tobab: the poor man's identity aware proxy, an easy to use setup for BeyondCorp in your homelab
It allows you to connect one or more identity providers (currently, only google is supported) and grant access to backends based on the identity of the user.
- Easy to use (single binary with single config file)
- Secure by default (automatic https with letsencrypt, secure cookies)
- Sane defaults (No public access unless explicitly added)
- Extreme security
- Reliability (web server restarts whenever a route is added / modified / deleted)
- download an appropriate release from the releases page
- place a `tobab.toml` file somewhere and set the env var `TOBAB_CONFIG` to that location
- configure the google key and secret by creating a new oauth application
- make sure port 80 and port 443 are routed to the host you are running it on
- start tobab with appropriate permissions to bind on port 80 and 443
- ???
- profit
```toml
hostname = "login.example.com"
cookiescope = "example.com"
secret = "some-secret"
certdir = "path to dir with write access"
email = "[email protected]"
googlekey = "google id"
googlesecret = "google secret"
loglevel = "debug" # or info, warning, error
databasepath = "./tobab.db"
```
```text
Usage: tobab <command>

Flags:
  -h, --help             Show context-sensitive help.
      --debug
  -c, --config=STRING    config location

Commands:
  run
    start tobab server

  validate
    validate tobab config

  host list
    list all hosts

  host add --hostname=STRING --backend=STRING --type=STRING
    add a new proxy host

  host delete --hostname=STRING
    delete a host

  version
    print tobab version

  token create --email=STRING --ttl=STRING
    generate a new token

  token validate --token=STRING
    Get fields from a token

Run "tobab <command> --help" for more information on a command.
```
```sh
# add a host
tobab host add --hostname=test.example.com --backend=127.0.0.1:8080 --type=http --public
# list hosts
tobab host list
# delete a host
tobab host delete --hostname=test.example.com
# manually create an access token (useful for automation, see automation below)
tobab token create --email=<email> --ttl="800h"
# validate a token (and get information)
tobab token validate --token=<token>
```
```http
# @name addHost
POST /v1/api/host
User-Agent: curl/7.64.1
Accept: */*
Cookie: X-Tobab-Token=<token>

{
  "Hostname": "route.example.com",
  "Backend": "https://example.com",
  "Type": "http",
  "Public": false,
  "Globs": [ "*@example.com" ]
}

###
# @name addHost
POST /v1/api/host
User-Agent: curl/7.64.1
Accept: */*
Cookie: X-Tobab-Token=<token>

{
  "Hostname": "route2.example.com",
  "Backend": "https://example.com",
  "Type": "http",
  "Public": false,
  "Globs": [ "*" ]
}

###
# @name addHost
POST /v1/api/host
User-Agent: curl/7.64.1
Accept: */*
Cookie: X-Tobab-Token=<token>

{
  "Hostname": "route2.example.com",
  "Backend": "https://example.com",
  "Type": "http",
  "Public": true
}

###
# @name delHost
DELETE /v1/api/host/route2.example.com
User-Agent: curl/7.64.1
Accept: */*
Cookie: X-Tobab-Token=<token>

###
```
If you have an API running behind tobab, you can issue tokens manually and add them to the request headers yourself. Combine the example API calls and the example CLI commands in this readme to see how to do just that :).
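As an added example (not part of tobab), the following script puts the CLI and API examples above together: it mints a token with `tobab token create`, then builds the `POST /v1/api/host` and `DELETE /v1/api/host/<hostname>` requests with the token in the `X-Tobab-Token` cookie. It assumes the token is printed on stdout and that the API is served on the configured `hostname` (`login.example.com` below is a constructed value); the glob check is the script's own sanity guard, not documented tobab behaviour.

```python
"""Automate tobab's host API with a manually issued token (added example, not tobab's code).
Assumes `tobab token create` prints the token on stdout and that the API lives on the
configured `hostname`; API_BASE is a constructed value."""
import json
import subprocess
from urllib.request import Request, urlopen

API_BASE = "https://login.example.com"  # constructed: the `hostname` from tobab.toml


def mint_token(email: str, ttl: str = "800h", run=subprocess.run) -> str:
    """Issue a token via the CLI; `run` is injectable so the logic can be tested offline."""
    proc = run(["tobab", "token", "create", f"--email={email}", f"--ttl={ttl}"],
               capture_output=True, text=True, check=True)
    return proc.stdout.strip()


def build_host_request(token, hostname, backend, public=False, globs=(),
                       host_type="http", base=API_BASE):
    """Build the POST /v1/api/host request; the token travels as the X-Tobab-Token cookie."""
    if not public and not globs:
        # Script's own guard (not documented tobab behaviour): a non-public
        # route with no identity globs would let nobody through.
        raise ValueError("non-public host needs at least one glob")
    body = {"Hostname": hostname, "Backend": backend, "Type": host_type, "Public": public}
    if not public:
        body["Globs"] = list(globs)  # only non-public routes carry identity globs
    headers = {"Accept": "*/*", "Content-Type": "application/json",
               "Cookie": f"X-Tobab-Token={token}"}
    return Request(f"{base}/v1/api/host", data=json.dumps(body).encode(),
                   headers=headers, method="POST")


def build_delete_request(token, hostname, base=API_BASE):
    """Build the DELETE /v1/api/host/<hostname> request."""
    return Request(f"{base}/v1/api/host/{hostname}", method="DELETE",
                   headers={"Accept": "*/*", "Cookie": f"X-Tobab-Token={token}"})


def send(req, timeout=10):
    """Perform a built request and return (status, body)."""
    with urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    token = mint_token("admin@example.com")  # constructed address
    req = build_host_request(token, "route.example.com", "https://example.com",
                             globs=["*@example.com"])
    print(send(req))
```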