docs: enhance supported proxies documentation (#2210)

This enhances the supported proxies documentation to be more comprehensive.
pull/2238/head
James Elliott 2021-08-04 11:21:49 +10:00 committed by GitHub
parent e693302c75
commit 171b323274
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 103 additions and 12 deletions

View File

@ -1,2 +1,4 @@
<link rel="stylesheet" <link rel="stylesheet"
href="https://cdnjs.cloudflare.com/ajax/libs/github-fork-ribbon-css/0.2.3/gh-fork-ribbon.min.css" /> href="https://cdnjs.cloudflare.com/ajax/libs/github-fork-ribbon-css/0.2.3/gh-fork-ribbon.min.css" />
<link rel="stylesheet"
href="https://fonts.googleapis.com/icon?family=Material+Icons" />

View File

@ -8,3 +8,12 @@
.tbl-beta-stage { .tbl-beta-stage {
border-bottom-width: 3px !important; border-bottom-width: 3px !important;
} }
.material-icons.green {
color: #56D364;
}
.material-icons.red {
color: #F85149;
}
.material-icons.orange {
color: #E3B341;
}

View File

@ -1,14 +1,14 @@
--- ---
layout: default layout: default
title: Nginx title: NGINX
parent: Proxy Integration parent: Proxy Integration
grand_parent: Deployment grand_parent: Deployment
nav_order: 2 nav_order: 2
--- ---
# Nginx # NGINX
[nginx] is a reverse proxy supported by **Authelia**. [NGINX] is a reverse proxy supported by **Authelia**.
## Configuration ## Configuration
@ -352,4 +352,4 @@ error_page 401 /authelia-redirect?rd=$target_url;
This tells nginx to use the virtual endpoint we defined above in case the auth_request failed. This tells nginx to use the virtual endpoint we defined above in case the auth_request failed.
[nginx]: https://www.nginx.com/ [NGINX]: https://www.nginx.com/

View File

@ -5,13 +5,93 @@ parent: Home
nav_order: 2 nav_order: 2
--- ---
The following reverse proxies are currently supported: The following table is a support matrix for Authelia features and specific reverse proxies.
* NGINX |Proxy |[Standard Support](#standard) |[Kubernetes Support](#kubernetes) |[XHR Redirect](#xhr-redirect) |[Request Method](#request-method) |
* Traefik |:-----------:|:-----------------------------------------------------------------------------------------------------:|:----------------------------------------------------------------------------------------------:|:----------------------------------------------------:|:----------------------------------------------------:|
* HAProxy |[NGINX] |[<span class="material-icons green">check_circle</span>](../deployment/supported-proxies/nginx.md) |[<span class="material-icons green">check_circle</span>](../deployment/deployment-kubernetes.md)|<span class="material-icons red">cancel</span> |<span class="material-icons green">check_circle</span>|
|[Traefik] 1.x|[<span class="material-icons green">check_circle</span>](../deployment/supported-proxies/traefik1.x.md)|<span class="material-icons orange">error</span> |<span class="material-icons green">check_circle</span>|<span class="material-icons green">check_circle</span>|
|[Traefik] 2.x|[<span class="material-icons green">check_circle</span>](../deployment/supported-proxies/traefik2.x.md)|[<span class="material-icons green">check_circle</span>](../deployment/deployment-kubernetes.md)|<span class="material-icons green">check_circle</span>|<span class="material-icons green">check_circle</span>|
|[HAProxy] |[<span class="material-icons green">check_circle</span>](../deployment/supported-proxies/haproxy.md) |<span class="material-icons red">cancel</span> |<span class="material-icons orange">error</span> |<span class="material-icons green">check_circle</span>|
|[Envoy] |<span class="material-icons orange">error</span> |<span class="material-icons orange">error</span> |<span class="material-icons orange">error</span> |<span class="material-icons orange">error</span> |
|[Caddy] 2.x |<span class="material-icons orange">error</span> |<span class="material-icons red">cancel</span> |<span class="material-icons orange">error</span> |<span class="material-icons orange">error</span> |
|[Apache] |<span class="material-icons red">cancel</span> |<span class="material-icons red">cancel</span> |<span class="material-icons red">cancel</span> |<span class="material-icons red">cancel</span> |
|[IIS] |<span class="material-icons red">cancel</span> |<span class="material-icons red">cancel</span> |<span class="material-icons red">cancel</span> |<span class="material-icons red">cancel</span> |
Those proxies are also supported on Kubernetes using their related ingress controller. <span class="material-icons green">check_circle</span> *Support confirmed, additionally these icons are links to documentation for both the Standard and Kubernetes support columns*
For more details on the deployment on Kubernetes, please refer <span class="material-icons orange">error</span> *Support is likely and being investigated*
to [this documentation](../deployment/deployment-kubernetes.md).
<span class="material-icons red">cancel</span> *Either not supported or unlikely to be supported*
## Support
### Standard
Standard support includes the essential features in securing an application with Authelia such as:
- Redirecting users to the Authelia portal if they are not authenticated.
- Redirecting users to the target application after authentication has occurred successfully.
It does not include actually running Authelia as a service behind the proxy, any proxy should be compatible with serving
the Authelia portal itself. Standard support is only important for protected applications.
### Kubernetes
While proxies that generally support Authelia outside a [Kubernetes] cluster, there are a few situations where that does
not translate to being possible when used as an [Ingress Controller]. There are various reasons for this such as the
reverse proxy in question does not even support running as a [Kubernetes] [Ingress Controller], or the required modules
to perform authentication transparently to the user are not typically available inside a cluster.
More information about [Kubernetes] deployments of Authelia can be read in the
[documentation](../deployment/deployment-kubernetes.md).
### XHR Redirect
XML HTTP Requests do not typically redirect browsers when returned 30x status codes. Instead, the standard method is to
return a 401 status code with a Location header. While this may seem trivial; currently there isn't wide support for it.
For example nginx's ngx_http_auth_request_module does not seem to support this in any way.
### Request Method
Authelia detects the upstream request method using the X-Forwarded-Method header. Some proxies set this out of the box,
some require you to configure this manually. At the present time all proxies that have
[Standard Support](#standard-support) do support this.
## Specific proxy notes
### HAProxy
[HAProxy] is only supported via a lua [module](https://github.com/haproxytech/haproxy-lua-http). Lua is typically not
available in [Kubernetes]. You would likely have to build your own [HAProxy] image.
### Envoy
[Envoy] is currently not documented however we believe it is likely to be technically supported. This should be possible
via [Envoy]'s [external authorization](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ext_authz/v3/ext_authz.proto.html#extensions-filters-http-ext-authz-v3-extauthz).
### Caddy
[Work](https://github.com/authelia/caddy-forwardauth) is being done to support Caddy 2.x, however this is a low
priority. You can see the progress and try it for yourself if you're interested. Regular feedback would accelerate this
work.
### Apache
[Apache] has no module that supports this kind of authentication method. It's not certain this would even be possible,
however if anyone did something like this in the past we'd be interested in a contribution.
### IIS
Microsoft [IIS] not currently supported since no auth module exists for this purpose out-of-the-box or from any known
third party. It's likely possible but unlikely to be highly used so there is little to be gained by supporting this proxy.
[NGINX]: https://www.nginx.com/
[Traefik]: https://traefik.io/
[HAProxy]: https://www.haproxy.com/
[Envoy]: https://www.envoyproxy.io/
[Caddy]: https://caddyserver.com/
[Apache]: https://httpd.apache.org/
[IIS]: https://www.iis.net/
[Kubernetes]: https://kubernetes.io/
[Ingress Controller]: https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/