From caab396b56a011031b8d414dd179ff6345980f73 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Mon, 13 Dec 2021 15:36:05 +0100
Subject: [PATCH] web/admin: improve wording for froward_auth, don't show setup
 when using proxy mode

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 web/src/locales/en.po                         |  41 ++++++-
 web/src/locales/fr_FR.po                      |  41 ++++++-
 web/src/locales/pseudo-LOCALE.po              |  39 ++++++-
 .../providers/proxy/ProxyProviderForm.ts      |  28 +++--
 .../providers/proxy/ProxyProviderViewPage.ts  | 109 ++++++++++--------
 5 files changed, 189 insertions(+), 69 deletions(-)

diff --git a/web/src/locales/en.po b/web/src/locales/en.po
index 215ed92d7..7e849d917 100644
--- a/web/src/locales/en.po
+++ b/web/src/locales/en.po
@@ -296,6 +296,10 @@ msgstr "Alternatively, if your current device has Duo installed, click on this l
 msgid "Always require consent"
 msgstr "Always require consent"
 
+#: src/pages/providers/proxy/ProxyProviderForm.ts
+msgid "An example setup can look like this:"
+msgstr "An example setup can look like this:"
+
 #: src/pages/stages/prompt/PromptForm.ts
 msgid "Any HTML can be used."
 msgstr "Any HTML can be used."
@@ -445,6 +449,10 @@ msgstr "Authentication"
 msgid "Authentication Type"
 msgstr "Authentication Type"
 
+#: src/pages/providers/proxy/ProxyProviderForm.ts
+msgid "Authentication URL"
+msgstr "Authentication URL"
+
 #: src/pages/sources/oauth/OAuthSourceForm.ts
 #: src/pages/sources/plex/PlexSourceForm.ts
 #: src/pages/sources/saml/SAMLSourceForm.ts
@@ -1855,7 +1863,6 @@ msgstr "External Applications which use authentik as Identity-Provider, utilizin
 msgid "External Host"
 msgstr "External Host"
 
-#: src/pages/providers/proxy/ProxyProviderForm.ts
 #: src/pages/providers/proxy/ProxyProviderForm.ts
 #: src/pages/providers/proxy/ProxyProviderForm.ts
 msgid "External host"
@@ -2344,6 +2351,10 @@ msgstr "Import certificates of external providers or create certificates to sign
 msgid "In case you can't access any other method."
 msgstr "In case you can't access any other method."
 
+#: src/pages/providers/proxy/ProxyProviderForm.ts
+msgid "In this case, you'd set the Authentication URL to auth.example.com and Cookie domain to example.com."
+msgstr "In this case, you'd set the Authentication URL to auth.example.com and Cookie domain to example.com."
+
 #: src/pages/users/UserListPage.ts
 msgid "Inactive"
 msgstr "Inactive"
@@ -2996,6 +3007,10 @@ msgstr "No Stages bound"
 msgid "No additional data available."
 msgstr "No additional data available."
 
+#: src/pages/providers/proxy/ProxyProviderViewPage.ts
+msgid "No additional setup is required."
+msgstr "No additional setup is required."
+
 #: src/elements/forms/ModalForm.ts
 msgid "No form found"
 msgstr "No form found"
@@ -3210,8 +3225,8 @@ msgid "Optionally set the 'FriendlyName' value of the Assertion attribute."
 msgstr "Optionally set the 'FriendlyName' value of the Assertion attribute."
 
 #: src/pages/providers/proxy/ProxyProviderForm.ts
-msgid "Optionally set this to your parent domain, if you want authentication and authorization to happen on a domain level. If you're running applications as app1.domain.tld, app2.domain.tld, set this to 'domain.tld'."
-msgstr "Optionally set this to your parent domain, if you want authentication and authorization to happen on a domain level. If you're running applications as app1.domain.tld, app2.domain.tld, set this to 'domain.tld'."
+#~ msgid "Optionally set this to your parent domain, if you want authentication and authorization to happen on a domain level. If you're running applications as app1.domain.tld, app2.domain.tld, set this to 'domain.tld'."
+#~ msgstr "Optionally set this to your parent domain, if you want authentication and authorization to happen on a domain level. If you're running applications as app1.domain.tld, app2.domain.tld, set this to 'domain.tld'."
 
