lyleunderwood / github-pages-basic-auth-proxy Goto Github PK

A simple python based proxy to secure github pages with basic auth via a small cloud-proxy-instance. Basic Auth checks against GitHub API.

• Create a directory with a random name (e.g. a sha256 hash) inside your gh-pages branch.
   

• Move files into the obfuscator directory and create an index.html with some dummy content if not already present.
• You should now be able to call the URL:
  • https://<owner>.github.io/<repositoryName>/<obfuscator>/index.html

• You can automatically setup the heroku instance of the proxy by clicking the deploy button.

• During the install you need to specify Repository-Owner, Repository-Name and Obfuscator.
   
• You will also need to specify the authType which can be:
  • onlyGitHubOrgUsers which will allow every GitHub user belonging to your GitHub Organization
    • Note: repository must be an org repo
  • allGitHubUsers which will allow every GitHub user to authenticate
     

• After you clicked on the view-button you should see the Installation Success page.
   

• When you configured the parameters correctly you should see a page like this
   

• Now you can use the proxy with any url.
• In this example:
  • https://nameless-cove-14005.herokuapp.com/*

You will need to perform step (1) and step (2) from the heroku instructions and then click below to see the full instructions on how to manually setup the proxy on AWS.

• Provide oAuth instead of Basic Auth
• Enable CORS
• Enable on-the-fly GZIP compression
• Enable caching (maybe replace internal proxy mechanism with WSGIproxy)
• Real logging
• Provide Ubuntu init Scripts
• ✅ Provide Heroku easy install

• Licensed under MIT License
• This little piece of software is brought to you by comSysto.
• comSysto is not a representative of GitHub. GitHub and the GitHub logos are Trademarks of GitHub inc.

• If you have a GitHub organization account with organization members.
• If you have a private organization github repository.
• If you have a gh-pages branch in that repository.
• And if you want to secure the gh-pages page via basic auth, then this proxy is for you.
  • Only members of the GitHub organization OR normal GitHub users will have access

• Proxy between GitHub Pages and User (Only GET requests)
• Ask for Authentication (github credentials)
  • either GitHub username and password
  • Or GitHub username and access_token
• Only proxy through if user is member of GitHub Organization or normal GitHub user (depends on how you run proxy)
• To not have to call github api on every request we authenticate once and a JWT Token is generated and stored in a cookie
  • the JWT Token is valid for 4 hours.
  • After the Token has expired or the cookie is removed you will have to perform Authentication again.

• Basically gh-pages URLs are public. But if you use a private repository you can only guess the actual URLs.
• If you create a directory in your gh-pages branch which is called e.g. 086e41eb6ff7a50ad33ad742dbaa2e70b75740c4950fd5bbbdc71981e6fe88e3 and proxy to this dir, it will be secure as long as no one knows this obfuscator directory (you should keep it a secret).
• You proxy to https (TLS) so no man in the middle attack could get a hold of the obfuscator.

• The short answer is: meeeeh
• Currently there is no real good proxy implementation in place that would cache files.
• So for every GET request you have internal GET calls to github pages whose responses are directly returned to the user.
• At least the Authentication is fast and optimized via JWT Auth Cookie. That reduces the auth calls on the github API.

türkis   #1e9dcc
         #d2ebf5 
green    #99d100  
         #ebf6cc 
orange   #e67800 
blue     #1c61b3