Show HN: Tobab, a poor mans identity aware proxy. “BeyondCorp” for selfhosters (opens in new tab)

(github.com)

42 pointsgnur5y ago13 comments

13 comments

gnurOP5y ago

Over the last year I got frustrated with the complexity projects like traefik and caddy have gained recently. While I do love Caddy still, it seems like it wants to do too much, which I understand because they have a commercial offering, but I wanted something simpler.

So I set out to build a truly simple proxy that can do the following:

* automatic certificates with letsencrypt (using the library created by the awesome caddy team)

* authenticate users (currently only sign in with google is supported, but the underlying library should make it trivial to extend this)

* authorize users based on simple glob matching

* allow creating (and modifying) routes by CLI and API

Building this I truly started to appreciate the meaning of standing on the shoulders of giants, the Go libraries I've used are extensive and made this application a lot easier to create.

While tobab is by no means finished, if you are looking for a easy to use reverse proxy that will handle certificates and auth for you, this could be the tool you are looking for.

masonhensley5y ago

Thanks for sharing.

Very nice:

- Secure by default (automatic https with letsencrypt, secure cookies)

- Sane defaults (No public access unless explicitly added)

Curious (not nit picking). What's the high level possibility of allowing keycloak (or another self hosted auth provider)?

Looks like you are leveraging goth... fairly simple for someone to extend down the road via a contribution, correct? https://github.com/gnur/tobab/blob/2d1fa1227d1f56ee332d3d83b...

Ref - https://github.com/markbates/goth/issues/319

gnurOP5y ago

If keycloak provides an openID connect endpoint it should be fairly trivial to extend tobab to use it.

Goth might actually have specific support for keycloak, but I'm not sure about that to be honest.

tweetle_beetle5y ago

I'd only ever used Caddy for a hobby project a few years ago. Just recently I needed something quickly for a reverse proxy. I looked at traefik because I'd heard a lot about it and quickly came to the same conclusion as you - too rich. I thought I'd have a look at the docs for the new-ish Caddy v2.

After a bit of reading, I was shocked that I had set up a reverse proxy with just a single 2 line "caddyfile":

  subdomain.mydomain.ltd

  reverse_proxy 127.0.0.1:5000

For my humble use case it couldn't be any simpler.

mholt5y ago

I can make it simpler:

    $ caddy reverse-proxy --from subdomain.mydomain.tld --to 127.0.0.1:5000

Is equivalent, no config file needed :)

invokestatic5y ago

I recently did an "identity aware proxy" deployment to protect a service with SAML, but I used good ol' Apache with mod_proxy. SAML authentication was handled by mod_auth_mellon, and certbot has great integration with Apache. I didn't have to edit any Apache config files for TLS - certbot did it all for me. It even automatically set up systemd to automatically renew. I was really impressed.

jitl5y ago

Looks great! I have a homelab that already has HTTPS/letsencrypt via an Nginx reverse-proxy, and I use https simple auth for connections coming from the Internet. I’m interested in replacing simple-auth with Tobab. Does the configuration support disabling the letsencrypt parts (since I already have that)? Is there an API route on the tobab hostname (eg tonab.example.com/verify/private.example.com) to verify a cookie authorization that I can configure Nginx to call, instead of needing to proxy all traffic through Tobab?

kernelbugs5y ago

How does this compare to Pomerium or other open source IAPs?

stevekemp5y ago

Another contender in this area would be:

https://github.com/oauth2-proxy/oauth2-proxy

I've used that to gate-access to internal things behind gsuite domains, and it supports authentication against github and other providers too.

cldellow5y ago

Also https://github.com/Widen/cloudfront-auth if you're OK fronting your service with CloudFront and Lambda@Edge for auth.

anderspitman5y ago

Very cool. Just curious, if you're using this for your homelab, what method are you using to connect to upstream servers? Just forwarding ports?

aritmo5y ago

Shouldn't there be a hyphen in "identity-aware proxy"?

jazoom5y ago

And the rest

"the poor mans identity aware proxy, easy to use setup for beyondcorp in your homelab"

"the poor man's identity-aware proxy with an easy-to-use setup for beyondcorp in your homelab"

j / k navigate · click thread line to collapse

13 comments

gnurOP5y ago

So I set out to build a truly simple proxy that can do the following:

* automatic certificates with letsencrypt (using the library created by the awesome caddy team)

* authenticate users (currently only sign in with google is supported, but the underlying library should make it trivial to extend this)

* authorize users based on simple glob matching

* allow creating (and modifying) routes by CLI and API

Building this I truly started to appreciate the meaning of standing on the shoulders of giants, the Go libraries I've used are extensive and made this application a lot easier to create.

While tobab is by no means finished, if you are looking for a easy to use reverse proxy that will handle certificates and auth for you, this could be the tool you are looking for.

masonhensley5y ago

Thanks for sharing.

Very nice:

- Secure by default (automatic https with letsencrypt, secure cookies)

- Sane defaults (No public access unless explicitly added)

Curious (not nit picking). What's the high level possibility of allowing keycloak (or another self hosted auth provider)?

Looks like you are leveraging goth... fairly simple for someone to extend down the road via a contribution, correct? https://github.com/gnur/tobab/blob/2d1fa1227d1f56ee332d3d83b...

Ref - https://github.com/markbates/goth/issues/319

gnurOP5y ago

If keycloak provides an openID connect endpoint it should be fairly trivial to extend tobab to use it.

Goth might actually have specific support for keycloak, but I'm not sure about that to be honest.

tweetle_beetle5y ago

After a bit of reading, I was shocked that I had set up a reverse proxy with just a single 2 line "caddyfile":

  subdomain.mydomain.ltd

  reverse_proxy 127.0.0.1:5000

For my humble use case it couldn't be any simpler.

mholt5y ago

I can make it simpler:

    $ caddy reverse-proxy --from subdomain.mydomain.tld --to 127.0.0.1:5000

Is equivalent, no config file needed :)

invokestatic5y ago

jitl5y ago

kernelbugs5y ago

How does this compare to Pomerium or other open source IAPs?

stevekemp5y ago

Another contender in this area would be:

https://github.com/oauth2-proxy/oauth2-proxy

I've used that to gate-access to internal things behind gsuite domains, and it supports authentication against github and other providers too.

cldellow5y ago

Also https://github.com/Widen/cloudfront-auth if you're OK fronting your service with CloudFront and Lambda@Edge for auth.

anderspitman5y ago

Very cool. Just curious, if you're using this for your homelab, what method are you using to connect to upstream servers? Just forwarding ports?

aritmo5y ago

Shouldn't there be a hyphen in "identity-aware proxy"?

jazoom5y ago

And the rest

"the poor mans identity aware proxy, easy to use setup for beyondcorp in your homelab"

"the poor man's identity-aware proxy with an easy-to-use setup for beyondcorp in your homelab"

j / k navigate · click thread line to collapse