Skip to content
/ tobab Public

tobab: the poor mans identity aware proxy, easy to use setup for beyondcorp in your homelab

License

Notifications You must be signed in to change notification settings

gnur/tobab

Repository files navigation

tobab

tobab: an opinionated poor mans identity-aware proxy enabler. Use it as a forward auth target with caddy, nginx or traefik.

tobab gopher logo

It uses passkeys for simple and robust authentication.

goals

  • Passkey enabled user management
  • Admin with Web UI for access management
  • Easy to use (single docker container with simple config)

non-goals

  • any authn that isn't passkeys

wishlist (not implemented yet)

  • metrics
  • API key support for non-browser session based validation
  • access denied message
  • better error handling with feedback to user
  • better splitting of templates and javascript (not a single script for login and register)
  • testing with Traefik
  • testing with nginx
  • additional storage interface implementations to allow it to be more cloud native

getting started

  • See the k8s-example dir for a kustomize setup for tobab and deploy to k8s
  • make sure dns is setup correctly
  • Setup caddy to use this new endpoint for forward auth:
login.example.com {
  reverse_proxy tobab.tabab.svc

}
secure.example.com {
        forward_auth tobab.tobab.svc {
                uri /verify
        }
        reverse_proxy some_other_host:8080
}
  • create a new user at login.example.com/register (first user created becomes the admin user)
  • visit secure.example.com and be authenticated through your passkey
  • login with the new user

example config file

hostname = "login.example.com" #hostname where the login occurs
displayname = "example displayname" #used for passkey creation
cookiescope = "example.com" #this will allow all subdomains of example.com to have sso with tobab
loglevel = "debug" #or info, warning, error
databasepath = "./tobab.db"

acknowledgements

This project could hot have been what it is today without these great libraries:

  • github.com/gin-gonic/gin excellent request router
  • github.com/asdine/storm embedded database built upon bolt which makes persistence very easy