phlox
=====

a simple, authenticated reverse-proxy server.

this is intended for simple use cases, like if you have a weird little web app that may have some
security concerns that you'd still like to be able to access on the public internet.

what does this do?
------------------

phlox is a normal reverse-proxy server, except it refuses
to let you access anything it's proxying unless you are
signed in. if you try, it just redirects you to the login
page.

you can set custom login and error pages to customize phlox.


usage
-----

phlox supports the following command-line flags:

  * `-c CONFIG_FILE` - set the config file to use
  * `--passwd` - generate a json object with the argon2id hash of the given password
    * this will cause phlox to output json and exit without running the server
  * `--user` - optionally set the username to use with the --passwd option


configuration
-------------

phlox uses a json file for configuration. a config file should contain an object with the following keys:

  * `ListenAddress`: a string containing the address to bind the server on
  * `AssetDirectory`: a path to a directory containing various assets, described in more detail below
  * `LoginTimeout`: the time in seconds that a user can be idle before being logged out
  * `Users`: an array of objects, which should be generated by calling phlox with the `--passwd` flag
  * `Endpoints`: an array of objects defining a reverse-proxy endpoint. they should contain:
    * `Path`: the path to access the proxied resource
    * `Address`: the remote address of the proxied resource

### assets

files under the `AssetDirectory` will be accessible at `/phlox/asset/`. you should be careful: if 
`AssetDirectory` is an empty string, then phlox's current working directory will be served! if you want
*nothing* to be accessible, set it to `/dev/null` or similar.

some files in this directory are treated specially, if they exist:

  * `login.html` will replace the default `/phlox/login` page. it should contain a form that POSTs
    a username and password field to `/phlox/login` or you will probably break things.
  * `logged_in.html` will replace the default `/phlox/login` page for users who are logged in.
  * `404.html` will replace the default 404 error page
  * `500.html` will replace the default 500 error page

if you load any assets on these pages, they should be loaded from `/phlox/asset/` and NOT via relative
paths, because they won't work otherwise (and indeed that's the whole point of `/phlox/asset/`).


organization
------------

```
  |-- README.md        this file
  |-- main.go          the program entry point
  |-- login.go         login & logout http handler logic
  |-- proxy.go         proxy http handler code
  |-- auth/
  |   |-- auth.go      password handling & hashing
  |   |-- session.go   session creation & management (inc. a fake in-memory session db)
  |-- config/
  |   |-- config.go    config structures & loading
  |-- page/
      |-- page.go      page loading from AssetDirectory and container structure
      |-- default.go   definitions for the default pages when AssetDirectory ones are unavailable
```