{"id":26458475,"url":"https://github.com/cogolabs/transcend","last_synced_at":"2025-03-19T00:01:52.390Z","repository":{"id":43834867,"uuid":"100196587","full_name":"cogolabs/beyond","owner":"cogolabs","description":"BeyondCorp-inspired HTTPS/SSO Access Proxy. Secure internal services outside your VPN/perimeter network during a zero-trust transition.","archived":false,"fork":false,"pushed_at":"2022-05-26T15:15:14.000Z","size":2182,"stargazers_count":251,"open_issues_count":4,"forks_count":25,"subscribers_count":7,"default_branch":"main","last_synced_at":"2025-03-18T06:03:29.099Z","etag":null,"topics":["beyondcorp","federation","golang","http-proxy","openid-connect","perimeter-network","proxy","proxy-server","relying-party","security","trust-transition","vpn","zero-trust"],"latest_commit_sha":null,"homepage":"https://research.google.com/pubs/pub45728.html","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cogolabs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-08-13T18:29:25.000Z","updated_at":"2025-03-09T13:42:24.000Z","dependencies_parsed_at":"2022-07-13T15:30:59.400Z","dependency_job_id":null,"html_url":"https://github.com/cogolabs/beyond","commit_stats":null,"previous_names":["cogolabs/transcend"],"tags_count":21,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cogolabs%2Fbeyond","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cogolabs%2Fbeyond/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cogolabs%2Fbeyond/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cogolabs%2Fbeyond/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cogolabs","download_url":"https://codeload.github.com/cogolabs/beyond/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244326199,"owners_count":20435122,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["beyondcorp","federation","golang","http-proxy","openid-connect","perimeter-network","proxy","proxy-server","relying-party","security","trust-transition","vpn","zero-trust"],"created_at":"2025-03-19T00:01:47.502Z","updated_at":"2025-03-19T00:01:52.384Z","avatar_url":"https://github.com/cogolabs.png","language":"Go","funding_links":[],"categories":["\u003ca id=\"d62a971d37c69db9f3b9187318c3921a\"\u003e\u003c/a\u003e工具","Zero-trust Network"],"sub_categories":["\u003ca id=\"8ea8f890cf767c3801b5e7951fca3570\"\u003e\u003c/a\u003e公网访问局域网","Identifiers"],"readme":"[![Build Status](https://travis-ci.org/cogolabs/beyond.svg?branch=master)](https://travis-ci.org/cogolabs/beyond)\n[![codecov](https://codecov.io/gh/cogolabs/beyond/branch/master/graph/badge.svg)](https://codecov.io/gh/cogolabs/beyond)\n[![Docker](https://github.com/cogolabs/beyond/actions/workflows/docker-publish.yml/badge.svg)](https://github.com/cogolabs/beyond/actions/workflows/docker-publish.yml)\n[![Go Report Card](https://goreportcard.com/badge/github.com/cogolabs/beyond)](https://goreportcard.com/report/github.com/cogolabs/beyond)\n[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)\n\n# beyond\nControl access to services beyond your perimeter network. Deploy with split-DNS to alleviate VPN in a zero-trust transition. Inspired by Google BeyondCorp research: https://research.google.com/pubs/pub45728.html\n\n## Features\n- Authenticate via:\n  - OpenID Connect\n  - OAuth2 Tokens\n  - SAMLv2\n- Automate Configuration w/ https://your.json\n- Customize Nexthop Learning (via Favorite Ports: 443, 80, ...)\n- Supports WebSockets\n- Supports GitHub Enterprise\n- Supports Private Docker Registry APIs (v2)\n- Analytics with ElasticSearch\n\n## Install\n```\n$ docker pull cogolabs/beyond\n```\nor:\n```\n$ go get -u -x github.com/cogolabs/beyond\n```\n## Usage\n```\n$ docker run --rm -p 80:80 cogolabs/beyond httpd --help\n  -401-code int\n    \tstatus to respond when a user needs authentication (default 418)\n  -404-message string\n    \tmessage to use when backend apps do not respond (default \"Please contact the application administrators to setup access.