 #: src/pages/flows/BoundStagesList.ts
 #: src/pages/flows/StageBindingForm.ts
@@ -4109,6 +4124,10 @@ msgstr "Set a custom HTTP-Basic Authentication header based on values from authe
 msgid "Set custom attributes using YAML or JSON."
 msgstr "Set custom attributes using YAML or JSON."
 
+#: src/pages/providers/proxy/ProxyProviderForm.ts
+msgid "Set this to the domain you wish the authentication to be valid for. Must be a parent domain of the URL above. If you're running applications as app1.domain.tld, app2.domain.tld, set this to 'domain.tld'."
+msgstr "Set this to the domain you wish the authentication to be valid for. Must be a parent domain of the URL above. If you're running applications as app1.domain.tld, app2.domain.tld, set this to 'domain.tld'."
+
 #: src/pages/providers/proxy/ProxyProviderViewPage.ts
 msgid "Setup"
 msgstr "Setup"
@@ -4845,8 +4864,12 @@ msgid "The external URL you'll access the application at. Include any non-standa
 msgstr "The external URL you'll access the application at. Include any non-standard port."
 
 #: src/pages/providers/proxy/ProxyProviderForm.ts
-msgid "The external URL you'll authenticate at. Can be the same domain as authentik."
-msgstr "The external URL you'll authenticate at. Can be the same domain as authentik."
+#~ msgid "The external URL you'll authenticate at. Can be the same domain as authentik."
+#~ msgstr "The external URL you'll authenticate at. Can be the same domain as authentik."
+
+#: src/pages/providers/proxy/ProxyProviderForm.ts
+msgid "The external URL you'll authenticate at. The authentik core server should be reachable under this URL."
+msgstr "The external URL you'll authenticate at. The authentik core server should be reachable under this URL."
 
 #: 
 #~ msgid "The following objects use {0}:"
@@ -5782,6 +5805,10 @@ msgstr "You're about to be redirect to the following URL."
 msgid "You're currently impersonating {0}. Click to stop."
 msgstr "You're currently impersonating {0}. Click to stop."
 
+#: src/pages/providers/proxy/ProxyProviderForm.ts
+msgid "app1 running on app1.example.com"
+msgstr "app1 running on app1.example.com"
+
 #: 
 #~ msgid "authentik Builtin Database"
 #~ msgstr "authentik Builtin Database"
@@ -5790,6 +5817,10 @@ msgstr "You're currently impersonating {0}. Click to stop."
 #~ msgid "authentik LDAP Backend"
 #~ msgstr "authentik LDAP Backend"
 
+#: src/pages/providers/proxy/ProxyProviderForm.ts
+msgid "authentik running on auth.example.com"
+msgstr "authentik running on auth.example.com"
+
 #: src/elements/forms/DeleteForm.ts
 msgid "connecting object will be deleted"
 msgstr "connecting object will be deleted"
diff --git a/web/src/locales/fr_FR.po b/web/src/locales/fr_FR.po
index cb2d9a9c9..a1795f88b 100644
--- a/web/src/locales/fr_FR.po
+++ b/web/src/locales/fr_FR.po
@@ -300,6 +300,10 @@ msgstr "Sinon, si Duo est installé sur cet appareil, cliquez sur ce lien :"
 msgid "Always require consent"
 msgstr "Toujours exiger l'approbation"
 
+#: src/pages/providers/proxy/ProxyProviderForm.ts
+msgid "An example setup can look like this:"
+msgstr ""
+
 #: src/pages/stages/prompt/PromptForm.ts
 msgid "Any HTML can be used."
 msgstr ""
@@ -449,6 +453,10 @@ msgstr "Authentification"
 msgid "Authentication Type"
 msgstr ""
 
+#: src/pages/providers/proxy/ProxyProviderForm.ts
+msgid "Authentication URL"
+msgstr ""
+
 #: src/pages/sources/oauth/OAuthSourceForm.ts
 #: src/pages/sources/plex/PlexSourceForm.ts
 #: src/pages/sources/saml/SAMLSourceForm.ts
@@ -1841,7 +1849,6 @@ msgstr "Applications externes qui utilisent authentik comme fournisseur d'identi
 msgid "External Host"
 msgstr "Hôte externe"
 
-#: src/pages/providers/proxy/ProxyProviderForm.ts
 #: src/pages/providers/proxy/ProxyProviderForm.ts
 #: src/pages/providers/proxy/ProxyProviderForm.ts
 msgid "External host"
@@ -2327,6 +2334,10 @@ msgstr "Importer les certificats des fournisseurs externes ou créer des certifi
 msgid "In case you can't access any other method."
 msgstr "Au cas où aucune autre méthode ne soit disponible."
 
