runegate 0.2.0

Lightweight Rust-based identity proxy
# Runegate Environment Configuration Example
# Copy this file to .env and customize as needed

# =============================================================================
# Core Configuration
# =============================================================================

# Environment mode: 'production' for production, unset/any other value for development
# When set to 'production', JWT and session secrets become required
# RUNEGATE_ENV=production

# JWT secret for token signing (required when RUNEGATE_ENV=production)
# Replace the placeholder with a long random value generated for this deployment.
# RUNEGATE_JWT_SECRET=your_secure_jwt_secret

# Session key for cookies (required when RUNEGATE_ENV=production)
# Replace the placeholder with a long random value; do not reuse the JWT secret.
# RUNEGATE_SESSION_KEY=your_secure_session_key

# Target service URL (defaults to http://127.0.0.1:7860)
# RUNEGATE_TARGET_SERVICE=http://your-service-url

# Base URL for magic links (defaults to http://localhost:7870)
# Use an https:// URL for any non-local deployment: the emailed link carries the login token.
# RUNEGATE_BASE_URL=https://your-public-url

# Optional: Cookie Domain attribute. If unset, a host-only cookie is used (recommended).
# Setting a domain makes browsers send the session cookie to every subdomain of it.
# RUNEGATE_COOKIE_DOMAIN=your.domain.tld

# Magic link expiry time in minutes (defaults to 15)
# A longer lifetime keeps a link usable for longer if the message or mailbox is exposed.
# RUNEGATE_MAGIC_LINK_EXPIRY=60

# =============================================================================
# Logging Configuration
# =============================================================================

# Log filter read from RUST_LOG. Accepts a level (debug, info, warn, error) and,
# as in the debug example later in this file, comma-separated per-module
# directives such as runegate=debug.
RUST_LOG=info

# Logging format: 'console' (default) or 'json'
# RUNEGATE_LOG_FORMAT=json

# =============================================================================
# Session Cookie, Debug Endpoints, and Identity Headers
# =============================================================================

# Optional: Customize the session cookie name (default: runegate_id)
# RUNEGATE_SESSION_COOKIE_NAME=runegate_id

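# Optional: Enable debug endpoints (/debug/session, /debug/cookies, /debug/protected)
# Defaults: disabled in production, enabled in development unless explicitly set.
# Any RUNEGATE_ENV value other than 'production' counts as development, so set this
# to false on any reachable instance that does not run with RUNEGATE_ENV=production.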
# RUNEGATE_DEBUG_ENDPOINTS=false

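# Optional: Inject identity headers into requests forwarded to the target service
# When enabled, Runegate injects X-Runegate-Authenticated, X-Runegate-User,
# X-Forwarded-User, and X-Forwarded-Email for authenticated requests.
# It also strips any client-supplied versions of these headers before forwarding.
# The target can trust these headers only if it accepts traffic from Runegate alone;
# a client that reaches the target directly can set them itself.
# Default: true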
# RUNEGATE_IDENTITY_HEADERS=true

# =============================================================================
# Identity to Target (Future - JWT mode)
# =============================================================================
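# If you choose to enable JWT identity propagation in the future, the following
# variables will be used (subject to change).
# When uncommenting a line, remove its trailing "# ..." note unless your env loader
# is known to strip inline comments; otherwise the note can become part of the value.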

# RUNEGATE_IDENTITY_MODE=jwt                   # headers | jwt | none
# RUNEGATE_DOWNSTREAM_JWT_ALG=RS256            # RS256 | EdDSA | HS256
# RUNEGATE_DOWNSTREAM_JWT_TTL=600              # Token TTL in seconds
# RUNEGATE_DOWNSTREAM_JWT_ISS=runegate         # Issuer claim
# RUNEGATE_DOWNSTREAM_JWT_AUD=your-target      # Audience claim
# RUNEGATE_DOWNSTREAM_JWT_HEADER=Authorization # Header to carry token
# RUNEGATE_DOWNSTREAM_JWT_BEARER=true          # Prefix with "Bearer "

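# Key material (choose one approach based on algorithm)
# HS256 is symmetric: every target that verifies tokens holds the signing secret and
# could also mint tokens. With RS256 or EdDSA, targets need only the public key.
# Restrict read access on the private key file to the account that runs Runegate.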
# RUNEGATE_DOWNSTREAM_JWT_PRIVATE_KEY_PATH=/etc/runegate/keys/downstream_private.pem
# RUNEGATE_DOWNSTREAM_JWT_PRIVATE_KEY_BASE64=...   # Optional inline alternative
# RUNEGATE_DOWNSTREAM_JWT_SECRET=...               # For HS256 only

# Optional JWKS publishing (if targets fetch public keys)
# RUNEGATE_DOWNSTREAM_JWKS_ENABLED=false
# RUNEGATE_DOWNSTREAM_JWKS_PATH=/jwks.json

# =============================================================================
# Rate Limiting Configuration
# =============================================================================

# Enable or disable rate limiting (true/false, default: true)
# RUNEGATE_RATE_LIMIT_ENABLED=true

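# Number of login attempts allowed per minute per IP (default: 5)
# NOTE(review): confirm which address counts as the client IP when Runegate sits behind
# another proxy or load balancer; if it is the proxy's address, all users share one limit.
# The same applies to RUNEGATE_TOKEN_RATE_LIMIT.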
# RUNEGATE_LOGIN_RATE_LIMIT=5

# Cooldown period in seconds between magic link requests for the same email (default: 300)
# RUNEGATE_EMAIL_COOLDOWN=300

# Number of token verification attempts allowed per minute per IP (default: 10)
# RUNEGATE_TOKEN_RATE_LIMIT=10

# =============================================================================
# Example Debug Configuration
# =============================================================================

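# Uncomment for detailed logging during development
# Debug-level output is more verbose and may include request details; keep it out of production logs.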
# RUST_LOG=debug,runegate=debug,actix_web=info
# RUNEGATE_LOG_FORMAT=console

# Uncomment for production JSON logging
# RUST_LOG=info
# RUNEGATE_LOG_FORMAT=json