db123-test 73748a9d09 chore(ci-cd): remove redundant Go setup step
Remove the explicit Go installation step in the CI pipeline since Go is already available in the container. The Go proxy mirror configuration remains in place to maintain dependency resolution behavior.
2026-05-04 09:57:21 +03:30

auth-gate

A lightweight Go auth gateway that sits in front of sensitive services (phpMyAdmin, Gitea, uptime kuma) and provides:

  • IP-based whitelisting (permanent and temporary via REST API with TTL, stored in SQLite)
  • No domain changes — NGINX continues to proxy to the same server_name

Architecture

Client ──NGINX auth_request──► auth-gate ──► allow / deny

NGINX calls auth-gate as an internal subrequest. On 200 the original request proceeds. On 401/403 NGINX returns the response to the client. Whitelisted IPs never see auth.

Build

go build -o auth-gate .

Docker

docker build -t yejayekhoob/auth-gate:latest .

Quick start

# Set required env vars (see .env.example)
cp .env.example .env
vim .env

# Start
./auth-gate

API

The API requires a bearer token set via AUTH_GATE_API_TOKEN. All endpoints return 401 Unauthorized if the token is missing or invalid.

Method Path Description
POST /api/whitelist/temp Add a temporary whitelisted IP
GET /api/whitelist/temp/list List active temporary entries
DELETE /api/whitelist/temp/{ip} Remove a temporary entry
POST /api/whitelist/perm Add a permanent whitelisted IP/CIDR
DELETE /api/whitelist/perm/{entry} Remove a permanent entry
GET /api/logs Retrieve audit log entries
GET /status Health check

See docs/api.md for full API reference.

NGINX integration

See docs/deploy.md for the full NGINX auth_request configuration.

Documentation

  • README.md — this file
  • docs/api.md — API reference
  • docs/security.md — security model and notes
  • docs/deploy.md — deployment instructions
  • docs/design.md — design rationale
Description
No description provided
Readme 119 KiB
Languages
Go 95.8%
Dockerfile 4.2%