253 lines
9.5 KiB
YAML
253 lines
9.5 KiB
YAML
---
|
|
# Enable the admin interface at http://192.168.240.100:9901/ for debugging.
|
|
admin:
|
|
address:
|
|
socket_address:
|
|
address: 0.0.0.0
|
|
port_value: 9901
|
|
static_resources:
|
|
listeners:
|
|
- name: 'listener_0'
|
|
address:
|
|
socket_address:
|
|
address: '0.0.0.0'
|
|
port_value: 8080
|
|
filter_chains:
|
|
- filters:
|
|
- name: 'envoy.filters.network.http_connection_manager'
|
|
typed_config:
|
|
"@type": 'type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager' # yamllint disable-line rule:line-length
|
|
stat_prefix: 'ingress_http'
|
|
use_remote_address: true
|
|
skip_xff_append: false
|
|
access_log:
|
|
- name: 'envoy.access_loggers.stdout'
|
|
typed_config:
|
|
"@type": 'type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog'
|
|
route_config:
|
|
name: 'local_route'
|
|
virtual_hosts:
|
|
- name: 'login_service'
|
|
domains: ['login.example.com:8080']
|
|
typed_per_filter_config:
|
|
envoy.filters.http.ext_authz:
|
|
"@type": 'type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute'
|
|
disabled: true
|
|
routes:
|
|
- match:
|
|
prefix: '/.well-known/'
|
|
route:
|
|
cluster: 'authelia-backend'
|
|
- match:
|
|
prefix: '/api/'
|
|
route:
|
|
cluster: 'authelia-backend'
|
|
- match:
|
|
prefix: '/locales/'
|
|
route:
|
|
cluster: 'authelia-backend'
|
|
- match:
|
|
path: '/devworkflow'
|
|
route:
|
|
cluster: 'authelia-backend'
|
|
- match:
|
|
path: '/jwks.json'
|
|
route:
|
|
cluster: 'authelia-backend'
|
|
- match:
|
|
prefix: '/'
|
|
route:
|
|
cluster: 'authelia-frontend'
|
|
- name: 'mail_service'
|
|
domains: ['mail.example.com:8080']
|
|
typed_per_filter_config:
|
|
envoy.filters.http.ext_authz:
|
|
"@type": 'type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute'
|
|
disabled: true
|
|
routes:
|
|
- match:
|
|
prefix: '/'
|
|
route:
|
|
cluster: 'smtp'
|
|
- name: 'http_service'
|
|
domains: ['*.example.com:8080']
|
|
routes:
|
|
- match:
|
|
prefix: '/headers'
|
|
route:
|
|
cluster: 'httpbin'
|
|
- match:
|
|
prefix: '/'
|
|
route:
|
|
cluster: 'nginx-backend'
|
|
http_filters:
|
|
- name: 'envoy.filters.http.ext_authz'
|
|
typed_config:
|
|
"@type": 'type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz'
|
|
transport_api_version: 'v3'
|
|
allowed_headers:
|
|
patterns:
|
|
- exact: 'authorization'
|
|
- exact: 'proxy-authorization'
|
|
- exact: 'accept'
|
|
- exact: 'cookie'
|
|
http_service:
|
|
path_prefix: '/api/authz/ext-authz/'
|
|
server_uri:
|
|
uri: 'authelia-backend:9091'
|
|
cluster: 'authelia-backend'
|
|
timeout: '0.25s'
|
|
authorization_request:
|
|
headers_to_add:
|
|
- key: 'X-Forwarded-Proto'
|
|
value: '%REQ(:SCHEME)%'
|
|
authorization_response:
|
|
allowed_upstream_headers:
|
|
patterns:
|
|
- exact: 'authorization'
|
|
- exact: 'proxy-authorization'
|
|
- prefix: 'remote-'
|
|
- prefix: 'authelia-'
|
|
allowed_client_headers:
|
|
patterns:
|
|
- exact: 'set-cookie'
|
|
allowed_client_headers_on_success:
|
|
patterns:
|
|
- exact: 'set-cookie'
|
|
failure_mode_allow: false
|
|
- name: 'envoy.filters.http.router'
|
|
typed_config:
|
|
"@type": 'type.googleapis.com/envoy.extensions.filters.http.router.v3.Router'
|
|
transport_socket:
|
|
name: 'envoy.transport_sockets.tls'
|
|
typed_config:
|
|
"@type": 'type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext'
|
|
common_tls_context:
|
|
tls_certificates:
|
|
- certificate_chain:
|
|
filename: '/pki/public.chain.pem'
|
|
private_key:
|
|
filename: '/pki/private.pem'
|
|
clusters:
|
|
- name: 'authelia-frontend'
|
|
transport_socket_matches:
|
|
- name: 'enableTLS'
|
|
match:
|
|
enableTLS: true
|
|
transport_socket:
|
|
name: 'envoy.transport_sockets.tls'
|
|
typed_config:
|
|
"@type": 'type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext'
|
|
common_tls_context: {}
|
|
- name: 'defaultTLSDisabled'
|
|
match: {}
|
|
transport_socket:
|
|
name: 'envoy.transport_sockets.raw_buffer'
|
|
typed_config:
|
|
"@type": 'type.googleapis.com/envoy.extensions.transport_sockets.raw_buffer.v3.RawBuffer'
|
|
connect_timeout: '0.25s'
|
|
type: 'strict_dns'
|
|
dns_lookup_family: 'V4_ONLY'
|
|
lb_policy: 'round_robin'
|
|
load_assignment:
|
|
cluster_name: 'authelia-frontend'
|
|
endpoints:
|
|
- locality:
|
|
region: 'dev'
|
|
priority: 0
|
|
lb_endpoints:
|
|
- endpoint:
|
|
health_check_config:
|
|
hostname: 'authelia-frontend'
|
|
port_value: 3000
|
|
address:
|
|
socket_address:
|
|
address: 'authelia-frontend'
|
|
port_value: 3000
|
|
- locality:
|
|
region: 'ci'
|
|
priority: 1
|
|
lb_endpoints:
|
|
- endpoint:
|
|
address:
|
|
socket_address:
|
|
address: 'authelia-backend'
|
|
port_value: 9091
|
|
metadata:
|
|
filter_metadata:
|
|
envoy.transport_socket_match:
|
|
enableTLS: true
|
|
- name: 'authelia-backend'
|
|
connect_timeout: '0.25s'
|
|
type: 'logical_dns'
|
|
dns_lookup_family: 'v4_only'
|
|
lb_policy: 'round_robin'
|
|
load_assignment:
|
|
cluster_name: 'authelia-backend'
|
|
endpoints:
|
|
- lb_endpoints:
|
|
- endpoint:
|
|
address:
|
|
socket_address:
|
|
address: 'authelia-backend'
|
|
port_value: 9091
|
|
transport_socket:
|
|
name: 'envoy.transport_sockets.tls'
|
|
typed_config:
|
|
"@type": 'type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext'
|
|
common_tls_context: {}
|
|
- name: 'smtp'
|
|
connect_timeout: '0.25s'
|
|
type: 'logical_dns'
|
|
dns_lookup_family: 'v4_only'
|
|
lb_policy: 'round_robin'
|
|
load_assignment:
|
|
cluster_name: 'smtp'
|
|
endpoints:
|
|
- lb_endpoints:
|
|
- endpoint:
|
|
address:
|
|
socket_address:
|
|
address: 'smtp'
|
|
port_value: 1080
|
|
- name: 'httpbin'
|
|
connect_timeout: '0.25s'
|
|
type: 'logical_dns'
|
|
dns_lookup_family: 'v4_only'
|
|
lb_policy: 'round_robin'
|
|
load_assignment:
|
|
cluster_name: 'httpbin'
|
|
endpoints:
|
|
- lb_endpoints:
|
|
- endpoint:
|
|
address:
|
|
socket_address:
|
|
address: 'httpbin'
|
|
port_value: 8000
|
|
- name: 'nginx-backend'
|
|
connect_timeout: '0.25s'
|
|
type: 'logical_dns'
|
|
dns_lookup_family: 'v4_only'
|
|
lb_policy: 'round_robin'
|
|
load_assignment:
|
|
cluster_name: 'nginx-backend'
|
|
endpoints:
|
|
- lb_endpoints:
|
|
- endpoint:
|
|
address:
|
|
socket_address:
|
|
address: 'nginx-backend'
|
|
port_value: 80
|
|
layered_runtime:
|
|
layers:
|
|
- name: 'static_layer_0'
|
|
static_layer:
|
|
envoy:
|
|
resource_limits:
|
|
listener:
|
|
example_listener_name:
|
|
connection_limit: 10000
|
|
overload:
|
|
global_downstream_max_connections: 50000
|
|
...
|