
Helios - Identity-aware Proxy


⚠ This project is at an early stage and is not ready for production yet ⚠

Helios is an Identity & Access Proxy (IAP) that authorizes HTTP requests based on sets of rules. It is the building block towards BeyondCorp, a model designed by Google to secure applications in Zero-Trust networks.

In a nutshell, with Helios you can:

  • Identify users using existing identity providers like Google, Auth0, Azure AD, etc.
  • Secure and authenticate access to any domain or path
  • Configure authorization policies using CEL expressions
  • Use Helios as gateway or reverse proxy

Motivation

My goal is to build an open source alternative to Cloudflare Access and Cloud IAP.

Beyond that, I started this project off for 2 reasons:

  1. I wanted to exercise and continue improving my Go skills.
  2. I'm interested in BeyondCorp, Google's implementation of Zero Trust. I believe Zero Trust is the future of Enterprise Security.
  3. Last but not least, because it's fun!

Install

Install Go.

Next, download the project and build the binary:

$ go get -u github.com/cyakimov/helios

Usage

helios -config config.example.yaml

List flags with

helios -help

Configuring authorization rules

The supported condition attributes are based on details about the request (e.g., its timestamp, originating IP address, identity, etc.). The attribute types and example expressions are described below.

Available Attributes

  • request.host
  • request.path
  • request.ip
  • request.timestamp

For example, by setting Expression to a CEL expression that uses request.ip, you can limit access to requests originating from the private IP 10.0.0.1:

request.ip == "10.0.0.1"

Alternatively, you can check if a request comes from a particular network:

request.ip.network("192.168.0.0/24")

Example Date/Time Expressions

Allow access temporarily until a specified expiration date/time:

timestamp(request.time) < timestamp("2019-01-01T07:00:00Z")

Allow access only during specified working hours:

timestamp(request.time).getHours("America/Santiago") >= 9 &&
timestamp(request.time).getHours("America/Santiago") <= 17 &&
timestamp(request.time).getDayOfWeek("America/Santiago") >= 1 &&
timestamp(request.time).getDayOfWeek("America/Santiago") <= 5

Allow access only for a specified month and year:

timestamp(request.time).getFullYear("America/Santiago") == 2018
timestamp(request.time).getMonth("America/Santiago") < 6

Example URL Host/Path Expressions

Allow access only for certain subdomains or URL paths in the request:

request.host == "hr.example.com"
request.host.endsWith(".example.com")
request.path == "/admin/payroll.js"
request.path.startsWith("/admin")
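As an added illustration (not code from the Helios repository), the Go program below spells out what the request.ip and date/time rules above mean when evaluated with Go's standard library: request.ip.network is CIDR containment rather than a string prefix, and the working-hours rule is an hour and weekday check in a named time zone, with a malformed CIDR or unknown zone failing closed. The Request type and the Rule, IPInNetwork, WorkingHours and Allow names are assumptions of this example, not Helios identifiers; the embedded time/tzdata package lets the zone lookup work without system zoneinfo.

```go
package main

import (
	"net"
	"time"
	_ "time/tzdata" // embedded tz database so "America/Santiago" resolves on any host
)

// Request carries the attributes Helios exposes to CEL (host, path, ip, timestamp).
type Request struct {
	Host, Path string
	IP         net.IP    // assumption: taken from the TCP peer, not from a client header
	Time       time.Time // request arrival time, kept in UTC
}

// Rule is the Go-side meaning of one CEL expression: true allows the request.
type Rule func(Request) bool

// IPInNetwork is request.ip.network(cidr): CIDR containment, not a string prefix.
func IPInNetwork(cidr string) Rule {
	_, block, err := net.ParseCIDR(cidr)
	if err != nil {
		return func(Request) bool { return false } // fail closed on a malformed CIDR
	}
	return func(r Request) bool { return r.IP != nil && block.Contains(r.IP) }
}

// WorkingHours is the getHours/getDayOfWeek rule: 09:00-17:59 Mon-Fri in the named zone.
func WorkingHours(zone string) Rule {
	loc, err := time.LoadLocation(zone)
	if err != nil {
		return func(Request) bool { return false } // unknown zone: deny
	}
	return func(r Request) bool {
		t := r.Time.In(loc) // evaluate in local time, not UTC
		h, d := t.Hour(), t.Weekday()
		return h >= 9 && h <= 17 && d >= time.Monday && d <= time.Friday
	}
}

// Allow is the CEL && of all rules: every rule must hold, otherwise deny.
func Allow(r Request, rules ...Rule) bool {
	for _, rule := range rules {
		if !rule(r) {
			return false
		}
	}
	return true
}
```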

Development

Prerequisites

Environment Setup

Deploy a local CA

mkcert -install

Create a certificate for local development

mkcert localhost 127.0.0.1

Install dependencies

go mod download

Run the program

go run . -config config.example.yaml

Roadmap 🗺

Status  Milestone
🚀      Expression engine
❌      Support popular identity providers
❌      Use templates for error pages
❌      Export prometheus metrics
❌      Create a Github page
❌      Dynamic policies
