brink
brink is a lightweight Identity-Aware Proxy (IAP) for TCP forwarding.
It allows you to establish a secure websocket connection over which you can forward SSH, RDP,
and other traffic to your private services, and allows you to control who can access those services based on identity.
Highlights:
- access your private services from anywhere
- identity-based access for zero-trust security
- authenticate with GitHub or with any trusted OIDC provider
- access policies based on identity
- a single binary or Docker image
- easy configuration
Quickstart
Create an OIDC client application on your favorite provider, e.g. Auth0, Okta, Keycloak, ... or create a
new GitHub OAuth application. In both cases, take note of your client id and
client secret (and the issuer url when using OIDC).
Create a new brink configuration file:
tls:
disable: true
auth:
url_prefix: "http://localhost:7000"
provider:
type: "oidc" # or github
issuer: "<your oidc issuer>" # remove this line when using github
client_id: "<your client id>"
client_secret: "<your client secret>"
proxy:
policies:
local:
filters: [ "*" ]
targets: [ "localhost:*" ]
Download the latest version of brink from the releases page
Start a brink server instanc:
$ brink server proxy --config config.yaml
INFO[0000] Starting brink proxy server. Version 0.6.0 - 83c874a
INFO[0000] registering oidc routes
INFO[0000] registering proxy routes
INFO[0000] server listening on :7000
Next, use the brink ssh
command to SSH into the localhost. Depending on your system, a browser will first open
allowing you to authenticate with your identity provider.
$ brink ssh -r http://localhost:7000 -t localhost:22
Documentation
(coming soon; in the meanwhile, have a look at the examples below)
Examples