{"id":19299941,"url":"https://github.com/cloudogu/carp","last_synced_at":"2026-02-18T11:18:57.554Z","repository":{"id":47239160,"uuid":"126364156","full_name":"cloudogu/carp","owner":"cloudogu","description":"CARP - CAS Authentication Reverse Proxy","archived":false,"fork":false,"pushed_at":"2025-08-22T12:48:21.000Z","size":159,"stargazers_count":2,"open_issues_count":1,"forks_count":1,"subscribers_count":11,"default_branch":"develop","last_synced_at":"2026-02-13T04:35:29.906Z","etag":null,"topics":["authentication","cas","reverse-proxy","sso"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cloudogu.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2018-03-22T16:27:59.000Z","updated_at":"2024-09-18T08:12:17.000Z","dependencies_parsed_at":"2024-08-02T14:58:29.933Z","dependency_job_id":"69279ac6-d9c4-4dee-90db-ce10848769a1","html_url":"https://github.com/cloudogu/carp","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/cloudogu/carp","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudogu%2Fcarp","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudogu%2Fcarp/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudogu%2Fcarp/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudogu%2Fcarp/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/clo
udogu","download_url":"https://codeload.github.com/cloudogu/carp/tar.gz/refs/heads/develop","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudogu%2Fcarp/sbom","scorecard":{"id":293137,"data":{"date":"2025-08-11","repo":{"name":"github.com/cloudogu/carp","commit":"2f935def450f85092623f169d600f11374ad247f"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3,"checks":[{"name":"Code-Review","score":2,"reason":"Found 5/17 approved changesets -- score normalized to 2","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Pinned-Dependencies","score":-1,"reason":"no dependencies 
found","details":null,"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses 
fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: GNU Affero General Public License v3.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'develop'","Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Vulnerabilities","score":8,"reason":"2 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GO-2025-3372 / GHSA-6wxm-mpqj-6jpf","Warn: Project is vulnerable to: GO-2022-0493 / GHSA-p782-xgp4-8hr8"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 18 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code 
analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-17T18:48:27.924Z","repository_id":47239160,"created_at":"2025-08-17T18:48:27.925Z","updated_at":"2025-08-17T18:48:27.925Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29577162,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-18T08:38:15.585Z","status":"ssl_error","status_checked_at":"2026-02-18T08:38:14.917Z","response_time":162,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","cas","reverse-proxy","sso"],"created_at":"2024-11-09T23:13:13.875Z","updated_at":"2026-02-18T11:18:52.545Z","avatar_url":"https://github.com/cloudogu.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# CARP\n\nCARP is a \"CAS Authentication Reverse Proxy\" framework.\n\n## Usage\n\nConfigure your environment:\n\n```yaml\nbase-url: https://192.168.56.2\ncas-url: https://192.168.56.2/cas\nservice-url: http://192.168.56.1:9090\ntarget-url: http://localhost:8070\nskip-ssl-verification: true\nport: 9090\nprincipal-header: X-CARP-Authentication\n```\n\nIf you want to redirect logout request, this can be configured with the keys `logout-method`,\nspecifying a http method (`GET`, `POST`, `DELETE`, ...) and/or `logout-path` specifying the\nsuffix of the logout path. 
Example:\n\n```yaml\nlogout-method: DELETE\nlogout-path: /rapture/session\n```\n\nIf you want resources to be available anonymously (i.e. without authentication) in your application,\nyou can configure what your resource paths look like with the `resource-path` option:\n\n```yaml\nresource-path: /nexus/repository\n```\n\n### Bypassing CAS-Authentication\nSometimes it is useful to bypass CAS authentication, for instance for requests from service-account users, which exist only in the dogu and not in CAS/LDAP.\nThis prevents request throttling in CAS for requests that only have dogu-internal authentication.\nSince CAS also throttles unsuccessful requests, a limiter can be used in CARP as well.\n\nThe following config can be used for this:\n\n```yaml\n# a regex that matches the username of the basic-auth user whose requests should bypass CAS authentication\nservice-account-name-regex: \"^service_account_([A-Za-z0-9]+)_([A-Za-z0-9]+)$\"\n# the limiter throttles unsuccessful requests using the token-bucket algorithm (see https://en.wikipedia.org/wiki/Token_bucket)\n# the rate at which tokens are refilled, here: 10/s\nlimiter-token-rate: 10\n# the initial and maximum size of the bucket containing the tokens\nlimiter-burst-size: 150\n# the interval at which stale or expired clients are removed from the throttling list\nlimiter-clean-interval: 300\n```\n\n\n## Start the server:\n\n```go\npackage main\n\nfunc main() {\n  flag.Parse()\n\n  configuration, err := InitializeAndReadConfiguration()\n  if err != nil {\n    panic(err)\n  }\n\n  log.Infof(\"start carp %s\", Version)\n\n  server, err := NewServer(configuration)\n  if err != nil {\n    panic(err)\n  }\n\n  server.ListenAndServe()\n}\n```\n\n## Structure\n\nCARP consists of four HTTP handlers which are wrapped around each other.\nThey are called in the following order:\n\n### 1. 
