https://github.com/gnur/tobab
tobab: the poor man's identity-aware proxy, easy to use setup for beyondcorp in your homelab
- Host: GitHub
- URL: https://github.com/gnur/tobab
- Owner: gnur
- License: mit
- Created: 2020-09-04T12:43:38.000Z (about 5 years ago)
- Default Branch: main
- Last Pushed: 2024-02-01T13:50:16.000Z (over 1 year ago)
- Last Synced: 2024-08-01T10:15:52.617Z (about 1 year ago)
- Topics: beyondcorp, hacktoberfest, homelab, identity, identity-aware-proxy, letsencrypt, proxy
- Language: Go
- Homepage:
- Size: 5.58 MB
- Stars: 151
- Watchers: 6
- Forks: 7
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
README
# tobab
tobab: an opinionated poor man's identity-aware proxy enabler. Use it as a forward auth target with Caddy, nginx or Traefik.
It uses passkeys for simple and robust authentication.
## goals
- Passkey enabled user management
- Admin with Web UI for access management
- Easy to use (single docker container with simple config)
## non-goals
- any authn that isn't passkeys
## wishlist (not implemented yet)
- metrics
- API key support for non-browser session based validation
- access denied message
- better error handling with feedback to user
- better splitting of templates and javascript (not a single script for login and register)
- testing with Traefik
- testing with nginx
- additional storage interface implementations to allow it to be more cloud native
## getting started
- See the `k8s-example` dir for a kustomize setup for tobab and deploy it to k8s
- Make sure DNS is set up correctly
- Set up Caddy to use this new endpoint for forward auth:
```
login.example.com {
    reverse_proxy tobab.tobab.svc
}
secure.example.com {
    forward_auth tobab.tobab.svc {
        uri /verify
    }
    reverse_proxy some_other_host:8080
}
```
- create a new user at `login.example.com/register` (first user created becomes the admin user)
- visit `secure.example.com` and be authenticated through your passkey
- login with the new user
# example config file
```toml
hostname = "login.example.com" #hostname where the login occurs
displayname = "example displayname" #used for passkey creation
cookiescope = "example.com" #this will allow all subdomains of example.com to have sso with tobab
loglevel = "debug" #or info, warning, error
databasepath = "./tobab.db"
```
# acknowledgements
This project could not have been what it is today without these great libraries:
- github.com/gin-gonic/gin excellent request router
- github.com/asdine/storm embedded database built upon bolt which makes persistence very easy
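
What the `forward_auth` block under getting started expects from `/verify`, and why `cookiescope` matters, as an added Go sketch that is not tobab's own code: a 2xx answer lets Caddy proxy the request, anything else is returned to the browser. The cookie name, session table, `redirect` query parameter and the `inScope` and `check` helpers are hypothetical; `X-Forwarded-Host` and `X-Forwarded-Uri` are the headers Caddy sends with the auth subrequest.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Hosts mirror the example config; cookie name and session table are hypothetical.
const loginHost, cookieScope, cookieName = "login.example.com", "example.com", "demo_session"
var sessions = map[string]string{"constructed-session-id": "alice"} // constructed sample

// inScope accepts cookieScope and its subdomains, not look-alikes such as "evilexample.com".
func inScope(host string) bool {
	host = strings.ToLower(host)
	return host == cookieScope || strings.HasSuffix(host, "."+cookieScope)
}

// verify stands in for the /verify endpoint: 2xx lets Caddy proxy the request,
// any other answer (here a redirect to the login host) goes back to the browser.
func verify(w http.ResponseWriter, r *http.Request) {
	if c, err := r.Cookie(cookieName); err == nil && sessions[c.Value] != "" {
		w.WriteHeader(http.StatusOK)
		return
	}
	target := "https://" + loginHost + "/"
	// Carry the original URL only when it is inside the cookie scope (no open redirect).
	if host := r.Header.Get("X-Forwarded-Host"); inScope(host) {
		target += "?redirect=" + url.QueryEscape("https://"+host+r.Header.Get("X-Forwarded-Uri"))
	}
	http.Redirect(w, r, target, http.StatusFound)
}

// check sends one forwarded request through verify; returns status and Location.
func check(cookie, host, uri string) (int, string) {
	req := httptest.NewRequest("GET", "/verify", nil)
	req.Header.Set("X-Forwarded-Host", host)
	req.Header.Set("X-Forwarded-Uri", uri)
	req.AddCookie(&http.Cookie{Name: cookieName, Value: cookie})
	rec := httptest.NewRecorder()
	verify(rec, req)
	return rec.Code, rec.Header().Get("Location")
}

func main() {
	fmt.Println(check("", "secure.example.com", "/app"))
}
```

A session cookie issued for the `example.com` scope is sent to every subdomain, so each host placed behind `forward_auth` shares the same login.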