Fork me on GitHub Link Search Menu Expand Document Survey contribution
Help the team improve Authelia by taking this 10-second survey.

The following table is a support matrix for Authelia features and specific reverse proxies.

Proxy Standard Support Kubernetes Support XHR Redirect Request Method
NGINX check_circle check_circle cancel check_circle
Traefik 1.x check_circle error check_circle check_circle
Traefik 2.x check_circle check_circle check_circle check_circle
HAProxy check_circle cancel error check_circle
Envoy error error error error
Caddy 2.x error cancel error error
Apache cancel cancel cancel cancel
IIS cancel cancel cancel cancel

check_circle Support confirmed, additionally these icons are links to documentation for both the Standard and Kubernetes support columns

error Support is likely and being investigated

cancel Either not supported or unlikely to be supported

Support

Standard

Standard support includes the essential features in securing an application with Authelia such as:

  • Redirecting users to the Authelia portal if they are not authenticated.
  • Redirecting users to the target application after authentication has occurred successfully.

It does not include actually running Authelia as a service behind the proxy, any proxy should be compatible with serving the Authelia portal itself. Standard support is only important for protected applications.

Kubernetes

While proxies that generally support Authelia outside a Kubernetes cluster, there are a few situations where that does not translate to being possible when used as an Ingress Controller. There are various reasons for this such as the reverse proxy in question does not even support running as a Kubernetes, or the required modules to perform authentication transparently to the user are not typically available inside a cluster.

More information about Kubernetes deployments of Authelia can be read in the documentation.

XHR Redirect

XML HTTP Requests do not typically redirect browsers when returned 30x status codes. Instead, the standard method is to return a 401 status code with a Location header. While this may seem trivial; currently there isn’t wide support for it. For example nginx’s ngx_http_auth_request_module does not seem to support this in any way.

Request Method

Authelia detects the upstream request method using the X-Forwarded-Method header. Some proxies set this out of the box, some require you to configure this manually. At the present time all proxies that have Standard Support do support this.

Specific proxy notes

HAProxy

HAProxy is only supported via a lua module. Lua is typically not available in Kubernetes. You would likely have to build your own HAProxy image.

Envoy

Envoy is currently not documented however we believe it is likely to be technically supported. This should be possible via Envoy’s external authorization.

Caddy

Work is being done to support Caddy 2.x, however this is a low priority. You can see the progress and try it for yourself if you’re interested. Regular feedback would accelerate this work.

Apache

Apache has no module that supports this kind of authentication method. It’s not certain this would even be possible, however if anyone did something like this in the past we’d be interested in a contribution.

IIS

Microsoft IIS not currently supported since no auth module exists for this purpose out-of-the-box or from any known third party. It’s likely possible but unlikely to be highly used so there is little to be gained by supporting this proxy.