/helios

Identity-Aware Proxy

Primary LanguageGoApache License 2.0Apache-2.0

Helios - Identity-aware Proxy

Build Status Go Report Card LICENSE

⚠ This project is on early stage and it's not ready for production yet ⚠

Helios is an Identity & Access Proxy (IAP) that authorizes HTTP requests based on sets of rules. It is the building block towards BeyondCorp, a model designed by Google to secure applications in Zero-Trust networks.

In a nutshell, with Helios you can:

  • Identify users using existing identity providers like Google, Auth0, Azure AD, etc.
  • Secure and authenticate access to any domain or path
  • Configure authorization policies using CEL expressions
  • Use Helios as gateway or reverse proxy

Motivation

My goal is to build an open source alternative to Cloudflare Access and Cloud IAP.

Beyond that, I started this project off for 2 reasons:

  1. I wanted to exercise and continue improving my Go skills.
  2. I'm interested in BeyondCorp, Google's implementation of Zero Trust. I believe Zero Trust is the future of Enterprise Security.
  3. Last but not least, because it's fun!

Install

Install Go.

Next download the project and build the binary file.

$ go get -u github.com/cyakimov/helios

Usage

helios -config config.example.yaml

List flags with

helios -help

Configuring authorization rules

The supported condition attributes are based on details about the request (e.g., its timestamp, originating IP address , identity, etc.). Examples and a description of attribute types are described below.

Available Attributes

  • request.host
  • request.path
  • request.ip
  • request.timestamp

For example, by setting Expression to a CEL expression that uses request.ip you can limit access to only members who have a private IP of 10.0.0.1

request.ip == "10.0.0.1"

Alternatively, you can check if a request comes from a particular network:

request.ip.network("192.168.0.0/24")

Example Date/Time Expressions

Allow access temporarily until a specified expiration date/time:

timestamp(request.time) < timestamp("2019-01-01T07:00:00Z")

Allow access only during specified working hours:

timestamp(request.time).getHours("America/Santiago") >= 9 &&
timestamp(request.time).getHours("America/Santiago") <= 17 &&
timestamp(request.time).getDayOfWeek("America/Santiago") >= 1 &&
timestamp(request.time).getDayOfWeek("America/Santiago") <= 5

Allow access only for a specified month and year:

timestamp(request.time).getFullYear("America/Santiago") == 2018
timestamp(request.time).getMonth("America/Santiago") < 6

Example URL Host/Path Expressions

Allow access only for certain subdomains or URL paths in the request:

request.host == "hr.example.com"
request.host.endsWith(".example.com")
request.path == "/admin/payroll.js"
request.path.startsWith("/admin")

Development

Prerequisites

Environment Setup

Deploy local CA

mkcert -install

Create a certificate for local development

mkcert localhost 127.0.0.1

Install dependencies

go mod download

Run the program

go run . -config config.example.yaml

Roadmap 🗺

Status Milestone
🚀 Expression engine
Support popular identity providers
Use templates for error pages
Export prometheus metrics
Create a Github page
Dynamic policies