db123-test 72be744484 fix(ci-cd): remove 'v' prefix from golangci-lint version
The install.sh script expects plain version numbers without the 'v' prefix, so using 'v1.64.8' causes the version string to be interpreted incorrectly. Updated the version format to match the expected format '1.64.8'.
2026-05-04 09:38:05 +03:30

auth-gate

A lightweight Go auth gateway that sits in front of sensitive services (phpMyAdmin, Gitea, uptime kuma) and provides:

  • IP-based whitelisting (permanent and temporary via REST API with TTL, stored in SQLite)
  • No domain changes — NGINX continues to proxy to the same server_name

Architecture

Client ──NGINX auth_request──► auth-gate ──► allow / deny

NGINX calls auth-gate as an internal subrequest. On 200 the original request proceeds. On 401/403 NGINX returns the response to the client. Whitelisted IPs never see auth.

Build

go build -o auth-gate .

Docker

docker build -t yejayekhoob/auth-gate:latest .

Quick start

# Set required env vars (see .env.example)
cp .env.example .env
vim .env

# Start
./auth-gate

API

The API requires a bearer token set via AUTH_GATE_API_TOKEN. All endpoints return 401 Unauthorized if the token is missing or invalid.

Method Path Description
POST /api/whitelist/temp Add a temporary whitelisted IP
GET /api/whitelist/temp/list List active temporary entries
DELETE /api/whitelist/temp/{ip} Remove a temporary entry
POST /api/whitelist/perm Add a permanent whitelisted IP/CIDR
DELETE /api/whitelist/perm/{entry} Remove a permanent entry
GET /api/logs Retrieve audit log entries
GET /status Health check

See docs/api.md for full API reference.

NGINX integration

See docs/deploy.md for the full NGINX auth_request configuration.

Documentation

  • README.md — this file
  • docs/api.md — API reference
  • docs/security.md — security model and notes
  • docs/deploy.md — deployment instructions
  • docs/design.md — design rationale
Description
No description provided
Readme 119 KiB
Languages
Go 95.8%
Dockerfile 4.2%