\")\n  -allowlist-url string\n    \tURL to site allowlist (eg. https://github.com/myorg/beyond-config/main/raw/allowlist.json)\n  -beyond-host string\n    \thostname of self (default \"beyond.myorg.net\")\n  -cookie-age int\n    \tMaxAge setting in seconds (default 21600)\n  -cookie-domain string\n    \tsession cookie domain (default \".myorg.net\")\n  -cookie-key1 string\n    \tkey1 of cookie crypto pair (example: \"t8yG1gmeEyeb7pQpw544UeCTyDfPkE6u\")\n  -cookie-key2 string\n    \tkey2 of cookie crypto pair (example: \"Q599vrruZRhLFC144thCRZpyHM7qGDjt\")\n  -cookie-name string\n    \tsession cookie name (default \"beyond\")\n  -docker-auth-scheme string\n    \t(only for testing) (default \"https\")\n  -docker-url string\n    \twhen there is only one (legacy option) (default \"https://docker.myorg.net\")\n  -docker-urls string\n    \tcsv of docker server base URLs (default \"https://harbor.myorg.net,https://ghcr.myorg.net\")\n  -error-color string\n    \tcss h1 color for errors (default \"#69b342\")\n  -error-email string\n    \taddress for help (eg. support@mycompany.com)\n  -error-plain\n    \tdisable html on error pages\n  -federate-access string\n    \tshared secret, 64 chars, enables federation\n  -federate-secret string\n    \tinternal secret, 64 chars\n  -fence-url string\n    \tURL to user fencing config (eg. https://github.com/myorg/beyond-config/main/raw/fence.json)\n  -header-prefix string\n    \tprefix extra headers with this string (default \"Beyond\")\n  -health-path string\n    \tURL of the health endpoint (default \"/healthz/ping\")\n  -health-reply string\n    \tresponse body of the health endpoint (default \"ok\")\n  -home-url string\n    \tredirect users here from root (default \"https://google.com\")\n  -host-masq string\n    \trewrite nexthop hosts (format: from1=to1,from2=to2)\n  -http string\n    \tlisten address (default \":80\")\n  -insecure-skip-verify\n    \tallow TLS backends without valid certificates\n  -learn-dial-timeout duration\n    \tskip port after this connection timeout (default 5s)\n  -learn-http-ports string\n    \tafter HTTPS, try these HTTP ports (csv) (default \"80,8080,6000,6060,7000,7070,8000,9000,9200,15672\")\n  -learn-https-ports string\n    \ttry learning these backend HTTPS ports (csv) (default \"443,4443,6443,8443,9443,9090\")\n  -learn-nexthops\n    \tset false to require explicit allowlisting (default true)\n  -log-elastic string\n    \tcsv of elasticsearch servers\n  -log-elastic-interval duration\n    \thow often to commit bulk updates (default 1s)\n  -log-elastic-prefix string\n    \tinsert this on the front of elastic indexes (default \"beyond\")\n  -log-elastic-workers int\n    \tbulk commit workers (default 3)\n  -log-http\n    \tenable HTTP logging to stdout\n  -log-json\n    \tuse json output (logrus)\n  -log-xff\n    \tinclude X-Forwarded-For in logs (default true)\n  -oidc-client-id string\n    \tOIDC client ID (default \"f8b8b020-4ec2-0135-6452-027de1ec0c4e43491\")\n  -oidc-client-secret string\n    \tOIDC client secret (default \"cxLF74XOeRRFDJbKuJpZAOtL4pVPK1t2XGVrDbe5R\")\n  -oidc-issuer string\n    \tOIDC issuer URL provided by IdP (default \"https://yourcompany.onelogin.com/oidc\")\n  -saml-cert-file string\n    \tSAML SP path to cert.pem (default \"example/myservice.cert\")\n  -saml-entity-id string\n    \tSAML SP entity ID (blank defaults to beyond-host)\n  -saml-key-file string\n    \tSAML SP path to key.pem (default \"example/myservice.key\")\n  -saml-metadata-url string\n    \tSAML metadata URL from IdP (blank disables SAML)\n  -saml-nameid-format string\n    \tSAML SP option: {email, persistent, transient, unspecified} (default \"email\")\n  -saml-session-key string\n    \tSAML attribute to map from session (default \"email\")\n  -saml-sign-requests\n    \tSAML SP signs authentication requests\n  -saml-signature-method string\n    \tSAML SP option: {sha1, sha256, sha512}\n  -server-idle-timeout duration\n    \tmax time to wait for the next request when keep-alives are enabled (default 3m0s)\n  -server-read-timeout duration\n    \tmax duration for reading the entire request, including the body (default 1m0s)\n  -server-write-timeout duration\n    \tmax duration before timing out writes of the response (default 2m0s)\n  -sites-url string\n    \tURL to allowed sites config (eg. https://github.com/myorg/beyond-config/main/raw/sites.json)\n  -token-base string\n    \ttoken server URL prefix (eg. https://api.github.com/user)\n  -token-graphql string\n    \tGraphQL URL for auth (eg. https://api.github.com/graphql)\n  -token-graphql-query string\n    \t (default \"{\\\"query\\\": \\\"query { viewer { login }}\\\"}\")\n  -websocket-compression\n    \tallow websocket transport compression (gorilla/experimental)\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcogolabs%2Ftranscend","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcogolabs%2Ftranscend","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcogolabs%2Ftranscend/lists"}