Proxy

Changelog

  • ?: Init
  • 2023-12-28: Add feature comparison section.

Forward proxy, more specifically. The goal is to have the following setup:

Some other articles:

Comparisons

After searching Google for the keyword "Authelia", this Reddit post on which authentication server to choose popped up. The main offerings are Authentik, Authelia, and Keycloak, at least for homelab usage (Authentik's comparison page also suggests AD, Okta, and Duo as alternatives).

| Provider | Notes |
| --- | --- |
| Authentik | See here. Runs on top of Django, with PostgreSQL and Redis backends. Seems to be a two-developer team as of 2023. Relatively frequently updated. Impressions from two years ago don't seem particularly positive with regard to security focus. One problem is the non-implementation of Single Log-off (SLO), which has been actively worked on since 2022 but is still unresolved as of 2023. Their integrations page looks really helpful. |
| Authelia | Consider looking at the scripts used in auto-authelia to simplify the setup process. A Reddit user mentioned it has a simple config file setup for secrets, which is easier to manage. It has been stuck on v4.37.5 for about a year now, due to stalled development of multi-device support in v4.38.0, although there is a workaround. |
| Keycloak | Seems to be quite resource-heavy? Under the stewardship of Red Hat, and has security audits. Strange that it seems to have problems in the codebase, see below. |

LDAP: https://www.zytrax.com/books/ldap/ch2/index.html#history

Authelia: https://www.authelia.com/configuration/first-factor/introduction/