Pomerium VS vouch-proxy

Option 3: Pomerium might be an alternative as well.

That is not how you do Zero Trust. You want to use an Identity Aware Proxy. There are lots of ways you can implement this with Google as your core auth. For example Pomerium or oauth2-proxy.

I’m really surprised this sub has no love for Pomerium. I feel like it’s as simple as Caddy with all the security benefits of Traefik.

I am not sure if I understand how Pomerium works (or any identity-aware proxy).

Pomerium sidecar.

Just want to drop https://www.pomerium.com/ here. We use it at our company with ~1500 people with many apps behind the proxy. It also supports JWT for the backend, so you can integrate your apps easily without having to worry about the OAuth flow and also your apps are protected from random internet attacks.

You’ve got to protect. Anonymity is not going to work. Pomerium is another option in addition to those already suggested. https://github.com/pomerium/pomerium

I am currently looking at Wireguard/Tailscale (Wireguard based) options - early days for me so far. Also planning to look at something like Pomerium for a zero trust approach. https://www.pomerium.com/

Look into vouch proxy

Vouch proxy is designed for this usage: https://github.com/vouch/vouch-proxy I don't think there are any nice UIs to configure it though so you'll need to be familiar with running it yourself.

Not sure this is a "best practice", but it lets me keep control of the Ingress resources inside their YAML configs. I've also layered Vouch Proxy into the ingress configurations to require SSO/MFA auth to access the resources behind the Ingress. Cloudflare has the ability to do this, but I found it cumbersome to keep track of the configs outside the K8s cluster.

I've used vouch proxy for my own stuff previously, before more recently moving to Cloudflare Access. vouch can be slightly janky at times to get working right, but once set up, it's been solid.

For example: nginx -> Vouch proxy -> KeyCloak -> Jellyfin

While this works, we were hoping to make access a bit easier with say an OpenID Connect SSO and reverse-proxy solution. I've seen Vouch Proxy, https://github.com/vouch/vouch-proxy which is really just SSO on top of nginx, but I'm wondering if there's a simpler way to do this.

You seem to be quite knowledgeable and a minimal provider with just the bare minimum would suffice for you. Have a look at Vouch Proxy, it does one thing and it does it well.