
Who is using Vouch Proxy? What are you using it for?

Open bnfinet opened this issue 3 years ago • 22 comments

As we work to improve Vouch Proxy and work on the Vouch project overall we'd like to hear from you about your usage of VP.

Please take a moment to chime in here about how you're using VP and anything else you'd like to share about your setup and your organization.

If you have a particularly interesting setup we may add it to the list of advanced configurations in the README.

bnfinet avatar Aug 07 '20 16:08 bnfinet

I run two instances of Vouch Proxy in very different configurations:

Home

I have Vouch on my home nginx server and it sits in front of a few different applications and other internal servers which either don't have their own authentication or I don't trust their authentication.

Vouch is configured to use my Gitea instance for authentication, and I am the only allowed user.

IndieWeb

I run Vouch on indieweb.org to authenticate to a few apps behind the proxy.

  • MediaWiki - The main site indieweb.org is a MediaWiki instance with a plugin to auto-create MW users based on the header Vouch sets
  • Meetable - Our events site events.indieweb.org which supports Vouch natively

In this case Vouch is configured to use https://indielogin.com to authenticate users. Anyone is allowed to log in, and the sites are visible publicly without authentication, but editing is only allowed after a user logs in.

aaronpk avatar Aug 07 '20 16:08 aaronpk

Currently running 3 instances of Vouch personally, while also pushing towards usage at work for various cloud webapps.

Personal

Three different servers (one at home) with Vouch and Nginx running within docker. All set to auth against AzureAD.

Used so I can make any service accessible across the internet without worrying about security. I would much rather have nginx as the web facing service instead of the services behind it.

Work

We run lots of services while in development, and developers often set up temporary authentication systems within an app. I would like to move this towards Vouch proxy for two reasons:

  • Don't need to pay for AWS/AZURE/GCP versions.
  • Same vouch base setup can be used across all clouds for all services. This is much easier for us to manage from a security point of view

AKTheKnight avatar Sep 05 '20 18:09 AKTheKnight

Home Vouch and Nginx will allow a single sign on to all services on my homeserver.

  • First thing using vouch will be Home Assistant (a pull request already exists).
  • Then I need to figure out if Node-RED, and the other services I use support external authentication

ReneHezser avatar Sep 11 '20 15:09 ReneHezser

I'm using a couple of instances with nginx to protect access to directories of files on webservers. Using google as the oauth provider.

ArcolaJasper avatar Sep 18 '20 15:09 ArcolaJasper

Right now it's used to provide authentication to a family tree app that doesn't have a robust auth layer of its own; I don't want to manage new user accounts for family, and have more passwords for them to remember/forget, so it authenticates from google and I handle authorization in vouch by whitelisting email addresses.

I want to be able to use this with Discord as both authn and authz, so I can have a website automatically visible to users who have the appropriate roles within a discord server. This may be a bit of a bigger stretch. I'd put the discord server ID and role name into the vouch config and expect magic to happen. I haven't read #312 yet :-)

Ultimately Vouch simplifies the development of lightweight web applications, by allowing them to ignore authn and perhaps also authz, but the end-user experience is much better than .htpasswd :-)

jimcheetham avatar Sep 19 '20 22:09 jimcheetham

I run a Mastodon social media server and I want to be able to provide secondary services to my users. Prior to discovering Vouch, I was writing custom code into every new application to make the Mastodon OAuth dance happen but now I can just shove the simpler ones behind vouch-proxy and call it a day. Makes my life so much easier.

dariusk avatar Oct 08 '20 03:10 dariusk

Using it as a zero-trust edge for my home server with nginx. Google OAuth with a restricted allow-list of users.

khorwood avatar Nov 06 '20 20:11 khorwood

(trying to) Use it in combo with Micro Focus Access Manager (previously NetIQ) for my small company and testing lab.

