Ory Oathkeeper
envoy
| Ory Oathkeeper | envoy | |
|---|---|---|
| 4 | 67 | |
| 3,172 | 23,937 | |
| 0.4% | 0.8% | |
| 6.8 | 10.0 | |
| 3 days ago | 6 days ago | |
| Go | C++ | |
| Apache License 2.0 | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
Ory Oathkeeper
- Launch HN: PropelAuth (YC W22) – End-to-end auth service for B2B products
-
oathkeeper alternatives - emissary, envoy, and Nginx
4 projects | 18 Jan 2022
- Launch YC S21: Meet the Batch, Thread #4
-
The reason okta spent $6.5B Auth0
Hydra feels mature. I think it's their longest-developed product so far. Besides breaking changes during big upgrades(v0 -> v1beta -> v1), everything has been painless:
- It runs anywhere with or without containers
- API makes sense, good SDKs are available in all my used languages
- RAM usage is surprisingly low compared to usage and has been great for resource-constrained environments
- Stateless means horizontal scaling is as easy as `replicas++`
- Sub-millisecond response times for some calls, much faster than our previous setup
With Hydra, I know it's the client's fault when OAuth calls fail and not just a buggy server implementation. This is reinforced in dev mode with great errors like:
- The authorization code has already been used
- The request is missing the response_type parameter
- Parameter "nonce" must be set when using the implicit flow
- Redirect URL "https://example.com/callback" does not match
On the flipside, Oathkeeper is not a mature product and has not yet reached v1. There are breaking changes planned [1]. It lacks support for at least one popular usecase (mine) out of the box [2]. Rules can be hard to create and debug. I wouldn't recommend Oathkeeper in its current state unless you're ready to dive in and fix things yourself. Once configured it sticks with the Ory trend: fast, lean, and stable.
Depending on your usecase, Oathkeeper could be swapped out with any IAP like Pomerium or just with your reverse proxy's auth request support + some small custom shim.
I haven't tried Keto (access control) or Kratos (user management) yet. Kratos is on my todo list.
[1] https://github.com/ory/oathkeeper/issues/441
envoy
-
Multipath TCP for Linux
Apple also contributed[1] MPTCP support to Envoy Proxy.
[1]https://github.com/envoyproxy/envoy/pull/18780
- Google Chrome's new "IP Protection" will hide users' IP addresses
-
Running an Arweave Gateway on GitHub Codespaces
After it finishes (it can take a few minutes), Docker-Compose automatically starts a cluster with two containers. One is an Envoy proxy (running on port 3000) that relays requests from outside the cluster to the other container (running on port 4000), which is our AR.IO gateway that will handle the requests.
-
Show HN: WebAssembly dev environment for Envoy Proxy
Hi HN!
For the past few weeks we've been working on Proximal - a workflow engine that lets you quickly iterate on WebAssembly extensions for Envoy Proxy[0] (or other proxies) right on your local machine: https://github.com/apoxy-dev/proximal
This work is based on Proxy-WASM[1] extension ABI for Envoy (and other proxies like APISIX and Mosn[2]) which allows you to execute WebAssembly code on every API request a la Cloudflare Workers. As part of our wider effort at https://apoxy.dev to improve API glue code we built an experimentation / development platform and hope you will find it useful!
On the technical side this project packs Envoy itself, Envoy controller, REST API (for controlling the controller =)), React SPA, and Temporal server/worker (for orchestration) - all baked into a single Go binary. You can find more on architecture and limitations in the repository README[4].
This project is pretty early stage and we would appreciate community feedback!
Previous HN discussions on this topic:
* https://news.ycombinator.com/item?id=36113542
* https://news.ycombinator.com/item?id=22582276
---
[0] https://www.envoyproxy.io/
[1] https://github.com/proxy-wasm/spec/blob/master/docs/WebAssem...
[2] https://apisix.apache.org/ https://mosn.io/
[3] https://github.com/apoxy-dev/proximal/blob/main/README.md#ar...
-
Show HN: Envoy Playground in the Browser
Hey HN,
We made an Envoy Proxy[0] playground so we could test out our Envoy configs directly in the browser. This is based on Julia's work with Nginx Playround[1] (we forked[2] that repo and added more Envoy to it). Check it out!
[0] - Envoy is a popular programmable proxy similar to Nginx or HAProxy that is popular with cloud-native setups: https://www.envoyproxy.io
-
Istio moved to CNCF Graduation stage
Envoy is the proxy that does the heavy lifting. Istio is just a glorified configuration system. Even if you choose to use Istio you're still using Envoy.
You're spot-on about using iptables rules. There is an example here with a yaml configuration and some iptables commands: https://github.com/envoyproxy/envoy/blob/main/configs/origin...
You might be able to re-use some of that. It should be pretty easy to get metrics for outbound/inbound http requests, but I don't remember the exact yaml incantation.
-
Need advice on K3s cluster setup
I'm using the default RaspiOS Lite 64bits and as highlighted in this issue, the RaspiOS kernel does not support CONFIG_ARM64_VA_BITS_48, which makes cilium-envoy to fail building. As solution, I was told to use either Ubuntu as base OS or Traefik Ingress Controller, which is not configured in K3s.
-
I'm looking for an SSO server/reverse proxy with features I'm not sure exist
I know envoy (https://www.envoyproxy.io/, https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/jwt_authn_filter) can do this natively, I'm sure you could probably build something with nginx and its Lua scripting, not sure about traefik and caddy but I dont think they support that.
-
Envoy External Authorization with Golang GRPC service
Envoy is a cloud native opensource proxy server. The Envoy proxy offers a variety of http filters to handle incoming requests.
-
A Comprehensive Guide to API Gateways, Kubernetes Gateways, and Service Meshes
Istio: By far the most popular service mesh. It is built on top of Envoy proxy, which many service meshes use.
What are some alternatives?
Ory Keto - Open Source (Go) implementation of "Zanzibar: Google's Consistent, Global Authorization System". Ships gRPC, REST APIs, newSQL, and an easy and granular permission language. Supports ACL, RBAC, and other access models.
YARP - A toolkit for developing high-performance HTTP reverse proxy applications.
fusionauth-issues - FusionAuth issue submission project
Squid - Squid Web Proxy Cache
emissary - open source Kubernetes-native API gateway for microservices built on the Envoy Proxy
traefik - The Cloud Native Application Proxy
warrant-demo-app-ts - Example demonstrating how to add end-to-end authorization & access control to an ExpressJS + React app using Warrant
Caddy - Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS
OPA (Open Policy Agent) - Open Policy Agent (OPA) is an open source, general-purpose policy engine.
Varnish - The project homepage
edge-agent - Warrant Edge agent
Nginx - An official read-only mirror of http://hg.nginx.org/nginx/ which is updated hourly. Pull requests on GitHub cannot be accepted and will be automatically closed. The proper way to submit changes to nginx is via the nginx development mailing list, see http://nginx.org/en/docs/contributing_changes.html