Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Feature Request] dedicated secrets file #4353

Open
1 of 11 tasks
crabdancing opened this issue Jul 27, 2024 · 2 comments
Open
1 of 11 tasks

[Feature Request] dedicated secrets file #4353

crabdancing opened this issue Jul 27, 2024 · 2 comments
Labels
proposal todo

Comments

@crabdancing
Copy link

crabdancing commented Jul 27, 2024
edited
Loading

Describe the feature request

Rather than only having the option for auth.token = <value> (e.g. auth.token = "thisismysecret") in the config, it would be ideal to have the option to say auth.token_file = <path>. (e.g., auth.token_file = /var/lib/secrets/frp_token.) The token secrets can then be loaded from those files by frp during initialization.

Putting a secrets file in a dedicated location is a useful standard for segregating secrets in their own directory, thus reducing the likelihood of mistakes when configuring file system permissions & file scope. It also reduces the likelihood of leaks if, e.g., someone is committing their configuration into version control / git (such as is de facto necessary in some workflows, such as NixOS).

Describe alternatives you've considered

No response

Affected area

  • Docs
  • Installation
  • Performance and Scalability
  • Security
  • User Experience
  • Test and Release
  • Developer Infrastructure
  • Client Plugin
  • Server Plugin
  • Extensions
  • Others
@fatedier
Copy link
Owner

I think it's feasible. Are there any widely used projects that have adopted this approach that we can learn from?

@crabdancing
Copy link
Author

crabdancing commented Jul 29, 2024
edited
Loading

Absolutely!

People recommend configuring secret_file in GitLab.

Gitea/Forgeo also have a similar feature. You might perfer that one since it's written in the same language as frp. They use a URI, with a file being a specific URI protocol. Kinda weird, but it works, and has some interesting implications.

Another example that I have personal familiarity with is Authelia, which uses environment variables for configuring secrets and has *_FILE environment variables to load the secrets from a file instead of the environment variable directly.

I think that lego also uses an approach like that, although I'm not completely clear on the details there. (I maintain it with a Nix expression, so I can't remember ever configuring lego by hand.)

The environment variable approach seems entirely servicable, and it really doesn't make much difference from the perspective of automated configuration tools like NixOS, but I think having a direct configuration option like the former examples requires less thought on the part of the user. As opposed to environment variables, which might require e.g. knowing how to modify an environment variable in a systemd unit using a fragment file, or overriding the entire service shipped by a user's distro, etc.

@fatedier fatedier added the todo label Jul 29, 2024
@xufeiranfree xufeiranfree mentioned this issue Aug 17, 2024
Closed
@crabdancing crabdancing mentioned this issue Aug 29, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
proposal todo
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: Add auth.tokenFile support for file-based token authentication xufeiranfree/frp
2 participants
@fatedier @crabdancing