{"id":38187699,"url":"https://github.com/j0sh3rs/cfaccess-proxy","last_synced_at":"2026-01-17T00:04:07.181Z","repository":{"id":45359112,"uuid":"508788347","full_name":"j0sh3rs/cfaccess-proxy","owner":"j0sh3rs","description":"Tiny reverse proxy that validates access against Cloudflare Access and sets headers for downstream -- Forked from https://github.com/jorgelbg/cloudflare-access-grafana","archived":false,"fork":false,"pushed_at":"2025-04-04T01:32:43.000Z","size":191,"stargazers_count":2,"open_issues_count":8,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-04T02:28:40.293Z","etag":null,"topics":["cloudflare","cloudflare-access","go","golang","jwt-token","reverse-proxy"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/j0sh3rs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-06-29T17:35:41.000Z","updated_at":"2025-01-24T15:03:22.000Z","dependencies_parsed_at":"2024-04-14T10:31:43.349Z","dependency_job_id":"9d89f110-99fc-48ed-9229-e82d2d877191","html_url":"https://github.com/j0sh3rs/cfaccess-proxy","commit_stats":{"total_commits":122,"total_committers":6,"mean_commits":"20.333333333333332","dds":"0.48360655737704916","last_synced_commit":"cb5d44a3ff5cc4a041405f04710f104f6b2fce45"},"previous_names":[],"tags_count":20,"template":false,"template_full_name":null,"purl":"pkg:github/j0sh3rs/cfaccess-proxy","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/j0sh3rs%2Fcfaccess-proxy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/j0sh3rs%2Fcfaccess-proxy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/j0sh3rs%2Fcfaccess-proxy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/j0sh3rs%2Fcfaccess-proxy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/j0sh3rs","download_url":"https://codeload.github.com/j0sh3rs/cfaccess-proxy/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/j0sh3rs%2Fcfaccess-proxy/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28489798,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-16T23:55:29.509Z","status":"ssl_error","status_checked_at":"2026-01-16T23:55:29.108Z","response_time":107,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cloudflare","cloudflare-access","go","golang","jwt-token","reverse-proxy"],"created_at":"2026-01-17T00:04:07.082Z","updated_at":"2026-01-17T00:04:07.158Z","avatar_url":"https://github.com/j0sh3rs.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# cfaccess-proxy\n\n[![GitHub Super-Linter](https://github.com/j0sh3rs/cfaccess-proxy/workflows/Lint%20Code%20Base/badge.svg)](https://github.com/marketplace/actions/super-linter)\n\ncfaccess-proxy is an HTTP proxy implemented to run transparently behind [Cloudflare\nAccess](https://teams.cloudflare.com/access/) and forward the email and username of the signed-in user to any downstream service.\n\nForked from [jorgelbg/cloudflare-access-grafana](https://github.com/jorgelbg/cloudflare-access-grafana), which sadly appeared abandoned, this proxy takes a more generic approach than the specific-to-grafana usecase of its predecessor.\n\nSpecifically, I have done the following:\n\n1. Updated go and all modules (2+ years worth of fixes/changes)\n1. Added the ability to extract a username from the Cloudflare Access email provided in the JWT, and send this as a separate header\n1. Applied all super-lint suggestions and fixes\n\n## 📥 Installation / Getting started\n\nThere are several ways this proxy can be used/configured, including supporting the usecase [jorgelbg created it for](https://github.com/jorgelbg/cloudflare-access-grafana#-installation--getting-started).\n\nAt a high level, you can define the properties outlined below in the Configuration section, configure your service to accept proxy auth, and there you have it.\n\n\nYou can copy the template from [.env.template](.env.template) into your environment file and adjust\nthe required values. Now you can run the cfaccess-proxy container with the following command:\n\n```\ncp .env.template .env\ndocker run --rm -d --env-file $(pwd)/.env --name cfaccess-proxy -p 3001:3001 ghcr.io/j0sh3rs/cfaccess-proxy\n```\n\nThis will start the proxy on the specified address and it will start to listen for incoming requests.\nWhen a new HTTP request is received it will validate the JWT token, extract the `email` claim from\nthe token and forward to the specified host the header with the email address. Additionally, it will parse the `email` claim to make a basic attempt to produce a `userName` equivalent not currently provided by Cloudflare.\n\n\u003e Additional configuration on the Cloudflare Access is required to route your subdomain/DNS entry\n\u003e into the cfaccess-proxy instance. Your service doesn't need to be accessible externally since\n\u003e all requests will go through the proxy.\n\n## 👾 Known Issues\n\nSince the authentication is no longer on your service side (and is the responsibility of the proxy), any logout actions within a service will not work as\nexpected. This happens\nbecause the current user has not been logged out of Cloudflare Access, nor will the proxy try to do that.\n\n## 🛠 Configuration\n\nAll the configuration options are passed to cfaccess-proxy as environment variables:\n\n* `AUTHDOMAIN`: This is your cloudflare authentication domain. Normally in the form of `https://\u003cyour-own-domain\u003e.cloudflareaccess.com`.\n* `POLICYAUD`: Application Audience (AUD) Tag.\n* `FORWARDUSERHEADER`: The header to be forwarded upstream to indicate which user is currently logged in.\n* `FORWARDEMAILHEADER`: The header to be forwarded upstream to indicate the email of the user currently logged in.\n* `FORWARDHOST`: Downstream URL where your service listens\n* `ADDR`: Address where the cfaccess-proxy will listen for incoming connections.\n\n## 👨🏻‍💻 Developing\n\n### Roadmap\n\nSecurity concerns will always be the highest priority. See [SECURITY.md](SECURITY.md) for details on how to open security issues.\n\nBeyond security fixes, here is a general roadmap (not ranked):\n\n- [ ] Prometheus Metrics integration\n- [ ] OTEL Integration, for use with [SigNoz](https://signoz.io) APM\n- [ ] Rename config vars to be easier to read (and make user header optional)\n- [ ] Enable loading from config json\n- [ ] Enable config reloads for zero downtime\n- [ ] Improve documentation and examples for Docker/Kubernetes usage, w/ sidecar examples\n\n## 🤚🏻 Contributing\n\nIf you'd like to contribute, please fork the repository and use a feature\nbranch. Pull requests are happily embrased.\n\n## 🚀 Links\n\n* The project logo is based on [Cloudflare icon](https://icons8.com/icons/set/cloudflare) by [Icons8](https://icons8.com).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fj0sh3rs%2Fcfaccess-proxy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fj0sh3rs%2Fcfaccess-proxy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fj0sh3rs%2Fcfaccess-proxy/lists"}