# auth-gate A lightweight Go auth gateway that sits in front of sensitive services (phpMyAdmin, Gitea, uptime kuma) and provides: - IP-based whitelisting (permanent and temporary via REST API with TTL, stored in SQLite) - No domain changes — NGINX continues to proxy to the same `server_name` ## Architecture ``` Client ──NGINX auth_request──► auth-gate ──► allow / deny ``` NGINX calls auth-gate as an internal subrequest. On 200 the original request proceeds. On 401/403 NGINX returns the response to the client. Whitelisted IPs never see auth. ## Build ```bash go build -o auth-gate . ``` ## Docker ```bash docker build -t yejayekhoob/auth-gate:latest . ``` ## Quick start ```bash # Set required env vars (see .env.example) cp .env.example .env vim .env # Start ./auth-gate ``` ## API The API requires a bearer token set via `AUTH_GATE_API_TOKEN`. All endpoints return `401 Unauthorized` if the token is missing or invalid. | Method | Path | Description | |--------|------|-------------| | POST | `/api/whitelist/temp` | Add a temporary whitelisted IP | | GET | `/api/whitelist/temp/list` | List active temporary entries | | DELETE | `/api/whitelist/temp/{ip}` | Remove a temporary entry | | POST | `/api/whitelist/perm` | Add a permanent whitelisted IP/CIDR | | DELETE | `/api/whitelist/perm/{entry}` | Remove a permanent entry | | GET | `/api/logs` | Retrieve audit log entries | | GET | `/status` | Health check | See `docs/api.md` for full API reference. ## NGINX integration See `docs/deploy.md` for the full NGINX `auth_request` configuration. ## Documentation - `README.md` — this file - `docs/api.md` — API reference - `docs/security.md` — security model and notes - `docs/deploy.md` — deployment instructions - `docs/design.md` — design rationale