Skip to content

fluffyrabbot/fastgate

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

45 Commits
challenge-page
challenge-page
 
 
decision-service
decision-service
 
 
deploy
deploy
 
 
docs
docs
 
 
edge-gateway
edge-gateway
 
 
k8s
k8s
 
 
node_modules
node_modules
 
 
tools/tests
tools/tests
 
 
.gitignore
.gitignore
 
 
ARCHITECTURAL_FLOW.md
ARCHITECTURAL_FLOW.md
 
 
AUDIT_IMPROVEMENTS.md
AUDIT_IMPROVEMENTS.md
 
 
CIRCUIT_BREAKER.md
CIRCUIT_BREAKER.md
 
 
README.md
README.md
 
 
SECURITY.md
SECURITY.md
 
 
config.production.yaml
config.production.yaml
 
 
config.yaml
config.yaml
 
 
config.yaml.bak
config.yaml.bak
 
 
config.yaml.bak2
config.yaml.bak2
 
 
config.yaml.bak3
config.yaml.bak3
 
 
config.yaml.bak4
config.yaml.bak4
 
 
config.yaml.bak5
config.yaml.bak5
 
 
fastgate.pid
fastgate.pid
 
 
package-lock.json
package-lock.json
 
 
package.json
package.json
 
 
test-origin.js
test-origin.js
 
 
test-webauthn.js
test-webauthn.js
 
 

Repository files navigation

FastGate (MVP) — Standalone "Under-Attack Mode"

Lightweight, stack‑agnostic L7 gate that issues a short‑lived clearance cookie, challenges the risky tail, and supports HTTP + WebSocket handshakes.

Quickstart

Option 1: Integrated Proxy Mode (Recommended for simplicity)

Single binary, zero NGINX dependency

  1. Create config.yaml:
version: v1
server:
  listen: ":8080"
  read_timeout_ms: 5000
  write_timeout_ms: 5000

proxy:
  enabled: true
  mode: "integrated"
  origin: "http://localhost:3000"  # Your app

token:
  alg: "HS256"
  keys:
    v1: "your-secret-key-base64"
  current_kid: "v1"

policy:
  challenge_threshold: 60
  block_threshold: 85
  1. Run FastGate:
cd decision-service
go run ./cmd/fastgate
# FastGate listening on :8080, proxying to your app

That's it! FastGate now sits in front of your application at port 8080.

Multi-origin routing example (game + shop):

proxy:
  enabled: true
  routes:
    - host: "game.yourdomain.com"
      origin: "http://localhost:3000"
    - host: "shop.yourdomain.com"
      origin: "http://localhost:4000"

Option 2: NGINX Mode (Traditional)

For advanced deployments requiring NGINX features

cd deploy
docker compose up --build
# NGINX: http://localhost:8088/

First request sets a Clearance cookie and proxies to the origin. Headless clients and high-risk paths (e.g., /login) are challenged.

See docs/config.md and docs/runbook.md for details.

Observability

FastGate includes a lightweight, built-in Admin Dashboard (Integrated Mode only) for real-time monitoring.

  • Dashboard: http://<host>/__uam/dashboard.html
  • JSON Stats: http://<host>/admin/stats
  • Prometheus: http://<host>/metrics

The dashboard visualizes:

  • Real-time allow/block/challenge rates
  • Challenge solver success rates (PoW)
  • WebAuthn statistics
  • System health and proxy errors

Architecture

Integrated Mode (Simple / Sovereign)

Client → FastGate (:8080) → Your App
         ↓
      Stateless JWE Challenge
         &
      Admin Dashboard

Sovereign Mesh

FastGate is designed for sovereignty.

  • Stateless Challenges: Uses JWE (Encrypted JWT) to manage challenge state without a database. Scale to infinity.
  • Cluster Config: Set cluster.secret_key to share state across multiple nodes securely.

NGINX Mode (Advanced)

Client → NGINX (:8088) → Decision Service (:8080) → Origin App
         ↑                      ↓
         └───── clearance ──────┘

Credits

FastGate is primarily authored with the assistance of Claude, an AI model from Anthropic, with guidance and direction from the project maintainer. This attribution reflects the reality that most of the codebase, design scaffolding, and documentation are generated in collaboration with the model.

About

No description, website, or topics provided.

Resources

Readme

Security policy

Security policy
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages