Question 1

How to set up Beyond with Google OAuth for internal apps?

Accepted Answer

Use the OIDC configuration example with Google as the issuer: provide -oidc-issuer https://accounts.google.com, along with your client ID and secret. Ensure -cookie-domain and -beyond-host are set correctly for your domain, and use -allowlist-url to control access.

Question 2

Beyond vs Pomerium: which is better for zero-trust?

Accepted Answer

Beyond is simpler and more focused on web services with built-in support for developer tools like GitHub and Docker registries, while Pomerium offers broader features like device identity and more granular policies. Choose Beyond if you need quick deployment for specific services; Pomerium for comprehensive zero-trust across diverse endpoints.

Question 3

How to configure host rewriting in Beyond for legacy apps?

Accepted Answer

Use the -hosts-csv flag or -hosts-url with a JSON file to map old hostnames to new ones, including protocols and ports. For example, -hosts-csv "old-api.example.com=https://new-api.example.com:8443" rewrites the backend connection accordingly.

Question 4

Does Beyond support LDAP authentication directly?

Accepted Answer

No, Beyond does not have native LDAP support. You must integrate LDAP via an identity provider that supports OIDC, SAML, or OAuth2, such as Keycloak or Active Directory Federation Services, and then configure Beyond to use that IdP.

Question 5

How to scale Beyond for high-traffic production use?

Accepted Answer

Deploy multiple Beyond instances behind a load balancer, ensure consistent -cookie-key across instances for session persistence, and use external config URLs for centralized management. Monitor with -log-elastic for analytics and adjust timeouts as needed.

Question 6

Can Beyond be integrated with Kubernetes ingress?

Accepted Answer

Yes, but it's not a drop-in replacement. You can run Beyond as a sidecar or standalone proxy, configuring it to authenticate requests before routing to Kubernetes services. Use host rewriting to map external domains to internal service names, and ensure proper network policies.

transcend

What is transcend?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions