Bastion is a comprehensive Identity and Access Management (IAM) system that provides secure access to SSH hosts and web applications through a unified interface. It acts as a centralized gateway for managing user authentication, authorization, and access control.
- User registration and authentication with JWT tokens
- Role-based access control (RBAC)
- Group management for organizing users
- Session management with automatic cleanup
- Admin interface for user and permission management
- Secure SSH proxy server for accessing remote hosts
- Public key and password authentication
- SSH session recording and auditing
- Interactive host selection menu
- Dynamic host management
- HTTP/HTTPS proxy for web applications
- Automatic URL rewriting for seamless proxying
- CORS handling for cross-origin requests
- JavaScript injection for `fetch()` and `XMLHttpRequest` interception
- Support for complex web applications (e.g., Google, Twitch)
- Cookie and session forwarding
- Handles long URLs and large request bodies
- Web-based admin interface
- User and group management
- Application and host configuration
- Permission management
- Session monitoring
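The feature list above mentions session management with automatic cleanup. The following is an added example, not code from the Bastion project, showing the shape such a store takes in Go: random 256-bit session IDs, a TTL that is checked on every lookup so a stale ID never authenticates, explicit revocation, and a janitor goroutine that sweeps expired entries. The `Clock` field is an assumption introduced here so expiry can be exercised without sleeping.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"sync"
	"time"
)

// Session is what the store keeps per login.
type Session struct {
	UserID    string
	ExpiresAt time.Time
}

// Store is an in-memory session store with TTL-based expiry.
// Clock is injectable (assumption for this example) so tests can move time.
type Store struct {
	mu       sync.Mutex
	ttl      time.Duration
	sessions map[string]Session
	Clock    func() time.Time
}

func NewStore(ttl time.Duration) *Store {
	return &Store{ttl: ttl, sessions: make(map[string]Session), Clock: time.Now}
}

// Create issues a 256-bit random session ID (hex encoded) bound to userID.
func (s *Store) Create(userID string) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	id := hex.EncodeToString(raw)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.sessions[id] = Session{UserID: userID, ExpiresAt: s.Clock().Add(s.ttl)}
	return id, nil
}

// Get returns the session only if it exists and has not expired. An expired
// entry is dropped on the spot, so lookups never rely on the janitor alone.
func (s *Store) Get(id string) (Session, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.sessions[id]
	if !ok {
		return Session{}, false
	}
	if !s.Clock().Before(sess.ExpiresAt) {
		delete(s.sessions, id)
		return Session{}, false
	}
	return sess, true
}

// Revoke removes a session immediately (logout or admin action).
func (s *Store) Revoke(id string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.sessions, id)
}

// Cleanup removes every expired session and reports how many were removed.
func (s *Store) Cleanup() int {
	s.mu.Lock()
	defer s.mu.Unlock()
	now, removed := s.Clock(), 0
	for id, sess := range s.sessions {
		if !now.Before(sess.ExpiresAt) {
			delete(s.sessions, id)
			removed++
		}
	}
	return removed
}

// Len reports the number of stored sessions, expired or not.
func (s *Store) Len() int {
	s.mu.Lock()
	defer s.mu.Unlock()
	return len(s.sessions)
}

// StartJanitor runs Cleanup every interval until stop is closed.
func (s *Store) StartJanitor(interval time.Duration, stop <-chan struct{}) {
	go func() {
		ticker := time.NewTicker(interval)
		defer ticker.Stop()
		for {
			select {
			case <-ticker.C:
				s.Cleanup()
			case <-stop:
				return
			}
		}
	}()
}

func main() {
	store := NewStore(24 * time.Hour) // same lifetime as the session.expiration example below
	stop := make(chan struct{})
	store.StartJanitor(time.Minute, stop)
	id, _ := store.Create("alice") // constructed sample user
	_, ok := store.Get(id)
	fmt.Println(id[:8], ok)
	close(stop)
}
```

Checking expiry inside `Get` rather than only in the janitor matters: the sweep interval is a housekeeping detail, not a security boundary, so a session must be rejected the moment its TTL passes regardless of when the next sweep runs.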
Bastion follows a clean architecture pattern:
```text
├── cmd/             # Application entry point
├── domain/          # Domain models and entities
├── application/     # Business logic and use cases
├── infrastructure/  # Infrastructure implementations
│   ├── config/      # Configuration management
│   ├── database/    # Database connection (GORM)
│   ├── http/        # HTTP server (Fiber)
│   ├── logger/      # Logging (Zerolog)
│   ├── migration/   # Database migrations (Goose)
│   └── persistence/ # Data access layer
└── interfaces/      # External interfaces
    ├── cli/         # CLI commands
    ├── http/        # HTTP handlers and routes
    └── ssh/         # SSH server implementation
```
- Go: 1.25.1 or higher
- Database: PostgreSQL or SQLite
- Network: Access to target SSH hosts and web applications
- Clone the repository:

```bash
git clone https://github.com/labbs/bastion.git
cd bastion
```

- Build the application:

```bash
go build -o bin/bastion ./cmd
```

- Run database migrations:

```bash
./bin/bastion migration up
```

- Start the HTTP server:

```bash
./bin/bastion server
```

- (Optional) Start the SSH server:

```bash
./bin/bastion ssh
```

Alternatively, build and run with Docker:

```bash
docker build -t bastion .
docker run -p 8080:8080 -v $(pwd)/database.sqlite:/app/database.sqlite bastion
```

Bastion uses YAML configuration files. Create a `config.yaml` file:
```yaml
http:
  port: 8080
  logs: true
logger:
  level: info
  pretty: false
database:
  dialect: postgres # or sqlite
  dsn: postgres://user:password@localhost/bastion?sslmode=disable
ssh:
  port: 2222
  host_key: /path/to/host_key
session:
  secret: your-secret-key-here
  expiration: 24h
auth:
  registration_enabled: true
  jwt_secret: your-jwt-secret-here
registration:
  enabled: true
```

Configuration can also be provided via command-line flags. Run `./bin/bastion server --help` for available options.
HTTP Server (Web UI and API):

```bash
./bin/bastion server --http.port 8080
```

SSH Server:

```bash
./bin/bastion ssh --ssh.port 2222
```

- Access the web interface at `http://localhost:8080`
- Register a new account (if registration is enabled)
- Log in with your credentials
- Access your assigned applications and hosts
- Connect to the SSH server:

```bash
ssh -p 2222 user@bastion-host
```

- Select a host from the interactive menu
- The session will be proxied to the selected host
- Access `/admin` after logging in as an admin user
- Manage users, groups, applications, and hosts
- Configure permissions and access controls
Bastion provides a RESTful API for programmatic access:
- Authentication: `/api/v1/auth/login`, `/api/v1/auth/register`
- Applications: `/api/v1/app/apps`
- User Profile: `/api/v1/user/profile`
- Admin: `/api/v1/admin/*`
API documentation is available via OpenAPI/Swagger when enabled.
- Go 1.25.1+
- Make (optional, for convenience)
- `cmd/`: Application entry points
- `domain/`: Core domain models
- `application/`: Business logic layer
- `infrastructure/`: External dependencies (database, HTTP, etc.)
- `interfaces/`: Adapters for external interfaces

Run the tests:

```bash
go test ./...
```

Create a new migration:

```bash
./bin/bastion migration create migration_name
```

Run migrations:

```bash
./bin/bastion migration up
```

Rollback migrations:

```bash
./bin/bastion migration down
```

Build the binary:

```bash
# Build for current platform
go build -o bin/bastion ./cmd

# Build for Linux
GOOS=linux GOARCH=amd64 go build -o bin/bastion-linux ./cmd

# Build for Windows
GOOS=windows GOARCH=amd64 go build -o bin/bastion.exe ./cmd
```

The web application proxy is designed to handle complex modern web applications:
- Automatic URL Rewriting: All URLs in HTML, CSS, and JavaScript are automatically rewritten to go through the proxy
- JavaScript Interception: `fetch()` and `XMLHttpRequest` are patched to route requests through the proxy
- CORS Handling: Proxied requests handle CORS automatically
- Large URL Support: Handles URLs up to 16KB in length
- Dynamic Content: Intercepts dynamically created `<script>` and `<link>` tags
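The URL rewriting, `fetch()`/`XMLHttpRequest` patching and CORS handling listed above (and in the feature list earlier) can be demonstrated with a small standard-library reverse proxy. This is an added example written for this page, not the Bastion project's own proxy code; the upstream `https://app.example.com`, the `/proxy/app` prefix and the `http://localhost:8080` origin are constructed placeholders. It rewrites root-relative, absolute and protocol-relative references in HTML responses, injects a script that patches the two browser APIs, and sets CORS headers for the bastion's own origin.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"regexp"
	"strconv"
	"strings"
)

// rootRelative matches href/src/action attributes whose value is a
// root-relative path ("/static/app.js") but not a protocol-relative URL
// ("//cdn.example.com/x.js"), which is handled separately below.
var rootRelative = regexp.MustCompile(`(href|src|action)=(["'])/([^/"'])`)

// RewriteBody rewrites every reference to the upstream origin so the browser
// fetches it back through proxyPrefix instead of contacting the origin directly.
func RewriteBody(body []byte, upstream *url.URL, proxyPrefix string) []byte {
	// 1. root-relative: src="/a.js" -> src="/proxy/app/a.js"
	out := rootRelative.ReplaceAll(body, []byte("${1}=${2}"+proxyPrefix+"/${3}"))
	// 2. absolute: https://app.example.com/a.js -> /proxy/app/a.js
	//    (must run before step 3, or "https:" would be left dangling)
	origin := upstream.Scheme + "://" + upstream.Host
	out = bytes.ReplaceAll(out, []byte(origin), []byte(proxyPrefix))
	// 3. protocol-relative: //app.example.com/a.js -> /proxy/app/a.js
	out = bytes.ReplaceAll(out, []byte("//"+upstream.Host), []byte(proxyPrefix))
	return out
}

// interceptor is injected into every HTML page. It patches fetch() and
// XMLHttpRequest.open so root-relative requests issued by page scripts at
// runtime also travel through the proxy prefix (%q is filled by Go).
const interceptor = `<script>(function(){var p=%q;` +
	`var fix=function(u){return (typeof u==='string'&&u.charAt(0)==='/'&&u.charAt(1)!=='/')?p+u:u;};` +
	`var f=window.fetch;window.fetch=function(u,o){return f.call(window,fix(u),o);};` +
	`var o=XMLHttpRequest.prototype.open;XMLHttpRequest.prototype.open=function(m,u){` +
	`var a=Array.prototype.slice.call(arguments);a[1]=fix(u);return o.apply(this,a);};})();</script>`

// InjectScript places the interceptor just before </head>, or at the very
// top of the document when the page has no <head>.
func InjectScript(body []byte, proxyPrefix string) []byte {
	script := []byte(fmt.Sprintf(interceptor, proxyPrefix))
	var buf bytes.Buffer
	if i := bytes.Index(body, []byte("</head>")); i >= 0 {
		buf.Write(body[:i])
		buf.Write(script)
		buf.Write(body[i:])
		return buf.Bytes()
	}
	buf.Write(script)
	buf.Write(body)
	return buf.Bytes()
}

// NewProxy strips proxyPrefix from incoming paths, forwards to upstream and
// rewrites HTML on the way back. allowedOrigin is the bastion's own origin,
// which is what the browser expects in CORS headers for proxied fetches.
func NewProxy(upstream *url.URL, proxyPrefix, allowedOrigin string) *httputil.ReverseProxy {
	return &httputil.ReverseProxy{
		Rewrite: func(pr *httputil.ProxyRequest) {
			pr.SetURL(upstream)
			pr.Out.Host = upstream.Host
			p := strings.TrimPrefix(pr.In.URL.Path, proxyPrefix)
			if p == "" {
				p = "/"
			}
			pr.Out.URL.Path, pr.Out.URL.RawPath = p, ""
			// Let the transport negotiate gzip itself; it then transparently
			// decompresses, so ModifyResponse sees plain HTML.
			pr.Out.Header.Del("Accept-Encoding")
		},
		ModifyResponse: func(resp *http.Response) error {
			resp.Header.Set("Access-Control-Allow-Origin", allowedOrigin)
			resp.Header.Set("Access-Control-Allow-Credentials", "true")
			if !strings.HasPrefix(resp.Header.Get("Content-Type"), "text/html") {
				return nil
			}
			body, err := io.ReadAll(resp.Body)
			resp.Body.Close()
			if err != nil {
				return err
			}
			body = InjectScript(RewriteBody(body, upstream, proxyPrefix), proxyPrefix)
			resp.Body = io.NopCloser(bytes.NewReader(body))
			resp.ContentLength = int64(len(body))
			resp.Header.Set("Content-Length", strconv.Itoa(len(body)))
			return nil
		},
	}
}

func main() {
	upstream, _ := url.Parse("https://app.example.com") // constructed placeholder upstream
	const prefix = "/proxy/app"
	http.Handle(prefix+"/", NewProxy(upstream, prefix, "http://localhost:8080"))
	log.Fatal(http.ListenAndServe(":8080", nil))
}
```

The three rewrite passes are ordered deliberately: the regex handles only single-slash paths, the absolute origin is replaced before the protocol-relative host so that `https://host` never degrades to `https:/prefix`, and already-rewritten values contain the prefix rather than a bare `/`, so nothing is rewritten twice.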
- All user passwords are hashed before storage
- JWT tokens are used for authentication
- SSH sessions can be recorded for auditing
- Access control is enforced at both application and host levels
- Admin operations require elevated privileges
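The notes above say JWT tokens carry authentication and that admin operations require elevated privileges. The following added example (not Bastion's own auth code) shows, with only the Go standard library, what a defensible HS256 token path looks like: the server pins the algorithm instead of trusting the token's `alg` header, compares signatures in constant time, enforces `exp`, and gates privileged calls on a role claim. The `Claims` shape, the `roles` claim and the secret value are assumptions introduced here; in a deployment the key would come from `auth.jwt_secret` in `config.yaml`.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the token payload: subject, roles for RBAC, and expiry (assumed shape).
type Claims struct {
	Sub   string   `json:"sub"`
	Roles []string `json:"roles"`
	Exp   int64    `json:"exp"`
}

var (
	ErrInvalid = errors.New("invalid token")
	ErrExpired = errors.New("token expired")
	b64        = base64.RawURLEncoding
)

// sign returns the base64url HMAC-SHA256 of the signing input.
func sign(secret []byte, signingInput string) string {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(signingInput))
	return b64.EncodeToString(m.Sum(nil))
}

// Mint issues an HS256 token for sub that expires ttl after now.
func Mint(secret []byte, sub string, roles []string, ttl time.Duration, now time.Time) (string, error) {
	payload, err := json.Marshal(Claims{Sub: sub, Roles: roles, Exp: now.Add(ttl).Unix()})
	if err != nil {
		return "", err
	}
	header := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	signingInput := header + "." + b64.EncodeToString(payload)
	return signingInput + "." + sign(secret, signingInput), nil
}

// Verify validates a token. The accepted algorithm is pinned to HS256 on the
// server side, so a header claiming "none" or anything else is rejected
// before the signature is even compared.
func Verify(secret []byte, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, ErrInvalid
	}
	rawHeader, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, ErrInvalid
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if json.Unmarshal(rawHeader, &header) != nil || header.Alg != "HS256" {
		return nil, ErrInvalid
	}
	// Constant-time comparison so a forged signature leaks no timing signal.
	expected := sign(secret, parts[0]+"."+parts[1])
	if subtle.ConstantTimeCompare([]byte(expected), []byte(parts[2])) != 1 {
		return nil, ErrInvalid
	}
	rawPayload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, ErrInvalid
	}
	var claims Claims
	if json.Unmarshal(rawPayload, &claims) != nil {
		return nil, ErrInvalid
	}
	// A token without exp, or past it, is not accepted.
	if claims.Exp == 0 || !now.Before(time.Unix(claims.Exp, 0)) {
		return nil, ErrExpired
	}
	return &claims, nil
}

// HasRole is the RBAC check that gates privileged (admin) operations.
func HasRole(c *Claims, role string) bool {
	for _, r := range c.Roles {
		if r == role {
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("placeholder-jwt-secret") // constructed; use auth.jwt_secret in practice
	tok, _ := Mint(secret, "alice", []string{"user", "admin"}, 24*time.Hour, time.Now())
	c, err := Verify(secret, tok, time.Now())
	fmt.Println(err, c != nil && HasRole(c, "admin"))
}
```

Verifying the signature before decoding the payload, and deciding the algorithm from server configuration rather than from the token, are the two choices that keep the RBAC decision in `HasRole` meaningful: the roles are only trustworthy because nothing unsigned or differently signed ever reaches it.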
See LICENSE file for details.
Contributions are welcome! Please feel free to submit a Pull Request.
For issues, questions, or contributions, please open an issue on GitHub.