Pomerium VS traefik

Option 3: Pomerium might be an alternative as well.

That is not how you do Zero Trust. You want to use an Identity Aware Proxy. There are lots of ways you can implement this with Google as your core auth. For example Pomerium or oauth2-proxy.

I’m really surprised this sub has no love for Pomerium. I feel like it’s as simple as Caddy with all the security benefits of Traefik.

I am not sure if I understand how Pomerium works (or any identity-aware proxy).

Pomerium sidecar.

Just want to drop https://www.pomerium.com/ here. We use it at our company with ~1500 people with many apps behind the proxy. It also supports JWT for the backend, so you can integrate your apps easily without having to worry about the OAuth flow and also your apps are protected from random internet attacks.

You’ve got to protect. Anonymity is not going to work. Pomerium is another option in addition to those already suggested. https://github.com/pomerium/pomerium

I am currently looking at Wireguard/Tailscale (Wireguard based) options - early days for me so far. Also planning to look at something like Pomerium for a zero trust approach. https://www.pomerium.com/

However, it's very unlikely that .NET developers will directly expose their Kestrel-based web apps to the internet. Typically, we use other popular web servers like Nginx, Traefik, and Caddy to act as a reverse-proxy in front of Kestrel for various reasons:

Not as good though. Case in point: https://github.com/traefik/traefik/issues/5472#issuecomment-... (that's just from this morning)

I'm speak objectively here. Of course, any built-in auto HTTPS that works (more or less) is better than none. Traefik uses an ACME library that was originally written for Caddy. After the original author left that project, Traefik team started maintaining it. Caddy's users' requirements exceeded what the library was capable of, but unfortunately there was friction in getting it to achieve our requirements. So I ended up writing a new ACME client library in Go and, together with upgrades in CertMagic (Caddy's auto-TLS lib), Caddy has the more flexible, robust, and capable auto-HTTPS functionality.

That is to say, not all auto-HTTPS functionalities are the same.

We'll use Traefik, an open source cloud native gateway that can plug into a Kubernetes cluster. It has the concept of "middleware" that can process API requests before passing them through to a backend. We can configuring a rate limit for all of our API endpoints by matching on the request path:

I did the same question here and here

Sadly there is currently no way of doing so. https://github.com/traefik/traefik/issues/6999

Traefik is another widely used system that has automatic configuration and offers support for more things like swarm/kubernetes/etc.

I have a webapp which I currently have deployed by running nginx in a container. Works as it should, however I am intersted in adding more observability to the webapp and found this reverse-proxy https://github.com/traefik/traefik which seems to expose some nice metrics which can be useful for observability.

``` more details in this (github issue)[https://github.com/traefik/traefik/issues/5059]