
Show HN: Tobab, a poor mans identity aware proxy. “BeyondCorp” for selfhosters - gnur
https://github.com/gnur/tobab/
======
gnur
Over the last year I got frustrated with the complexity projects like traefik
and caddy have gained recently. While I do love Caddy still, it seems like it
wants to do too much, which I understand because they have a commercial
offering, but I wanted something simpler.

So I set out to build a truly simple proxy that can do the following:

* automatic certificates with letsencrypt (using the library created by the awesome caddy team)

* authenticate users (currently only sign in with google is supported, but the underlying library should make it trivial to extend this)

* authorize users based on simple glob matching

* allow creating (and modifying) routes by CLI and API

Building this, I truly started to appreciate the meaning of standing on the
shoulders of giants: the Go libraries I've used are extensive and made this
application a lot easier to create.

While tobab is by no means finished, if you are looking for an easy-to-use
reverse proxy that will handle certificates and auth for you, this could be
the tool you are looking for.

~~~
masonhensley
Thanks for sharing.

Very nice:

- Secure by default (automatic https with letsencrypt, secure cookies)

- Sane defaults (No public access unless explicitly added)

Curious (not nit picking). What's the high level possibility of allowing
keycloak (or another self hosted auth provider)?

Looks like you are leveraging goth... fairly simple for someone to extend down
the road via a contribution, correct?
[https://github.com/gnur/tobab/blob/2d1fa1227d1f56ee332d3d83b...](https://github.com/gnur/tobab/blob/2d1fa1227d1f56ee332d3d83b2c135fba382d7cb/cmd/tobab/tobab.go#L87)

Ref -
[https://github.com/markbates/goth/issues/319](https://github.com/markbates/goth/issues/319)

~~~
gnur
If Keycloak provides an OpenID Connect endpoint it should be fairly trivial to
extend tobab to use it.

Goth might actually have specific support for keycloak, but I'm not sure about
that to be honest.

------
invokestatic
I recently did an "identity aware proxy" deployment to protect a service with
SAML, but I used good ol' Apache with mod_proxy. SAML authentication was
handled by mod_auth_mellon, and certbot has great integration with Apache. I
didn't have to edit any Apache config files for TLS - certbot did it all for
me. It even automatically set up systemd to automatically renew. I was really
impressed.

------
jitl
Looks great! I have a homelab that already has HTTPS/letsencrypt via an Nginx
reverse-proxy, and I use https simple auth for connections coming from the
Internet. I’m interested in replacing simple-auth with Tobab. Does the
configuration support disabling the letsencrypt parts (since I already have
that)? Is there an API route on the tobab hostname (e.g.
tobab.example.com/verify/private.example.com) to verify a cookie authorization
that I can configure Nginx to call, instead of needing to proxy all traffic
through Tobab?
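
As an added illustration of the verify route asked about above, combined with the glob-based authorization from the original post (example code written for this thread, not tobab's own code): a Go handler that nginx could call as an auth_request target. The cookie name tobab_session, the email|HMAC cookie layout and the host-to-glob rule table are all assumptions constructed for the example, not tobab's real format.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"net/http"
	"path"
	"strings"
)

// Constructed demo secret and rules (host -> email globs, in the spirit of
// gnur's "simple glob matching"); not tobab's real config or cookie format.
var secret = []byte("constructed-demo-secret")
var rules = map[string][]string{
	"private.example.com": {"*@example.com"},
	"admin.example.com":   {"admin@example.com"},
}

// sign builds the session cookie value "email|hex(HMAC-SHA256(secret, email))".
func sign(email string) string {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(email))
	return email + "|" + hex.EncodeToString(m.Sum(nil))
}

// authorize maps a cookie value presented for host to an HTTP status:
// 401 if the MAC is missing or wrong, 403 if no glob matches, 200 otherwise.
func authorize(host, cookie string) int {
	i := strings.LastIndexByte(cookie, '|')
	if i < 0 || !hmac.Equal([]byte(sign(cookie[:i])), []byte(cookie)) {
		return http.StatusUnauthorized
	}
	for _, pat := range rules[host] {
		if ok, _ := path.Match(pat, cookie[:i]); ok {
			return http.StatusOK
		}
	}
	return http.StatusForbidden
}

// verifyHandler serves GET /verify/<host> as an nginx auth_request target:
// nginx forwards the browser's cookie and allows the request only on 200.
func verifyHandler(w http.ResponseWriter, r *http.Request) {
	cookie := ""
	if c, err := r.Cookie("tobab_session"); err == nil {
		cookie = c.Value
	}
	w.WriteHeader(authorize(strings.TrimPrefix(r.URL.Path, "/verify/"), cookie))
}
```

With nginx, the matching side is an `auth_request /verify/private.example.com;` location that proxies to this handler with the original Cookie header passed through.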

------
kernelbugs
How does this compare to Pomerium or other open source IAPs?

~~~
stevekemp
Another contender in this area would be:

[https://github.com/oauth2-proxy/oauth2-proxy](https://github.com/oauth2-proxy/oauth2-proxy)

I've used that to gate access to internal things behind GSuite domains, and it
supports authentication against GitHub and other providers too.

~~~
cldellow
Also [https://github.com/Widen/cloudfront-auth](https://github.com/Widen/cloudfront-auth)
if you're OK fronting your service with CloudFront and Lambda@Edge for auth.

------
anderspitman
Very cool. Just curious, if you're using this for your homelab, what method
are you using to connect to upstream servers? Just forwarding ports?

------
aritmo
Shouldn't there be a hyphen in "identity-aware proxy"?

~~~
jazoom
And the rest

"the poor mans identity aware proxy, easy to use setup for beyondcorp in your
homelab"

->

"the poor man's identity-aware proxy with an easy-to-use setup for beyondcorp
in your homelab"

