zitadel/site/docs/integrate/05-proxy.en.md

---
title:  Proxy / WAF
description: ...
---

### Proxy Protocol and Flow recommendation

### Ambassador Example

According to [https://www.getambassador.io/docs/latest/](https://www.getambassador.io/docs/latest/) Ambassador is a:

>The Ambassador Edge Stack is a comprehensive, self-service edge stack and API Gateway for Kubernetes built on Envoy Proxy. The shift to Kubernetes and microservices has profound consequences for the capabilities you need at the edge, as well as how you manage the edge. The Ambassador Edge Stack has been engineered with this world in mind.

You can use **ZITADEL** for Authentication and Authorization with **Ambassador**.

> The redirect URI is `https://{AMBASSADOR_URL}/.ambassador/oauth2/redirection-endpoint`

#### Use Ambassador to Authenticate with ZITADEL

With this you can use Ambassador to initiate the Authorization Code Flow.

```yaml
apiVersion: getambassador.io/v2
kind: Filter
metadata:
  name: zitadel-filter
  namespace: default
spec:
  OAuth2:
    authorizationURL: https://accounts.zitadel.ch/oauth/v2/authorize
    clientID: {ZITADEL_GENERATED_CLIENT_ID}
    secret: {ZITADEL_GENERATED_CLIENT_SECRET}
    protectedOrigins:
    - origin: https://{PROTECTED_URL}
```

```yaml
apiVersion: getambassador.io/v2
kind: FilterPolicy
metadata:
  name: zitadel-policy
  namespace: default
spec:
  rules:
    - host: "*"
      path: /backend/get-quote/
      filters:
        - name: zitadel-filter
```

#### Use Ambassador to check JWT Bearer Tokens

If you would like **Ambassador** to verify a JWT token from the authorization header you can do so by configuring **ZITADEL's** endpoints.

> Make sure that in your client settings of **ZITADEL** the "AuthToken Options" is **JWT** by default **ZITADEL** will use opaque tokens!

```yaml
apiVersion: getambassador.io/v2
kind: Filter
metadata:
  name: zitadel-filter
  namespace: default
spec:
  JWT:
    jwksURI:            "https://api.zitadel.ch/oauth/v2/keys"
    validAlgorithms:
    - "RS256"
    issuer:             "https://issuer.zitadel.ch"
    requireIssuer:      true
```

```yaml
apiVersion: getambassador.io/v2
kind: FilterPolicy
metadata:
  name: zitadel-policy
  namespace: default
spec:
  rules:
    - host: "*"
      path: /backend/get-quote/
      filters:
        - name: zitadel-filter
```

> Additional Infos can be found with [Ambassadors Documentation](https://www.getambassador.io/docs/latest/howtos/oauth-oidc-auth/)

### OAuth2 Proxy Example

[OAuth2-proxy](https://github.com/oauth2-proxy/oauth2-proxy) is a project which allows services to delegate the authentication flow to a IDP, for example **ZITADEL**

#### OAuth2 Proxy Authentication Example

```toml
provider = "oidc"
user_id_claim = "sub" #uses the subject as ID instead of the email
provider_display_name "ZITADEL"
redirect_url = "http://127.0.0.1:4180/oauth2/callback"
oidc_issuer_url = "https://issuer.zitadel.ch"
upstreams = [
    "https://example.corp.com"
]
email_domains = [
    "*"
]
client_id = "{ZITADEL_GENERATED_CLIENT_ID}"
client_secret = "{ZITADEL_GENERATED_CLIENT_SECRET}"
pass_access_token = true
cookie_secret = "{SUPPLY_SOME_SECRET_HERE}"
skip_provider_button = true
cookie_secure = false #localdev only false
http_address = "127.0.0.1:4180" #localdev only
```

> This was tested with version `oauth2-proxy v6.1.1 (built with go1.14.2)`

#### OAuth2 Proxy Authorization Example

> Not yet supported but with the work of [https://github.com/oauth2-proxy/oauth2-proxy/pull/797](https://github.com/oauth2-proxy/oauth2-proxy/pull/797) it should be possible in the future

### Cloudflare Access Example

> TODO

### NGINX Example

> TODO