Disclosure, I'm an employee of FusionAuth, which is another auth server in this space.
Interesting that this project supports features you'd need for an internal network setup (trusted headers, forward auth) and an external facing network (support for Google/other identity providers, anonymous clients based on domain name).
I'd be careful mixing those two feature sets myself. Maybe I'm missing something.
I also loved the comparison of OSS identity providers[0]. Putting it into a Google Sheet for easy sharing and commenting is a great idea!
> Interesting that this project supports features you'd need for an internal network setup (trusted headers, forward auth) and an external facing network (support for Google/other identity providers, anonymous clients based on domain name).
Yep. There are two primary schools of thought on self-hosting, with echoes of the VPN vs BeyondCorp tradeoffs.
The VPN approach is to keep everything locked down on a private network, likely a virtual network using WireGuard, and likely provided by Tailscale. The main tradeoff here for self-hosting is that everyone you want to share with needs access to your network, and unless no one has any private data, you're still going to need account management of some sort. Also, if one of your trusted devices gets compromised, the attacker can get access to the "soft squishy" inside of your network. If you're doing single user instance (SUI) hosting, this is likely what you want.
The BeyondCorp approach raises security to the application level, and exposes services directly to the internet. The main tradeoff here is that each app represents a potential attack vector. Since I host websites and file servers, obligator was built to facilitate this use case.
0: https://docs.google.com/spreadsheets/d/16Ya5KsmEpczTmoTk5J-1...