feat: added mirrors for go and for golang image and change the name gate to proxy

This commit is contained in:
db123-test
2026-05-04 10:49:44 +03:30
parent b094c78318
commit 7a2bd72311
11 changed files with 62 additions and 58 deletions

View File

@@ -1,5 +1,5 @@
AUTH_GATE_PORT AUTH_PROXY_PORT=8080
AUTH_GATE_API_TOKEN AUTH_PROXY_API_TOKEN=
DATA_DIR DATA_DIR=./data
CLEANUP_INTERVAL CLEANUP_INTERVAL=60
AUTH_GATE_DB_PATH AUTH_PROXY_DB_PATH=./data/auth-proxy.db

View File

@@ -68,7 +68,7 @@ jobs:
run: | run: |
docker buildx build \ docker buildx build \
--platform linux/amd64 \ --platform linux/amd64 \
--tag "git.yejayekhoob.com/db123/auth-gate:${{ github.sha }}" \ --tag "git.yejayekhoob.com/db123/auth-proxy:${{ github.sha }}" \
--tag "git.yejayekhoob.com/db123/auth-gate:latest" \ --tag "git.yejayekhoob.com/db123/auth-proxy:latest" \
--push \ --push \
. .

View File

@@ -1,38 +1,42 @@
# Production-hardened Dockerfile for auth-gate # Production-hardened Dockerfile for auth-proxy
# #
# We use a multi-stage build to keep the final image small. # We use a multi-stage build to keep the final image small.
# The build stage compiles the binary, and the runtime stage copies # The build stage compiles the binary, and the runtime stage copies
# only the binary and the required configuration. # only the binary and the required configuration.
FROM golang:1.21-alpine AS builder FROM docker.iranserver.com/golang:1.21-alpine AS builder
WORKDIR /app WORKDIR /app
RUN /usr/local/go/bin/go env -w GOPROXY=https://go.iranserver.com/repository/go/ \
&& /usr/local/go/bin/go env -w GOSUMDB=off
COPY go.mod go.sum ./ COPY go.mod go.sum ./
RUN go mod download RUN go mod download
COPY . . COPY . .
RUN CGO_ENABLED=0 GOOS=linux go build -o auth-gate . RUN CGO_ENABLED=0 GOOS=linux go build -o auth-proxy .
# Runtime stage # Runtime stage
FROM alpine:3.19 FROM docker.iranserver.com/alpine:3.23
WORKDIR /app WORKDIR /app
# Create a non-root user (security best practice). # Create a non-root user (security best practice).
RUN addgroup -S auth-gate && adduser -S auth-gate -G auth-gate RUN addgroup -S auth-proxy && adduser -S auth-proxy -G auth-proxy
# Copy the binary from the builder stage. # Copy the binary from the builder stage.
COPY --from=builder /app/auth-gate . COPY --from=builder /app/auth-proxy .
# Create directories for config and data. # Create directories for config and data.
RUN mkdir -p /config /data RUN mkdir -p /config /data
# Set ownership so the non-root user can write to /data but not /config. # Set ownership so the non-root user can write to /data but not /config.
RUN chown -R auth-gate:auth-gate /data && chown auth-gate:auth-gate /config RUN chown -R auth-proxy:auth-proxy /data && chown auth-proxy:auth-proxy /config
# Switch to the non-root user. # Switch to the non-root user.
USER auth-gate USER auth-proxy
# Expose the HTTP port. # Expose the HTTP port.
EXPOSE 8080 EXPOSE 8080
# Start the service. # Start the service.
ENTRYPOINT ["/app/auth-gate"] ENTRYPOINT ["/app/auth-proxy"]
CMD [] CMD []