+#: src/pages/providers/proxy/ProxyProviderForm.ts
+msgid "In this case, you'd set the Authentication URL to auth.example.com and Cookie domain to example.com."
+msgstr ""
+
 #: src/pages/users/UserListPage.ts
 msgid "Inactive"
 msgstr "Inactif"
@@ -2974,6 +2985,10 @@ msgstr "Aucune étape liée"
 msgid "No additional data available."
 msgstr "Aucune donnée additionnelle disponible."
 
+#: src/pages/providers/proxy/ProxyProviderViewPage.ts
+msgid "No additional setup is required."
+msgstr ""
+
 #: src/elements/forms/ModalForm.ts
 msgid "No form found"
 msgstr "Aucun formulaire trouvé"
@@ -3185,8 +3200,8 @@ msgid "Optionally set the 'FriendlyName' value of the Assertion attribute."
 msgstr "Indiquer la valeur \"FriendlyName\" de l'attribut d'assertion (optionnel)"
 
 #: src/pages/providers/proxy/ProxyProviderForm.ts
-msgid "Optionally set this to your parent domain, if you want authentication and authorization to happen on a domain level. If you're running applications as app1.domain.tld, app2.domain.tld, set this to 'domain.tld'."
-msgstr "Indiquer votre domaine parent (optionnel), si vous souhaitez que l'authentification et l'autorisation soient réalisés au niveau du domaine. Si vous exécutez des applications sur app1.domain.tld, app2.domain.tld, indiquez ici \"domain.tld\"."
+#~ msgid "Optionally set this to your parent domain, if you want authentication and authorization to happen on a domain level. If you're running applications as app1.domain.tld, app2.domain.tld, set this to 'domain.tld'."
+#~ msgstr "Indiquer votre domaine parent (optionnel), si vous souhaitez que l'authentification et l'autorisation soient réalisés au niveau du domaine. Si vous exécutez des applications sur app1.domain.tld, app2.domain.tld, indiquez ici \"domain.tld\"."
 
 #: src/pages/flows/BoundStagesList.ts
 #: src/pages/flows/StageBindingForm.ts
@@ -4072,6 +4087,10 @@ msgstr "Définir un en-tête d'authentification HTTP-Basic personnalisé basé s
 msgid "Set custom attributes using YAML or JSON."
 msgstr "Définissez des attributs personnalisés via YAML ou JSON."
 
+#: src/pages/providers/proxy/ProxyProviderForm.ts
+msgid "Set this to the domain you wish the authentication to be valid for. Must be a parent domain of the URL above. If you're running applications as app1.domain.tld, app2.domain.tld, set this to 'domain.tld'."
+msgstr ""
+
 #: src/pages/providers/proxy/ProxyProviderViewPage.ts
 msgid "Setup"
 msgstr ""
@@ -4799,8 +4818,12 @@ msgid "The external URL you'll access the application at. Include any non-standa
 msgstr "L'URL externe par laquelle vous accéderez à l'application. Incluez un port non-standard si besoin."
 
 #: src/pages/providers/proxy/ProxyProviderForm.ts
-msgid "The external URL you'll authenticate at. Can be the same domain as authentik."
-msgstr "L'URL externe sur laquelle vous vous authentifierez. Cela peut être le même domaine qu'authentik."
+#~ msgid "The external URL you'll authenticate at. Can be the same domain as authentik."
+#~ msgstr "L'URL externe sur laquelle vous vous authentifierez. Cela peut être le même domaine qu'authentik."
+
+#: src/pages/providers/proxy/ProxyProviderForm.ts
+msgid "The external URL you'll authenticate at. The authentik core server should be reachable under this URL."
+msgstr ""
 
 #~ msgid "The following objects use {0}:"
 #~ msgstr "Les objets suivants utilisent {0} :"
@@ -5718,12 +5741,20 @@ msgstr "Vous allez être redirigé vers l'URL suivante."
 msgid "You're currently impersonating {0}. Click to stop."
 msgstr "Vous êtes en train de vous faire passer pour {0}. Cliquez pour arrêter."
 
+#: src/pages/providers/proxy/ProxyProviderForm.ts
+msgid "app1 running on app1.example.com"
+msgstr ""
+
 #~ msgid "authentik Builtin Database"
 #~ msgstr "Base de données intégrée à authentik"
 
 #~ msgid "authentik LDAP Backend"
 #~ msgstr "Backend LDAP authentik"
 
+#: src/pages/providers/proxy/ProxyProviderForm.ts
+msgid "authentik running on auth.example.com"
+msgstr ""
+
 #: src/elements/forms/DeleteForm.ts
 msgid "connecting object will be deleted"
 msgstr "L'objet connecté sera supprimé"
diff --git a/web/src/locales/pseudo-LOCALE.po b/web/src/locales/pseudo-LOCALE.po
index 3082044af..9ccb43584 100644
--- a/web/src/locales/pseudo-LOCALE.po
+++ b/web/src/locales/pseudo-LOCALE.po
@@ -296,6 +296,10 @@ msgstr ""
 msgid "Always require consent"
 msgstr ""
 
+#: src/pages/providers/proxy/ProxyProviderForm.ts
+msgid "An example setup can look like this:"
+msgstr ""
+
 #: src/pages/stages/prompt/PromptForm.ts
 msgid "Any HTML can be used."
 msgstr ""
@@ -441,6 +445,10 @@ msgstr ""
 msgid "Authentication Type"
 msgstr ""
 
+#: src/pages/providers/proxy/ProxyProviderForm.ts
+msgid "Authentication URL"
+msgstr ""
+
 #: src/pages/sources/oauth/OAuthSourceForm.ts
 #: src/pages/sources/plex/PlexSourceForm.ts
 #: src/pages/sources/saml/SAMLSourceForm.ts
@@ -1847,7 +1855,6 @@ msgstr ""
 msgid "External Host"
 msgstr ""
 
-#: src/pages/providers/proxy/ProxyProviderForm.ts
 #: src/pages/providers/proxy/ProxyProviderForm.ts
 #: src/pages/providers/proxy/ProxyProviderForm.ts
 msgid "External host"
@@ -2336,6 +2343,10 @@ msgstr ""
 msgid "In case you can't access any other method."
 msgstr ""
 
+#: src/pages/providers/proxy/ProxyProviderForm.ts
+msgid "In this case, you'd set the Authentication URL to auth.example.com and Cookie domain to example.com."
+msgstr ""
+
 #: src/pages/users/UserListPage.ts
 msgid "Inactive"
 msgstr ""
@@ -2986,6 +2997,10 @@ msgstr ""
 msgid "No additional data available."
 msgstr ""
 
+#: src/pages/providers/proxy/ProxyProviderViewPage.ts
+msgid "No additional setup is required."
+msgstr ""
+
 #: src/elements/forms/ModalForm.ts
 msgid "No form found"
 msgstr ""
@@ -3200,8 +3215,8 @@ msgid "Optionally set the 'FriendlyName' value of the Assertion attribute."
 msgstr ""
 
 #: src/pages/providers/proxy/ProxyProviderForm.ts
-msgid "Optionally set this to your parent domain, if you want authentication and authorization to happen on a domain level. If you're running applications as app1.domain.tld, app2.domain.tld, set this to 'domain.tld'."
-msgstr ""
+#~ msgid "Optionally set this to your parent domain, if you want authentication and authorization to happen on a domain level. If you're running applications as app1.domain.tld, app2.domain.tld, set this to 'domain.tld'."
+#~ msgstr ""
 
 #: src/pages/flows/BoundStagesList.ts
 #: src/pages/flows/StageBindingForm.ts
@@ -4099,6 +4114,10 @@ msgstr ""
 msgid "Set custom attributes using YAML or JSON."
 msgstr ""
 
+#: src/pages/providers/proxy/ProxyProviderForm.ts
+msgid "Set this to the domain you wish the authentication to be valid for. Must be a parent domain of the URL above. If you're running applications as app1.domain.tld, app2.domain.tld, set this to 'domain.tld'."
+msgstr ""
+
 #: src/pages/providers/proxy/ProxyProviderViewPage.ts
 msgid "Setup"
 msgstr ""
@@ -4835,7 +4854,11 @@ msgid "The external URL you'll access the application at. Include any non-standa
 msgstr ""
 
 #: src/pages/providers/proxy/ProxyProviderForm.ts
-msgid "The external URL you'll authenticate at. Can be the same domain as authentik."
+#~ msgid "The external URL you'll authenticate at. Can be the same domain as authentik."
+#~ msgstr ""
+
+#: src/pages/providers/proxy/ProxyProviderForm.ts
+msgid "The external URL you'll authenticate at. The authentik core server should be reachable under this URL."
 msgstr ""
 
 #: 
@@ -5760,6 +5783,10 @@ msgstr ""
 msgid "You're currently impersonating {0}. Click to stop."
 msgstr ""
 
+#: src/pages/providers/proxy/ProxyProviderForm.ts
+msgid "app1 running on app1.example.com"
+msgstr ""
+
 #: 
 #~ msgid "authentik Builtin Database"
 #~ msgstr ""
@@ -5768,6 +5795,10 @@ msgstr ""
 #~ msgid "authentik LDAP Backend"
 #~ msgstr ""
 
+#: src/pages/providers/proxy/ProxyProviderForm.ts
+msgid "authentik running on auth.example.com"
+msgstr ""
+
 #: src/elements/forms/DeleteForm.ts
 msgid "connecting object will be deleted"
 msgstr ""
diff --git a/web/src/pages/providers/proxy/ProxyProviderForm.ts b/web/src/pages/providers/proxy/ProxyProviderForm.ts
index 0218ebe02..bff2c5169 100644
--- a/web/src/pages/providers/proxy/ProxyProviderForm.ts
+++ b/web/src/pages/providers/proxy/ProxyProviderForm.ts
@@ -7,6 +7,7 @@ import { ifDefined } from "lit/directives/if-defined.js";
 import { until } from "lit/directives/until.js";
 
 import PFContent from "@patternfly/patternfly/components/Content/content.css";
+import PFList from "@patternfly/patternfly/components/List/list.css";
 import PFToggleGroup from "@patternfly/patternfly/components/ToggleGroup/toggle-group.css";
 import PFSpacing from "@patternfly/patternfly/utilities/Spacing/spacing.css";
 
