{"id":40712841,"url":"https://github.com/tsautier/RoXX","last_synced_at":"2026-01-30T14:00:38.432Z","repository":{"id":333391299,"uuid":"1135731312","full_name":"tsautier/RoXX","owner":"tsautier","description":"RoXX (Radius Open eXtensible eXchange). Modern Python-based RADIUS Authentication Proxy for Linux (Docker/Systemd). Supports TOTP, Azure AD, LDAP \u0026 inWebo.","archived":false,"fork":false,"pushed_at":"2026-01-19T15:55:38.000Z","size":2809,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2026-01-19T21:33:17.932Z","etag":null,"topics":["authentication","azure-ad","docker","freeradius","linux","mfa","python","radius","security","totp"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/tsautier.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-01-16T14:09:30.000Z","updated_at":"2026-01-19T15:55:42.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/tsautier/RoXX","commit_stats":null,"previous_names":["tsautier/roxx"],"tags_count":5,"template":false,"template_full_name":null,"purl":"pkg:github/tsautier/RoXX","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tsautier%2FRoXX","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tsautier%2FRoXX/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tsautier%2FRoXX/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tsautier%2FRoXX/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/tsautier","download_url":"https://codeload.github.com/tsautier/RoXX/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tsautier%2FRoXX/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28913903,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-30T12:13:43.263Z","status":"ssl_error","status_checked_at":"2026-01-30T12:13:22.389Z","response_time":66,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","azure-ad","docker","freeradius","linux","mfa","python","radius","security","totp"],"created_at":"2026-01-21T13:00:21.888Z","updated_at":"2026-01-30T14:00:38.413Z","avatar_url":"https://github.com/tsautier.png","language":"Python","funding_links":[],"categories":["docker"],"sub_categories":[],"readme":"# RoXX - RADIUS Proxy \u0026 Admin Portal\r\n\r\n**Modern RADIUS proxy with integrated admin portal, multi-factor authentication, and enterprise identity provider support.**\r\n\r\n![Version](https://img.shields.io/badge/version-1.0.0--beta6-blue)\r\n![Python](https://img.shields.io/badge/python-3.8%2B-blue)\r\n![License](https://img.shields.io/badge/license-MIT-green)\r\n\r\n---\r\n\r\n## 🚀 Features\r\n\r\n### Core Functionality\r\n- **RADIUS Proxy**: High-performance RADIUS authentication proxy\r\n- **Multi-Backend Support**: LDAP, Active Directory, SAML 2.0 SSO\r\n- **Admin Portal**: Modern web interface for user and system management\r\n- **RESTful API**: Complete API for automation and integration\r\n\r\n### Security \u0026 Authentication\r\n- ✅ **Multi-Factor Authentication (MFA)**\r\n  - TOTP/Authenticator Apps\r\n  - WebAuthn (Security Keys, Biometrics)\r\n  - SMS (via gateway integration)\r\n- ✅ **SAML 2.0 Single Sign-On**\r\n  - SP metadata generation\r\n  - IdP integration\r\n  - Attribute mapping\r\n- ✅ **LDAP/Active Directory Integration**\r\n  - Secure binds\r\n  - User search and authentication\r\n  - Group membership validation\r\n\r\n### Management \u0026 Monitoring\r\n- **User Management**: Create, edit, delete admin users\r\n- **MFA Credential Management**: View and revoke user security keys\r\n- **Audit Logs**: Complete system activity tracking\r\n- **System Monitor**: Real-time metrics and health status\r\n- **API Token Management**: Generate and manage API access tokens\r\n\r\n---\r\n\r\n## 📋 Requirements\r\n\r\n- **Python**: 3.8 or higher\r\n- **Operating System**: Linux (Ubuntu/Debian recommended) or WSL2\r\n- **Database**: SQLite (included)\r\n- **Optional**: \r\n  - LDAP/AD server for directory integration\r\n  - SAML IdP for SSO\r\n  - SMS gateway for SMS MFA\r\n\r\n---\r\n\r\n## 🔧 Installation\r\n\r\n### 1. Clone and Setup\r\n\r\n```bash\r\ngit clone https://github.com/tsautier/RoXX.git\r\ncd RoXX\r\n\r\n# Create virtual environment\r\npython3 -m venv venv\r\nsource venv/bin/activate  # On Windows: venv\\Scripts\\activate\r\n\r\n# Install dependencies\r\npip install -r requirements.txt\r\n```\r\n\r\n### 2. Initialize Database\r\n\r\n```bash\r\npython3 -m roxx.web.app\r\n```\r\n\r\nThe admin portal will start on `http://localhost:8000`\r\n\r\n**Default credentials:**\r\n- Username: `admin`\r\n- Password: `admin` (change immediately!)\r\n\r\n### 3. Configuration\r\n\r\nConfiguration files are located in:\r\n- **Linux**: `/etc/roxx/`\r\n- **Development**: `~/.roxx/`\r\n\r\nKey files:\r\n- `roxx.db` - Main SQLite database\r\n- `webauthn.db` - WebAuthn credentials\r\n- `mfa.db` - MFA configuration\r\n\r\n---\r\n\r\n## 🎯 Quick Start\r\n\r\n### Access the Admin Portal\r\n\r\n1. Navigate to `http://localhost:8000`\r\n2. Login with default credentials\r\n3. **Change your password** under User Settings\r\n\r\n### Configure MFA\r\n\r\n1. Go to **Settings → MFA Settings**\r\n2. Choose your method:\r\n   - **TOTP**: Scan QR code with authenticator app\r\n   - **WebAuthn**: Register security key or biometric device\r\n3. Complete setup and test login\r\n\r\n### Add an Identity Provider\r\n\r\n#### SAML 2.0\r\n\r\n1. Go to **Config → Authentication Providers**\r\n2. Click **+ Add Provider**\r\n3. Select **SAML 2.0**\r\n4. Fill in:\r\n   - **Name**: e.g., \"Corporate SSO\"\r\n   - **IdP Entity ID**: Your IdP's entity ID\r\n   - **IdP SSO URL**: Your IdP's SSO endpoint\r\n   - **IdP Certificate**: x509 certificate from IdP metadata\r\n5. Configure your IdP with:\r\n   - **Metadata URL**: `https://your-domain.com/auth/saml/metadata/{provider_id}`\r\n   - **ACS URL**: `https://your-domain.com/auth/saml/acs/{provider_id}`\r\n\r\n#### LDAP / Active Directory\r\n\r\n1. Go to **Config → Authentication Providers**\r\n2. Click **+ Add Provider**\r\n3. Select **LDAP / Active Directory**\r\n4. Configure:\r\n   - **Server URL**: `ldap://dc.example.com:389`\r\n   - **Base DN**: `dc=example,dc=com`\r\n   - **Bind DN**: Service account DN\r\n   - **Bind Password**: Service account password\r\n\r\n---\r\n\r\n## 📚 API Documentation\r\n\r\n### Authentication\r\n\r\nAll API requests require authentication via session cookie or API token.\r\n\r\n### Endpoints\r\n\r\n#### User Management\r\n```\r\nGET    /api/admins              - List all admin users\r\nPOST   /api/admins              - Create new admin user\r\nGET    /api/admins/{username}   - Get user details\r\nDELETE /api/admins/{username}   - Delete user\r\n```\r\n\r\n#### MFA Management\r\n```\r\nGET    /api/admins/{username}/mfa/status       - Get MFA status\r\nGET    /api/admins/{username}/mfa/credentials  - List WebAuthn credentials\r\nDELETE /api/admins/{username}/mfa/webauthn/{id} - Delete security key\r\nPOST   /api/admins/{username}/mfa/totp/reset   - Reset TOTP\r\n```\r\n\r\n#### Authentication Providers\r\n```\r\nGET    /api/auth-providers     - List providers\r\nPOST   /api/auth-providers     - Create provider\r\nDELETE /api/auth-providers/{id} - Delete provider\r\n```\r\n\r\n### Example: Create Admin User\r\n\r\n```bash\r\ncurl -X POST http://localhost:8000/api/admins \\\r\n  -H \"Content-Type: application/json\" \\\r\n  -d '{\r\n    \"username\": \"john\",\r\n    \"password\": \"SecurePass123!