MCPSERV.CLUB

Jauth

Self-Hosted

Secure reverse proxy with SSH/Telegram auth and SSO

Updated Dec 21, 2024

Overview
Jauth is a **single‑binary reverse proxy** that adds SSL/TLS termination and fine‑grained authorization to any self‑hosted web service. Built in Go, it has no external runtime dependencies, so it can be packaged as a Docker image or run directly on bare metal. The core workflow is: inbound HTTP/HTTPS requests are received by Jauth, authenticated via an SSH key or a Telegram user, then proxied to the configured backend (`127.0.0.1:<port>` or any external host). The proxy also performs domain‑based routing, certificate management (self‑signed or Let’s Encrypt), and optional single sign‑on through a custom SSO endpoint.

Architecture

  • Language & Runtime: Go (1.22+), compiled to a static binary that contains the HTTP server, TLS stack, SSH daemon, and Telegram bot token validation logic.
  • HTTP Layer: Uses the standard net/http library with a custom TLS listener. Certificate handling is abstracted via an interface that supports autocert (Let’s Encrypt) or manual PEM files.
  • SSH Layer: Implements a minimal SSH server listening on port 2222. It reads ~/.ssh/authorized_keys to map public keys to usernames, and uses the same key pair as the TLS listener (~/.ssh/id_rsa).
  • Telegram Layer: No outbound API calls. The bot token is only used to validate incoming webhook requests; Jauth itself hosts the /webhook/<domain> endpoint that Telegram calls after a user authorizes.
  • Configuration: TOML‑based (jauth.toml by default). Supports multiple domain blocks, each with its own target, whitelist, and optional SSO or Telegram settings.
  • Reverse Proxy: Uses httputil.ReverseProxy with custom director logic to preserve host headers and inject authentication cookies. It supports both local (127.0.0.1:port) and remote targets.

Core Capabilities

  • Multi‑domain routing with per‑domain TLS certificates.
  • Whitelist access control: restrict each domain to a list of usernames derived from SSH or Telegram.
  • SSO integration: optional SSO field in config points to an external SSO provider; Jauth will redirect unauthenticated users and accept the token via a callback.
  • SSH + Telegram auth: Users can authenticate with an SSH key or by clicking a link in Telegram. No passwords, no registration.
  • Automatic Let’s Encrypt renewal via autocert – one certificate per domain, stored in the default cache directory.
  • Zero‑config defaults: if no jauth.toml is present, Jauth generates a self‑signed cert and listens on 80/443 with minimal routing to 127.0.0.1:8080.
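As an added illustration of the per‑domain whitelist above and the Director‑based proxying described under Architecture (example code, not Jauth's own): a Go handler that resolves the user from in‑memory session state, checks the requested domain's whitelist, and only then hands the request to httputil.ReverseProxy while preserving the original Host header. The cookie name jauth_session, the X-Jauth-User header, and the Route/Gate structures are assumptions for the example.

```go
package main

import (
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Route mirrors one domain block: the backend to proxy to and the usernames allowed in.
type Route struct {
	Target    *url.URL
	Whitelist map[string]bool // identities established by SSH-key or Telegram login
}

// Gate enforces the whitelist in front of httputil.ReverseProxy; Sessions is the in-memory auth state.
type Gate struct {
	Routes   map[string]*Route // keyed by request host with the port stripped
	Sessions map[string]string // session cookie value -> authenticated username
}

func (g *Gate) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	host, _, _ := strings.Cut(r.Host, ":") // route on the bare domain, ignoring any :port
	route, ok := g.Routes[host]
	if !ok {
		http.Error(w, "unknown domain", http.StatusNotFound)
		return
	}
	user := "" // resolve identity from the session cookie ("jauth_session" is an assumed name)
	if c, err := r.Cookie("jauth_session"); err == nil {
		user = g.Sessions[c.Value]
	}
	if user == "" {
		http.Error(w, "authentication required", http.StatusUnauthorized)
		return
	}
	if !route.Whitelist[user] {
		http.Error(w, "forbidden", http.StatusForbidden) // authenticated, but not on this domain's list
		return
	}
	proxy := &httputil.ReverseProxy{Director: func(req *http.Request) {
		req.URL.Scheme, req.URL.Host = route.Target.Scheme, route.Target.Host
		req.Host = r.Host                    // preserve the original Host header for the backend
		req.Header.Set("X-Jauth-User", user) // assumed header; Set overwrites any client-supplied value
	}}
	proxy.ServeHTTP(w, r)
}

func main() { http.ListenAndServe(":8080", &Gate{}) } // stand-alone entry point: populate Routes and Sessions first
```

The 401/403 split matters for operators: a 403 in the logs means a valid identity reached a domain it is not whitelisted for, which is worth alerting on separately from anonymous hits.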

Deployment & Infrastructure

  • Self‑hosting: Requires a machine with Go runtime (or Docker). Exposes ports 80, 443, and 2222. No external services except optional Let’s Encrypt (HTTPS) and Telegram for auth.
  • Containerization: A minimal Dockerfile can be created (FROM scratch with the compiled binary). Volume mounts are needed for ~/.ssh/authorized_keys, certificates, and optional config file.
  • Scalability: Jauth is stateless except for TLS session caches and in‑memory auth state; horizontal scaling can be achieved by running multiple instances behind a load balancer, sharing the same SSH key database or using a shared config store.
  • Resource footprint: < 10 MiB binary, ~50 MiB RAM under load. Suitable for Raspberry Pi or cloud VMs.

Integration & Extensibility

  • Plugin hooks: Not yet exposed, but the TOML config can be extended with custom fields; developers can fork and add middleware.
  • Webhooks: Telegram bot webhook endpoint is the primary extensibility point. Jauth can forward authentication events to other services via HTTP callbacks (not built‑in, but trivial to implement).
  • Custom authentication: Replace the SSH or Telegram logic by editing the source; the architecture cleanly separates auth modules from routing.
  • API: No REST API, but the configuration file is the single source of truth; changes require a restart.

Developer Experience

  • Documentation: The README covers installation, default behavior, and a sample config. TOML syntax is straightforward; comments explain each field.
  • Community: Small but active GitHub repo; issues are triaged quickly. No formal support channel, so developers rely on source code and community discussions.
  • Extensibility: Go’s static typing makes it easy to add new auth methods or routing rules. The binary can be compiled with build tags for optional features.

Use Cases

  1. Protecting legacy web apps: Add TLS and auth to an unprotected PHP or Node.js service without modifying the application code.
  2. Developer sandbox: Quickly expose local services (localhost:8000) to the internet with a secure tunnel and SSO.
  3. Multi‑tenant dashboards: Route multiple subdomains to different internal services, each with its own whitelist.
  4. Telegram‑based login: Provide a passwordless login flow for small teams using Telegram accounts.

Advantages

  • Zero‑dependency binary: No runtime libraries, simplifying deployment and reducing attack surface.
  • Passwordless auth: SSH keys or Telegram links

Information

  • Category: cloud-platforms
  • License: GPL-3.0
  • Stars: 147
  • Pricing: Open Source
  • Database: None
  • Supported OS: Linux, Docker
  • Author: Jipok
  • Last Updated: Dec 21, 2024