@@ -32,6 +33,7 @@ export class ProxyProviderFormPage extends ModelForm<ProxyProvider, number> {
         return super.styles.concat(
             PFToggleGroup,
             PFContent,
+            PFList,
             PFSpacing,
             css`
                 .pf-c-toggle-group {
@@ -162,7 +164,7 @@ export class ProxyProviderFormPage extends ModelForm<ProxyProvider, number> {
     renderSettings(): TemplateResult {
         switch (this.mode) {
             case ProxyMode.Proxy:
-                return html` <p class="pf-u-mb-xl">
+                return html`<p class="pf-u-mb-xl">
                         ${t`This provider will behave like a transparent reverse-proxy, except requests must be authenticated. If your upstream application uses HTTPS, make sure to connect to the outpost using HTTPS as well.`}
                     </p>
                     <ak-form-element-horizontal
@@ -211,7 +213,7 @@ export class ProxyProviderFormPage extends ModelForm<ProxyProvider, number> {
                         </p>
                     </ak-form-element-horizontal>`;
             case ProxyMode.ForwardSingle:
-                return html` <p class="pf-u-mb-xl">
+                return html`<p class="pf-u-mb-xl">
                         ${t`Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /akprox must be routed to the outpost (when using a manged outpost, this is done for you).`}
                     </p>
                     <ak-form-element-horizontal
@@ -230,11 +232,19 @@ export class ProxyProviderFormPage extends ModelForm<ProxyProvider, number> {
                         </p>
                     </ak-form-element-horizontal>`;
             case ProxyMode.ForwardDomain:
-                return html` <p class="pf-u-mb-xl">
+                return html`<p class="pf-u-mb-xl">
                         ${t`Use this provider with nginx's auth_request or traefik's forwardAuth. Only a single provider is required per root domain. You can't do per-application authorization, but you don't have to create a provider for each application.`}
                     </p>
+                    <div class="pf-u-mb-xl">
+                        ${t`An example setup can look like this:`}
+                        <ul class="pf-c-list">
+                            <li>${t`authentik running on auth.example.com`}</li>
+                            <li>${t`app1 running on app1.example.com`}</li>
+                        </ul>
+                        ${t`In this case, you'd set the Authentication URL to auth.example.com and Cookie domain to example.com.`}
+                    </div>
                     <ak-form-element-horizontal
-                        label=${t`External host`}
+                        label=${t`Authentication URL`}
                         ?required=${true}
                         name="externalHost"
                     >
@@ -245,10 +255,14 @@ export class ProxyProviderFormPage extends ModelForm<ProxyProvider, number> {
                             required
                         />
                         <p class="pf-c-form__helper-text">
-                            ${t`The external URL you'll authenticate at. Can be the same domain as authentik.`}
+                            ${t`The external URL you'll authenticate at. The authentik core server should be reachable under this URL.`}
                         </p>
                     </ak-form-element-horizontal>
-                    <ak-form-element-horizontal label=${t`Cookie domain`} name="cookieDomain">
+                    <ak-form-element-horizontal
+                        label=${t`Cookie domain`}
+                        name="cookieDomain"
+                        ?required=${true}
+                    >
                         <input
                             type="text"
                             value="${ifDefined(this.instance?.cookieDomain)}"
@@ -256,7 +270,7 @@ export class ProxyProviderFormPage extends ModelForm<ProxyProvider, number> {
                             required
                         />
                         <p class="pf-c-form__helper-text">
-                            ${t`Optionally set this to your parent domain, if you want authentication and authorization to happen on a domain level. If you're running applications as app1.domain.tld, app2.domain.tld, set this to 'domain.tld'.`}
+                            ${t`Set this to the domain you wish the authentication to be valid for. Must be a parent domain of the URL above. If you're running applications as app1.domain.tld, app2.domain.tld, set this to 'domain.tld'.`}
                         </p>
                     </ak-form-element-horizontal>`;
         }
diff --git a/web/src/pages/providers/proxy/ProxyProviderViewPage.ts b/web/src/pages/providers/proxy/ProxyProviderViewPage.ts
index 8165419d1..7192fffa7 100644
--- a/web/src/pages/providers/proxy/ProxyProviderViewPage.ts
+++ b/web/src/pages/providers/proxy/ProxyProviderViewPage.ts
@@ -92,10 +92,17 @@ export class ProxyProviderViewPage extends LitElement {
 
     renderConfigTemplate(tmpl: string): TemplateResult {
         // See website/docs/providers/proxy/forward_auth.mdx
-        const final = tmpl
-            .replaceAll("authentik.company", window.location.hostname)
-            .replaceAll("outpost.company", window.location.hostname)
-            .replaceAll("app.company", this.provider?.externalHost || "");
+        let final = "";
+        if (this.provider?.mode === ProxyMode.ForwardSingle) {
+            final = tmpl
+                .replaceAll("authentik.company", window.location.hostname)
+                .replaceAll("outpost.company", window.location.hostname)
+                .replaceAll("app.company", this.provider?.externalHost || "");
+        } else if (this.provider?.mode == ProxyMode.ForwardDomain) {
+            final = tmpl
+                .replaceAll("authentik.company", window.location.hostname)
+                .replaceAll("outpost.company", this.provider?.externalHost || "");
+        }
         return html`${unsafeHTML(final)}`;
     }
 
