aproxy

aproxy is a reverse proxy that includes authentication. It is designed to protect the resources that you want to expose, but only allow some one has you permission to access.

Screenshot

Backend config:

Role List:

Authority config:

Install

Install from source

cd $GOPATH/src
git clone https://github.com/shunfei/aproxy.git
cd aproxy
sh ./install.sh

Install from tarball

Go to releases page download the tar file.

tar xzvf aproxy-v0.1-xxxx-xxx-xx.tar.gz
cd aproxy-v0.1-xxxx-xxx-xx
cp conf/aproxy.toml.example conf/aproxy.toml

Run

Before running, your need set up MongoDB and Redis (MongoDB for config storage, Redis for session storage), and change the config in conf/aproxy.toml.

./bin/aproxy -c conf/aproxy.toml

By now there is no users in the database, so let me add a user:

./bin/adduser -c conf/aproxy.toml -action adduser -email [email protected] -pwd passwordxxx

And the user added above do not have admin permission, so let me set it to admin.

./bin/adduser -c conf/aproxy.toml -action setadmin -email [email protected] -adminlevel 99

And now you can visit http://127.0.0.1:8098/-_-aproxy-_-/ and config your aproxy.

Config

conf/aproxy.toml

Nginx Config Example

Assuming that the resources required authorized all are the domain of pri.domain.com's subdomain, Aproxy nginx server configuration should look like:

server {
  listen 80;
  server_name pri.domain.com *.pri.domain.com;

  location / {
    proxy_redirect      off;
    proxy_set_header    Host 			$host;
    proxy_set_header    X-Real-IP 		$remote_addr;
    proxy_set_header    X-Forwarded-For	$proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto $scheme;
    # pass to aproxy
    proxy_pass http://127.0.0.1:8098;
  }

}

And then set the WildCard DNS Record *.pri.domain.com to this nginx server.

Assume that we have the following domain:

pri.domain.com
hadoop.pri.domain.com
druid.pri.domain.com
aerospike.pri.domain.com

Then we can set the login domain to pri.domain.com, to ensure that the sub-domain of pri.domain.com ( for example hadoop.pri.domain.com) can get the session cookies after login.
So we change conf/aproxy.toml to set the domain:

loginHost = "http://pri.domain.com"
[session]
domain = "pri.domain.com"

Integration with your company's account system

Aproxy's authority is base on email, so if your company's account system has email field, can be integration.
To integration with aproxy, just need implement the interface of aproxy/module/auth/UserStorager.

type UserStorager interface {
    Login(email, pwd string) (*User, error)
    GetByEmail(email string) (*User, error)
    GetAll() ([]User, error)
    // add new user.
    // user.Pwd field has encrypted.
    Insert(user User) error
    Update(id string, user User) error
}

If you don't need manage the user in aproxy, you can just implement the Login(email, pwd string) (*User, error) func.

After implement the aproxy/module/auth/UserStorager interface, we need change the code in aproxy/bin/main.go:

//file: aproxy/bin/main.go

delete this line:
//auth.SetUserStorageToMongo()

add this code, to register your own UserStorager to aproxy
auth.SetUserStorage(&yourUserStorage{})

shunfei/aproxy

shunfei

Reviews

Repository Details