Project author: cogolabs

Project description:
BeyondCorp-inspired Access Proxy. Secure internal services outside your VPN/perimeter network during a zero-trust transition.
Language: Go
Repository: git://github.com/cogolabs/beyond.git
Created: 2017-08-13T18:29:25Z
Project community: https://github.com/cogolabs/beyond

License: Other


beyond

Control access to services beyond your perimeter network. Deploy with split-DNS to take load off the VPN during a zero-trust transition. Inspired by Google BeyondCorp research: https://research.google.com/pubs/pub45728.html

Features

  • Authenticate via:
    • OpenID Connect
    • OAuth2 Tokens
    • SAMLv2
  • Automate Configuration w/ https://your.json
  • Customize Nexthop Learning (via Favorite Ports: 443, 80, …)
  • Supports WebSockets
  • Supports GitHub Enterprise
  • Supports Private Docker Registry APIs (v2)
  • Analytics with ElasticSearch
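Nexthop learning, as listed above and configured by the -learn-https-ports, -learn-http-ports and -learn-dial-timeout flags under Usage, means the proxy discovers which port a backend listens on by probing a favorite-port list: HTTPS ports first, then HTTP ports, skipping any port that does not connect within the dial timeout. The following is an added example written for this page, not beyond's own code; `parsePorts`, `learnNexthop` and `demoLearn` are names chosen here, and the loopback listeners are constructed stand-ins for a backend and for a dead port.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
	"time"
)

// parsePorts parses a csv port list in the shape the -learn-https-ports and
// -learn-http-ports flags take, e.g. "443,4443,6443,8443,9443,9090".
func parsePorts(csv string) ([]int, error) {
	var ports []int
	for _, f := range strings.Split(csv, ",") {
		f = strings.TrimSpace(f)
		if f == "" {
			continue
		}
		p, err := strconv.Atoi(f)
		if err != nil || p < 1 || p > 65535 {
			return nil, fmt.Errorf("invalid port %q", f)
		}
		ports = append(ports, p)
	}
	return ports, nil
}

// learnNexthop walks the HTTPS ports first, then the HTTP ports, in the order
// given. A port that does not complete a TCP connection within dialTimeout is
// skipped. It returns the first reachable base URL, or "" if nothing answered.
// This is only a TCP reachability probe: it does not prove that the port
// actually speaks TLS or HTTP.
func learnNexthop(host string, httpsPorts, httpPorts []int, dialTimeout time.Duration) string {
	try := func(scheme string, ports []int) string {
		for _, p := range ports {
			addr := net.JoinHostPort(host, strconv.Itoa(p))
			conn, err := net.DialTimeout("tcp", addr, dialTimeout)
			if err != nil {
				continue // refused or timed out: skip this port
			}
			conn.Close()
			return scheme + "://" + addr
		}
		return ""
	}
	if u := try("https", httpsPorts); u != "" {
		return u
	}
	return try("http", httpPorts)
}

// demoLearn stands up a throwaway loopback listener to play a backend that only
// listens on a plain-HTTP port, plus one freshly closed port to play an
// unreachable HTTPS port, then runs the learner against them (constructed
// inputs). It returns the learned URL next to the URL we expect.
func demoLearn() (learned, expected string, err error) {
	open, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", "", err
	}
	defer open.Close()
	closed, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", "", err
	}
	closedPort := closed.Addr().(*net.TCPAddr).Port
	closed.Close() // nothing listens here any more, so the HTTPS probe must fail
	openPort := open.Addr().(*net.TCPAddr).Port

	learned = learnNexthop("127.0.0.1", []int{closedPort}, []int{openPort}, time.Second)
	expected = "http://" + net.JoinHostPort("127.0.0.1", strconv.Itoa(openPort))
	return learned, expected, nil
}

func main() {
	learned, expected, err := demoLearn()
	if err != nil {
		panic(err)
	}
	fmt.Println("learned:", learned, "expected:", expected)
}
```

The order matters for security: because the HTTPS list is exhausted before any HTTP port is tried, a backend that exposes both is reached over TLS, and a backend that only exposes plain HTTP is still reachable, so its traffic between the proxy and the backend is unencrypted. Learning is also purely reachability-based, which is why the help text offers `-learn-nexthops=false` to require explicit allowlisting instead.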

Install

  $ docker pull cogolabs/beyond

or:

  $ go get -u -x github.com/cogolabs/beyond

Usage

  $ docker run --rm -p 80:80 cogolabs/beyond httpd --help
    -401-code int
        status to respond when a user needs authentication (default 418)
    -404-message string
        message to use when backend apps do not respond (default "Please contact the application administrators to setup access.")
    -allowlist-url string
        URL to site allowlist (eg. https://github.com/myorg/beyond-config/main/raw/allowlist.json)
    -beyond-host string
        hostname of self (default "beyond.myorg.net")
    -cookie-age int
        MaxAge setting in seconds (default 21600)
    -cookie-domain string
        session cookie domain (default ".myorg.net")
    -cookie-key1 string
        key1 of cookie crypto pair (example: "t8yG1gmeEyeb7pQpw544UeCTyDfPkE6u")
    -cookie-key2 string
        key2 of cookie crypto pair (example: "Q599vrruZRhLFC144thCRZpyHM7qGDjt")
    -cookie-name string
        session cookie name (default "beyond")
    -docker-auth-scheme string
        (only for testing) (default "https")
    -docker-url string
        when there is only one (legacy option) (default "https://docker.myorg.net")
    -docker-urls string
        csv of docker server base URLs (default "https://harbor.myorg.net,https://ghcr.myorg.net")
    -error-color string
        css h1 color for errors (default "#69b342")
    -error-email string
        address for help (eg. support@mycompany.com)
    -error-plain
        disable html on error pages
    -federate-access string
        shared secret, 64 chars, enables federation
    -federate-secret string
        internal secret, 64 chars
    -fence-url string
        URL to user fencing config (eg. https://github.com/myorg/beyond-config/main/raw/fence.json)
    -header-prefix string
        prefix extra headers with this string (default "Beyond")
    -health-path string
        URL of the health endpoint (default "/healthz/ping")
    -health-reply string
        response body of the health endpoint (default "ok")
    -home-url string
        redirect users here from root (default "https://google.com")
    -host-masq string
        rewrite nexthop hosts (format: from1=to1,from2=to2)
    -http string
        listen address (default ":80")
    -insecure-skip-verify
        allow TLS backends without valid certificates
    -learn-dial-timeout duration
        skip port after this connection timeout (default 5s)
    -learn-http-ports string
        after HTTPS, try these HTTP ports (csv) (default "80,8080,6000,6060,7000,7070,8000,9000,9200,15672")
    -learn-https-ports string
        try learning these backend HTTPS ports (csv) (default "443,4443,6443,8443,9443,9090")
    -learn-nexthops
        set false to require explicit allowlisting (default true)
    -log-elastic string
        csv of elasticsearch servers
    -log-elastic-interval duration
        how often to commit bulk updates (default 1s)
    -log-elastic-prefix string
        insert this on the front of elastic indexes (default "beyond")
    -log-elastic-workers int
        bulk commit workers (default 3)
    -log-http
        enable HTTP logging to stdout
    -log-json
        use json output (logrus)
    -log-xff
        include X-Forwarded-For in logs (default true)
    -oidc-client-id string
        OIDC client ID (default "f8b8b020-4ec2-0135-6452-027de1ec0c4e43491")
    -oidc-client-secret string
        OIDC client secret (default "cxLF74XOeRRFDJbKuJpZAOtL4pVPK1t2XGVrDbe5R")
    -oidc-issuer string
        OIDC issuer URL provided by IdP (default "https://yourcompany.onelogin.com/oidc")
    -saml-cert-file string
        SAML SP path to cert.pem (default "example/myservice.cert")
    -saml-entity-id string
        SAML SP entity ID (blank defaults to beyond-host)
    -saml-key-file string
        SAML SP path to key.pem (default "example/myservice.key")
    -saml-metadata-url string
        SAML metadata URL from IdP (blank disables SAML)
    -saml-nameid-format string
        SAML SP option: {email, persistent, transient, unspecified} (default "email")
    -saml-session-key string
        SAML attribute to map from session (default "email")
    -saml-sign-requests
        SAML SP signs authentication requests
    -saml-signature-method string
        SAML SP option: {sha1, sha256, sha512}
    -server-idle-timeout duration
        max time to wait for the next request when keep-alives are enabled (default 3m0s)
    -server-read-timeout duration
        max duration for reading the entire request, including the body (default 1m0s)
    -server-write-timeout duration
        max duration before timing out writes of the response (default 2m0s)
    -sites-url string
        URL to allowed sites config (eg. https://github.com/myorg/beyond-config/main/raw/sites.json)
    -token-base string
        token server URL prefix (eg. https://api.github.com/user)
    -token-graphql string
        GraphQL URL for auth (eg. https://api.github.com/graphql)
    -token-graphql-query string
        (default "{\"query\": \"query { viewer { login }}\"}")
    -websocket-compression
        allow websocket transport compression (gorilla/experimental)
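Several of the defaults printed above are documentation placeholders rather than safe values: the OIDC client ID and secret, the example cookie keys, and the 64-character federation secrets all need real values, `-insecure-skip-verify` turns off backend certificate checks, and `-learn-nexthops` defaults to learning backends rather than requiring an allowlist. The preflight below is an added example written for this page, not part of beyond; the `Config` struct, the check names and the two sample configurations are constructed here, and the requirement that the two cookie keys differ is the editor's recommendation rather than something the help text states.

```go
package main

import (
	"fmt"
	"strings"
)

// Values copied verbatim from the `beyond httpd --help` output above. They are
// documentation placeholders and must never reach a real deployment.
const (
	helpOIDCClientID     = "f8b8b020-4ec2-0135-6452-027de1ec0c4e43491"
	helpOIDCClientSecret = "cxLF74XOeRRFDJbKuJpZAOtL4pVPK1t2XGVrDbe5R"
	helpCookieKey1       = "t8yG1gmeEyeb7pQpw544UeCTyDfPkE6u"
	helpCookieKey2       = "Q599vrruZRhLFC144thCRZpyHM7qGDjt"
)

// Config is a hypothetical struct holding the subset of flags the preflight
// inspects; beyond itself reads these from the command line.
type Config struct {
	OIDCClientID, OIDCClientSecret string
	CookieKey1, CookieKey2         string
	FederateAccess, FederateSecret string
	AllowlistURL                   string
	InsecureSkipVerify             bool
	LearnNexthops                  bool
}

// preflight returns one finding per unsafe setting; an empty slice means go.
func preflight(c Config) []string {
	var f []string
	if c.OIDCClientID == helpOIDCClientID || c.OIDCClientSecret == helpOIDCClientSecret {
		f = append(f, "oidc: client id/secret are the --help placeholders; register your own OIDC client")
	}
	if c.CookieKey1 == helpCookieKey1 || c.CookieKey2 == helpCookieKey2 {
		f = append(f, "cookie: key1/key2 are the --help example values; generate fresh random keys")
	}
	// Two distinct, non-empty keys is the editor's recommendation for any key pair.
	if c.CookieKey1 == "" || c.CookieKey2 == "" || c.CookieKey1 == c.CookieKey2 {
		f = append(f, "cookie: set two distinct non-empty keys")
	}
	// --help documents both federation secrets as 64 characters.
	if c.FederateAccess != "" && len(c.FederateAccess) != 64 {
		f = append(f, "federate-access: must be exactly 64 chars")
	}
	if c.FederateSecret != "" && len(c.FederateSecret) != 64 {
		f = append(f, "federate-secret: must be exactly 64 chars")
	}
	if c.InsecureSkipVerify {
		f = append(f, "insecure-skip-verify: backend certificates are not verified; fix the backend certs instead")
	}
	if c.LearnNexthops && c.AllowlistURL == "" {
		f = append(f, "learn-nexthops: learning is on and no -allowlist-url is set; confirm which hosts may be learned")
	}
	return f
}

// placeholderConfig is a constructed example of a deployment that kept the
// --help defaults and should be refused.
func placeholderConfig() Config {
	return Config{
		OIDCClientID:       helpOIDCClientID,
		OIDCClientSecret:   helpOIDCClientSecret,
		CookieKey1:         helpCookieKey1,
		CookieKey2:         helpCookieKey2,
		FederateAccess:     "too-short",
		InsecureSkipVerify: true,
		LearnNexthops:      true,
	}
}

// hardenedConfig is a constructed example that passes every check. The
// repeated characters stand in for random secrets and the allowlist URL is
// the one --help uses as its illustration.
func hardenedConfig() Config {
	return Config{
		OIDCClientID:     "my-beyond-client",
		OIDCClientSecret: "<secret issued by your IdP>",
		CookieKey1:       strings.Repeat("a", 32),
		CookieKey2:       strings.Repeat("b", 32),
		FederateAccess:   strings.Repeat("f", 64),
		FederateSecret:   strings.Repeat("s", 64),
		AllowlistURL:     "https://github.com/myorg/beyond-config/main/raw/allowlist.json",
		LearnNexthops:    false,
	}
}

func main() {
	for _, finding := range preflight(placeholderConfig()) {
		fmt.Println("REFUSE:", finding)
	}
	fmt.Println("hardened findings:", len(preflight(hardenedConfig())))
}
```

Run the check in whatever wraps the `docker run ... httpd` invocation and refuse to start when it returns findings; an access proxy that boots with a published OIDC client secret or example cookie keys is an authentication bypass waiting for anyone who has read this page.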