution would be 2 networks? authentik-external on the worker and server, with authentik-internal all? I might be mistaken, but since Postgres runs on a network it would not be accessible via the VM IP, and it would be basically impossible to access it with the internal IP, so how could an attacker do anything?
You only need one other container on that network where an attacker can take over the container, and he can launch his attacks on the rest of the containers.
I use two networks, with one of them set to internal, just to be sure.
I read somewhere that Docker was automatically doing something to iptables for all containers in a bridge network, which made it insecure when not using internal=true.
I don't know the actual ins and outs, but you can never be sure enough when it comes to security.
Look at the custom network part: https://spin.atomicobject.com/defined-docker-networks/
Oh that's good to know. Thanks for sharing