diff --git a/.env.example b/.env.example index 688782a..32f5d7f 100644 --- a/.env.example +++ b/.env.example @@ -1,5 +1,5 @@ -AUTH_GATE_PORT -AUTH_GATE_API_TOKEN -DATA_DIR -CLEANUP_INTERVAL -AUTH_GATE_DB_PATH \ No newline at end of file +AUTH_PROXY_PORT=8080 +AUTH_PROXY_API_TOKEN= +DATA_DIR=./data +CLEANUP_INTERVAL=60 +AUTH_PROXY_DB_PATH=./data/auth-proxy.db \ No newline at end of file diff --git a/.github/workflows/ci-cd.yml b/.github/workflows/ci-cd.yml index 9511905..bae471f 100644 --- a/.github/workflows/ci-cd.yml +++ b/.github/workflows/ci-cd.yml @@ -68,7 +68,7 @@ jobs: run: | docker buildx build \ --platform linux/amd64 \ - --tag "git.yejayekhoob.com/db123/auth-gate:${{ github.sha }}" \ - --tag "git.yejayekhoob.com/db123/auth-gate:latest" \ + --tag "git.yejayekhoob.com/db123/auth-proxy:${{ github.sha }}" \ + --tag "git.yejayekhoob.com/db123/auth-proxy:latest" \ --push \ . \ No newline at end of file diff --git a/Dockerfile b/Dockerfile index 81a297e..9e6613f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,38 +1,42 @@ -# Production-hardened Dockerfile for auth-gate +# Production-hardened Dockerfile for auth-proxy # # We use a multi-stage build to keep the final image small. # The build stage compiles the binary, and the runtime stage copies # only the binary and the required configuration. -FROM golang:1.21-alpine AS builder +FROM docker.iranserver.com/golang:1.21-alpine AS builder WORKDIR /app + +RUN /usr/local/go/bin/go env -w GOPROXY=https://go.iranserver.com/repository/go/ \ + && /usr/local/go/bin/go env -w GOSUMDB=off + COPY go.mod go.sum ./ RUN go mod download COPY . . -RUN CGO_ENABLED=0 GOOS=linux go build -o auth-gate . +RUN CGO_ENABLED=0 GOOS=linux go build -o auth-proxy . # Runtime stage -FROM alpine:3.19 +FROM docker.iranserver.com/alpine:3.23 WORKDIR /app # Create a non-root user (security best practice). -RUN addgroup -S auth-gate && adduser -S auth-gate -G auth-gate +RUN addgroup -S auth-proxy && adduser -S auth-proxy -G auth-proxy # Copy the binary from the builder stage. -COPY --from=builder /app/auth-gate . +COPY --from=builder /app/auth-proxy . # Create directories for config and data. RUN mkdir -p /config /data # Set ownership so the non-root user can write to /data but not /config. -RUN chown -R auth-gate:auth-gate /data && chown auth-gate:auth-gate /config +RUN chown -R auth-proxy:auth-proxy /data && chown auth-proxy:auth-proxy /config # Switch to the non-root user. -USER auth-gate +USER auth-proxy # Expose the HTTP port. EXPOSE 8080 # Start the service. -ENTRYPOINT ["/app/auth-gate"] +ENTRYPOINT ["/app/auth-proxy"] CMD [] \ No newline at end of file diff --git a/README.md b/README.md index 3b0510d..0c4390b 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ -# auth-gate +# auth-proxy -A lightweight Go auth gateway that sits in front of sensitive services (phpMyAdmin, Gitea, +A lightweight Go auth proxyway that sits in front of sensitive services (phpMyAdmin, Gitea, uptime kuma) and provides: - IP-based whitelisting (permanent and temporary via REST API with TTL, stored in SQLite) @@ -9,22 +9,22 @@ uptime kuma) and provides: ## Architecture ``` -Client ──NGINX auth_request──► auth-gate ──► allow / deny +Client ──NGINX auth_request──► auth-proxy ──► allow / deny ``` -NGINX calls auth-gate as an internal subrequest. On 200 the original request proceeds. +NGINX calls auth-proxy as an internal subrequest. On 200 the original request proceeds. On 401/403 NGINX returns the response to the client. Whitelisted