{"name":"docker-tinyauth: Run TinyAuth Rootless, Distroless, and Truly Tiny","description":"docker-tinyauth provides a highly secure and optimized Docker image for TinyAuth, a simple authentication middleware. It enables running TinyAuth rootless, distroless, and truly tiny, enhancing security and efficiency for your containerized applications. This image offers features like automatic updates, health checks, and CVE scanning, making it a robust choice for authentication needs.","github":"https://github.com/11notes/docker-tinyauth","url":"https://osrepos.com/repo/11notes-docker-tinyauth","source":"osrepos.com","sourceDescription":"This repository profile is provided by osrepos.com, an open source repository discovery platform.","repositoryProfile":"https://osrepos.com/repo/11notes-docker-tinyauth","generatedFor":"open source discovery and AI-assisted research","markdown":"https://osrepos.com/repo/11notes-docker-tinyauth.md","json":"https://osrepos.com/repo/11notes-docker-tinyauth.json","topics":["Docker","Authentication","Middleware","Go","Security","Container","Rootless","Distroless"],"keywords":["Docker","Authentication","Middleware","Go","Security","Container","Rootless","Distroless"],"stars":null,"summary":"docker-tinyauth provides a highly secure and optimized Docker image for TinyAuth, a simple authentication middleware. It enables running TinyAuth rootless, distroless, and truly tiny, enhancing security and efficiency for your containerized applications. This image offers features like automatic updates, health checks, and CVE scanning, making it a robust choice for authentication needs.","content":"## Introduction\n**docker-tinyauth** provides a highly optimized and secure Docker image for TinyAuth, a simple yet powerful authentication middleware. TinyAuth is designed to add a login screen or integrate OAuth with providers like Google and GitHub to your Docker applications. 
It seamlessly supports popular proxies such as Traefik, Nginx, and Caddy, making it a versatile solution for securing access to your services. This repository focuses on delivering TinyAuth in a rootless, distroless, and truly tiny container, prioritizing security and efficiency.\n\n## Installation\nTo get started with docker-tinyauth, you can pull the image from various registries. It's recommended to use a specific version tag for stability, for example, `4.0.0`.\n\n```bash\ndocker pull 11notes/tinyauth:4.0.0\n# Or from other registries:\ndocker pull ghcr.io/11notes/tinyauth:4.0.0\ndocker pull quay.io/11notes/tinyauth:4.0.0\n```\n\nFor a basic setup using Docker Compose, you can define the `tinyauth` service as follows. Remember to replace placeholder values like `${FQDN_TINYAUTH}`, `${SECRET}`, and the default `USERS` password with your own secure configurations.\n\n```yaml\nservices:\n  tinyauth:\n    image: \"11notes/tinyauth:4.0.0\"\n    read_only: true\n    environment:\n      APP_URL: \"https://${FQDN_TINYAUTH}\"\n      # secret must be a 32 Byte long string (32 characters)\n      SECRET: ${SECRET}\n      # admin / admin, please do not use in production!\n      USERS: \"admin:$2y$12$zzekhr74SUez9vo8TK2Be.mJ4EMX44k7whOogQo4F/2i84a6Rl6U6\"\n    labels:\n      - \"traefik.enable=true\"\n      - \"traefik.http.routers.tinyauth.rule=Host(`${FQDN_TINYAUTH}`)\"\n      - \"traefik.http.routers.tinyauth.entrypoints=https\"\n      - \"traefik.http.routers.tinyauth.tls=true\"\n      - \"traefik.http.routers.tinyauth.service=tinyauth\"\n      - \"traefik.http.services.tinyauth.loadbalancer.server.port=3000\"\n      - \"traefik.http.middlewares.tinyauth.forwardauth.address=http://tinyauth:3000/api/auth/traefik\"\n    networks:\n      - backend\n```\n\nFor more details on changing the default UID/GID, consult the [how-to.changeUIDGID](https://github.com/11notes/RTFM/blob/main/linux/container/image/11notes/how-to.changeUIDGID.md#change-uidgid-the-correct-way) section 