Glowsome avatar Nov 10 '20 23:11 Glowsome

I use it with Okta to front openhab for my Tesla, whose browser does not support BasicAuth.

billfor avatar Nov 21 '20 17:11 billfor

As an alternative to bitly/oauth2_proxy to provide SSO for in-house applications. We deploy to k8s and needed a way to authenticate services. We already use okta and this provides the easiest integration. One big benefit is one can deploy a single instance of vouch instead of a proxy per service. Requiring auth becomes as simple as adding the right annotations to a service's ingress.

frisson avatar Dec 09 '20 03:12 frisson

I have a complete cloud stack template (app + ci + deploy in cloud providers with oauth). There are other oauth systems, but for a flexible simple single oauth service vouch is reliable and simple. I use node.js instead of nginx as the router of requests (maybe that config could be useful to others, idk it feels a pretty rare case). In a sense it replaces using Auth0, Okta, etc, or an integrated OAuth library like http://www.passportjs.org/. There's just so much complexity, possible vendor lock-in, expense, etc, that sometimes a tool solving a single task is preferable, at least in the beginning.

dionjwa avatar Jan 13 '21 07:01 dionjwa

@dionjwa thanks for offering your setup and the kind words for VP.

I'm very curious about your usage of node.js in front of VP. I'm sure it would be of value to other users if you cared to share more about how you're interacting with VP from node. On occasion I've thought to myself that we should host language specific libraries to support interaction with VP. If you were at all interested in working towards a javascript or typescript library for VP interaction I'd be happy to be a resource to you.

bnfinet avatar Jan 15 '21 02:01 bnfinet

@bnfinet See the issue linked above (I don't want to pollute this issue). I hope it's useful, happy to answer any questions about it, hopefully it makes sense. There may be some parts of the API I'm not doing properly, that I don't understand, like the vouch error handling possibly.

dionjwa avatar Feb 03 '21 05:02 dionjwa

I've just transitioned from oauth2proxy to vouch proxy to secure an octoprint server. Working great right now! It was easy to set up thanks to the nginx examples :). One question tho, can I create a separate file for the email whitelist instead of listing allowed emails in the config?

erdemozor avatar Aug 18 '21 01:08 erdemozor

I'm an intranet web developer for an NGO. We're migrating from apache2 to nginx and vouch-proxy seems like an appropriate solution for keeping our internal Drupal sites behind single sign on.

ryanblackmore avatar Aug 18 '21 16:08 ryanblackmore

Right now I'm testing it on a few web applications that don't have native SSO functionality. A big draw of Vouch-Proxy was the addition of ADFS since that's the OAuth provider of choice in certain situations.

masoncashews avatar Sep 21 '21 13:09 masoncashews

I'm working at a boarding school that has 5 web apps from different providers. Because of the pandemic, many teachers are asking to access those web apps from home. VP really helps to secure all those web apps in public access.

fakhrulraharjo avatar Oct 16 '21 00:10 fakhrulraharjo

I use vouch-proxy to give specific users on Discord access to the web application I am building. Currently I have whitelisted only names but would like to whitelist id:discriminator from Discord since the names can be changed arbitrarily.

temrix avatar Dec 16 '21 22:12 temrix

Using it at my org to provide a simple SSO solution for various backend apps which support header authentication/authorization, like Jenkins, Grafana, etc. Did some research with other solutions but I feel this is probably the best solution if you can do some Lua coding and if the actual backend supports header auth (looks like many apps do provide it, as this is probably the most straightforward way vs trying to work with 20 diff SSO providers).

Great idea and output in a tiny package! Thank you to all the contributors.

skaravad avatar Dec 22 '21 23:12 skaravad

I want to use vouch-proxy as a language agnostic authentication layer since I'm trying to bootstrap a web stack for Scala Native which doesn't have any library for JWT or any OAuth web framework yet. Delegating this work to a sidecar running vouch-proxy seems like a great idea.

lolgab avatar May 22 '22 14:05 lolgab

I used it to roll out a small python-based internal tool at my org. VP + NGINX allowed us to get this going without having to do any fiddly auth in the app itself, and plugged right in to our existing Google stuff.

Thank you!

tylerfontaine avatar Jun 13 '22 23:06 tylerfontaine

I currently use vouch with keycloak which was a bit bumpy at first, but ended up working in the end :) I'm also trying to use it with zitadel, but still working on getting that working together.

jessebot avatar Aug 30 '23 11:08 jessebot