@@ -233,50 +240,56 @@ export class ProxyProviderViewPage extends LitElement {
                 <div class="pf-c-card pf-l-grid__item pf-m-12-col">
                     <div class="pf-c-card__title">${t`Setup`}</div>
                     <div class="pf-c-card__body">
-                        <ak-tabs pageIdentifier="proxy-setup">
-                            <section
-                                slot="page-nginx-ingress"
-                                data-tab-title="${t`Nginx (Ingress)`}"
-                                class="pf-c-page__main-section pf-m-light pf-m-no-padding-mobile"
-                            >
-                                ${this.renderConfigTemplate(MDNginxIngress.html)}
-                            </section>
-                            <section
-                                slot="page-nginx-proxy-manager"
-                                data-tab-title="${t`Nginx (Proxy Manager)`}"
-                                class="pf-c-page__main-section pf-m-light pf-m-no-padding-mobile"
-                            >
-                                ${this.renderConfigTemplate(MDNginxPM.html)}
-                            </section>
-                            <section
-                                slot="page-nginx-standalone"
-                                data-tab-title="${t`Nginx (standalone)`}"
-                                class="pf-c-page__main-section pf-m-light pf-m-no-padding-mobile"
-                            >
-                                ${this.renderConfigTemplate(MDNginxStandalone.html)}
-                            </section>
-                            <section
-                                slot="page-traefik-ingress"
-                                data-tab-title="${t`Traefik (Ingress)`}"
-                                class="pf-c-page__main-section pf-m-light pf-m-no-padding-mobile"
-                            >
-                                ${this.renderConfigTemplate(MDTraefikIngres.html)}
-                            </section>
-                            <section
-                                slot="page-traefik-compose"
-                                data-tab-title="${t`Traefik (Compose)`}"
-                                class="pf-c-page__main-section pf-m-light pf-m-no-padding-mobile"
-                            >
-                                ${this.renderConfigTemplate(MDTraefikCompose.html)}
-                            </section>
-                            <section
-                                slot="page-traefik-standalone"
-                                data-tab-title="${t`Traefik (Standalone)`}"
-                                class="pf-c-page__main-section pf-m-light pf-m-no-padding-mobile"
-                            >
-                                ${this.renderConfigTemplate(MDTraefikStandalone.html)}
-                            </section>
-                        </ak-tabs>
+                        ${[ProxyMode.ForwardSingle, ProxyMode.ForwardDomain].includes(
+                            this.provider?.mode || ProxyMode.Proxy,
+                        )
+                            ? html`
+                                  <ak-tabs pageIdentifier="proxy-setup">
+                                      <section
+                                          slot="page-nginx-ingress"
+                                          data-tab-title="${t`Nginx (Ingress)`}"
+                                          class="pf-c-page__main-section pf-m-light pf-m-no-padding-mobile"
+                                      >
+                                          ${this.renderConfigTemplate(MDNginxIngress.html)}
+                                      </section>
+                                      <section
+                                          slot="page-nginx-proxy-manager"
+                                          data-tab-title="${t`Nginx (Proxy Manager)`}"
+                                          class="pf-c-page__main-section pf-m-light pf-m-no-padding-mobile"
+                                      >
+                                          ${this.renderConfigTemplate(MDNginxPM.html)}
+                                      </section>
+                                      <section
+                                          slot="page-nginx-standalone"
+                                          data-tab-title="${t`Nginx (standalone)`}"
+                                          class="pf-c-page__main-section pf-m-light pf-m-no-padding-mobile"
+                                      >
+                                          ${this.renderConfigTemplate(MDNginxStandalone.html)}
+                                      </section>
+                                      <section
+                                          slot="page-traefik-ingress"
+                                          data-tab-title="${t`Traefik (Ingress)`}"
+                                          class="pf-c-page__main-section pf-m-light pf-m-no-padding-mobile"
+                                      >
+                                          ${this.renderConfigTemplate(MDTraefikIngres.html)}
+                                      </section>
+                                      <section
+                                          slot="page-traefik-compose"
+                                          data-tab-title="${t`Traefik (Compose)`}"
+                                          class="pf-c-page__main-section pf-m-light pf-m-no-padding-mobile"
+                                      >
+                                          ${this.renderConfigTemplate(MDTraefikCompose.html)}
+                                      </section>
+                                      <section
+                                          slot="page-traefik-standalone"
+                                          data-tab-title="${t`Traefik (Standalone)`}"
+                                          class="pf-c-page__main-section pf-m-light pf-m-no-padding-mobile"
+                                      >
+                                          ${this.renderConfigTemplate(MDTraefikStandalone.html)}
+                                      </section>
+                                  </ak-tabs>
+                              `
+                            : html` <p>${t`No additional setup is required.`}</p> `}
                     </div>
                 </div>
             </div>`;