Pomerium VS warpgate

That is not how you do Zero Trust. You want to use an Identity Aware Proxy. There are lots of ways you can implement this with Google as your core auth. For example Pomerium or oauth2-proxy.

I’m really surprised this sub has no love for Pomerium. I feel like it’s as simple as Caddy with all the security benefits of Traefik.

Pomerium sidecar.

Just want to drop https://www.pomerium.com/ here. We use it at our company with ~1500 people with many apps behind the proxy. It also supports JWT for the backend, so you can integrate your apps easily without having to worry about the OAuth flow and also your apps are protected from random internet attacks.

You might just want to integrate a policy rules engine like open policy agent: https://www.openpolicyagent.org/ It can act as a server which you bounce a subrequest against to get an authorization answer from a policy you defined ahead of time with a simple language.

And if you don't have time or want to do that, check out Pomerium it's basically a forward auth proxy with OPA policy engine integrated into it already: https://www.pomerium.com/

Pomerium

If oauth2-proxy doesn't suit your needs, there are some projects that have spun-off from oauth2-proxy like pomerium and BuzzFeed's sso. In addition to the open source library, Pomerium offers a paid service with a GUI to help IT staff more easily manage user permissions. BuzzFeed's sso builds upon oauth2-proxy by separating the domain used for auth from the domain used for the proxy (among several other changes).

Here's a list of open source products that aim at doing that: - Pomerium - Ory - Keycloak*

I'm one of the maintainers of an open source identity aware access proxy called Pomerium. We just released v0.16 which includes a bunch of new features, but there's one in particular that has been in the works for months which I'm really excited about and wanted to share. In short, Pomerium now supports incorporating device identity into your access policies.

As for authentication, I'd recommend splitting the authentication from the dashboard by putting a reverse proxy in front of the dashboard service. You can then use these credentials for the other services that the dashboard links to. Which one to use is highly dependent or your setup, so I'll just throw some self-hostable authentication proxies out here (haven't used any of them): Authelia, Dex, Pomerium

It's rather for access control with like, 50+ clients. Possibly with access control. I'm currently testing with warpgate

GitHub - warp-tech/warpgate: Smart SSH, HTTPS and MySQL bastion that needs no client-side software

Warpgate for SSH access to all my hosts in an efficient and secure way. For clients I use Shelly on iOs, as it supports keys and quick commands, and built-in ssh on mac/windows/whatever.

Doing some reading, it seems either a "bastion" host (jump server) or SSH certificates are what I am after - however everything I come across is either far too bloated (Teleport, Vault by Hashicorp) or just doesn't exist. I tried setting up Warpgate, but it kept dropping connections.