\",\r\n    \"email\": \"john@example.com\"\r\n  }'\r\n```\r\n\r\n---\r\n\r\n## 🔐 Security Best Practices\r\n\r\n1. **Change Default Password**: Immediately change the default admin password\r\n2. **Enable MFA**: Require MFA for all admin users\r\n3. **Use HTTPS**: Deploy with proper SSL/TLS certificates\r\n4. **Regular Updates**: Keep dependencies up to date\r\n5. **Audit Logs**: Regularly review system audit logs\r\n6. **API Tokens**: Use API tokens instead of passwords for automation\r\n7. **Network Security**: Restrict admin portal access to trusted networks\r\n\r\n---\r\n\r\n## 🛠️ Configuration\r\n\r\n### Environment Variables\r\n\r\n```bash\r\n# Application\r\nROXX_HOST=0.0.0.0\r\nROXX_PORT=8000\r\nROXX_DEBUG=false\r\n\r\n# Database\r\nROXX_DB_PATH=/etc/roxx/roxx.db\r\n\r\n# Security\r\nROXX_SECRET_KEY=your-secret-key-here\r\nROXX_SESSION_TIMEOUT=3600\r\n\r\n# SAML\r\nROXX_SAML_SP_ENTITY_ID=https://your-domain.com\r\n```\r\n\r\n### SSL/TLS Configuration\r\n\r\nPlace certificates in `/etc/roxx/ssl/`:\r\n- `cert.pem` - SSL certificate\r\n- `key.pem` - Private key\r\n\r\nThe application will automatically use HTTPS if certificates are present.\r\n\r\n---\r\n\r\n## 📊 Monitoring\r\n\r\n### System Health\r\n\r\nAccess the dashboard at `/dashboard` for:\r\n- CPU utilization\r\n- Memory usage\r\n- Disk space\r\n- Active sessions\r\n- Recent authentication events\r\n\r\n### Audit Logs\r\n\r\nView comprehensive logs at `/logs`:\r\n- User logins\r\n- MFA events\r\n- Configuration changes\r\n- API requests\r\n- SAML/LDAP authentication attempts\r\n\r\n---\r\n\r\n## 🐛 Troubleshooting\r\n\r\n### Common Issues\r\n\r\n**WebAuthn Not Working**\r\n- Ensure using HTTPS or `localhost`\r\n- Check browser compatibility (Chrome/Edge/Firefox/Safari recommended)\r\n- Verify WebAuthn credentials in browser dev tools\r\n\r\n**SAML Login Fails**\r\n- Verify IdP certificate is correct\r\n- Check SP Entity ID matches IdP configuration\r\n- Review logs at `/config/auth-providers/logs`\r\n- Ensure SP metadata uploaded to IdP\r\n\r\n**LDAP Connection Issues**\r\n- Verify network connectivity to LDAP server\r\n- Check bind DN and password\r\n- Test with `ldapsearch` command\r\n- Review firewall rules\r\n\r\n### Debug Mode\r\n\r\nEnable debug logging:\r\n\r\n```bash\r\nexport ROXX_DEBUG=true\r\npython3 -m roxx.web.app\r\n```\r\n\r\n---\r\n\r\n## 📖 Documentation\r\n\r\n- **User Guide**: See `/docs/user-guide.md`\r\n- **API Reference**: See `/docs/api-reference.md`\r\n- **SAML Setup**: See `/docs/saml-setup.md`\r\n- **LDAP/AD Setup**: See `/docs/ldap-setup.md`\r\n\r\n---\r\n\r\n## 🤝 Contributing\r\n\r\nContributions are welcome! Please:\r\n\r\n1. Fork the repository\r\n2. Create a feature branch (`git checkout -b feature/amazing-feature`)\r\n3. Commit your changes (`git commit -m 'Add amazing feature'`)\r\n4. Push to the branch (`git push origin feature/amazing-feature`)\r\n5. Open a Pull Request\r\n\r\n**Author**: Thomas Sautier (tsautier@users.noreply.github.com)\r\n\r\n---\r\n\r\n## 📝 License\r\n\r\nThis project is licensed under the MIT License - see the LICENSE file for details.\r\n\r\n---\r\n\r\n## 🙏 Acknowledgments\r\n\r\n- **FastAPI** - Modern web framework\r\n- **python3-saml** - SAML implementation\r\n- **python-ldap** - LDAP integration\r\n- **webauthn** - WebAuthn/FIDO2 support\r\n\r\n---\r\n\r\n## 📞 Support\r\n\r\nFor issues and questions:\r\n- **GitHub Issues**: https://github.com/tsautier/RoXX/issues\r\n- **Email**: tsautier@users.noreply.github.com\r\n\r\n---\r\n\r\n**Built with ❤️ for secure, scalable authentication**\r\n\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftsautier%2FRoXX","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftsautier%2FRoXX","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftsautier%2FRoXX/lists"}