brink

brink is an Identity-Aware Proxy (IAP) for TCP forwarding. It allows you to establish a secure websocket connection
over which you can forward SSH, RDP, and other traffic to your private services. It is the building block towards
BeyondCorp, a model designed by Google to secure applications in Zero-Trust networks.
Highlights:
- access your private services from anywhere
- identity-based access for zero-trust security
- authenticate with GitHub or with any trusted OIDC provider
- a single binary or Docker image
- easy configuration
Quickstart
Create an OIDC client application on your favorite provider (e.g. Auth0, Okta, Keycloak, ...) or create a
new GitHub OAuth application. In both cases, take note of your client ID and
client secret (and the issuer URL when using OIDC).
Create a new brink configuration file:
tls:
  disable: true # plain HTTP, for this localhost quickstart only
auth:
  url_prefix: "http://localhost:7000"
  provider:
    type: "oidc" # or github
    issuer: "<your oidc issuer>" # remove this line when using github
    client_id: "<your client id>"
    client_secret: "<your client secret>"
proxy:
  policies:
    local:
      filters: [ "*" ]
      targets: [ "localhost:*" ]
Download the latest version of brink from the releases page.
Start a brink server instance:
$ brink server --config config.yaml
INFO[0000] Starting brink. Version dev - 544a95ddf97eb8950fcce3562deb5919ce9ba092
INFO[0000] registering oidc routes
INFO[0000] registering proxy routes
INFO[0000] server listening on :7000
Next, use the brink ssh command to SSH into localhost. Depending on your system, a browser will open first
so that you can authenticate with your identity provider.
$ brink ssh -r http://localhost:7000 -t localhost:22
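The quickstart configuration above disables TLS and uses wildcard policies, which is only reasonable on localhost. The following check is an added example, not part of brink: it audits a parsed configuration before it is reused elsewhere, assuming that `*` acts as a wildcard in `filters` and `targets`; the hostname `brink.example.test` is constructed.

```python
from urllib.parse import urlsplit

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def audit(cfg):
    """Return findings for a parsed brink config (the dict a YAML loader yields)."""
    findings = []
    auth_url = urlsplit(cfg.get("auth", {}).get("url_prefix", ""))
    # A missing or non-loopback host is treated as reachable by other machines.
    remote = (auth_url.hostname or "") not in LOOPBACK
    if remote and cfg.get("tls", {}).get("disable"):
        findings.append("tls.disable is true on a non-loopback url_prefix")
    if remote and auth_url.scheme != "https":
        findings.append("auth.url_prefix is not https")
    for name, policy in cfg.get("proxy", {}).get("policies", {}).items():
        # Assumption: "*" acts as a wildcard in both filters and targets.
        if "*" in policy.get("filters", []):
            findings.append(f"policy {name}: filters contains a bare '*'")
        for target in policy.get("targets", []):
            if "*" in target:
                findings.append(f"policy {name}: wildcard target {target}")
    return findings

# Constructed input: the quickstart config from this page, as a dict.
QUICKSTART = {
    "tls": {"disable": True},
    "auth": {
        "url_prefix": "http://localhost:7000",
        "provider": {"type": "oidc", "issuer": "<your oidc issuer>",
                     "client_id": "<your client id>",
                     "client_secret": "<your client secret>"},
    },
    "proxy": {"policies": {"local": {"filters": ["*"],
                                     "targets": ["localhost:*"]}}},
}

# Constructed input: the same config published under a made-up hostname.
EXPOSED = {**QUICKSTART,
           "auth": {**QUICKSTART["auth"],
                    "url_prefix": "http://brink.example.test:7000"}}

if __name__ == "__main__":
    for label, cfg in (("quickstart", QUICKSTART), ("exposed", EXPOSED)):
        for finding in audit(cfg):
            print(f"{label}: {finding}")
```

On the quickstart config only the two wildcard policy entries are reported; the exposed variant additionally reports the disabled TLS and the non-https `url_prefix`.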
Documentation
(coming soon; in the meantime, have a look at the examples below)
Examples
Live demo
Download the latest version of brink from the releases page, connect to
the demo environment and enjoy a dancing parrot over SSH.
$ brink ssh -r brink.j5s.io -t parttysh:2222