--- # Enable the admin interface at http://192.168.240.100:9901/ for debugging. admin: address: socket_address: address: 0.0.0.0 port_value: 9901 static_resources: listeners: - name: 'listener_0' address: socket_address: address: '0.0.0.0' port_value: 8080 filter_chains: - filters: - name: 'envoy.filters.network.http_connection_manager' typed_config: "@type": 'type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager' # yamllint disable-line rule:line-length stat_prefix: 'ingress_http' use_remote_address: true skip_xff_append: false access_log: - name: 'envoy.access_loggers.stdout' typed_config: "@type": 'type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog' route_config: name: 'local_route' virtual_hosts: - name: 'login_service' domains: ['login.example.com:8080'] typed_per_filter_config: envoy.filters.http.ext_authz: "@type": 'type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute' disabled: true routes: - match: prefix: '/.well-known/' route: cluster: 'authelia-backend' - match: prefix: '/api/' route: cluster: 'authelia-backend' - match: prefix: '/locales/' route: cluster: 'authelia-backend' - match: path: '/devworkflow' route: cluster: 'authelia-backend' - match: path: '/jwks.json' route: cluster: 'authelia-backend' - match: prefix: '/' route: cluster: 'authelia-frontend' - name: 'mail_service' domains: ['mail.example.com:8080'] typed_per_filter_config: envoy.filters.http.ext_authz: "@type": 'type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute' disabled: true routes: - match: prefix: '/' route: cluster: 'smtp' - name: 'http_service' domains: ['*.example.com:8080'] routes: - match: prefix: '/headers' route: cluster: 'httpbin' - match: prefix: '/' route: cluster: 'nginx-backend' http_filters: - name: 'envoy.filters.http.ext_authz' typed_config: "@type": 'type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz' transport_api_version: 'v3' allowed_headers: patterns: - exact: 'authorization' - exact: 'proxy-authorization' - exact: 'accept' - exact: 'cookie' http_service: path_prefix: '/api/authz/ext-authz/' server_uri: uri: 'authelia-backend:9091' cluster: 'authelia-backend' timeout: '0.25s' authorization_request: headers_to_add: - key: 'X-Forwarded-Proto' value: '%REQ(:SCHEME)%' authorization_response: allowed_upstream_headers: patterns: - exact: 'authorization' - exact: 'proxy-authorization' - prefix: 'remote-' - prefix: 'authelia-' allowed_client_headers: patterns: - exact: 'set-cookie' allowed_client_headers_on_success: patterns: - exact: 'set-cookie' failure_mode_allow: false - name: 'envoy.filters.http.router' typed_config: "@type": 'type.googleapis.com/envoy.extensions.filters.http.router.v3.Router' transport_socket: name: 'envoy.transport_sockets.tls' typed_config: "@type": 'type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext' common_tls_context: tls_certificates: - certificate_chain: filename: '/pki/public.chain.pem' private_key: filename: '/pki/private.pem' clusters: - name: 'authelia-frontend' transport_socket_matches: - name: 'enableTLS' match: enableTLS: true transport_socket: name: 'envoy.transport_sockets.tls' typed_config: "@type": 'type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext' common_tls_context: {} - name: 'defaultTLSDisabled' match: {} transport_socket: name: 'envoy.transport_sockets.raw_buffer' typed_config: "@type": 'type.googleapis.com/envoy.extensions.transport_sockets.raw_buffer.v3.RawBuffer' connect_timeout: '0.25s' type: 'strict_dns' dns_lookup_family: 'V4_ONLY' lb_policy: 'round_robin' load_assignment: cluster_name: 'authelia-frontend' endpoints: - locality: region: 'dev' priority: 0 lb_endpoints: - endpoint: health_check_config: hostname: 'authelia-frontend' port_value: 3000 address: socket_address: address: 'authelia-frontend' port_value: 3000 - locality: region: 'ci' priority: 1 lb_endpoints: - endpoint: address: socket_address: address: 'authelia-backend' port_value: 9091 metadata: filter_metadata: envoy.transport_socket_match: enableTLS: true - name: 'authelia-backend' connect_timeout: '0.25s' type: 'logical_dns' dns_lookup_family: 'v4_only' lb_policy: 'round_robin' load_assignment: cluster_name: 'authelia-backend' endpoints: - lb_endpoints: - endpoint: address: socket_address: address: 'authelia-backend' port_value: 9091 transport_socket: name: 'envoy.transport_sockets.tls' typed_config: "@type": 'type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext' common_tls_context: {} - name: 'smtp' connect_timeout: '0.25s' type: 'logical_dns' dns_lookup_family: 'v4_only' lb_policy: 'round_robin' load_assignment: cluster_name: 'smtp' endpoints: - lb_endpoints: - endpoint: address: socket_address: address: 'smtp' port_value: 1080 - name: 'httpbin' connect_timeout: '0.25s' type: 'logical_dns' dns_lookup_family: 'v4_only' lb_policy: 'round_robin' load_assignment: cluster_name: 'httpbin' endpoints: - lb_endpoints: - endpoint: address: socket_address: address: 'httpbin' port_value: 8000 - name: 'nginx-backend' connect_timeout: '0.25s' type: 'logical_dns' dns_lookup_family: 'v4_only' lb_policy: 'round_robin' load_assignment: cluster_name: 'nginx-backend' endpoints: - lb_endpoints: - endpoint: address: socket_address: address: 'nginx-backend' port_value: 80 layered_runtime: layers: - name: 'static_layer_0' static_layer: envoy: resource_limits: listener: example_listener_name: connection_limit: 10000 overload: global_downstream_max_connections: 50000 ...