The primary goal of speakeasy is to reduce the exposed attack surface of self-hosted software by replacing the full surface of the backing server with the smaller surface of a reverse proxy and an authentication server.
- It should be fairly easy to put this auth server in front of any other self-hosted server.
- The services protected by speakeasy aren't being intentionally, directly targeted. They may be scanned and attacked by bots or other automated tools.
- The expected volume of requests is pretty low: a few to a few dozen users.
- There is less reason for speakeasy to identify each user, since the server it sits in front of will still want to identify the user itself.
- Short-lived JWTs (for some value of "short lived") reduce the need for revocation.
- There is no admin. Anyone who can access the registration endpoints can register another key.
- A long-lived request can stay open after the token has expired, because auth is checked once, at the start of each request.
- Authenticator attestation is invasive, so it is not worth requiring. Any capable authenticator is probably fine.
- Start the servers with `docker compose up -d`
- Visit http://localhost:3000/speakeasy (speakeasy itself, bypassing nginx) to register a key
- Trying to register from http://localhost/speakeasy (through nginx) should result in an error, because the registration endpoint behind nginx requires an already authenticated session
- Visit http://localhost/ and see the backend (example.com)
- Delete the `speakeasy-token` cookie
- Visit http://localhost/ and see the speakeasy page
- Authenticate
- Visit http://localhost/ and see the backend
Allow traffic in on ports 80 and 443 from any address. Allow traffic in to your SSH port only from an internal subnet if possible. Optionally block all outbound traffic that isn't going to the expected backend IP(s).
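As an added example (not something the speakeasy repo ships), here is a POSIX shell function that renders that firewall policy as an nftables ruleset. The internal subnet, SSH port and backend addresses are parameters with assumed example values; loopback and established traffic are always allowed so nginx, speakeasy and redis on the same host keep talking to each other.

```shell
#!/bin/sh
# Added example, not part of speakeasy: render the firewall policy above as an
# nftables ruleset. Arguments are assumed example values; adjust them.
#   render_ruleset SSH_SUBNET SSH_PORT [BACKEND_IPS]
# BACKEND_IPS is a comma-separated list; when given, outbound traffic is limited
# to those addresses (plus loopback and replies to established connections).
render_ruleset() {
    ssh_subnet="$1"
    ssh_port="$2"
    backend_ips="$3"

    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        meta l4proto { icmp, ipv6-icmp } accept
        tcp dport { 80, 443 } accept
        ip saddr $ssh_subnet tcp dport $ssh_port accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
EOF

    if [ -n "$backend_ips" ]; then
        # Optional outbound lockdown: only loopback (nginx -> speakeasy -> redis
        # on this host), replies to established connections, and the backend.
        cat <<EOF
    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        ct state established,related accept
        ip daddr { $backend_ips } accept
    }
EOF
    else
        cat <<EOF
    chain output {
        type filter hook output priority 0; policy accept;
    }
EOF
    fi
    echo "}"
}

# Typical use (as root):
#   render_ruleset 10.0.0.0/8 22 "192.0.2.10, 192.0.2.11" > /etc/nftables.conf
#   nft -c -f /etc/nftables.conf && nft -f /etc/nftables.conf
```

Write the output to a file, check it with `nft -c -f`, and only then load it with `nft -f`. With the outbound restriction enabled, anything not listed (DNS, NTP, package mirrors) is also blocked, so either add those destinations or leave the output chain open.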
See these for reference:
- `nginx/nginx.conf` and `nginx/speakeasy.conf` in this repo
- https://www.nginx.com/resources/wiki/start/topics/examples/full/

Include `speakeasy.conf` at the top of each `server` block. Then add `auth_request /speakeasy/check;` and `auth_request_set $auth_status $upstream_status;` in each `location` that should require authentication.

If you're using SELinux you may need `setsebool -P httpd_can_network_connect 1` so nginx can connect to speakeasy and the backend (note that this boolean lets nginx connect to any network port, not just those two). Check `sudo grep nginx /var/log/audit/audit.log | grep denied` for errors.
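To show the whole wiring in one place, here is an added example (not the repo's own `nginx.conf` or `speakeasy.conf`, which remain authoritative) that renders a complete `server` block from a shell function. Taken from the page: the `auth_request /speakeasy/check;` and `auth_request_set $auth_status $upstream_status;` directives, `/speakeasy/register` being auth-protected, and speakeasy listening on port 3000. Assumed: the rest of the location layout, the `X-Original-URI` header, the backend on 127.0.0.1:8080 and the hostname; the TLS `listen 443` block is left out.

```shell
#!/bin/sh
# Added example, not part of the speakeasy repo: render an nginx server block
# wired the way the page describes. The repo's nginx/speakeasy.conf is the
# authoritative version; this one spells everything out in a single place.
# Assumed (not from the page): the exact location layout, the X-Original-URI
# header, and the upstream addresses passed in as arguments.
#   render_site_conf SERVER_NAME BACKEND_UPSTREAM SPEAKEASY_UPSTREAM
render_site_conf() {
    sed -e "s|__SERVER_NAME__|$1|g" -e "s|__BACKEND__|$2|g" -e "s|__SPEAKEASY__|$3|g" <<'EOF'
server {
    listen 80;
    server_name __SERVER_NAME__;

    # Target of the auth_request subrequest. "internal" means clients cannot
    # request it directly; nginx forwards the original request's headers (so
    # the speakeasy-token cookie) but not its body.
    location = /speakeasy/check {
        internal;
        proxy_pass __SPEAKEASY__;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;   # assumed; harmless if unused
    }

    # speakeasy's own page and authentication endpoints: reachable without a
    # session, otherwise nobody could log in.
    location /speakeasy {
        proxy_pass __SPEAKEASY__;
    }

    # Adding a key requires an existing session (there is no admin). During
    # first-key bootstrap these two auth_* lines are removed temporarily.
    location /speakeasy/register {
        auth_request /speakeasy/check;
        auth_request_set $auth_status $upstream_status;
        proxy_pass __SPEAKEASY__;
    }

    # Everything else is the protected backend.
    location / {
        auth_request /speakeasy/check;
        auth_request_set $auth_status $upstream_status;   # check's status, e.g. for logging
        # A denied check becomes a 401/403 generated by nginx; serve the
        # speakeasy page in place of the app so a reload after authenticating
        # lands on the original URL. proxy_intercept_errors is off by default,
        # so a 401/403 from the backend itself passes through untouched.
        error_page 401 403 = /speakeasy;
        proxy_pass __BACKEND__;
    }
}
EOF
}

# Typical use (as root), assuming /etc/nginx/conf.d is included by nginx.conf:
#   render_site_conf app.example.internal http://127.0.0.1:8080 http://127.0.0.1:3000 \
#       > /etc/nginx/conf.d/speakeasy-site.conf && nginx -t && systemctl reload nginx
```

The `error_page 401 403 = /speakeasy;` line is what makes the speakeasy page appear for an unauthenticated visitor without changing the URL. Because `proxy_intercept_errors` is off by default, a 401 or 403 produced by the backend itself is passed through rather than replaced by the login page.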
Install redis on the same host as speakeasy, keep `protected-mode yes`, and bind only to localhost (`bind 127.0.0.1`). Confirm with `ss -ltnp` that redis is listening on 127.0.0.1 only.
- Install java and clojure
- Run `build.sh` to prepare an uberjar
- Copy `systemd/speakeasy.service` to `/etc/systemd/system/`
- `sudo systemctl daemon-reload`
- `sudo systemctl enable speakeasy`
- `sudo systemctl start speakeasy`
- Remove the `auth_*` lines from the `location` block that has `/speakeasy/register` in `nginx.conf` and reload nginx
- Register a key by visiting `/speakeasy`
- Revert the `nginx.conf` change and reload nginx

While those lines are removed, anyone who can reach `/speakeasy/register` can register a key (there is no admin), so keep the window short, or restrict that location to your own address with nginx `allow`/`deny` in the meantime. Subsequent keys can be registered by any authenticated user visiting `/speakeasy` and using the registration button.
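The remove/register/revert sequence above is easy to get wrong by hand, and easy to forget to revert. As an added example, not something the repo ships, here is a POSIX shell script that comments the `auth_*` lines inside the `/speakeasy/register` location out with a marker and later strips the marker again, reloading nginx only if `nginx -t` passes. The config path and the marker text are assumptions; the awk relies on braces being the only block delimiters, as in ordinary nginx configs (braces inside comments or quoted strings would confuse it).

```shell
#!/bin/sh
# Added example, not part of speakeasy. Bootstrapping the first key means
# removing the auth_* lines from the location block that serves
# /speakeasy/register, reloading nginx, registering, and putting them back.
# Instead of deleting the lines, this comments them out with a marker, so the
# revert is mechanical and a half-finished bootstrap is visible in the config.
# The config path and marker text are assumptions.

MARK='#speakeasy-bootstrap# '

# rewrite_register_auth off|on : nginx config on stdin, rewritten config on stdout
rewrite_register_auth() {
    awk -v mode="$1" -v mark="$MARK" '
        # the block whose location line mentions /speakeasy/register
        /location[^{]*\/speakeasy\/register/ { inblock = 1; depth = 0; opened = 0 }
        inblock {
            depth += gsub(/\{/, "{")      # count braces to find the block end
            depth -= gsub(/\}/, "}")
            if (depth > 0) opened = 1
            if (mode == "off" && $0 ~ /^[[:space:]]*auth_request(_set)?[[:space:]]/) {
                sub(/auth_request/, mark "auth_request")
            } else if (mode == "on" && index($0, mark) > 0) {
                sub(mark, "")
            }
            if (opened && depth == 0) inblock = 0   # closing brace of the block
        }
        { print }
    '
}

# bootstrap_register_auth off|on [conf] : rewrite in place, reload only if nginx -t passes
bootstrap_register_auth() {
    mode="$1"
    conf="${2:-/etc/nginx/nginx.conf}"
    rewrite_register_auth "$mode" < "$conf" > "$conf.tmp" || return 1
    mv "$conf.tmp" "$conf"
    nginx -t && systemctl reload nginx
}

# Typical use (as root):
#   bootstrap_register_auth off        # then visit /speakeasy and register the first key
#   bootstrap_register_auth on         # put the auth_* lines back
```

Run `bootstrap_register_auth off`, register the first key through `/speakeasy`, then run `bootstrap_register_auth on`. Afterwards `grep -n speakeasy-bootstrap /etc/nginx/nginx.conf` should print nothing; if it does, the revert did not happen and registration is still open.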
The auth page should automatically show up for anyone who isn't authenticated. After authenticating, reloading the page should take them to the application.