Jauth

Jauth is a compact SSL/TLS reverse proxy written in Go that protects self-hosted applications by requiring authorization before proxying traffic. It provides SSH- and Telegram-based login methods, optional single sign-on behavior, and can obtain certificates automatically or use self-signed/manual certificates.

Key Features

• Single static binary with minimal dependencies, designed for simple self-hosting
• TLS support via autogenerated self-signed certificates, manual certificates, or ACME/Let's Encrypt
• Authorization via an integrated SSH server (authorized_keys) and Telegram login widget validation
• Optional lightweight SSO: authenticated username is forwarded to backend via Remote-User header
• Per-domain configuration, domain-specific whitelists and optional per-domain Telegram users
• Whitelist-based access control and a NoAuth mode to act as a plain TLS proxy
• Stores authenticated sessions/tokens on disk for session persistence between restarts
• Defaults that let it run with minimal configuration while supporting custom TOML config

Use Cases

• Protect web interfaces and internal dashboards for self-hosted apps without adding app-level auth
• Provide a simple SSO/pass-through header for multiple services behind the same gateway
• Allow SSH key or Telegram-based access for teams that prefer key-based authentication or tokenless login flows

Limitations and Considerations

• Telegram-based login requires registering a bot and binding it to a domain (one bot per domain); Jauth validates tokens rather than using the Telegram bot API directly
• ACME certificate issuance is per-domain and may be delayed; logs may not always show issuance progress
• SSO is minimal (username is forwarded via header) and is not a full-featured identity provider or OIDC/SAML implementation
• Session tokens are stored in a local file; if running with dropped privileges or restricted filesystem access, token persistence or state saving may be affected

Jauth is focused on minimalism and pragmatic access control for self-hosted services. It is suitable when a lightweight, single-binary TLS proxy with SSH/Telegram authorization and simple SSO semantics is preferred over a full identity platform.