Security & RBAC

Gatwy is built with enterprise-grade security features suitable for production and compliance environments.

Role-Based Access Control (RBAC)

Gatwy has 25 fine-grained permissions across 6 categories:

  • Connections
  • Sessions
  • Audit
  • Administration
  • Protocols
  • Custom permissions

Built-in roles: Admin, User

Custom roles: Create your own roles and assign any combination of the 25 permissions.

Per-Protocol Access Control

Restrict which protocols each role can use:

  • SSH, RDP, VNC, Telnet, SMB, FTP — individually toggleable per role

Authentication

Local Authentication

  • bcrypt-hashed passwords
  • Brute-force lockout (configurable threshold)
  • Lockout events logged in the audit trail with IP, username, and lockout duration
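As an added illustration of the lockout behaviour described above (example code written for this page, not Gatwy's own): a per-account tracker that counts failed logins, locks the account once a configurable threshold is reached, and writes an audit record carrying the source IP, the username and the lockout duration. The threshold and duration defaults, the function names and the audit sink are assumptions; `verifyPassword` stands in for the bcrypt comparison and is supplied by the caller.

```javascript
// Added example, not Gatwy's code: per-account brute-force lockout with an
// audit record carrying the IP, username and lockout duration. Threshold and
// duration are assumed configuration values; the audit sink is a plain array.
class LockoutTracker {
  constructor({ threshold = 5, lockoutMs = 15 * 60 * 1000, audit = [] } = {}) {
    this.threshold = threshold;
    this.lockoutMs = lockoutMs;
    this.audit = audit;            // audit sink (array here; a database in practice)
    this.accounts = new Map();     // username -> { failures, lockedUntil }
  }

  // True while the account's lockout has not yet expired.
  isLocked(username, now = Date.now()) {
    const rec = this.accounts.get(username);
    return rec !== undefined && rec.lockedUntil > now;
  }

  // Count a failed attempt; once the threshold is reached the account is
  // locked and the event is written to the audit trail. Returns true if locked.
  recordFailure(username, ip, now = Date.now()) {
    const rec = this.accounts.get(username) || { failures: 0, lockedUntil: 0 };
    rec.failures += 1;
    if (rec.failures >= this.threshold) {
      rec.lockedUntil = now + this.lockoutMs;
      rec.failures = 0;            // fresh budget once the lock expires
      this.audit.push({
        event: 'brute_force_lockout',
        at: now,
        username,
        ip,
        lockoutMs: this.lockoutMs,
      });
    }
    this.accounts.set(username, rec);
    return rec.lockedUntil > now;
  }

  // A successful login clears the failure count.
  recordSuccess(username) {
    this.accounts.delete(username);
  }
}

// Login gate. The lock is checked before the password is verified, so a
// locked account costs no bcrypt work and a correct password is still
// rejected until the lockout expires. `verifyPassword(username, password)`
// is a stand-in for the bcrypt comparison against the stored hash.
function attemptLogin(tracker, { username, password, ip }, verifyPassword, now = Date.now()) {
  if (tracker.isLocked(username, now)) return { ok: false, reason: 'locked' };
  if (verifyPassword(username, password)) {
    tracker.recordSuccess(username);
    return { ok: true };
  }
  const locked = tracker.recordFailure(username, ip, now);
  return { ok: false, reason: locked ? 'locked' : 'bad_credentials' };
}
```

The lock is keyed by username because that is what the page's audit event records; a deployment that also wants per-IP limiting can run a second tracker keyed by the resolved client IP.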

LDAP / Active Directory

  • Authenticate users against any LDAP directory
  • Map LDAP groups to the Admin role

OpenID Connect (SSO)

  • Sign in via Azure AD, Okta, Google, Keycloak, or any OIDC-compatible provider
  • Auto-provision users on first login
  • Admin UI to enable/disable local, LDAP, and SSO independently
  • Option to enforce SSO-only login (disable local auth)

MFA (TOTP)

  • Per-user authenticator app support (Google Authenticator, Authy, etc.)
  • Trusted device cookies to skip MFA on known devices

Proxy Detection

When Gatwy is running behind a reverse proxy, login requests arrive from the proxy's IP address with the real client IP forwarded via the X-Forwarded-For header. If the proxy IP has not been added to the trusted proxies list, Gatwy detects this and shows a toast notification to the admin.

From the toast, admins can add the proxy IP to the trusted list in one click — no need to navigate to settings manually.

The feature can be toggled on or off under Settings → Security → Proxy Detection.

Tip: If you run Gatwy behind Nginx, Caddy, or Traefik, add your proxy's IP to the trusted proxies list after first login. See the Reverse Proxy guide for details.

IP Access Rules

  • Allowlist or denylist by CIDR range
  • Blocks are audit logged with source IP and matched rule
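The two mechanisms above, trusted-proxy handling of X-Forwarded-For and CIDR allow/deny rules, share one building block: matching an address against a CIDR range. The following is an added example written for this page, not Gatwy's own code. It shows why the trusted proxies list matters (the header is honoured only when the TCP peer is a trusted proxy, because any client can put arbitrary text in it), how the flag behind the proxy-detection toast can be derived, and how an ordered rule list is evaluated so that a block can be logged with its source IP and matched rule. The function names, the `{ cidr, action }` rule shape and the IPv4-only scope are assumptions of the example.

```javascript
// Added example, not Gatwy's code: trusted-proxy resolution of the client IP
// and allow/deny evaluation over IPv4 CIDR ranges. Names and the rule shape
// are assumptions for this illustration; IPv6 is out of scope here.

const IPV4 = /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;

function isIPv4(s) {
  return typeof s === 'string' && IPV4.test(s);
}

// Dotted quad -> unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split('.').reduce((acc, octet) => ((acc << 8) | Number(octet)) >>> 0, 0);
}

// "a.b.c.d/n" or a bare address (treated as /32) -> { network, mask }.
function parseCidr(cidr) {
  const [addr, bitsStr] = cidr.split('/');
  if (!isIPv4(addr)) throw new Error(`not an IPv4 address: ${cidr}`);
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error(`bad prefix length: ${cidr}`);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0; // "<< 32" would wrap to "<< 0"
  return { network: (ipToInt(addr) & mask) >>> 0, mask };
}

function inCidr(ip, cidr) {
  if (!isIPv4(ip)) return false;
  const { network, mask } = parseCidr(cidr);
  return ((ipToInt(ip) & mask) >>> 0) === network;
}

function isTrustedProxy(ip, trustedProxies) {
  return trustedProxies.some((cidr) => inCidr(ip, cidr));
}

// Decide which address to treat as the client. X-Forwarded-For is honoured
// only when the TCP peer is a trusted proxy; from any other peer the header
// is ignored. The returned flag marks the case the page describes: a peer
// that is forwarding but has not been added to the trusted list yet.
function resolveClientIp(remoteAddr, xffHeader, trustedProxies) {
  const forwarded = String(xffHeader || '').split(',').map((s) => s.trim()).filter(Boolean);
  if (!isTrustedProxy(remoteAddr, trustedProxies)) {
    return { ip: remoteAddr, untrustedProxySuspected: forwarded.length > 0 };
  }
  if (forwarded.some((a) => !isIPv4(a))) {
    // Malformed chain: fall back to the peer address rather than use junk.
    return { ip: remoteAddr, untrustedProxySuspected: false };
  }
  // Walk the chain right to left, skipping hops we control, and stop at the
  // first address that is not one of our own proxies.
  let ip = remoteAddr;
  for (let i = forwarded.length - 1; i >= 0; i--) {
    ip = forwarded[i];
    if (!isTrustedProxy(ip, trustedProxies)) break;
  }
  return { ip, untrustedProxySuspected: false };
}

// First matching rule wins; no match falls through to defaultAction. The
// matched rule is returned so a block can be audit logged with the source IP
// and the rule that produced it.
function evaluateIpRules(ip, rules, defaultAction = 'allow') {
  for (const rule of rules) {
    if (inCidr(ip, rule.cidr)) return { action: rule.action, matched: rule };
  }
  return { action: defaultAction, matched: null };
}

// Constructed scenario: Gatwy behind a proxy at 172.18.0.2, real client 203.0.113.9.
function demo() {
  const trustedProxies = ['172.18.0.2'];
  const client = resolveClientIp('172.18.0.2', '203.0.113.9', trustedProxies);
  const rules = [
    { cidr: '10.0.0.0/8', action: 'allow' },
    { cidr: '0.0.0.0/0', action: 'deny' },
  ];
  return { client, decision: evaluateIpRules(client.ip, rules) };
}
```

Rule order is significant in this model: a deny-everything rule placed first would shadow every allow after it, so an admin building an allowlist puts the specific allow ranges before the catch-all deny, as `demo()` does.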

Session Security

  • Idle timeout — real idle detection (heartbeats don't reset the clock); warning dialog with countdown before auto-logout
  • Max session duration — hard JWT expiry regardless of activity
  • Encryption key — all credentials, MFA secrets, and recordings encrypted with AES-256 (see Configuration)
  • Runs as non-root — container drops to unprivileged node user at startup via gosu
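The first two bullets above describe two independent clocks: an idle timeout that only real user activity resets, and an absolute expiry that no activity can extend. The following added example (written for this page, not Gatwy's code) models both, keeps heartbeats separate from activity so they cannot keep a session alive, and computes the countdown a warning dialog would show. The class, its method names and the settings values are assumptions.

```javascript
// Added example, not Gatwy's code: a session clock with real idle detection
// and a hard maximum duration. Heartbeats update liveness only; they never
// move the idle clock. Setting values here are constructed for the demo.
class SessionClock {
  constructor({ idleTimeoutMs, maxDurationMs, warnBeforeMs, now = Date.now() }) {
    this.idleTimeoutMs = idleTimeoutMs;
    this.warnBeforeMs = warnBeforeMs;
    this.createdAt = now;
    this.lastActivityAt = now;            // only user actions move this
    this.lastHeartbeatAt = now;           // liveness pings move this alone
    this.expiresAt = now + maxDurationMs; // hard cap, like a JWT "exp" claim
  }

  // Keepalive from the client: records liveness, does not reset idle time.
  heartbeat(now = Date.now()) {
    this.lastHeartbeatAt = now;
  }

  // A real user action (keystroke, click, navigation) resets the idle clock.
  activity(now = Date.now()) {
    this.lastActivityAt = now;
  }

  // Current status plus the remaining time the warning dialog would count down.
  // The hard expiry is checked first so constant activity cannot outlive it.
  state(now = Date.now()) {
    if (now >= this.expiresAt) return { status: 'expired', reason: 'max_duration' };
    const idleFor = now - this.lastActivityAt;
    if (idleFor >= this.idleTimeoutMs) return { status: 'expired', reason: 'idle' };
    const remainingMs = Math.min(this.idleTimeoutMs - idleFor, this.expiresAt - now);
    if (remainingMs <= this.warnBeforeMs) return { status: 'warning', remainingMs };
    return { status: 'active', remainingMs };
  }
}

// Constructed scenario: 10-minute idle timeout, 8-hour hard cap, warn 60 s
// before logout. The client heartbeats every 30 s but the user does nothing.
function demo() {
  const s = new SessionClock({
    idleTimeoutMs: 10 * 60 * 1000,
    maxDurationMs: 8 * 60 * 60 * 1000,
    warnBeforeMs: 60 * 1000,
    now: 0,
  });
  for (let t = 30_000; t <= 9 * 60 * 1000; t += 30_000) s.heartbeat(t);
  return {
    atNineThirty: s.state(9 * 60 * 1000 + 30_000), // warning, 30 s left
    atTen: s.state(10 * 60 * 1000),                // expired, reason idle
  };
}
```

The server-side check should be the one that counts: a client that stops sending heartbeats simply looks dead, while a client that keeps sending them still idles out, because `state()` never reads `lastHeartbeatAt` when deciding expiry.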

Audit Trail

Every action in Gatwy is logged:

  • Logins and logouts
  • Session starts and ends
  • All configuration changes — with before/after field-level diffs
  • Notification rule and channel changes
  • RBAC changes
  • IP rule matches and blocks
  • Brute-force lockouts
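To show what a field-level before/after diff on a configuration change looks like in practice, here is an added example written for this page (not Gatwy's own audit code). It compares two versions of a connection's settings, keeps only the fields that changed, and wraps the result in an audit entry with actor, IP and target. The redaction of sensitive-looking keys is this example's choice, added so that a diff never stores a credential in the clear; the page does not state how Gatwy handles that case. Function names and the entry shape are assumptions.

```javascript
// Added example, not Gatwy's code: audit entry with a field-level
// before/after diff. Redaction of sensitive keys is an assumption of this
// example, not documented Gatwy behaviour.
const REDACTED_KEY_FRAGMENTS = ['password', 'secret', 'token', 'passphrase'];

function isSensitiveKey(key) {
  const k = key.toLowerCase();
  return REDACTED_KEY_FRAGMENTS.some((frag) => k.includes(frag));
}

// Compare two flat config objects and return only the fields that changed,
// each as { before, after }. Values are compared by their JSON form, so
// nested objects need a stable key order to compare meaningfully.
function fieldDiff(before = {}, after = {}) {
  const keys = new Set([...Object.keys(before), ...Object.keys(after)]);
  const changes = {};
  for (const key of keys) {
    const b = before[key];
    const a = after[key];
    if (JSON.stringify(b) === JSON.stringify(a)) continue;
    if (isSensitiveKey(key)) {
      // Record that the secret changed (or was added/removed) without its value.
      changes[key] = {
        before: b === undefined ? undefined : '[redacted]',
        after: a === undefined ? undefined : '[redacted]',
      };
    } else {
      changes[key] = { before: b, after: a };
    }
  }
  return changes;
}

// Build the record that would be written to the audit trail for one change.
function auditEntry({ actor, ip, action, target, before, after, now = Date.now() }) {
  const changes = fieldDiff(before, after);
  return {
    at: now,
    actor,
    ip,
    action,
    target,
    changed: Object.keys(changes).length > 0,
    changes,
  };
}

// Constructed change: an admin moves a connection to a new host and rotates
// its password, leaving the port unchanged.
function demo() {
  return auditEntry({
    actor: 'admin',
    ip: '203.0.113.9',
    action: 'connection.update',
    target: 'conn-example',
    before: { host: 'old.example.internal', port: 22, password: 'hunter2' },
    after: { host: 'new.example.internal', port: 22, password: 'correct-horse' },
    now: 1700000000000,
  });
}
```

Writing the entry even when `changed` is false (a save with no differences) is a defensible choice: it still records that someone opened and submitted the form, which is useful when reconstructing an incident timeline.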

TLS

  • Self-signed certificate auto-generated on first launch
  • Bring your own certificate via TLS_CERT_PATH and TLS_KEY_PATH
  • See Reverse Proxy for Let's Encrypt setup