Skip to content
/ depproxy Public

Go module proxy that only allows authorized modules

License

View license
2 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

AGWA/depproxy

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

21 Commits
.github/workflows
.github/workflows
 
 
doc
doc
 
 
internal
internal
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 

Repository files navigation

depproxy - Go module proxy that only allows authorized modules

depproxy is a Go module proxy that protects you from supply chain attacks by only proxying modules and versions that you have explicitly authorized.

Installing

go install src.agwa.name/depproxy@latest

Or, you can download a binary from the GitHub Releases Page.

depproxy is a single statically-linked binary so using Docker or a similar technology is superfluous.

Module Allowlist

Your module allowlist is a text file which specifies your authorized modules.

Each line of the file contains a module path and version, separated by whitespace. Blank lines and lines starting with # are ignored.

The version may be * to allow all versions of the given module.

The module path may be a path.Match pattern to allow all matching modules. In this case, the version must be *.

To allow multiple versions of a module, just specify the module on multiple lines.

Example Allowlist

# This is a comment
filippo.io/age				*
github.com/aws/*			*
github.com/boltdb/bolt			v1.3.1
github.com/miekg/dns			v1.1.51
github.com/miekg/dns			v1.1.52
golang.org/x/*				*
software.sslmate.com/src/*		*
src.agwa.name/*				*

Command Line Arguments

-allowlist FILEPATH (Mandatory)

Read your authorized modules and versions from the given file, documented above.

You must restart depproxy after modifying this file.

-listen LISTENER (Mandatory)

Listen on the given address, provided in go-listener syntax. You can specify the -listen flag multiple times to listen on multiple addresses.

Examples:

  • -listen tcp:8080 to listen on TCP port 8080, all interfaces.
  • -listen tls:depproxy.example.com:tcp:443 to listen on TCP port 443, all interfaces, with an automatically-obtained TLS certificate for depproxy.example.com (requires depproxy.example.com to be publicly-accessible).
  • -listen tls:/path/to/certificate.pem:tcp:443 to listen on TCP port 443, all interfaces, using a certificate chain and private key in a PEM file.

-upstream URL (Optional)

Specifies the URL of the upstream Go proxy. Default: https://proxy.golang.org

Usage

Set the GOPROXY environment variable to the URL of your depproxy instance, followed by /proxy. For example:

  • GOPROXY=https://depproxy.example.com/proxy
  • GOPROXY=http://192.0.2.1:8080/proxy

After you set GOPROXY, the go command will only be able to download modules and versions that are allowed by your allowlist.

Web Interface

Visit your depproxy instance in a web browser to see if any of your authorized modules have newer versions. If a newer version is available, the module will be highlighted in red and the following functions will be available to help you vet the new version:

  • Raw - view a raw diff between the authorized version and the latest version
  • HTML - view an HTML diff between the authorized version and the latest version
  • VCS - view a changelog between the authorized version and the latest version in the module's version control system (only available if the module is hosted on GitHub; not available with older module versions)

After vetting the new version, edit your allowlist to specify the new version and restart depproxy.

Screenshot

Screenshot of web interface showing the status of your authorized modules

About

Go module proxy that only allows authorized modules

Resources

Readme

License

View license
Activity

Stars

2 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases 1

v0.0.1 Latest
Mar 30, 2024

Packages

No packages published

Languages