Bumps the go-deps group with 2 updates in the / directory: [github.com/redis/go-redis/v9](https://github.com/redis/go-redis) and [golang.org/x/crypto](https://github.com/golang/crypto).

Updates `github.com/redis/go-redis/v9` from 9.19.0 to 9.20.0
- [Release notes](https://github.com/redis/go-redis/releases)
- [Changelog](https://github.com/redis/go-redis/blob/master/RELEASE-NOTES.md)
- [Commits](https://github.com/redis/go-redis/compare/v9.19.0...v9.20.0)

Updates `golang.org/x/crypto` from 0.52.0 to 0.53.0
- [Commits](https://github.com/golang/crypto/compare/v0.52.0...v0.53.0)

---
updated-dependencies:
- dependency-name: github.com/redis/go-redis/v9
  dependency-version: 9.20.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-deps
- dependency-name: golang.org/x/crypto
  dependency-version: 0.53.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-deps
...

Signed-off-by: dependabot[bot] <support@github.com>

go-hauk
Go port of the Hauk location sharing backend.
why
The original PHP implementation works fine but has some overhead. This port provides:
- 345x higher throughput (45k vs 133 req/s)
- 36x smaller image (16MB vs 578MB)
- 3x lower memory footprint (8MB vs 25MB idle)
- single static binary, no runtime dependencies
- redis only (no memcached)
usage
run go-hauk and redis together with docker compose:
```sh
# generate a password hash
export HAUK_PASSWORD_HASH=$(htpasswd -nbBC 10 "" 'your-password' | tr -d ':\n')
docker compose up -d
```
or copy .env.example to .env, fill it in, and run docker compose up -d.
persistence
share data (sessions, links, locations) lives in redis with a per-share TTL
(HAUK_MAX_DURATION, default 24h). the bundled redis persists to a named volume
by default, so restarts and redeploys keep active shares alive. set
REDIS_PERSIST=off for in-memory only -- faster, but every share is lost on
restart.
deploy on railway
use the Deploy on Railway button above.
config
all config via environment variables:
| var | default | description |
|---|---|---|
| HAUK_LISTEN_ADDR | :8080 | listen address |
| HAUK_PUBLIC_URL | http://localhost:8080/ | public url for share links |
| HAUK_REDIS_ADDR | localhost:6379 | redis address (host:port or redis:// url) |
| HAUK_AUTH_METHOD | password | auth method (password, htpasswd, ldap) |
| HAUK_PASSWORD_HASH | | bcrypt hash for password auth |
| HAUK_MAX_DURATION | 86400 | max share lifetime in seconds (redis key TTL) |
| HAUK_RATE_LIMIT_AUTH | 10 | max auth requests per minute per ip |
| HAUK_RATE_LIMIT_ADOPT | 10 | max adopt requests per minute per ip |
| HAUK_TRUST_PROXY | true | trust X-Forwarded-For (set false if not behind proxy) |
see config/config.go for full list.
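
how HAUK_TRUST_PROXY interacts with the per-ip limits (HAUK_RATE_LIMIT_AUTH, HAUK_RATE_LIMIT_ADOPT), as an added example that is not go-hauk's own code. clientKey, allow and admitted are hypothetical names, taking the right-most X-Forwarded-For entry assumes a single trusted proxy, and the requests are constructed:

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// clientKey picks the address a per-IP limiter keys on (hypothetical helper).
// trustProxy mirrors HAUK_TRUST_PROXY: X-Forwarded-For is read only when true.
func clientKey(r *http.Request, trustProxy bool) string {
	if trustProxy {
		// Assumption: one trusted proxy appends its peer; take the right-most entry.
		parts := strings.Split(r.Header.Get("X-Forwarded-For"), ",")
		if ip := net.ParseIP(strings.TrimSpace(parts[len(parts)-1])); ip != nil {
			return ip.String()
		}
	}
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return r.RemoteAddr
	}
	return host
}

// allow counts one request against key inside a single rate-limit window
// (window expiry omitted) and reports whether key is still within limit.
func allow(counts map[string]int, key string, limit int) bool {
	counts[key]++
	return counts[key] <= limit
}

// admitted replays n constructed requests from one TCP peer, each carrying a
// different X-Forwarded-For value, and counts how many pass a limit of 10.
func admitted(n int, trustProxy bool) int {
	counts, ok := map[string]int{}, 0
	for i := 0; i < n; i++ {
		r := &http.Request{RemoteAddr: "203.0.113.7:40000", Header: http.Header{}}
		r.Header.Set("X-Forwarded-For", fmt.Sprintf("198.51.100.%d", i+1))
		if allow(counts, clientKey(r, trustProxy), 10) {
			ok++
		}
	}
	return ok
}

func main() {
	fmt.Println(admitted(50, true), admitted(50, false))
}
```

with no proxy in front, trusting the header gives every constructed request its own bucket, so the limit never applies; ignoring it keys all of them on the TCP peer. behind a proxy the reverse holds: ignoring the header keys every client on the proxy's address.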
security improvements over upstream
- adopt authorization: only share owner can adopt into groups (fixes CVE-like auth bypass in upstream)
- built-in rate limiting on auth and adopt endpoints (configurable, default 10 req/min/ip)
disclaimer
this is a best-effort port of the upstream reference backend. the security surface has been mitigated where practical, but no third-party audit has been performed, and risks inherent in the upstream protocol (e.g. 6-digit group pins, view links readable by anyone with the url) are carried forward. use at your own discretion.
some proposed hardening lives under https://github.com/parkan/go-hauk/pull/10/changes; however, validating that it does not break things is nontrivial without conformance tests.
compatibility
drop-in replacement for the php backend. works with the existing android app and web frontend.
license
same as upstream (apache 2.0).