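---
# Envoy front proxy for the Authelia development / CI stack.
#
# Security-relevant shape of this file (confirm against the deployment before
# reusing it anywhere else):
#   * a single TLS listener on :8080; virtual hosts are chosen by the Host
#     header *including* the port (Envoy only strips it when one of the
#     strip_*_host_port options is set on the HTTP connection manager);
#   * the ext_authz filter (Authelia) guards every virtual host that does not
#     explicitly disable it; login.example.com and mail.example.com opt out;
#   * failure_mode_allow is false, so an unreachable or slow Authelia
#     fails closed (request denied), never open.

# Enable the admin interface at http://192.168.240.100:9901/ for debugging.
# WARNING: the admin API is unauthenticated and, bound to 0.0.0.0, reachable
# from every network the container is attached to. It exposes /config_dump,
# /clusters, /stats, /runtime_modify, /quitquitquit, /drain_listeners and
# more. Tolerable only on an isolated development network; anywhere else
# bind it to 127.0.0.1 (or remove the `admin` block) and reach it via
# SSH / `docker exec`.
admin:
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 9901

static_resources:
  listeners:
    - name: listener_0
      address:
        socket_address:
          address: 0.0.0.0
          port_value: 8080
      filter_chains:
        - filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager  # yamllint disable-line rule:line-length
                stat_prefix: ingress_http
                # Envoy is the edge here: the TCP peer address is treated as
                # the client address and appended to X-Forwarded-For. If a
                # load balancer is ever placed in front of Envoy, configure
                # xff_num_trusted_hops rather than trusting client-supplied
                # XFF values as-is.
                use_remote_address: true
                skip_xff_append: false
                access_log:
                  - name: envoy.access_loggers.stdout
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
                route_config:
                  name: local_route
                  virtual_hosts:
                    # Authelia portal and API. ext_authz is disabled here
                    # because this host *is* the authorization service; it
                    # must never be placed behind itself.
                    - name: login_service
                      domains: ["login.example.com:8080"]
                      typed_per_filter_config:
                        envoy.filters.http.ext_authz:
                          "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute
                          disabled: true
                      routes:
                        # API / discovery / JWKS paths go to the Go backend;
                        # everything else to the dev frontend (which itself
                        # falls back to the backend, see the cluster below).
                        - match:
                            prefix: "/.well-known/"
                          route:
                            cluster: authelia-backend
                        - match:
                            prefix: "/api/"
                          route:
                            cluster: authelia-backend
                        - match:
                            prefix: "/locales/"
                          route:
                            cluster: authelia-backend
                        - match:
                            path: "/devworkflow"
                          route:
                            cluster: authelia-backend
                        - match:
                            path: "/jwks.json"
                          route:
                            cluster: authelia-backend
                        - match:
                            prefix: "/"
                          route:
                            cluster: authelia-frontend
                    # Mail catcher UI used by the test suite. Deliberately
                    # unauthenticated (ext_authz disabled) — do not copy this
                    # virtual host into a non-test deployment.
                    - name: mail_service
                      domains: ["mail.example.com:8080"]
                      typed_per_filter_config:
                        envoy.filters.http.ext_authz:
                          "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute
                          disabled: true
                      routes:
                        - match:
                            prefix: "/"
                          route:
                            cluster: smtp
                    # Catch-all for the protected test applications: no
                    # per-route override, so the listener-wide ext_authz
                    # filter applies to every request here.
                    - name: http_service
                      domains: ["*.example.com:8080"]
                      routes:
                        - match:
                            prefix: "/headers"
                          route:
                            cluster: httpbin
                        - match:
                            prefix: "/"
                          route:
                            cluster: nginx-backend
                http_filters:
                  - name: envoy.filters.http.ext_authz
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
                      transport_api_version: v3
                      # Only these request headers are forwarded to Authelia
                      # (allow-list); the cookie carries the session.
                      allowed_headers:
                        patterns:
                          - exact: authorization
                          - exact: proxy-authorization
                          - exact: accept
                          - exact: cookie
                      http_service:
                        path_prefix: /api/authz/ext-authz/
                        server_uri:
                          uri: authelia-backend:9091
                          cluster: authelia-backend
                          # Tight on purpose for the test stack. On expiry the
                          # request is denied (failure_mode_allow: false).
                          timeout: 0.25s
                        authorization_request:
                          headers_to_add:
                            - key: X-Forwarded-Proto
                              value: '%REQ(:SCHEME)%'
                        authorization_response:
                          # Headers from Authelia's response that overwrite
                          # the request before it reaches the upstream.
                          # NOTE(review): headers Authelia does NOT return on
                          # a given decision (e.g. an anonymous / bypass
                          # result) are not stripped by this filter, so a
                          # client-supplied Remote-User could reach the
                          # upstream unless the authz response always sets
                          # them — TODO confirm against the ext-authz handler,
                          # or strip remote-* before this filter.
                          allowed_upstream_headers:
                            patterns:
                              - exact: authorization
                              - exact: proxy-authorization
                              - prefix: remote-
                              - prefix: authelia-
                          # Headers from Authelia's response passed back to
                          # the client on denial / on success respectively.
                          allowed_client_headers:
                            patterns:
                              - exact: set-cookie
                          allowed_client_headers_on_success:
                            patterns:
                              - exact: set-cookie
                      # Fail closed: an error talking to Authelia denies the
                      # request instead of letting it through.
                      failure_mode_allow: false
                  - name: envoy.filters.http.router
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
          # Downstream TLS for the whole listener (all virtual hosts).
          transport_socket:
            name: envoy.transport_sockets.tls
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
              common_tls_context:
                tls_certificates:
                  - certificate_chain:
                      filename: /pki/public.bundle.crt
                    private_key:
                      filename: /pki/private.pem

  clusters:
    # Dev frontend with a CI fallback: priority 0 is the node dev server
    # (strict_dns — if the name does not resolve the priority has no hosts and
    # traffic falls through to priority 1, the Go backend over TLS).
    - name: authelia-frontend
      transport_socket_matches:
        - name: "enableTLS"
          match:
            enableTLS: true
          transport_socket:
            name: envoy.transport_sockets.tls
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
              # NOTE(review): empty context = no validation_context, so the
              # upstream certificate is NOT verified (encryption without
              # authentication). Outside the test stack add
              # validation_context.trusted_ca (and sni).
              common_tls_context: {}
        - name: "defaultTLSDisabled"
          match: {}
          transport_socket:
            name: envoy.transport_sockets.raw_buffer
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.transport_sockets.raw_buffer.v3.RawBuffer
      connect_timeout: 0.25s
      type: strict_dns
      dns_lookup_family: V4_ONLY
      lb_policy: round_robin
      load_assignment:
        cluster_name: authelia-frontend
        endpoints:
          - locality:
              region: dev
            priority: 0
            lb_endpoints:
              - endpoint:
                  health_check_config:
                    hostname: authelia-frontend
                    port_value: 3000
                  address:
                    socket_address:
                      address: authelia-frontend
                      port_value: 3000
          - locality:
              region: ci
            priority: 1
            lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: authelia-backend
                      port_value: 9091
                # Selects the "enableTLS" transport socket match above.
                metadata:
                  filter_metadata:
                    envoy.transport_socket_match:
                      enableTLS: true

    # Authelia backend: serves the API and is also the ext_authz target, i.e.
    # the authorization decision point for every protected virtual host.
    - name: authelia-backend
      connect_timeout: 0.25s
      type: logical_dns
      dns_lookup_family: V4_ONLY
      lb_policy: round_robin
      load_assignment:
        cluster_name: authelia-backend
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: authelia-backend
                      port_value: 9091
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
          # NOTE(review): no validation_context here either — Envoy will
          # accept any certificate from whatever answers as
          # authelia-backend:9091. Because this cluster decides
          # authorization, an on-path host could impersonate it. Add
          # validation_context.trusted_ca (and sni) before using this
          # anywhere but the isolated test network.
          common_tls_context: {}

    - name: smtp
      connect_timeout: 0.25s
      type: logical_dns
      dns_lookup_family: V4_ONLY
      lb_policy: round_robin
      load_assignment:
        cluster_name: smtp
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: smtp
                      port_value: 1080

    - name: httpbin
      connect_timeout: 0.25s
      type: logical_dns
      dns_lookup_family: V4_ONLY
      lb_policy: round_robin
      load_assignment:
        cluster_name: httpbin
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: httpbin
                      port_value: 8000

    - name: nginx-backend
      connect_timeout: 0.25s
      type: logical_dns
      dns_lookup_family: V4_ONLY
      lb_policy: round_robin
      load_assignment:
        cluster_name: nginx-backend
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: nginx-backend
                      port_value: 80

layered_runtime:
  layers:
    - name: static_layer_0
      static_layer:
        envoy:
          resource_limits:
            listener:
              # Must be the real listener name — the original key
              # `example_listener_name` (from the Envoy docs sample) did not
              # match `listener_0`, so no per-listener connection limit was
              # actually enforced.
              listener_0:
                connection_limit: 10000
        # Process-wide downstream connection cap. This runtime key is the
        # legacy knob; newer Envoy releases steer towards the overload
        # manager's downstream_connections resource monitor — verify against
        # the Envoy version in use.
        overload:
          global_downstream_max_connections: 50000
...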