View File

@@ -1,6 +1,6 @@
# auth-gate # auth-proxy
A lightweight Go auth gateway that sits in front of sensitive services (phpMyAdmin, Gitea, A lightweight Go auth proxyway that sits in front of sensitive services (phpMyAdmin, Gitea,
uptime kuma) and provides: uptime kuma) and provides:
- IP-based whitelisting (permanent and temporary via REST API with TTL, stored in SQLite) - IP-based whitelisting (permanent and temporary via REST API with TTL, stored in SQLite)
@@ -9,22 +9,22 @@ uptime kuma) and provides:
## Architecture ## Architecture
``` ```
Client ──NGINX auth_request──► auth-gate ──► allow / deny Client ──NGINX auth_request──► auth-proxy ──► allow / deny
``` ```
NGINX calls auth-gate as an internal subrequest. On 200 the original request proceeds. NGINX calls auth-proxy as an internal subrequest. On 200 the original request proceeds.
On 401/403 NGINX returns the response to the client. Whitelisted IPs never see auth. On 401/403 NGINX returns the response to the client. Whitelisted IPs never see auth.
## Build ## Build
```bash ```bash
go build -o auth-gate . go build -o auth-proxy .
``` ```
## Docker ## Docker
```bash ```bash
docker build -t yejayekhoob/auth-gate:latest . docker build -t yejayekhoob/auth-proxy:latest .
``` ```
## Quick start ## Quick start
@@ -35,12 +35,12 @@ cp .env.example .env
vim .env vim .env
# Start # Start
./auth-gate ./auth-proxy
``` ```
## API ## API
The API requires a bearer token set via `AUTH_GATE_API_TOKEN`. All endpoints return `401 Unauthorized` if the token is missing or invalid. The API requires a bearer token set via `AUTH_PROXY_API_TOKEN`. All endpoints return `401 Unauthorized` if the token is missing or invalid.
| Method | Path | Description | | Method | Path | Description |
|--------|------|-------------| |--------|------|-------------|

View File

@@ -15,11 +15,11 @@ type Config struct {
func loadConfig() Config { func loadConfig() Config {
return Config{ return Config{
Port: getEnv("AUTH_GATE_PORT", "8080"), Port: getEnv("AUTH_PROXY_PORT", "8080"),
APIToken: getEnv("AUTH_GATE_API_TOKEN", ""), APIToken: getEnv("AUTH_PROXY_API_TOKEN", ""),
DataDir: getEnv("DATA_DIR", "/data"), DataDir: getEnv("DATA_DIR", "/data"),
CleanupInterval: parseDuration("CLEANUP_INTERVAL", 60*time.Second), CleanupInterval: parseDuration("CLEANUP_INTERVAL", 60*time.Second),
DBPath: getEnv("AUTH_GATE_DB_PATH", "./data/auth-gate.db"), DBPath: getEnv("AUTH_PROXY_DB_PATH", "./data/auth-proxy.db"),
} }
} }

View File

@@ -1,21 +1,21 @@
# Docker Compose example for auth-gate # Docker Compose example for auth-proxy
# #
# This file is a minimal example. Adjust the environment variables # This file is a minimal example. Adjust the environment variables
# and volumes to match your setup. # and volumes to match your setup.
services: services:
auth-gate: auth-proxy:
build: . build: .
image: yejayekhoob/auth-gate:latest image: yejayekhoob/auth-proxy:latest
container_name: auth-gate container_name: auth-proxy
restart: unless-stopped restart: unless-stopped
expose: expose:
- "8080" - "8080"
environment: environment:
AUTH_GATE_PORT: "8080" AUTH_PROXY_PORT: "8080"
AUTH_GATE_API_TOKEN: "${AUTH_GATE_API_TOKEN:-CHANGE_ME}" AUTH_PROXY_API_TOKEN: "${AUTH_PROXY_API_TOKEN:-CHANGE_ME}"
AUTH_GATE_BASIC_USER: "${AUTH_GATE_BASIC_USER:-admin}" AUTH_PROXY_BASIC_USER: "${AUTH_PROXY_BASIC_USER:-admin}"
AUTH_GATE_BASIC_PASSWORD: "${AUTH_GATE_BASIC_PASSWORD:-CHANGE_ME}" AUTH_PROXY_BASIC_PASSWORD: "${AUTH_PROXY_BASIC_PASSWORD:-CHANGE_ME}"
PERMANENT_WHITELIST_FILE: "/config/permanent_whitelist.txt" PERMANENT_WHITELIST_FILE: "/config/permanent_whitelist.txt"
DATA_DIR: "/data" DATA_DIR: "/data"
volumes: volumes:

View File

@@ -1,4 +1,4 @@
# Auth-gate API Reference # Auth-proxy API Reference
## Endpoints ## Endpoints

View File

@@ -9,7 +9,7 @@
## Build ## Build
```bash ```bash
docker build -t yejayekhoob/auth-gate:latest . docker build -t yejayekhoob/auth-proxy:latest .
``` ```
## Run ## Run
@@ -20,10 +20,10 @@ docker-compose up -d
## NGINX integration ## NGINX integration
### 1. Create the auth-gate include file ### 1. Create the auth-proxy include file
```nginx ```nginx
# /etc/nginx/snippets/auth-gate.conf # /etc/nginx/snippets/auth-proxy.conf
# #
# This is the shared auth_request configuration. Include it in any # This is the shared auth_request configuration. Include it in any
# server block that needs authentication. # server block that needs authentication.
@@ -33,10 +33,10 @@ docker-compose up -d
# spoofed. If you need a CDN, configure the realip module instead # spoofed. If you need a CDN, configure the realip module instead
# of trusting the header. # of trusting the header.
location = /_auth_gate { location = /_auth_proxy {
internal; internal;
proxy_pass http://auth-gate:8080/auth; proxy_pass http://auth-proxy:8080/auth;
proxy_pass_request_body off; proxy_pass_request_body off;
proxy_set_header Content-Length ""; proxy_set_header Content-Length "";
@@ -54,7 +54,7 @@ server {
listen 443 ssl; listen 443 ssl;
server_name phpmyadmin.yejayekhoob.com; server_name phpmyadmin.yejayekhoob.com;
include /etc/nginx/snippets/auth-gate.conf; include /etc/nginx/snippets/auth-proxy.conf;
location / { location / {
proxy_pass http://phpmyadmin:80/; proxy_pass http://phpmyadmin:80/;
@@ -74,9 +74,9 @@ nginx -s reload
| Variable | Description | Default | | Variable | Description | Default |
|----------|-------------|---------| |----------|-------------|---------|
| AUTH_GATE_PORT | HTTP listen port | 8080 | | AUTH_proxy_PORT | HTTP listen port | 8080 |
| AUTH_GATE_API_TOKEN | API bearer token | (none) | | AUTH_proxy_API_TOKEN | API bearer token | (none) |
| AUTH_GATE_DB_PATH | SQLite database path | ./data/auth-gate.db | | AUTH_proxy_DB_PATH | SQLite database path | ./data/auth-proxy.db |
| DATA_DIR | Data directory | /data | | DATA_DIR | Data directory | /data |
| CLEANUP_INTERVAL | Cleanup interval | 60s | | CLEANUP_INTERVAL | Cleanup interval | 60s |

