feat: added mirrors for go and for golang image and change the name gate to proxy
This commit is contained in:
10
.env.example
10
.env.example
@@ -1,5 +1,5 @@
|
|||||||
AUTH_GATE_PORT
|
AUTH_PROXY_PORT=8080
|
||||||
AUTH_GATE_API_TOKEN
|
AUTH_PROXY_API_TOKEN=
|
||||||
DATA_DIR
|
DATA_DIR=./data
|
||||||
CLEANUP_INTERVAL
|
CLEANUP_INTERVAL=60
|
||||||
AUTH_GATE_DB_PATH
|
AUTH_PROXY_DB_PATH=./data/auth-proxy.db
|
||||||
4
.github/workflows/ci-cd.yml
vendored
4
.github/workflows/ci-cd.yml
vendored
@@ -68,7 +68,7 @@ jobs:
|
|||||||
run: |
|
run: |
|
||||||
docker buildx build \
|
docker buildx build \
|
||||||
--platform linux/amd64 \
|
--platform linux/amd64 \
|
||||||
--tag "git.yejayekhoob.com/db123/auth-gate:${{ github.sha }}" \
|
--tag "git.yejayekhoob.com/db123/auth-proxy:${{ github.sha }}" \
|
||||||
--tag "git.yejayekhoob.com/db123/auth-gate:latest" \
|
--tag "git.yejayekhoob.com/db123/auth-proxy:latest" \
|
||||||
--push \
|
--push \
|
||||||
.
|
.
|
||||||
22
Dockerfile
22
Dockerfile
@@ -1,38 +1,42 @@
|
|||||||
# Production-hardened Dockerfile for auth-gate
|
# Production-hardened Dockerfile for auth-proxy
|
||||||
#
|
#
|
||||||
# We use a multi-stage build to keep the final image small.
|
# We use a multi-stage build to keep the final image small.
|
||||||
# The build stage compiles the binary, and the runtime stage copies
|
# The build stage compiles the binary, and the runtime stage copies
|
||||||
# only the binary and the required configuration.
|
# only the binary and the required configuration.
|
||||||
|
|
||||||
FROM golang:1.21-alpine AS builder
|
FROM docker.iranserver.com/golang:1.21-alpine AS builder
|
||||||
WORKDIR /app
|
WORKDIR /app
|
||||||
|
|
||||||
|
RUN /usr/local/go/bin/go env -w GOPROXY=https://go.iranserver.com/repository/go/ \
|
||||||
|
&& /usr/local/go/bin/go env -w GOSUMDB=off
|
||||||
|
|
||||||
COPY go.mod go.sum ./
|
COPY go.mod go.sum ./
|
||||||
RUN go mod download
|
RUN go mod download
|
||||||
COPY . .
|
COPY . .
|
||||||
RUN CGO_ENABLED=0 GOOS=linux go build -o auth-gate .
|
RUN CGO_ENABLED=0 GOOS=linux go build -o auth-proxy .
|
||||||
|
|
||||||
# Runtime stage
|
# Runtime stage
|
||||||
FROM alpine:3.19
|
FROM docker.iranserver.com/alpine:3.23
|
||||||
WORKDIR /app
|
WORKDIR /app
|
||||||
|
|
||||||
# Create a non-root user (security best practice).
|
# Create a non-root user (security best practice).
|
||||||
RUN addgroup -S auth-gate && adduser -S auth-gate -G auth-gate
|
RUN addgroup -S auth-proxy && adduser -S auth-proxy -G auth-proxy
|
||||||
|
|
||||||
# Copy the binary from the builder stage.
|
# Copy the binary from the builder stage.
|
||||||
COPY --from=builder /app/auth-gate .
|
COPY --from=builder /app/auth-proxy .
