db123-test e29fd6d420 refactor: rename GITEA secrets and variables to G_ prefix
Rename GITEA_CLONE_URL to G_CLONE_URL in all checkout steps
and update GITEA_TOKEN and GITEA_USERNAME to G_TOKEN and
G_USERNAME for Docker registry authentication. This standardizes
secret naming across the CI/CD pipeline.
2026-05-04 09:24:53 +03:30

auth-gate

A lightweight Go auth gateway that sits in front of sensitive services (phpMyAdmin, Gitea, uptime kuma) and provides:

  • IP-based whitelisting (permanent and temporary via REST API with TTL, stored in SQLite)
  • No domain changes — NGINX continues to proxy to the same server_name

Architecture

Client ──NGINX auth_request──► auth-gate ──► allow / deny

NGINX calls auth-gate as an internal subrequest. On 200 the original request proceeds. On 401/403 NGINX returns the response to the client. Whitelisted IPs never see auth.

Build

go build -o auth-gate .

Docker

docker build -t yejayekhoob/auth-gate:latest .

Quick start

# Set required env vars (see .env.example)
cp .env.example .env
vim .env

# Start
./auth-gate

API

The API requires a bearer token set via AUTH_GATE_API_TOKEN. All endpoints return 401 Unauthorized if the token is missing or invalid.

Method Path Description
POST /api/whitelist/temp Add a temporary whitelisted IP
GET /api/whitelist/temp/list List active temporary entries
DELETE /api/whitelist/temp/{ip} Remove a temporary entry
POST /api/whitelist/perm Add a permanent whitelisted IP/CIDR
DELETE /api/whitelist/perm/{entry} Remove a permanent entry
GET /api/logs Retrieve audit log entries
GET /status Health check

See docs/api.md for full API reference.

NGINX integration

See docs/deploy.md for the full NGINX auth_request configuration.

Documentation

  • README.md — this file
  • docs/api.md — API reference
  • docs/security.md — security model and notes
  • docs/deploy.md — deployment instructions
  • docs/design.md — design rationale
Description
No description provided
Readme 119 KiB
Languages
Go 95.8%
Dockerfile 4.2%