Introduction
Pasolo is an authentication server for single users with passkeys. Pasolo runs alongside reverse proxies such as Caddy, Traefik, and Nginx, using their forward_auth or external_auth functionality.
Why?
Inspired by a post in r/selfhosted and by similar projects like Vouch Proxy, oauth2-proxy and Ory Oathkeeper, Pasolo was developed for self-hosted / home lab use cases, where the number of users is very limited (in this case, 1 person) but the owner still wants some degree of authentication on their setup.
How It Works
Pasolo runs alongside your load balancer, and works best when it runs as one of your subdomains.
- The client tries to access app.your.domain, and the request is received by the Load Balancer.
- Instead of being forwarded directly to app.your.domain, the request is forwarded to pasolo.your.domain.
- Pasolo validates the request via the request cookies. When Pasolo finds that the request contains no cookies or contains invalid cookies, it returns 401 (Not Authorized).
- The Load Balancer receives the 401 and acts accordingly. It is recommended to configure the Load Balancer to forward the user to the Pasolo login page, in this example pasolo.your.domain/login.
- The client logs in using the passkeys that were registered during the setup process, and is then redirected to app.your.domain.
- Same as step 2, the Load Balancer forwards the request to Pasolo.
- Pasolo validates the request and returns success (200).
- The Load Balancer then forwards the request to app.your.domain.
- app.your.domain now replies to the request as usual.
Please note that the redirection to the Pasolo /login page only happens when no session is found on the request, or the existing session is invalid.
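The 401/200 decision described above, modeled as an added Python example. It is not Pasolo's code: the cookie name, the HMAC-signed "expiry.tag" session format, the signing key and the function names are all assumptions made for illustration.

```python
import hashlib
import hmac
from http.cookies import CookieError, SimpleCookie

SECRET = b"constructed-demo-key"   # assumption: server-side signing key
COOKIE = "session"                 # assumption: session cookie name
LOGIN_URL = "https://pasolo.your.domain/login"
APP_HOST = "app.your.domain"

def _tag(expiry: str) -> str:
    return hmac.new(SECRET, expiry.encode(), hashlib.sha256).hexdigest()

def issue_session(now: int, ttl: int = 3600) -> str:
    """Cookie value the auth server would set after a passkey login."""
    expiry = str(now + ttl)
    return expiry + "." + _tag(expiry)

def auth_check(cookie_header, now: int) -> int:
    """Auth-server side: 200 for a valid session, 401 otherwise."""
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except CookieError:
        return 401
    if COOKIE not in jar:
        return 401                          # no session on the request
    expiry, _, tag = jar[COOKIE].value.partition(".")
    # Verify the MAC in constant time before trusting the expiry field.
    if not hmac.compare_digest(tag.encode(), _tag(expiry).encode()):
        return 401                          # forged or tampered cookie
    if int(expiry) <= now:
        return 401                          # session expired
    return 200

def proxy_decide(cookie_header, now: int):
    """Load-balancer side: forward on 200, send to the login page on 401."""
    if auth_check(cookie_header, now) == 200:
        return ("forward", APP_HOST)
    return ("redirect", LOGIN_URL)

if __name__ == "__main__":
    t0 = 1_700_000_000                      # constructed timestamp
    good = f"{COOKIE}={issue_session(t0)}"
    print(proxy_decide(None, t0))           # first visit, no cookie
    print(proxy_decide(good, t0 + 10))      # after login
    print(proxy_decide(good, t0 + 7200))    # session expired
```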
Getting Started
To get started, choose the reverse proxy you want to use, then configure it to use Pasolo for authentication.