|
||||||
|
|
||||||
# Create directories for config and data.
|
# Create directories for config and data.
|
||||||
RUN mkdir -p /config /data
|
RUN mkdir -p /config /data
|
||||||
|
|
||||||
# Set ownership so the non-root user can write to /data but not /config.
|
# Set ownership so the non-root user can write to /data but not /config.
|
||||||
RUN chown -R auth-gate:auth-gate /data && chown auth-gate:auth-gate /config
|
RUN chown -R auth-proxy:auth-proxy /data && chown auth-proxy:auth-proxy /config
|
||||||
|
|
||||||
# Switch to the non-root user.
|
# Switch to the non-root user.
|
||||||
USER auth-gate
|
USER auth-proxy
|
||||||
|
|
||||||
# Expose the HTTP port.
|
# Expose the HTTP port.
|
||||||
EXPOSE 8080
|
EXPOSE 8080
|
||||||
|
|
||||||
# Start the service.
|
# Start the service.
|
||||||
ENTRYPOINT ["/app/auth-gate"]
|
ENTRYPOINT ["/app/auth-proxy"]
|
||||||
CMD []
|
CMD []
|
||||||
16
README.md
16
README.md
@@ -1,6 +1,6 @@
|
|||||||
# auth-gate
|
# auth-proxy
|
||||||
|
|
||||||
A lightweight Go auth gateway that sits in front of sensitive services (phpMyAdmin, Gitea,
|
A lightweight Go auth proxyway that sits in front of sensitive services (phpMyAdmin, Gitea,
|
||||||
uptime kuma) and provides:
|
uptime kuma) and provides:
|
||||||
|
|
||||||
- IP-based whitelisting (permanent and temporary via REST API with TTL, stored in SQLite)
|
- IP-based whitelisting (permanent and temporary via REST API with TTL, stored in SQLite)
|
||||||
@@ -9,22 +9,22 @@ uptime kuma) and provides:
|
|||||||
## Architecture
|
## Architecture
|
||||||
|
|
||||||
```
|
```
|
||||||
Client ──NGINX auth_request──► auth-gate ──► allow / deny
|
Client ──NGINX auth_request──► auth-proxy ──► allow / deny
|
||||||
```
|
```
|
||||||
|
|
||||||
NGINX calls auth-gate as an internal subrequest. On 200 the original request proceeds.
|
NGINX calls auth-proxy as an internal subrequest. On 200 the original request proceeds.
|
||||||
On 401/403 NGINX returns the response to the client. Whitelisted IPs never see auth.
|
On 401/403 NGINX returns the response to the client. Whitelisted IPs never see auth.
|
||||||
|
|
||||||
## Build
|
## Build
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
go build -o auth-gate .
|
go build -o auth-proxy .
|
||||||
```
|
```
|
||||||
|
|
||||||
## Docker
|
## Docker
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
docker build -t yejayekhoob/auth-gate:latest .
|
docker build -t yejayekhoob/auth-proxy:latest .
|
||||||
```
|
```
|
||||||
|
|
||||||
## Quick start
|
## Quick start
|
||||||
@@ -35,12 +35,12 @@ cp .env.example .env
|
|||||||
vim .env
|
vim .env
|
||||||
|
|
||||||
# Start
|
# Start
|
||||||
./auth-gate
|
./auth-proxy
|
||||||
```
|
```
|
||||||
|
|
||||||
## API
|
## API
|
||||||
|
|
||||||
The API requires a bearer token set via `AUTH_GATE_API_TOKEN`. All endpoints return `401 Unauthorized` if the token is missing or invalid.
|
The API requires a bearer token set via `AUTH_PROXY_API_TOKEN`. All endpoints return `401 Unauthorized` if the token is missing or invalid.
|
||||||
|
|
||||||
| Method | Path | Description |
|
| Method | Path | Description |
|
||||||
|--------|------|-------------|
|
|--------|------|-------------|
|
||||||
|
|||||||
@@ -15,11 +15,11 @@ type Config struct {
|
|||||||
|
|
||||||
func loadConfig() Config {
|
func loadConfig() Config {
|
||||||
return Config{
|
return Config{
|
||||||
Port: getEnv("AUTH_GATE_PORT", "8080"),
|
Port: getEnv("AUTH_PROXY_PORT", "8080"),
|
||||||
APIToken: getEnv("AUTH_GATE_API_TOKEN", ""),
|
APIToken: getEnv("AUTH_PROXY_API_TOKEN", ""),
|
||||||
DataDir: getEnv("DATA_DIR", "/data"),
|
DataDir: getEnv("DATA_DIR", "/data"),
|
||||||
CleanupInterval: parseDuration("CLEANUP_INTERVAL", 60*time.Second),
|
CleanupInterval: parseDuration("CLEANUP_INTERVAL", 60*time.Second),
|
||||||
DBPath: getEnv("AUTH_GATE_DB_PATH", "./data/auth-gate.db"),
|
DBPath: getEnv("AUTH_PROXY_DB_PATH", "./data/auth-proxy.db"),
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -1,21 +1,21 @@
|
|||||||
# Docker Compose example for auth-gate
|
# Docker Compose example for auth-proxy
|
||||||
#
|
#
|
||||||
# This file is a minimal example. Adjust the environment variables
|
# This file is a minimal example. Adjust the environment variables
|
||||||
# and volumes to match your setup.
|
# and volumes to match your setup.
|
||||||
|
|
||||||
services:
|
services:
|
||||||
auth-gate:
|
auth-proxy:
|
||||||
build: .
|
build: .
|
||||||
image: yejayekhoob/auth-gate:latest
|
image: yejayekhoob/auth-proxy:latest
|
||||||
container_name: auth-gate
|
container_name: auth-proxy
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
expose:
|
expose:
|
||||||
- "8080"
|
- "8080"
|
||||||
environment:
|
environment:
|
||||||
AUTH_GATE_PORT: "8080"
|
AUTH_PROXY_PORT: "8080"
|
||||||
AUTH_GATE_API_TOKEN: "${AUTH_GATE_API_TOKEN:-CHANGE_ME}"
|
AUTH_PROXY_API_TOKEN: "${AUTH_PROXY_API_TOKEN:-CHANGE_ME}"
|
||||||
AUTH_GATE_BASIC_USER: "${AUTH_GATE_BASIC_USER:-admin}"
|
AUTH_PROXY_BASIC_USER: "${AUTH_PROXY_BASIC_USER:-admin}"
|
||||||
AUTH_GATE_BASIC_PASSWORD: "${AUTH_GATE_BASIC_PASSWORD:-CHANGE_ME}"
|
AUTH_PROXY_BASIC_PASSWORD: "${AUTH_PROXY_BASIC_PASSWORD:-CHANGE_ME}"
|
||||||
PERMANENT_WHITELIST_FILE: "/config/permanent_whitelist.txt"
|
PERMANENT_WHITELIST_FILE: "/config/permanent_whitelist.txt"
|
||||||
DATA_DIR: "/data"
|
DATA_DIR: "/data"
|
||||||
volumes:
|
volumes:
|
||||||
|
|||||||
@@ -1,4 +1,4 @@
|
|||||||
# Auth-gate API Reference
|
# Auth-proxy API Reference
|
||||||
|
|
||||||
## Endpoints
|
## Endpoints
|
||||||
|
|
||||||
|
|||||||
@@ -9,7 +9,7 @@
|
|||||||
## Build
|
## Build
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
docker build -t yejayekhoob/auth-gate:latest .
|
docker build -t yejayekhoob/auth-proxy:latest .
|
||||||
```
|
```
|
||||||
|
|
||||||
## Run
|
## Run
|
||||||
@@ -20,10 +20,10 @@ docker-compose up -d
|
|||||||
|
|
||||||
## NGINX integration
|
## NGINX integration
|
||||||
|
|
||||||
### 1. Create the auth-gate include file
|
### 1. Create the auth-proxy include file
|
||||||
|
|
||||||
```nginx
|
```nginx
|
||||||
# /etc/nginx/snippets/auth-gate.conf
|
# /etc/nginx/snippets/auth-proxy.conf
|
||||||
#
|
#
|
||||||
# This is the shared auth_request configuration. Include it in any
|
# This is the shared auth_request configuration. Include it in any
|
||||||
# server block that needs authentication.
|
# server block that needs authentication.
|
||||||
@@ -33,10 +33,10 @@ docker-compose up -d
|
|||||||
# spoofed. If you need a CDN, configure the realip module instead
|
# spoofed. If you need a CDN, configure the realip module instead
|
||||||
# of trusting the header.
|
# of trusting the header.
|
||||||
|
|
||||||
location = /_auth_gate {
|
location = /_auth_proxy {
|
||||||
internal;
|
internal;
|
||||||
|
|
||||||
proxy_pass http://auth-gate:8080/auth;
|
proxy_pass http://auth-proxy:8080/auth;
|
||||||
|
|
||||||
proxy_pass_request_body off;
|
proxy_pass_request_body off;
|
||||||
proxy_set_header Content-Length "";
|
proxy_set_header Content-Length "";
|
||||||
@@ -54,7 +54,7 @@ server {
|
|||||||
listen 443 ssl;
|
listen 443 ssl;
|
||||||
server_name phpmyadmin.yejayekhoob.com;
|
server_name phpmyadmin.yejayekhoob.com;
|
||||||
|
|
||||||
include /etc/nginx/snippets/auth-gate.conf;
|
include /etc/nginx/snippets/auth-proxy.conf;
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
proxy_pass http://phpmyadmin:80/;
|
proxy_pass http://phpmyadmin:80/;
|
||||||
@@ -74,9 +74,9 @@ nginx -s reload
|
|||||||
|
|
||||||
| Variable | Description | Default |
|
| Variable | Description | Default |
|
||||||
|----------|-------------|---------|
|
|----------|-------------|---------|
|
||||||
| AUTH_GATE_PORT | HTTP listen port | 8080 |
|
| AUTH_proxy_PORT | HTTP listen port | 8080 |
|
||||||
| AUTH_GATE_API_TOKEN | API bearer token | (none) |
|
| AUTH_proxy_API_TOKEN | API bearer token | (none) |
|
||||||
| AUTH_GATE_DB_PATH | SQLite database path | ./data/auth-gate.db |
|
| AUTH_proxy_DB_PATH | SQLite database path | ./data/auth-proxy.db |
|
||||||
| DATA_DIR | Data directory | /data |
|
| DATA_DIR | Data directory | /data |
|
||||||
| CLEANUP_INTERVAL | Cleanup interval | 60s |
|
| CLEANUP_INTERVAL | Cleanup interval | 60s |
|
||||||
|
|
||||||
|
|||||||
@@ -15,7 +15,7 @@ NGINX's auth_basic is simpler but doesn't support:
|
|||||||
- Temporary whitelisting (requires config reload).
|
- Temporary whitelisting (requires config reload).
|
||||||
- API-based management.
|
- API-based management.
|
||||||
|
|
||||||
Our auth-gate service fills these gaps while keeping the architecture simple.
|
Our auth-proxy service fills these gaps while keeping the architecture simple.
|
||||||
|
|
||||||
## Why not Authelia?
|
## Why not Authelia?
|
||||||
|
|
||||||
|
|||||||
@@ -1,15 +1,15 @@
|
|||||||
# Auth-gate Security Model
|
# Auth-proxy Security Model
|
||||||
|
|
||||||
## Authentication flow
|
## Authentication flow
|
||||||
|
|
||||||
1. Client request arrives at NGINX.
|
1. Client request arrives at NGINX.
|
||||||
2. NGINX sends an internal auth_request subrequest to auth-gate.
|
2. NGINX sends an internal auth_request subrequest to auth-proxy.
|
||||||
3. Auth-gate checks:
|
3. Auth-proxy checks:
|
||||||
- Is the IP in the permanent whitelist? → Allow.
|
- Is the IP in the permanent whitelist? → Allow.
|
||||||
- Is the IP in the temporary whitelist and not expired? → Allow.
|
- Is the IP in the temporary whitelist and not expired? → Allow.
|
||||||
- Otherwise → 401 Unauthorized.
|
- Otherwise → 401 Unauthorized.
|
||||||
4. NGINX passes the request to the upstream service if auth-gate returned 200.
|
4. NGINX passes the request to the upstream service if auth-proxy returned 200.
|
||||||
5. NGINX returns 401 to the client if auth-gate returned 401/403.
|
5. NGINX returns 401 to the client if auth-proxy returned 401/403.
|
||||||
|
|
||||||
## IP handling
|
## IP handling
|
||||||
|
|
||||||
@@ -70,7 +70,7 @@ This ensures Docker deployments can shut down cleanly.
|
|||||||
- We don't support metrics. If you need metrics, add them later.
|
- We don't support metrics. If you need metrics, add them later.
|
||||||
- We don't support health checks with Prometheus. The /status endpoint is a simple text response.
|
- We don't support health checks with Prometheus. The /status endpoint is a simple text response.
|
||||||
- We don't support configuration via a config file. Use environment variables.
|
- We don't support configuration via a config file. Use environment variables.
|
||||||
- We don't support multiple domains. The auth-gate service doesn't care about domains.
|
- We don't support multiple domains. The auth-proxy service doesn't care about domains.
|
||||||
- We don't support HTTP/2. The auth-gate service uses HTTP/1.1 only.
|
- We don't support HTTP/2. The auth-proxy service uses HTTP/1.1 only.
|
||||||
- We don't support WebSocket. The auth-gate service doesn't need WebSocket.
|
- We don't support WebSocket. The auth-proxy service doesn't need WebSocket.
|
||||||
- We don't support gRPC. The auth-gate service is a simple REST API.
|
- We don't support gRPC. The auth-proxy service is a simple REST API.
|
||||||
|
|||||||
@@ -1,11 +1,11 @@
|
|||||||
openapi: "3.0.3"
|
openapi: "3.0.3"
|
||||||
info:
|
info:
|
||||||
title: Auth-gate API
|
title: Auth-proxy API
|
||||||
description: Lightweight Go auth gateway for IP-based whitelisting with temporary entries and audit logging.
|
description: Lightweight Go auth gateway for IP-based whitelisting with temporary entries and audit logging.
|
||||||
version: "1.0.0"
|
version: "1.0.0"
|
||||||
contact:
|
contact:
|
||||||
name: Auth-gate Project
|
name: Auth-proxy Project
|
||||||
url: https://github.com/your-org/auth-gate
|
url: https://github.com/db123/auth-proxy
|
||||||
|
|
||||||
servers:
|
servers:
|
||||||
- url: http://127.0.0.1:8080
|
- url: http://127.0.0.1:8080
|
||||||
|
|||||||
Reference in New Issue
Block a user