Dogu-Rest-Handler\nThe Dogu-Rest-Handler is the first / outermost handler to be called.\nIt checks whether the incoming request is a non-browser request and whether it carries basic authentication with a username that matches a configured regular expression.\nWhen the expression matches, the request is marked as \"Service-Account-Authentication\", which can then be used by other handlers, e.g. to bypass CAS authentication.\nThe Dogu-Rest-Handler wraps the Throttling-Handler and calls it afterwards.\n\n### 2. Throttling-Handler\nThe Throttling-Handler checks whether the incoming request is marked as \"Service-Account-Authentication\" and, if so, throttles it when needed.\nThrottling is based on the remote IP address and the username and uses the [token-bucket-algorithm](https://pkg.go.dev/golang.org/x/time/rate#Limiter) for unsuccessful\nrequests (HTTP status code 4xx). When too many unsuccessful requests are performed, the Throttling-Handler stops forwarding requests and returns an HTTP error (HTTP status code 429).\nThe Throttling-Handler wraps the CAS-Handler and calls it afterwards.\n\n### 3. CAS-Handler\nThe CAS-Handler checks whether the incoming request is marked as \"Service-Account-Authentication\" and, if so, bypasses CAS authentication by immediately calling the next handler.\nIf the request is __not__ marked as \"Service-Account-Authentication\", CAS authentication is performed and the resulting authentication data is added to the request context.\nThe CAS-Handler wraps the Proxy-Handler and calls it afterwards.\n\n### 4. Proxy-Handler\nThe Proxy-Handler checks the authentication data of the incoming request.\nAuthenticated requests are forwarded and, if needed, the `UserReplicator` is called.\nUnauthenticated browser requests are redirected to the CAS login page.\nUnauthenticated REST requests are also forwarded to the configured target. 
\n\n## What is the Cloudogu EcoSystem?\nThe Cloudogu EcoSystem is an open platform, which lets you choose how and where your team creates great software. Each service or tool is delivered as a Dogu, a Docker container. Each Dogu can easily be integrated in your environment just by pulling it from our registry.\n\nWe have a growing number of ready-to-use Dogus, e.g. SCM-Manager, Jenkins, Nexus Repository, SonarQube, Redmine and many more. Every Dogu can be tailored to your specific needs. Take advantage of a central authentication service, a dynamic navigation, that lets you easily switch between the web UIs and a smart configuration magic, which automatically detects and responds to dependencies between Dogus.\n\nThe Cloudogu EcoSystem is open source and it runs either on-premises or in the cloud. The Cloudogu EcoSystem is developed by Cloudogu GmbH under [AGPL-3.0-only](https://spdx.org/licenses/AGPL-3.0-only.html).\n\n## License\nCopyright © 2020 - present Cloudogu GmbH\nThis program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation, version 3.\nThis program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more details.\nYou should have received a copy of the GNU Affero General Public License along with this program. If not, see https://www.gnu.org/licenses/.\nSee [LICENSE](LICENSE) for details.\n\n\n---\nMADE WITH :heart:\u0026nbsp;FOR DEV ADDICTS. 
[Legal notice / Imprint](https://cloudogu.com/en/imprint/?mtm_campaign=ecosystem\u0026mtm_kwd=imprint\u0026mtm_source=github\u0026mtm_medium=link)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloudogu%2Fcarp","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcloudogu%2Fcarp","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloudogu%2Fcarp/lists"}