{"id":21436750,"url":"https://github.com/modfin/epoxy","last_synced_at":"2025-07-14T14:33:20.329Z","repository":{"id":81889301,"uuid":"605949437","full_name":"modfin/epoxy","owner":"modfin","description":null,"archived":false,"fork":false,"pushed_at":"2024-09-18T10:11:31.000Z","size":46,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":3,"default_branch":"master","last_synced_at":"2024-09-19T13:14:16.224Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/modfin.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-02-24T08:56:31.000Z","updated_at":"2024-09-18T10:11:35.000Z","dependencies_parsed_at":null,"dependency_job_id":"79a6a1d1-05db-47c4-837c-66e2c755ad22","html_url":"https://github.com/modfin/epoxy","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/modfin%2Fepoxy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/modfin%2Fepoxy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/modfin%2Fepoxy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/modfin%2Fepoxy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/modfin","download_url":"https://codeload.github.com/modfin/epoxy/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225981808
,"owners_count":17554923,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-23T00:14:51.737Z","updated_at":"2024-11-23T00:14:52.299Z","avatar_url":"https://github.com/modfin.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# epoxy\nReverse proxy and/or static file server, with the primary goal of serving a self-hosted web \napplication behind a Cloudflare Zero Trust tunnel. Validates Cloudflare `Cf-Access-Jwt-Assertion` JWT token. Can also be used as a generic reverse proxy or static file server.\n\n## Usage\nSettings are defined through environment variables.\n### What to serve\n#### Reverse proxy (optional, enables reverse proxy if defined)\n* `ROUTES` format\n  ```\n  Prefix      /backend-0   http://backend-0:8080\n  PrefixStrip /backend-1   http://backend-1:8080\n  ```\n  Where `PrefixStrip` strips the matching prefix before reverse proxying the request to the backend.\n\n#### Static file server (optional)\n* `PUBLIC_DIR` directory to serve static files from, e.g. `./public`\n* `PUBLIC_PREFIX` path where the web application expects to find static files.\n\n### Server modes\nAll different types of server modes can be combined at the same time, on different ports.\n#### Server without authentication (optional)\nIn this mode epoxy can be used as a regular reverse proxy or static file server.\n* `NO_AUTH_ENABLE` enables no auth server.\n* `NO_AUTH_ADDR` address to serve at, e.g. 
`\":8080\"` or `\"127.0.0.1:8080\"`\n\n#### Server for requests coming from [cloudflared](https://github.com/cloudflare/cloudflared) tunnel\n* `CF_ADDR` address to serve at, e.g. `\":8080\"` or `\"127.0.0.1:8080\"`\n* `CF_JWKS_URL` Cloudflare JWKS URL to [validate JWT](https://developers.cloudflare.com/cloudflare-one/identity/authorization-cookie/validating-json/)\\\ne.g. `https://\u003cyour-team-name\u003e.cloudflareaccess.com/cdn-cgi/access/certs`\n* `CF_APP_AUD` Cloudflare Application Audience (AUD) Tag.\n\n#### Dev mode server\n* `DEV_ADDR` address to serve at, e.g. `\":8080\"` or `\"127.0.0.1:8080\"`\n* `DEV_ALLOWED_USER_SUFFIX` allowed user suffix, e.g. `@test.com`; will be used in the generated JWT as subject.\n* `DEV_BCRYPT_HASH` dev authentication password bcrypt hash, to generate:\\\n`htpasswd -bnBC 10 \"\" \"[PASSWORD]\" | tr -d ':\\n'`\n* `DEV_SESSION_DURATION` in standard Go `time.Duration` format, e.g. 10m, 1h, 24h\n\n### Misc\n#### Fetch external JWT\nAfter validating the `Cf-Access-Jwt-Assertion` header, epoxy contacts an external/custom service, passing along the `Cf-Access-Jwt-Assertion` header. This can be used to fetch extended info about the user who is logged in to Zero Trust.\n* `EXT_JWKS_URL` JWKS URL with public keys for validating the new token received from the external service.\n* `EXT_JWT_URL` URL to fetch from.\n* `EXT_JWT_SUBJECT_PATH` path in external claims to grab subject for epoxy token below.\n\n#### JWT Keys\nAfter fetching the external JWT, or always in *dev mode*, a new JWT is generated and sent in the `Epoxy-Token` header.\n* `JWT_EC_256` used for generating JWT and *dev mode* cookie\n* `JWT_EC_256_PUB` used for verifying *dev mode* cookie.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmodfin%2Fepoxy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmodfin%2Fepoxy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmodfin%2Fepoxy/lists"}