Show HN: Tobab, a poor mans identity aware proxy. “BeyondCorp” for selfhosters
Over the last year I got frustrated with the complexity projects like traefik and caddy have gained recently. While I do love Caddy still, it seems like it wants to do too much, which I understand because they have a commercial offering, but I wanted something simpler.
So I set out to build a truly simple proxy that can do the following:
* automatic certificates with letsencrypt (using the library created by the awesome caddy team)
* authenticate users (currently only sign in with google is supported, but the underlying library should make it trivial to extend this)
* authorize users based on simple glob matching
* allow creating (and modifying) routes by CLI and API
Building this I truly started to appreciate the meaning of standing on the shoulders of giants, the Go libraries I've used are extensive and made this application a lot easier to create.
While tobab is by no means finished, if you are looking for an easy-to-use reverse proxy that will handle certificates and auth for you, this could be the tool you are looking for.
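To make the "authorize users based on simple glob matching" and "no public access unless explicitly added" behaviour concrete, here is an added example of my own (not tobab's code) of what that decision looks like in front of a Go reverse proxy. The `Route` type, `key`, `allowed` and `newHandler` are hypothetical names, and `identityOf` stands in for the signed-session-cookie verification a real identity-aware proxy performs before this point.

```go
package main

import (
	"net/http"
	"net/http/httputil"
	"net/url"
	"path"
	"strings"
)

// Route is a hypothetical tobab-style route; a new route allows nobody.
type Route struct {
	Host, Upstream string
	Allow          []string // identity globs, e.g. "*@example.com"
	proxy          *httputil.ReverseProxy
}
// key normalizes a Host value for lookup: lowercase, :port dropped (hostnames only).
func key(h string) string { return strings.ToLower(strings.SplitN(h, ":", 2)[0]) }
// allowed: some glob must match the identity; anonymous ("") never matches,
// even against "*", and a malformed glob counts as no match, never as allow.
func allowed(globs []string, email string) bool {
	for _, g := range globs {
		m, err := path.Match(strings.ToLower(g), strings.ToLower(email))
		if err == nil && m && email != "" {
			return true
		}
	}
	return false
}
// newHandler gates one ReverseProxy per route. identityOf stands in for the
// session-cookie verification a real IAP does; it returns "" when anonymous.
func newHandler(routes []Route, identityOf func(*http.Request) string) http.Handler {
	byHost := map[string]Route{}
	for _, r := range routes {
		u, err := url.Parse(r.Upstream)
		if err != nil {
			panic(err)
		}
		r.proxy = httputil.NewSingleHostReverseProxy(u)
		byHost[key(r.Host)] = r
	}
	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		r, ok := byHost[key(req.Host)]
		if !ok || !allowed(r.Allow, identityOf(req)) { // unknown host or no match: deny
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		r.proxy.ServeHTTP(w, req)
	})
}
```

Note that an unknown Host, an anonymous request and a route with no globs all end in a 403 before anything reaches the upstream, which is the deny-by-default property the thread praises.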
Thanks for sharing.
Very nice:
- Secure by default (automatic https with letsencrypt, secure cookies)
- Sane defaults (No public access unless explicitly added)
Curious (not nit picking). What's the high level possibility of allowing keycloak (or another self hosted auth provider)?
Looks like you are leveraging goth... fairly simple for someone to extend down the road via a contribution, correct? https://github.com/gnur/tobab/blob/2d1fa1227d1f56ee332d3d83b...
If keycloak provides an openID connect endpoint it should be fairly trivial to extend tobab to use it.
Goth might actually have specific support for keycloak, but I'm not sure about that to be honest.
I'd only ever used Caddy for a hobby project a few years ago. Just recently I needed something quickly for a reverse proxy. I looked at traefik because I'd heard a lot about it and quickly came to the same conclusion as you - too rich. I thought I'd have a look at the docs for the new-ish Caddy v2.
After a bit of reading, I was shocked that I had set up a reverse proxy with just a single 2 line "caddyfile":
    subdomain.mydomain.ltd
    reverse_proxy 127.0.0.1:5000
For my humble use case it couldn't be any simpler.
I can make it simpler:
    $ caddy reverse-proxy --from subdomain.mydomain.tld --to 127.0.0.1:5000
Is equivalent, no config file needed :)
I recently did an "identity aware proxy" deployment to protect a service with SAML, but I used good ol' Apache with mod_proxy. SAML authentication was handled by mod_auth_mellon, and certbot has great integration with Apache. I didn't have to edit any Apache config files for TLS - certbot did it all for me. It even automatically set up systemd to automatically renew. I was really impressed.
Looks great! I have a homelab that already has HTTPS/letsencrypt via an Nginx reverse-proxy, and I use https simple auth for connections coming from the Internet. I’m interested in replacing simple-auth with Tobab. Does the configuration support disabling the letsencrypt parts (since I already have that)? Is there an API route on the tobab hostname (eg tobab.example.com/verify/private.example.com) to verify a cookie authorization that I can configure Nginx to call, instead of needing to proxy all traffic through Tobab?
How does this compare to Pomerium or other open source IAPs?
Another contender in this area would be:
https://github.com/oauth2-proxy/oauth2-proxy
I've used that to gate access to internal things behind gsuite domains, and it supports authentication against github and other providers too.
Also https://github.com/Widen/cloudfront-auth if you're OK fronting your service with CloudFront and Lambda@Edge for auth.
Very cool. Just curious, if you're using this for your homelab, what method are you using to connect to upstream servers? Just forwarding ports?
Shouldn't there be a hyphen in "identity-aware proxy"?
And the rest
"the poor mans identity aware proxy, easy to use setup for beyondcorp in your homelab"
->
"the poor man's identity-aware proxy with an easy-to-use setup for beyondcorp in your homelab"