{"id":37177338,"url":"https://github.com/iloahz/traefik-plugin-manual-access-control","last_synced_at":"2026-01-14T20:41:00.758Z","repository":{"id":176319644,"uuid":"655301222","full_name":"iloahz/traefik-plugin-manual-access-control","owner":"iloahz","description":"manage access to your services manually","archived":false,"fork":false,"pushed_at":"2023-08-27T07:41:10.000Z","size":8906,"stargazers_count":5,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-10-07T12:39:37.153Z","etag":null,"topics":["traefik-plugin"],"latest_commit_sha":null,"homepage":"https://plugins.traefik.io/plugins/648fb6ac498e334469bdbd24/manual-access-control","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/iloahz.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-06-18T13:48:48.000Z","updated_at":"2025-04-15T19:23:31.000Z","dependencies_parsed_at":null,"dependency_job_id":"d24e559f-e41f-419a-816b-cc699c6c7143","html_url":"https://github.com/iloahz/traefik-plugin-manual-access-control","commit_stats":null,"previous_names":["iloahz/traefik-plugin-manual-access-control"],"tags_count":19,"template":false,"template_full_name":null,"purl":"pkg:github/iloahz/traefik-plugin-manual-access-control","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iloahz%2Ftraefik-plugin-manual-access-control","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iloahz%2Ftraefik-plugin-manual-access-control/tags","releases_url":"https://repos.ecosyste.ms/api/v1/host
s/GitHub/repositories/iloahz%2Ftraefik-plugin-manual-access-control/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iloahz%2Ftraefik-plugin-manual-access-control/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/iloahz","download_url":"https://codeload.github.com/iloahz/traefik-plugin-manual-access-control/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iloahz%2Ftraefik-plugin-manual-access-control/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28434488,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-14T18:57:19.464Z","status":"ssl_error","status_checked_at":"2026-01-14T18:52:48.501Z","response_time":107,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["traefik-plugin"],"created_at":"2026-01-14T20:40:59.931Z","updated_at":"2026-01-14T20:41:00.721Z","avatar_url":"https://github.com/iloahz.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# traefik-plugin-manual-access-control\n\ntraefik-plugin-manual-access-control(TPMAC) is a traefik plugin that provides manual access control for services behind traefik.\n\n# Features\n\n- [x] manual access control\n- [x] visualization of access logs\n- [ ] persistent data\n- [ ] rule based auto 
access control\n\n![](assets/tpmac_demo.gif)\n\n# Setup\n\n## 1. Setup TPMAC service\n\nFirst, run the TPMAC service. Below is an example with docker compose, assuming `tpmac.home.your-domain.com` is the domain you want to use.\n\n```\nversion: '3'\n\nservices:\n  traefik-plugin-manual-access-control:\n    image: ghcr.io/iloahz/traefik-plugin-manual-access-control:main\n    restart: always\n    environment:\n      - IP2LOCATION_API_KEY=some_key_1\n      - JWT_SECRET=some_key_2\n    networks:\n      - traefik-network\n    labels:\n      - traefik.enable=true\n      - traefik.http.routers.tpmac.rule=Host(`tpmac.home.your-domain.com`)\n      - traefik.http.routers.tpmac.tls=true\n      - traefik.http.routers.tpmac.tls.certresolver=letsencrypt-cloudflare\n\nnetworks:\n  traefik-network:\n    external: true\n```\n\n### 1.1 How to get IP2LOCATION_API_KEY\n\nYou can get a free API key from https://www.ip2location.io/\n\n### 1.2 How to get JWT_SECRET\n\n```\nopenssl rand -base64 32\n```\n\nYou will get something like\n\n```\nz8fXgwQIc/wT2zs4ct5C8RCFJ1lxrSwIxjTLvJP3yuI=\n```\n\n## 2. Enable TPMAC in traefik\n\nAdd the following to `traefik.yml` and restart traefik.\n\n```\nexperimental:\n  plugins:\n    traefik-plugin-manual-access-control:\n      moduleName: github.com/iloahz/traefik-plugin-manual-access-control\n      version: v0.1.7\n```\n\n## 3. Use TPMAC on the services behind traefik\n\nYou can follow the instructions on the [traefik plugin](https://plugins.traefik.io/plugins/648fb6ac498e334469bdbd24/manual-access-control) page.\n\nIf you are using traefik with docker compose labels, an example would be:\n\n```\nlabels:\n    - traefik.http.middlewares.my-traefik-plugin-manual-access-control.plugin.traefik-plugin-manual-access-control.Server=https://tpmac.home.your-domain.com\n    - traefik.http.routers.chatgpt-next-web.middlewares=my-traefik-plugin-manual-access-control\n```\n\n## 4. 
Verify\n\nThis step is optional.\n\nWhen step #2 is successful, you should see the TPMAC plugin enabled on the traefik HTTP middlewares page.\n\n![](assets/traefik_middleware.png)\n\n# How it works\nTPMAC uses a JWT stored in a cookie to control access. The JWT is used only to identify the client; consent is managed in the TPMAC service.\n\n```mermaid\nsequenceDiagram\n  participant A as Service\n  participant B as TPMAC service\n  participant C as TPMAC plugin\n  participant D as Traefik\n  participant E as Client\n  rect rgba(255,165,0,0.2)\n  Note right of C: 1st request\n  E-\u003e\u003eD: request\n  D-\u003e\u003eC: request\n  C-\u003e\u003eB: generate token\n  B-\u003e\u003eC: jwt\n  C-\u003e\u003eD: 403, jwt in cookie\n  D-\u003e\u003eE: 403, jwt in cookie\n  end\n  B-\u003e\u003eB: admin allows access\n  rect rgba(50,205,50,0.2)\n  Note right of C: 2nd request\n  E-\u003e\u003eD: request, jwt in cookie\n  D-\u003e\u003eC: request, jwt in cookie\n  C-\u003e\u003eB: validate token\n  B-\u003e\u003eC: valid\n  C-\u003e\u003eA: request\n  A-\u003e\u003eC: response\n  C-\u003e\u003eD: response\n  D-\u003e\u003eE: response\n  end\n```\n\nAccess control is \"who can access what\". Compared to the comprehensive model of [AWS IAM](https://aws.amazon.com/iam/), TPMAC uses a simplified model to make it more convenient for homelab users.\n\n## \"Who\" in TPMAC\n\nIntuitively, \"who\" is one particular friend, but identifying this user can be tricky, especially when we want to avoid complicated configs for the homelab admin and authentication for friends.\n\nA proxy for \"who\" is the device that the user is using. Unfortunately, it's not easy to identify a device, at least not at the HTTP layer, and since we want to build a general solution that works for all services, modifying the service is not an option.\n\nIdentifying \"who\" is the most important part of access control. TPMAC uses a JWT to identify \"who\", and the JWT is stored in a cookie.\n\n## \"What\" in TPMAC\n\n\"What\" is very 
simple in TPMAC: it's a service behind traefik, identified by the `host` only.\n\n## \"Consent\" in TPMAC\n\nTBA\n\n# Credits\n\n* Thanks to [ip2location.io](https://www.ip2location.io/)\n* Thanks to [mapbox](https://www.mapbox.com/)","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Filoahz%2Ftraefik-plugin-manual-access-control","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Filoahz%2Ftraefik-plugin-manual-access-control","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Filoahz%2Ftraefik-plugin-manual-access-control/lists"}