View File

@@ -15,7 +15,7 @@ NGINX's auth_basic is simpler but doesn't support:
- Temporary whitelisting (requires config reload). - Temporary whitelisting (requires config reload).
- API-based management. - API-based management.
Our auth-gate service fills these gaps while keeping the architecture simple. Our auth-proxy service fills these gaps while keeping the architecture simple.
## Why not Authelia? ## Why not Authelia?

View File

@@ -1,15 +1,15 @@
# Auth-gate Security Model # Auth-proxy Security Model
## Authentication flow ## Authentication flow
1. Client request arrives at NGINX. 1. Client request arrives at NGINX.
2. NGINX sends an internal auth_request subrequest to auth-gate. 2. NGINX sends an internal auth_request subrequest to auth-proxy.
3. Auth-gate checks: 3. Auth-proxy checks:
- Is the IP in the permanent whitelist? → Allow. - Is the IP in the permanent whitelist? → Allow.
- Is the IP in the temporary whitelist and not expired? → Allow. - Is the IP in the temporary whitelist and not expired? → Allow.
- Otherwise → 401 Unauthorized. - Otherwise → 401 Unauthorized.
4. NGINX passes the request to the upstream service if auth-gate returned 200. 4. NGINX passes the request to the upstream service if auth-proxy returned 200.
5. NGINX returns 401 to the client if auth-gate returned 401/403. 5. NGINX returns 401 to the client if auth-proxy returned 401/403.
## IP handling ## IP handling
@@ -70,7 +70,7 @@ This ensures Docker deployments can shut down cleanly.
- We don't support metrics. If you need metrics, add them later. - We don't support metrics. If you need metrics, add them later.
- We don't support health checks with Prometheus. The /status endpoint is a simple text response. - We don't support health checks with Prometheus. The /status endpoint is a simple text response.
- We don't support configuration via a config file. Use environment variables. - We don't support configuration via a config file. Use environment variables.
- We don't support multiple domains. The auth-gate service doesn't care about domains. - We don't support multiple domains. The auth-proxy service doesn't care about domains.
- We don't support HTTP/2. The auth-gate service uses HTTP/1.1 only. - We don't support HTTP/2. The auth-proxy service uses HTTP/1.1 only.
- We don't support WebSocket. The auth-gate service doesn't need WebSocket. - We don't support WebSocket. The auth-proxy service doesn't need WebSocket.
- We don't support gRPC. The auth-gate service is a simple REST API. - We don't support gRPC. The auth-proxy service is a simple REST API.

View File

@@ -1,11 +1,11 @@
openapi: "3.0.3" openapi: "3.0.3"
info: info:
title: Auth-gate API title: Auth-proxy API
description: Lightweight Go auth gateway for IP-based whitelisting with temporary entries and audit logging. description: Lightweight Go auth gateway for IP-based whitelisting with temporary entries and audit logging.
version: "1.0.0" version: "1.0.0"
contact: contact:
name: Auth-gate Project name: Auth-proxy Project
url: https://github.com/your-org/auth-gate url: https://github.com/db123/auth-proxy
servers: servers:
- url: http://127.0.0.1:8080 - url: http://127.0.0.1:8080