IPs never see auth. ## Build ```bash -go build -o auth-gate . +go build -o auth-proxy . ``` ## Docker ```bash -docker build -t yejayekhoob/auth-gate:latest . +docker build -t yejayekhoob/auth-proxy:latest . ``` ## Quick start @@ -35,12 +35,12 @@ cp .env.example .env vim .env # Start -./auth-gate +./auth-proxy ``` ## API -The API requires a bearer token set via `AUTH_GATE_API_TOKEN`. All endpoints return `401 Unauthorized` if the token is missing or invalid. +The API requires a bearer token set via `AUTH_PROXY_API_TOKEN`. All endpoints return `401 Unauthorized` if the token is missing or invalid. | Method | Path | Description | |--------|------|-------------| diff --git a/config.go b/config.go index 6925214..3c9d60f 100644 --- a/config.go +++ b/config.go @@ -15,11 +15,11 @@ type Config struct { func loadConfig() Config { return Config{ - Port: getEnv("AUTH_GATE_PORT", "8080"), - APIToken: getEnv("AUTH_GATE_API_TOKEN", ""), + Port: getEnv("AUTH_PROXY_PORT", "8080"), + APIToken: getEnv("AUTH_PROXY_API_TOKEN", ""), DataDir: getEnv("DATA_DIR", "/data"), CleanupInterval: parseDuration("CLEANUP_INTERVAL", 60*time.Second), - DBPath: getEnv("AUTH_GATE_DB_PATH", "./data/auth-gate.db"), + DBPath: getEnv("AUTH_PROXY_DB_PATH", "./data/auth-proxy.db"), } } diff --git a/docker-compose.yml b/docker-compose.yml index e2f0fed..cb87214 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,21 +1,21 @@ -# Docker Compose example for auth-gate +# Docker Compose example for auth-proxy # # This file is a minimal example. Adjust the environment variables # and volumes to match your setup. services: - auth-gate: + auth-proxy: build: . - image: yejayekhoob/auth-gate:latest - container_name: auth-gate + image: yejayekhoob/auth-proxy:latest + container_name: auth-proxy restart: unless-stopped expose: - "8080" environment: - AUTH_GATE_PORT: "8080" - AUTH_GATE_API_TOKEN: "${AUTH_GATE_API_TOKEN:-CHANGE_ME}" - AUTH_GATE_BASIC_USER: "${AUTH_GATE_BASIC_USER:-admin}" - AUTH_GATE_BASIC_PASSWORD: "${AUTH_GATE_BASIC_PASSWORD:-CHANGE_ME}" + AUTH_PROXY_PORT: "8080" + AUTH_PROXY_API_TOKEN: "${AUTH_PROXY_API_TOKEN:-CHANGE_ME}" + AUTH_PROXY_BASIC_USER: "${AUTH_PROXY_BASIC_USER:-admin}" + AUTH_PROXY_BASIC_PASSWORD: "${AUTH_PROXY_BASIC_PASSWORD:-CHANGE_ME}" PERMANENT_WHITELIST_FILE: "/config/permanent_whitelist.txt" DATA_DIR: "/data" volumes: diff --git a/docs/api.md b/docs/api.md index 4035cc8..6604ab8 100644 --- a/docs/api.md +++ b/docs/api.md @@ -1,4 +1,4 @@ -# Auth-gate API Reference +# Auth-proxy API Reference ## Endpoints diff --git a/docs/deploy.md b/docs/deploy.md index 7e9b136..528c779 100644 --- a/docs/deploy.md +++ b/docs/deploy.md @@ -9,7 +9,7 @@ ## Build ```bash -docker build -t yejayekhoob/auth-gate:latest . +docker build -t yejayekhoob/auth-proxy:latest . ``` ## Run @@ -20,10 +20,10 @@ docker-compose up -d ## NGINX integration -### 1. Create the auth-gate include file +### 1. Create the auth-proxy include file ```nginx -# /etc/nginx/snippets/auth-gate.conf +# /etc/nginx/snippets/auth-proxy.conf # # This is the shared auth_request configuration. Include it in any # server block that needs authentication. @@ -33,10 +33,10 @@ docker-compose up -d # spoofed. If you need a CDN, configure the realip module instead # of trusting the header. -location = /_auth_gate { +location = /_auth_proxy { internal; - proxy_pass http://auth-gate:8080/auth; + proxy_pass http://auth-proxy:8080/auth; proxy_pass_request_body off; proxy_set_header Content-Length ""; @@ -54,7 +54,7 @@ server { listen 443 ssl; server_name phpmyadmin.yejayekhoob.com; - include /etc/nginx/snippets/auth-gate.conf; + include /etc/nginx/snippets/auth-proxy.conf; location / { proxy_pass http://phpmyadmin:80/; @@ -74,9 +74,9 @@ nginx -s reload | Variable | Description | Default | |----------|-------------|---------| -| AUTH_GATE_PORT | HTTP listen port | 8080 | -| AUTH_GATE_API_TOKEN | API bearer token | (none) | -| AUTH_GATE_DB_PATH | SQLite database path | ./data/auth-gate.db | +| AUTH_proxy_PORT | HTTP listen port | 8080 | +| AUTH_proxy_API_TOKEN | API bearer token | (none) | +| AUTH_proxy_DB_PATH | SQLite database path | ./data/auth-proxy.db | | DATA_DIR | Data directory | /data | | CLEANUP_INTERVAL | Cleanup interval | 60s | diff --git a/docs/design.md b/docs/design.md index f5766b9..3823c44 100644 --- a/docs/design.md +++ b/docs/design.md @@ -15,7 +15,7 @@ NGINX's auth_basic is simpler but doesn't support: - Temporary whitelisting (requires config reload). - API-based management. -Our auth-gate service fills these gaps while keeping the architecture simple. +Our auth-proxy service fills these gaps while keeping the architecture simple. ## Why not Authelia? diff --git a/docs/security.md b/docs/security.md index 17264b9..7cdfc2b 100644 --- a/docs/security.md +++ b/docs/security.md @@ -1,15 +1,15 @@ -# Auth-gate Security Model +# Auth-proxy Security Model ## Authentication flow 1. Client request arrives at NGINX. -2. NGINX sends an internal auth_request subrequest to auth-gate. -3. Auth-gate checks: +2. NGINX sends an internal auth_request subrequest to auth-proxy. +3. Auth-proxy checks: - Is the IP in the permanent whitelist? → Allow. - Is the IP in the temporary whitelist and not expired? → Allow. - Otherwise → 401 Unauthorized. -4. NGINX passes the request to the upstream service if auth-gate returned 200. -5. NGINX returns 401 to the client if auth-gate returned 401/403. +4. NGINX passes the request to the upstream service if auth-proxy returned 200. +5. NGINX returns 401 to the client if auth-proxy returned 401/403. ## IP handling @@ -70,7 +70,7 @@ This ensures Docker deployments can shut down cleanly. - We don't support metrics. If you need metrics, add them later. - We don't support health checks with Prometheus. The /status endpoint is a simple text response. - We don't support configuration via a config file. Use environment variables. -- We don't support multiple domains. The auth-gate service doesn't care about domains. -- We don't support HTTP/2. The auth-gate service uses HTTP/1.1 only. -- We don't support WebSocket. The auth-gate service doesn't need WebSocket. -- We don't support gRPC. The auth-gate service is a simple REST API. +- We don't support multiple domains. The auth-proxy service doesn't care about domains. +- We don't support HTTP/2. The auth-proxy service uses HTTP/1.1 only. +- We don't support WebSocket. The auth-proxy service doesn't need WebSocket. +- We don't support gRPC. The auth-proxy service is a simple REST API. diff --git a/openapi.yaml b/openapi.yaml index e98447b..4b0f5f2 100644 --- a/openapi.yaml +++ b/openapi.yaml @@ -1,11 +1,11 @@ openapi: "3.0.3" info: - title: Auth-gate API + title: Auth-proxy API description: Lightweight Go auth gateway for IP-based whitelisting with temporary entries and audit logging. version: "1.0.0" contact: - name: Auth-gate Project - url: https://github.com/your-org/auth-gate + name: Auth-proxy Project + url: https://github.com/db123/auth-proxy servers: - url: http://127.0.0.1:8080