Show HN: Tobab, a poor man's identity aware proxy. “BeyondCorp” for selfhosters


tobab: the poor man's identity aware proxy, an easy to use beyondcorp setup for your homelab

tobab gopher logo

It lets you glue one or more identity providers (for now, only google is supported) and grant access to backends based on the identity of the user.

  • Easy to use (single binary with single config file)
  • Secure by default (automatic https with letsencrypt, secure cookies)
  • Sane defaults (No public access unless explicitly added)
  • Indecent security
  • Reliability (web server restarts every time a route is added / modified / deleted)

  • grab an appropriate release from the releases page
  • put a tobab.toml file somewhere and set the env var TOBAB_CONFIG to that location
  • configure the google key and secret by creating a new oauth application
  • make sure port 80 and port 443 are routed to the host you'll be running it on
  • start tobab with appropriate permissions to bind on port 80 and 443
  • ???
  • profit
hostname = "login.example.com"
cookiescope = "example.com"
secret = "some-secret"
certdir = "path to dir with write access"
email = "user@example.com"
googlekey = "google id"
googlesecret = "google secret"
loglevel = "debug" #or info, warning, error
databasepath = "./tobab.db"

cli

Usage: tobab <command>

Flags:
  -h, --help             Show context-sensitive help.
      --debug
  -c, --config=STRING    config location

Commands:
  run
    start tobab server

  validate
    validate tobab config

  host list
    list all hosts

  host add --hostname=STRING --backend=STRING --type=STRING
    add a new proxy host

  host delete --hostname=STRING
    delete a host

  version
    print tobab version

  token create --email=STRING --ttl=STRING
    generate a new token

  token validate --token=STRING
    Get fields from a token

Run "tobab <command> --help" for more information on a command.

examples

# add a host
tobab host add --hostname=test.example.com --backend=127.0.0.1:8080 --type=http --public
# list hosts
tobab host list
# delete a host
tobab host delete --hostname=test.example.com
# manually create an access token (useful for automation, see automation below)
tobab token create --email=<email> --ttl="800h"
# validate a token (and show its info)
tobab token validate --token=<token>

api calls

example api call to add a route that only allows signed in users with an example.com email address

# @name addHost
POST /v1/api/host
User-Agent: curl/7.64.1
Accept: */*
Cookie: X-Tobab-Token=

{
    "Hostname": "route.example.com",
    "Backend": "https://example.com",
    "Type": "http",
    "Public": false,
    "Globs": [ "*@example.com" ]
}
###

example api call to add a route that allows any signed in user

# @name addHost
POST /v1/api/host
User-Agent: curl/7.64.1
Accept: */*
Cookie: X-Tobab-Token=

{
    "Hostname": "route2.example.com",
    "Backend": "https://example.com",
    "Type": "http",
    "Public": false,
    "Globs": [ "*" ]
}
###

example api call to add a route that allows full access without signing in

# @name addHost
POST /v1/api/host
User-Agent: curl/7.64.1
Accept: */*
Cookie: X-Tobab-Token=

{
    "Hostname": "route2.example.com",
    "Backend": "https://example.com",
    "Type": "http",
    "Public": true
}
###

example api call to delete a route

# @name delHost
DELETE /v1/api/host/route2.example.com
User-Agent: curl/7.64.1
Accept: */*
Cookie: X-Tobab-Token=
###
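The three host definitions above differ only in their `Public` and `Globs` fields. As an added example (not tobab's own code), the Go snippet below models the resulting access decision for a request: a public route lets anyone through, a non-public route requires a signed-in identity whose email matches one of the globs, and `"*"` matches every signed-in user. How tobab itself evaluates globs is not shown on the page; using the standard library's `path.Match` for that is an assumption here.

```go
package main

import (
	"fmt"
	"path"
)

// Host mirrors the JSON body sent to POST /v1/api/host above.
type Host struct {
	Hostname string
	Backend  string
	Type     string
	Public   bool
	Globs    []string
}

// Allowed reports whether a request for host h may be proxied to its backend.
// email is the identity carried by a valid X-Tobab-Token cookie, or "" when
// the request is anonymous (no cookie or an invalid one).
func Allowed(h Host, email string) bool {
	if h.Public {
		return true // "Public": true means no sign-in is required at all
	}
	if email == "" {
		return false // non-public route and no identity: the proxy would send the user to login
	}
	for _, g := range h.Globs {
		// Assumption: globs are matched against the full email address.
		// path.Match's '*' matches any run of non-'/' characters, so "*" matches
		// every signed-in user and "*@example.com" only that domain.
		if ok, err := path.Match(g, email); err == nil && ok {
			return true
		}
	}
	return false // signed in, but no glob matched
}

func main() {
	// Constructed hosts, mirroring the three API examples on this page.
	domainOnly := Host{Hostname: "route.example.com", Globs: []string{"*@example.com"}}
	anySignedIn := Host{Hostname: "route2.example.com", Globs: []string{"*"}}
	public := Host{Hostname: "route2.example.com", Public: true}

	for _, email := range []string{"", "alice@example.com", "bob@other.org", "eve@example.com.attacker.test"} {
		fmt.Printf("%-32q domainOnly=%-5t anySignedIn=%-5t public=%t\n",
			email, Allowed(domainOnly, email), Allowed(anySignedIn, email), Allowed(public, email))
	}
}
```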

If you have an api running behind tobab, it is possible to manually issue tokens and add them to the request headers yourself. Combine the information in the readme about the example API calls and the example CLI commands to see how to do just that :).
