Introducing SPIFFE AuthZ Proxy

I made a tool to learn more about the SPIFFE and SPIRE libraries and APIs, and to make it faster and easier to adopt SPIFFE-based mTLS authentication (AuthN) and authorization (AuthZ) in older HTTP server applications, especially those built in languages or frameworks where handling short-lived certificates can be a pain. So here it is:

SPIFFE AuthZ Proxy.

spiffe-authz-proxy is designed to run as a sidecar alongside an HTTP server and handle all aspects of validating SVIDs presented as client TLS certificates, as well as applying a layer of route-based authorization (by HTTP path, with pattern matching, and by method) for those SVIDs. It can communicate with its upstream HTTP server via a Unix socket, so that the proxy is the only exposed network port.

It's released under the Apache Software License and published as a container image, so it should be easy to pull into, e.g., a Kubernetes cluster and try it out. I will start tagging actual releases soon, instead of just main. I'd like to merge the branch that implements its own health checks first.