- Migrate IP-based temporary whitelisting from file to SQLite storage - Add REST API endpoints for managing temporary and permanent whitelists - Create `.env.example` with required environment variables - Document API endpoints in README.md and docs/api.md - Add new dependency `modernc.org/sqlite` for SQLite support - Update deployment and security documentation
100 lines
2.1 KiB
Markdown
100 lines
2.1 KiB
Markdown
# Deployment Instructions
|
|
|
|
## Prerequisites
|
|
|
|
- Docker (v19+)
|
|
- Docker Compose (v2+)
|
|
- NGINX (with auth_request module)
|
|
|
|
## Build
|
|
|
|
```bash
|
|
docker build -t yejayekhoob/auth-gate:latest .
|
|
```
|
|
|
|
## Run
|
|
|
|
```bash
|
|
docker-compose up -d
|
|
```
|
|
|
|
## NGINX integration
|
|
|
|
### 1. Create the auth-gate include file
|
|
|
|
```nginx
|
|
# /etc/nginx/snippets/auth-gate.conf
|
|
#
|
|
# This is the shared auth_request configuration. Include it in any
|
|
# server block that needs authentication.
|
|
#
|
|
# Important: we use X-Real-IP (set by NGINX) rather than
|
|
# X-Forwarded-For. X-Forwarded-For is client-controlled and can be
|
|
# spoofed. If you need a CDN, configure the realip module instead
|
|
# of trusting the header.
|
|
|
|
location = /_auth_gate {
|
|
internal;
|
|
|
|
proxy_pass http://auth-gate:8080/auth;
|
|
|
|
proxy_pass_request_body off;
|
|
proxy_set_header Content-Length "";
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Original-Host $host;
|
|
proxy_set_header X-Original-URI $request_uri;
|
|
proxy_set_header Authorization $http_authorization;
|
|
}
|
|
```
|
|
|
|
### 2. Apply the include to sensitive server blocks
|
|
|
|
```nginx
|
|
server {
|
|
listen 443 ssl;
|
|
server_name phpmyadmin.yejayekhoob.com;
|
|
|
|
include /etc/nginx/snippets/auth-gate.conf;
|
|
|
|
location / {
|
|
proxy_pass http://phpmyadmin:80/;
|
|
# ... other proxy settings ...
|
|
}
|
|
}
|
|
```
|
|
|
|
### 3. Test and reload
|
|
|
|
```bash
|
|
nginx -t
|
|
nginx -s reload
|
|
```
|
|
|
|
## Environment variables
|
|
|
|
| Variable | Description | Default |
|
|
|----------|-------------|---------|
|
|
| AUTH_GATE_PORT | HTTP listen port | 8080 |
|
|
| AUTH_GATE_API_TOKEN | API bearer token | (none) |
|
|
| AUTH_GATE_DB_PATH | SQLite database path | ./data/auth-gate.db |
|
|
| DATA_DIR | Data directory | /data |
|
|
| CLEANUP_INTERVAL | Cleanup interval | 60s |
|
|
|
|
## Graceful shutdown
|
|
|
|
```bash
|
|
docker-compose down
|
|
```
|
|
|
|
The service waits up to 30 seconds for in-flight requests to complete.
|
|
|
|
## Hardened deployment
|
|
|
|
For production, use the Dockerfile from this repository. It:
|
|
|
|
- Builds the binary in a separate stage (smaller image).
|
|
- Runs the service as a non-root user.
|
|
- Drops all Linux capabilities.
|
|
- Sets the no-new-privileges flag.
|
|
- Mounts /tmp as tmpfs (no persistence).
|