fix: move auth middleware to only protect /api endpoints

- Public access for website, health, metrics, and simple provisioning
- API key required only for /api/tunnels management endpoints
- Prevents unauthorized listing of all active tunnels
- Maintains open access for creating tunnels via curl

Author: mr-karan

.gitignore

@@ -3,7 +3,6 @@ CLAUDE.md
 .claude/
 tunnel.conf
 config.toml
-dist/*
 
 # Binaries
 bin/

docker-compose.prod-env.yml

@@ -0,0 +1,31 @@
+services:
+  arbok:
+    image: ghcr.io/mr-karan/arbok:latest
+    container_name: arbok
+    environment:
+      TZ: Asia/Kolkata
+      # Override config via environment variables
+      ARBOK_SERVER_APP__DOMAIN: "tunnel.yourdomain.com"
+      ARBOK_SERVER_AUTH__API_KEYS: '["admin-mrkaran-prod-VB7PGkPB9jmzZCXXzC"]'
+      ARBOK_SERVER_SERVER__PRIVATE_KEY: "uLu0FutcktFMZ1rTMKvE/LRkGBAeoBJcMvoX4a+Sxmw="
+      ARBOK_SERVER_SERVER__CIDR: "10.100.0.0/24"
+      ARBOK_SERVER_SERVER__LISTEN_PORT: "54321"
+      ARBOK_SERVER_HTTP__LISTEN_ADDR: ":8080"
+    ports:
+      - "100.64.13.114:17770:8080"
+      - "100.64.13.114:54321:54321/udp"
+    cap_add:
+      - NET_ADMIN
+      - SYS_MODULE
+    sysctls:
+      - net.ipv4.ip_forward=1
+      - net.ipv6.conf.all.forwarding=1
+    devices:
+      - /dev/net/tun:/dev/net/tun
+    healthcheck:
+      test: ["CMD-SHELL", "wget -q --tries=1 http://localhost:8080/health -O - || exit 1"]
+      interval: 60s
+      timeout: 10s
+      retries: 3
+      start_period: 40s
+    restart: unless-stopped

docker-compose.prod.yml

@@ -0,0 +1,51 @@
+services:
+  arbok:
+    image: ghcr.io/mr-karan/arbok:latest
+    container_name: arbok
+    environment:
+      TZ: Asia/Kolkata
+    configs:
+      - source: arbok_config
+        target: /app/config.toml
+    ports:
+      - "100.64.13.114:17770:8080"
+      - "100.64.13.114:54321:54321/udp"  # WireGuard port
+    cap_add:
+      - NET_ADMIN
+      - SYS_MODULE
+    sysctls:
+      - net.ipv4.ip_forward=1
+      - net.ipv6.conf.all.forwarding=1
+    devices:
+      - /dev/net/tun:/dev/net/tun
+    healthcheck:
+      test: ["CMD-SHELL", "wget -q --tries=1 http://localhost:8080/health -O - || exit 1"]
+      interval: 60s
+      timeout: 10s
+      retries: 3
+      start_period: 40s
+    restart: unless-stopped
+    command: ["./arbok", "--config", "/app/config.toml"]
+
+configs:
+  arbok_config:
+    content: |
+      [app]
+      verbose = false
+      domain = "tunnel.yourdomain.com"  # CHANGE THIS
+
+      [auth]
+      api_keys = []  # Add API keys like ["key1", "key2"] if needed
+
+      [tunnel]
+      default_ttl = "24h"
+      cleanup_interval = "5m"
+
+      [server]
+      cidr = "10.100.0.0/24"
+      listen_port = 54321
+      private_key = "YOUR_WIREGUARD_PRIVATE_KEY"  # CHANGE THIS - generate with: wg genkey
+
+      [http]
+      listen_addr = ":8080"
+      allowed_origins = ["*"]

gen-wg-key.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+# Generate and validate WireGuard private key for Arbok server
+
+echo "Generating WireGuard private key..."
+PRIVATE_KEY=$(wg genkey)
+PUBLIC_KEY=$(echo "$PRIVATE_KEY" | wg pubkey)
+
+# Validate the key is proper base64
+if echo "$PRIVATE_KEY" | base64 -d >/dev/null 2>&1; then
+    echo "✓ Key validation passed"
+else
+    echo "✗ Key validation failed"
+    exit 1
+fi
+
+# Check key length (should be 32 bytes when decoded)
+KEY_LENGTH=$(echo "$PRIVATE_KEY" | base64 -d | wc -c)
+if [ "$KEY_LENGTH" -eq 32 ]; then
+    echo "✓ Key length correct (32 bytes)"
+else
+    echo "✗ Key length incorrect (got $KEY_LENGTH bytes, expected 32)"
+    exit 1
+fi
+
+echo ""
+echo "=== WireGuard Keys Generated ==="
+echo "Private Key: $PRIVATE_KEY"
+echo "Public Key:  $PUBLIC_KEY"
+echo ""
+echo "Add this exact private key to your docker-compose.yml:"
+echo "private_key = \"$PRIVATE_KEY\""

internal/api/server.go

@@ -54,15 +54,14 @@ func NewAPIServer(cfg Config, logger logf.Logger, tun *tunnel.Tunnel, reg *regis
 }
 
 func (s *Server) setupRoutes() {
-	// Apply global middleware
+	// Global middleware for all routes
 	s.router.Use(
 		middleware.Recovery(s.logger),
 		middleware.Logger(s.logger),
 		middleware.CORS(s.cfg.AllowedOrigins),
-		s.auth.Middleware,
 	)
 
-	// Static website files
+	// Static website
 	webFS, err := fs.Sub(webFiles, "web")
 	if err != nil {
 		s.logger.Error("failed to create web filesystem", "error", err)
@@ -71,21 +70,22 @@ func (s *Server) setupRoutes() {
 		s.router.HandleFunc("/", s.handleWebsite).Methods("GET")
 	}
 
-	// Public endpoints
+	// Health and metrics endpoints
 	s.router.HandleFunc("/health", s.handleHealth).Methods("GET")
 	s.router.HandleFunc("/metrics", metrics.Handler()).Methods("GET")
 
-	// API endpoints
+	// Protected API endpoints
 	api := s.router.PathPrefix("/api").Subrouter()
+	api.Use(s.auth.Middleware)
 	api.HandleFunc("/tunnel/{port:[0-9]+}", s.handleCreateTunnel).Methods("POST")
 	api.HandleFunc("/tunnel/{id}", s.handleGetTunnel).Methods("GET")
 	api.HandleFunc("/tunnel/{id}", s.handleDeleteTunnel).Methods("DELETE")
 	api.HandleFunc("/tunnels", s.handleListTunnels).Methods("GET")
 
-	// Simple provisioning endpoint (curl-friendly)
+	// Simple tunnel provisioning
 	s.router.HandleFunc("/{port:[0-9]+}", s.handleProvisionSimple).Methods("GET")
 
-	// Wildcard routing for tunnel traffic
+	// Tunnel traffic proxy
 	s.router.PathPrefix("/").HandlerFunc(s.handleTunnelProxy)
 }