docs: enhance supported proxies documentation (#2210)
This enhances the supported proxies documentation to be more comprehensive.pull/2238/head
parent
e693302c75
commit
171b323274
|
@ -1,2 +1,4 @@
|
||||||
<link rel="stylesheet"
|
<link rel="stylesheet"
|
||||||
href="https://cdnjs.cloudflare.com/ajax/libs/github-fork-ribbon-css/0.2.3/gh-fork-ribbon.min.css" />
|
href="https://cdnjs.cloudflare.com/ajax/libs/github-fork-ribbon-css/0.2.3/gh-fork-ribbon.min.css" />
|
||||||
|
<link rel="stylesheet"
|
||||||
|
href="https://fonts.googleapis.com/icon?family=Material+Icons" />
|
||||||
|
|
|
@ -8,3 +8,12 @@
|
||||||
.tbl-beta-stage {
|
.tbl-beta-stage {
|
||||||
border-bottom-width: 3px !important;
|
border-bottom-width: 3px !important;
|
||||||
}
|
}
|
||||||
|
.material-icons.green {
|
||||||
|
color: #56D364;
|
||||||
|
}
|
||||||
|
.material-icons.red {
|
||||||
|
color: #F85149;
|
||||||
|
}
|
||||||
|
.material-icons.orange {
|
||||||
|
color: #E3B341;
|
||||||
|
}
|
|
@ -1,14 +1,14 @@
|
||||||
---
|
---
|
||||||
layout: default
|
layout: default
|
||||||
title: Nginx
|
title: NGINX
|
||||||
parent: Proxy Integration
|
parent: Proxy Integration
|
||||||
grand_parent: Deployment
|
grand_parent: Deployment
|
||||||
nav_order: 2
|
nav_order: 2
|
||||||
---
|
---
|
||||||
|
|
||||||
# Nginx
|
# NGINX
|
||||||
|
|
||||||
[nginx] is a reverse proxy supported by **Authelia**.
|
[NGINX] is a reverse proxy supported by **Authelia**.
|
||||||
|
|
||||||
## Configuration
|
## Configuration
|
||||||
|
|
||||||
|
@ -352,4 +352,4 @@ error_page 401 /authelia-redirect?rd=$target_url;
|
||||||
|
|
||||||
This tells nginx to use the virtual endpoint we defined above in case the auth_request failed.
|
This tells nginx to use the virtual endpoint we defined above in case the auth_request failed.
|
||||||
|
|
||||||
[nginx]: https://www.nginx.com/
|
[NGINX]: https://www.nginx.com/
|
||||||
|
|
|
@ -5,13 +5,93 @@ parent: Home
|
||||||
nav_order: 2
|
nav_order: 2
|
||||||
---
|
---
|
||||||
|
|
||||||
The following reverse proxies are currently supported:
|
The following table is a support matrix for Authelia features and specific reverse proxies.
|
||||||
|
|
||||||
* NGINX
|
|Proxy |[Standard Support](#standard) |[Kubernetes Support](#kubernetes) |[XHR Redirect](#xhr-redirect) |[Request Method](#request-method) |
|
||||||
* Traefik
|
|:-----------:|:-----------------------------------------------------------------------------------------------------:|:----------------------------------------------------------------------------------------------:|:----------------------------------------------------:|:----------------------------------------------------:|
|
||||||
* HAProxy
|
|[NGINX] |[<span class="material-icons green">check_circle</span>](../deployment/supported-proxies/nginx.md) |[<span class="material-icons green">check_circle</span>](../deployment/deployment-kubernetes.md)|<span class="material-icons red">cancel</span> |<span class="material-icons green">check_circle</span>|
|
||||||
|
|[Traefik] 1.x|[<span class="material-icons green">check_circle</span>](../deployment/supported-proxies/traefik1.x.md)|<span class="material-icons orange">error</span> |<span class="material-icons green">check_circle</span>|<span class="material-icons green">check_circle</span>|
|
||||||
|
|[Traefik] 2.x|[<span class="material-icons green">check_circle</span>](../deployment/supported-proxies/traefik2.x.md)|[<span class="material-icons green">check_circle</span>](../deployment/deployment-kubernetes.md)|<span class="material-icons green">check_circle</span>|<span class="material-icons green">check_circle</span>|
|
||||||
|
|[HAProxy] |[<span class="material-icons green">check_circle</span>](../deployment/supported-proxies/haproxy.md) |<span class="material-icons red">cancel</span> |<span class="material-icons orange">error</span> |<span class="material-icons green">check_circle</span>|
|
||||||
|
|[Envoy] |<span class="material-icons orange">error</span> |<span class="material-icons orange">error</span> |<span class="material-icons orange">error</span> |<span class="material-icons orange">error</span> |
|
||||||
|
|[Caddy] 2.x |<span class="material-icons orange">error</span> |<span class="material-icons red">cancel</span> |<span class="material-icons orange">error</span> |<span class="material-icons orange">error</span> |
|
||||||
|
|[Apache] |<span class="material-icons red">cancel</span> |<span class="material-icons red">cancel</span> |<span class="material-icons red">cancel</span> |<span class="material-icons red">cancel</span> |
|
||||||
|
|[IIS] |<span class="material-icons red">cancel</span> |<span class="material-icons red">cancel</span> |<span class="material-icons red">cancel</span> |<span class="material-icons red">cancel</span> |
|
||||||
|
|
||||||
Those proxies are also supported on Kubernetes using their related ingress controller.
