gnur/tobab gnur/tobab

  • Stars
    star
    151
  • Rank 246,057 (Top 5 %)
  • Language
    Go
  • License
    MIT License
  • Created about 4 years ago
  • Updated 10 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
gnur/tobab
github

gnur

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

tobab: the poor mans identity aware proxy, easy to use setup for beyondcorp in your homelab

tobab

tobab: an opinionated poor mans identity-aware proxy, easy to use setup for beyondcorp in your homelab

tobab gopher logo

It allows you to connect one or more identity providers (currently, only google is supported) and grant access to backends based on the identity of the user.

goals

  • Easy to use (single binary with single config file)
  • Secure by default (automatic https with letsencrypt, secure cookies)
  • Sane defaults (No public access unless explicitly added)

non-goals

  • Extreme security
  • Reliability (web server restarts whenever a route is added / modified / deleted)
  • Customization
  • Pretty

wishlist (not implemented yet)

  • openID connect integration
  • docker integration (use the docker API to determine containers to route traffic into)
  • docker builds
  • full integration test suite that can run every night
  • admin UI that shows all seen users, shows routes and allows you to edit routes
  • metrics

getting started

  • download an appropriate release from the releases page
  • place a tobab.toml file somewhere and set the env var TOBAB_CONFIG var to that location
  • configure the google key and secret by creating a new oauth application
  • make sure port 80 and port 443 are routed to the host you are running it on
  • start tobab with appropriate permissions to bind on port 80 and 443
  • add routes using the CLI or the API
  • ???
  • profit

example config file

hostname = "login.example.com" #hostname where the login occurs
cookiescope = "example.com"
secret = "some-secret"
salt = ""
certdir = "path to dir with write access"
email = "[email protected]"
googlekey = "google id"
googlesecret = "google secret"
loglevel = "debug" #or info, warning, error
databasepath = "./tobab.db"
adminglobs = [ "*@example.com" ] #globs of email addresses that are allowed to use the admin API

cli

Usage: tobab <command>

Flags:
  -h, --help             Show context-sensitive help.
      --debug
  -c, --config=STRING    config location

Commands:
  run
    start tobab server

  validate
    validate tobab config

  host list
    list all hosts

  host add --hostname=STRING --backend=STRING --type=STRING
    add a new proxy host

  host delete --hostname=STRING
    delete a host

  version
    print tobab version

  token create --email=STRING --ttl=STRING
    generate a new token

  token validate --token=STRING
    Get fields from a token

Run "tobab <command> --help" for more information on a command.

examples

# add a host to listen on test.example.com that proxies all requests to 127.0.0.1:8080
# please be aware, if you add a host that isn't public it should have the same suffix as the cookie scope!
tobab host add --hostname=test.example.com --backend=http://127.0.0.1:8080 --type=http --public
# list hosts
tobab host list
# delete a host
tobab host delete --hostname=test.example.com
# manually create an access token (useful for automation, see automation below)
tobab token create --email=<email> --ttl="800h"
# validate a token (and get information)
tobab token validate --token=<token>

api calls

example api call to add a route that only allows signed in users with an example.com email address

# @name addHost
POST /v1/api/host
User-Agent: curl/7.64.1
Accept: */*
Cookie: X-Tobab-Token=<token>

{
    "Hostname": "route.example.com",
    "Backend": "https://example.com",
    "Type": "http",
    "Public":false,
    "Globs": [ "*@example.com" ]
}
###

example api call to add a route that allows any signed in user

# @name addHost
POST /v1/api/host
User-Agent: curl/7.64.1
Accept: */*
Cookie: X-Tobab-Token=<token>

{
    "Hostname": "route2.example.com",
    "Backend": "https://example.com",
    "Type": "http",
    "Public":false,
    "Globs": [ "*" ]
}
###

example api call to add a route that allows full access without signing in

# @name addHost
POST /v1/api/host
User-Agent: curl/7.64.1
Accept: */*
Cookie: X-Tobab-Token=<token>

{
    "Hostname": "route2.example.com",
    "Backend": "https://example.com",
    "Type": "http",
    "Public":true,
}
###

example api call to delete a route

# @name delHost
DELETE /v1/api/host/route2.example.com
User-Agent: curl/7.64.1
Accept: */*
Cookie: X-Tobab-Token=<token>
###

automation (stuff like APIs)

If you have an api running behind tobab, it is possible to manually issue tokens and add them to the headers manually. Combine the info in the readme about the example API calls and the example CLI commands to see how to do just that :).

acknowledgements

This project could hot have been what it is today without these great libraries:

  • github.com/gorilla/mux excellent light weight request router
  • github.com/markbates/goth library that handles all third party authentication stuffs
  • github.com/caddyserver/certmagic letsencrypt made very, very easy
  • github.com/sirupsen/logrus logging library that is perfect
  • github.com/asdine/storm embedded database built upon bolt which makes persistence very easy

alternatives

  • Combine github.com/traefik/traefik with a forward auth provider like github.com/gnur/beyondauth or github.com/thomseddon/traefik-forward-auth
  • Combine github.com/oauth2-proxy/oauth2-proxy with some kind of certificate maintenance service like github.com/certbot/certbot

More Repositories

1

demeter

Demeter is a tool for scraping the calibre web ui
Go
182
star
2

beyondauth

a traefik / nginx companion to create an identity aware proxy like beyondcorp
Go
29
star
3

prometheus-p1-exporter

A go lang project that exposes data from a smart meter (p1) to be scraped by prometheus.
Go
10
star
4

go-piratebay

A Go Lang api for searching the Pirate Bay
HTML
6
star
5

go-api-backend

Highly specific design, allows http-gets to relay events to a single websocket.
Go
6
star
6

coldplay

Go
3
star
7

quice

a web based video player that plays videos from S3 buckets described by playlists
Go
2
star
8

dhcpresence

1
star
9

golpje

Go
1
star
10

dotfiles

erwins dotfiles
Shell
1
star
11

s3local

a library to abstract s3 and local storage, limited functionality but very easy to use
Go
1
star
12

elevator-music

Project that will play music if an elevator is moving
Rust
1
star
13

walrus

A websocket server that allows for near realtime communication between web clients.
Go
1
star