of the [RTFM](https://github.com/11notes/RTFM).\n\n## Examples\nThe provided `docker-compose.yml` in the repository demonstrates a comprehensive setup integrating `tinyauth` with Traefik, `socket-proxy`, and a `whoami` service to showcase its functionality. The `tinyauth` service is configured with Traefik labels to enable forward authentication, securing access to other services like `whoami`.\n\n```yaml\nservices:\n  tinyauth:\n    image: \"11notes/tinyauth:4.0.0\"\n    read_only: true\n    environment:\n      APP_URL: \"https://${FQDN_TINYAUTH}\"\n      SECRET: ${SECRET}\n      USERS: \"admin:$2y$12$zzekhr74SUez9vo8TK2Be.mJ4EMX44k7whOogQo4F/2i84a6Rl6U6\"\n    labels:\n      - \"traefik.enable=true\"\n      - \"traefik.http.routers.tinyauth.rule=Host(`${FQDN_TINYAUTH}`)\"\n      - \"traefik.http.routers.tinyauth.entrypoints=https\"\n      - \"traefik.http.routers.tinyauth.tls=true\"\n      - \"traefik.http.routers.tinyauth.service=tinyauth\"\n      - \"traefik.http.services.tinyauth.loadbalancer.server.port=3000\"\n      - \"traefik.http.middlewares.tinyauth.forwardauth.address=http://tinyauth:3000/api/auth/traefik\"\n    networks:\n      backend:\n\n  whoami:\n    image: \"traefik/whoami:latest\"\n    labels:\n      - \"traefik.enable=true\"\n      - \"traefik.http.routers.whoami.rule=Host(`${FQDN_WHOAMI}`)\"\n      - \"traefik.http.routers.whoami.entrypoints=https\"\n      - \"traefik.http.routers.whoami.tls=true\"\n      - \"traefik.http.routers.whoami.middlewares=tinyauth\" # This line applies tinyauth middleware\n      - \"traefik.http.routers.whoami.service=whoami\"\n      - \"traefik.http.services.whoami.loadbalancer.server.port=80\"\n    networks:\n      backend:\n```\n\nIn this example, the `whoami` service is protected by the `tinyauth` middleware, meaning users must authenticate via TinyAuth before accessing `whoami`.\n\n## Why use docker-tinyauth?\nThis Docker image stands out due to its extreme focus on security, simplicity, and 
optimization. Here are the key reasons to choose `11notes/tinyauth`:\n*   **Rootless Execution**: Runs as user `1000:1000`, significantly reducing potential attack surfaces.\n*   **Distroless**: The image has no shell and is built on a minimal `scratch` base with only essential components, further enhancing security by removing unnecessary binaries.\n*   **Truly Tiny**: At just 12MB, it's remarkably small, leading to faster downloads and reduced resource consumption compared to other images (e.g., `steveiliop56/tinyauth` at 35MB).\n*   **Automated Updates**: Continuously updated to the latest version via CI/CD, ensuring you always have the most recent features and security patches.\n*   **Health Checks**: Includes a built-in health check for reliable service monitoring.\n*   **Read-Only Operation**: Designed to run in read-only mode for enhanced security.\n*   **CVE Scanning**: Automatically scanned for Common Vulnerabilities and Exposures (CVEs) both before and after publishing.\n*   **Secure CI/CD**: Created via a secure and pinned CI/CD process, guaranteeing integrity from build to deployment.\n\nIf you prioritize robust security, minimal footprint, and streamlined operations for your authentication middleware, `docker-tinyauth` is an excellent choice.\n\n## Links\n*   **GitHub Repository**: [https://github.com/11notes/docker-tinyauth](https://github.com/11notes/docker-tinyauth)\n*   **Docker Hub**: [https://hub.docker.com/r/11notes/tinyauth/tags?name=4.0.0](https://hub.docker.com/r/11notes/tinyauth/tags?name=4.0.0)\n*   **GitHub Container Registry (GHCR)**: `ghcr.io/11notes/tinyauth:4.0.0`\n*   **Quay.io**: `quay.io/11notes/tinyauth:4.0.0`\n*   **Original TinyAuth Project**: [https://github.com/steveiliop56/tinyauth](https://github.com/steveiliop56/tinyauth)\n*   **Parent Image (distroless)**: 
[https://github.com/11notes/docker-distroless](https://github.com/11notes/docker-distroless)","metrics":{"detailViews":8,"githubClicks":5},"dates":{"published":null,"modified":"2025-10-12T15:01:10.000Z"}}