5 releases
| new 0.5.3 | Apr 28, 2025 |
|---|---|
| 0.5.2 |
|
| 0.4.2 | Apr 24, 2025 |
#1382 in Authentication
450 downloads per month
120KB
938 lines
ProxyAuth (Community Edition)
ProxyAuth secures backend APIs through a fast authentication gateway. It encrypts tokens using ChaCha20 + HMAC-SHA256, with config-defined secrets. It features built-in rate limiting (on proxy and auth routes) and uses Argon2 with auto-generated salts for secure password hashing. The service is extremely fast, handling 100,000+ requests per second under load.
**Project based on a other personal project (evolution): rust_actixweb_token
Documentation
Auto Salt config.json password for argon2
Please enter your password in config.json. The application will automatically generate the Argon2 salt on first startup and rewrite the file with the hashed password.
Rate Limiting
- Implements rate limiting per user rather than per token. This means that if someone generates 150 tokens and uses them simultaneously, the rate limit will still apply to the user, not to each token separately, unlike traditional systems. This mechanism applies to all routes managed by ProxyAuth.
- Adds rate limiting to the /auth route to help protect against brute-force attacks and excessive request traffic. The rate limiting behavior—such as request limits, configurable via the config.json file. This allows for dynamic adjustments without needing to modify the application code. The implementation uses a middleware layer that evaluates each incoming request to /auth and applies the configured limits accordingly.
ProxyAuth Usage
Configuration file
routes.yml configuration file:
routes:
- prefix: "/redoc"
target: "http://127.0.0.1:8000/redoc"
secure: false
- prefix: "/api_test/openapi.json"
target: "http://localhost:8000/api_test/openapi.json"
secure: false
- prefix: "/api_test"
target: "http://localhost:8000/api_test"
username: ["admin", "alice1", "alice15", "alice30"]
proxy: true/false # --> configure proxy
proxy_config: "http://myproxyurl:8888" # --> pass via proxy for call the target.
cert: {"file": "certificat.pk12", "password": "1234"} # /!\ this fonctionnality is experimental untested version 0.5.0 /!\
config.yml configuration file:
{
"token_expiry_seconds": 3600,
"secret": "supersecretvalue",
"host": "127.0.0.1",
"port": 8080,
log: {"type": "local"}, --> use for loki {"type": "loki", "host": "http://host_loki:port"}
"ratelimit":{
"requests_per_second": 5, --> Number requests per seconds for proxy call
"burst": 10, --> burst allow requests
"block_delay": 100, --> number block requests in milliseconds
"auth": 5 --> number blocked authentifications user per seconds
},
"worker": 4,
"users": [
{ "username": "admin", "password": "admin123" },
{ "username": "bob", "password": "bobpass" },
{ "username": "alice1", "password": "alicepass" }
]
}
To compile the server
cargo build --release
To run the binary
./target/release/proxyauth
Post-compilation structure:
--- app (parent directory)
| --- proxyauth (binary)
| --- config/
|--- config.json (user/server configurations)
|--- routes.yml (route configurations)
You can then copy the binary anywhere; it will work on any Linux architecture compatible with your current OS.
**You must create config.json and routes.yml at the root of the binary. See examples here: config.json and routes.yml
Use on docker
docker compose build
docker compose up -d
Use this services easy on docker
Change configuration on docker-compose.yml overwrite configuration
volumes:
- ./config/config.json:/app/config/config.json
- ./config/routes.yml:/app/config/routes.yml
restart container
docker compose restart
TODO
- Log to stdout using
tracing(Rust log lib) [still being deployed] Protect passwords config.json using Argon2.[Done v0.4.0]Add Loki integration with tracing [needs further exploration][Done >=0.5.2]- Add revoke token method.
ProxyAuth Advantages
- Centralized access point
- Secure tokens using CHACHA20 (HMAC SHA-256 + ROTATE) just define the same secret across all instances to have the same token calculations (if use the same images).
Semi-static tokens (refresh_token is only recalculated at intervals defined in the config)- Tokens can be recalculated using a random exponential factor, allowing for further complexity.
- Possible send logs via loki [>=0.5.2]
Potential Disadvantages
- If someone can reverse-engineer the hash, they could potentially access services. This is why you must define a secure secret (over 64 characters!) in the config. This method is used in Django for password hashing via PBKDF2: https://docs.djangoproject.com/en/5.1/ref/settings/#std-setting-SECRET_KEY
ProxyAuth Structure
The server behaves like an authentication proxy.
Refresh token route:
sequenceDiagram
autonumber
participant C as Client
participant P as ProxyAuth
C->>+P: POST http://127.0.0.1:8080/auth<br>-H "Content-Type: application/json"<br>-d {"username": "user", "password": "pass"}
P->>+P: Check credential
P->>+C: return json format <br>{"expires_at":"2025-04-12 16:15:20","token":"4GJeCUwOzILd..."}
Scenario 1: Valid Token
sequenceDiagram
autonumber
participant C as Client
participant P as ProxyAuth
participant A as API/Service
C->>+P: Send token Header <br> -X POST http://127.0.0.1:8080/api -H "Content-Type: application/json" <br>-H "Authorization: Bearer UmbC0ZgATdXE..." -d {"data": "test"}
P->>+P: Check token send by client
P->>+A: Forward original request <br> POST http://192.168.1.80/api_test <br>-H "Content-Type: application/json" <br>-d {"data": "test"}
A-->>-P: Response
P-->>-C: Response
Scenario 2: Invalid Token
sequenceDiagram
autonumber
participant C as Client
participant P as ProxyAuth
participant E as API/Service
C->>+P: Send token Header<br> -H "Authorization: Bearer UmbC0ZgATdXE..."
P->>+P: Check token send by client
P-->>-C: Invalid Token
Note over E: No external request made
This application allows applying global authentication tokens to any application, removing the need for them to implement token validation themselves, which simplifies future development.
Dependencies
~23–37MB
~628K SLoC