|
<span class="material-icons green">check_circle</span> *Support confirmed, additionally these icons are links to documentation for both the Standard and Kubernetes support columns*
|
||||||
|
|
||||||
For more details on the deployment on Kubernetes, please refer
|
<span class="material-icons orange">error</span> *Support is likely and being investigated*
|
||||||
to [this documentation](../deployment/deployment-kubernetes.md).
|
|
||||||
|
<span class="material-icons red">cancel</span> *Either not supported or unlikely to be supported*
|
||||||
|
|
||||||
|
## Support
|
||||||
|
|
||||||
|
### Standard
|
||||||
|
|
||||||
|
Standard support includes the essential features in securing an application with Authelia such as:
|
||||||
|
|
||||||
|
- Redirecting users to the Authelia portal if they are not authenticated.
|
||||||
|
- Redirecting users to the target application after authentication has occurred successfully.
|
||||||
|
|
||||||
|
It does not include actually running Authelia as a service behind the proxy, any proxy should be compatible with serving
|
||||||
|
the Authelia portal itself. Standard support is only important for protected applications.
|
||||||
|
|
||||||
|
### Kubernetes
|
||||||
|
|
||||||
|
While proxies that generally support Authelia outside a [Kubernetes] cluster, there are a few situations where that does
|
||||||
|
not translate to being possible when used as an [Ingress Controller]. There are various reasons for this such as the
|
||||||
|
reverse proxy in question does not even support running as a [Kubernetes] [Ingress Controller], or the required modules
|
||||||
|
to perform authentication transparently to the user are not typically available inside a cluster.
|
||||||
|
|
||||||
|
More information about [Kubernetes] deployments of Authelia can be read in the
|
||||||
|
[documentation](../deployment/deployment-kubernetes.md).
|
||||||
|
|
||||||
|
### XHR Redirect
|
||||||
|
|
||||||
|
XML HTTP Requests do not typically redirect browsers when returned 30x status codes. Instead, the standard method is to
|
||||||
|
return a 401 status code with a Location header. While this may seem trivial; currently there isn't wide support for it.
|
||||||
|
For example nginx's ngx_http_auth_request_module does not seem to support this in any way.
|
||||||
|
|
||||||
|
### Request Method
|
||||||
|
|
||||||
|
Authelia detects the upstream request method using the X-Forwarded-Method header. Some proxies set this out of the box,
|
||||||
|
some require you to configure this manually. At the present time all proxies that have
|
||||||
|
[Standard Support](#standard-support) do support this.
|
||||||
|
|
||||||
|
## Specific proxy notes
|
||||||
|
|
||||||
|
### HAProxy
|
||||||
|
|
||||||
|
[HAProxy] is only supported via a lua [module](https://github.com/haproxytech/haproxy-lua-http). Lua is typically not
|
||||||
|
available in [Kubernetes]. You would likely have to build your own [HAProxy] image.
|
||||||
|
|
||||||
|
### Envoy
|
||||||
|
|
||||||
|
[Envoy] is currently not documented however we believe it is likely to be technically supported. This should be possible
|
||||||
|
via [Envoy]'s [external authorization](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ext_authz/v3/ext_authz.proto.html#extensions-filters-http-ext-authz-v3-extauthz).
|
||||||
|
|
||||||
|
### Caddy
|
||||||
|
|
||||||
|
[Work](https://github.com/authelia/caddy-forwardauth) is being done to support Caddy 2.x, however this is a low
|
||||||
|
priority. You can see the progress and try it for yourself if you're interested. Regular feedback would accelerate this
|
||||||
|
work.
|
||||||
|
|
||||||
|
### Apache
|
||||||
|
|
||||||
|
[Apache] has no module that supports this kind of authentication method. It's not certain this would even be possible,
|
||||||
|
however if anyone did something like this in the past we'd be interested in a contribution.
|
||||||
|
|
||||||
|
### IIS
|
||||||
|
|
||||||
|
Microsoft [IIS] not currently supported since no auth module exists for this purpose out-of-the-box or from any known
|
||||||
|
third party. It's likely possible but unlikely to be highly used so there is little to be gained by supporting this proxy.
|
||||||
|
|
||||||
|
[NGINX]: https://www.nginx.com/
|
||||||
|
[Traefik]: https://traefik.io/
|
||||||
|
[HAProxy]: https://www.haproxy.com/
|
||||||
|
[Envoy]: https://www.envoyproxy.io/
|
||||||
|
[Caddy]: https://caddyserver.com/
|
||||||
|
[Apache]: https://httpd.apache.org/
|
||||||
|
[IIS]: https://www.iis.net/
|
||||||
|
[Kubernetes]: https://kubernetes.io/
|
||||||
|
[Ingress Controller]: https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/
|
Loading…
Reference in New Issue