Docs/batch link fixes (#2621)

* add redirect for installation

* batch of link fixes

docs/docs/identity-providers/okta.md

@@ -97,5 +97,5 @@ IDP_SERVICE_ACCOUNT="REPLACE_ME" # base64 encoded JSON object
 [environmental variables]: https://en.wikipedia.org/wiki/Environment_variable
 [oauth2]: https://oauth.net/2/
 [openid connect]: https://en.wikipedia.org/wiki/OpenID_Connect
-[pomerium-install]: /docs/install/
+[pomerium-install]: /docs/install/readme.md
 [Group ID]: https://developer.okta.com/docs/reference/api/groups/

docs/docs/install/readme.md

@@ -63,4 +63,4 @@ If you followed all the steps in this doc your Pomerium environment is not using
 [tls certificates]: ../topics/certificates.md
 [fqdn]: https://en.wikipedia.org/wiki/Fully_qualified_domain_name
 [mkcert]: https://github.com/FiloSottile/mkcert
-[Self-signed wildcard certificate]: /docs/topics/certificates.md##self-signed-wildcard-certificate
+[Self-signed wildcard certificate]: /docs/topics/certificates.md#self-signed-wildcard-certificate

docs/docs/topics/original-request-context.md

@@ -54,7 +54,7 @@ routes:
 - **API** is also accessed through it's Pomerium Route, but is only accessible by the **App**, using a [service account](/enterprise/service-accounts.md) to authenticate.
 - The **API** service needs to know the user making the request to **App** in order to formulate the correct response.
 
-Both Routes include [`pass_identity_headers`](/reference.md#pass-identity-headers), which provides (at minimum) the `X-Pomerium-Jwt-Assertion` header to the downstream application.
+Both Routes include [`pass_identity_headers`](/reference/readme.md#pass-identity-headers), which provides (at minimum) the `X-Pomerium-Jwt-Assertion` header to the downstream application.
 
 When a user makes a request that requires data from the API service, the following happens:
 

docs/enterprise/changelog.md

@@ -45,7 +45,7 @@ sidebarDepth: 0
 - Impersonation: Impersonation is now done on an individual session basis.
 - Various other bug fixes and improvements.
 
-[`signing key`]: /reference/readme.md/#signing-key
+[`signing key`]: /reference/readme.md#signing-key
 [Telemetry]: /enterprise/reference/reports.md#traffic
 [policy language]: /enterprise/reference/manage.md#pomerium-policy-language
 [Google Cloud Serverless]: /reference/readme.md#enable-google-cloud-serverless-authentication

docs/enterprise/concepts.md

@@ -86,7 +86,7 @@ Pomerium populates users and groups from your IdP. This data is cached to preven
 You may encounter a situation where you may want to add users that are not directly associated with your corporate identity provider service. For example, if you have a corporate GSuite account and want to add a contractor with a gmail account. In this case, there are two workarounds:
 
 - Create a group within your identity provider directly with the non-domain users in it. This group can be found and added to Namespaces and Policies.
-- Manually add the user's unique ID. Identify the ID from a user's Session Details page, or the [Sessions](/enterprise/reference/reports.html#sessions) page in Pomerium Enterprise.
+- Manually add the user's unique ID. Identify the ID from a user's Session Details page, or the [Sessions](/enterprise/reference/reports.md#sessions) page in Pomerium Enterprise.
 
    A user can see their session ID by navigating to the special `/.pomerium` URL endpoint from any Pomerium managed route. The unique ID is listed as "sub" under User Claims:
 
@@ -108,7 +108,7 @@ This term refers to the system or service the route provides or restricts access
 
 ### Moving Routes
 
-When moving a Route from one [Namespace](#namespace) to another, enforced policies will automatically be removed or applied. Optional policies available in the source Namespace but not the target will prevent the move. This is intentional to prevent unassociated policies.
+When moving a Route from one [Namespace](#namespaces) to another, enforced policies will automatically be removed or applied. Optional policies available in the source Namespace but not the target will prevent the move. This is intentional to prevent unassociated policies.
 
 ## Policies
 
@@ -130,11 +130,11 @@ Pomerium provides a standardized interface to add access control, regardless if
 
 ### Authentication
 
-Pomerium provides authentication via your existing identity provider (Pomerium supports all major [single sign-on](/docs/identity-providers/) providers (Okta, G Suite, Azure, AD, Ping, Github and so on).
+Pomerium provides authentication via your existing identity provider (Pomerium supports all major [single sign-on](/docs/identity-providers/readme.md) providers (Okta, G Suite, Azure, AD, Ping, Github and so on).
 
 ### Authorization
 
-Authorization policy can be expressed in a high-level, [declarative language](/enterprise/reference/manage.html#pomerium-policy-language) or [as code](/enterprise/reference/manage.html#rego) that can be used to enforce ABAC, RBAC, or any other governance policy controls. Pomerium can make holistic policy and authorization decisions using external data and request context factors such as user groups, roles, time, day, location and vulnerability status.
+Authorization policy can be expressed in a high-level, [declarative language](/enterprise/reference/manage.md#pomerium-policy-language) or [as code](/enterprise/reference/manage.md#rego) that can be used to enforce ABAC, RBAC, or any other governance policy controls. Pomerium can make holistic policy and authorization decisions using external data and request context factors such as user groups, roles, time, day, location and vulnerability status.
 
 Pomerium enables zero-trust based access in which trust flows from identity, device-state, and context, not network location. Every device, user, and application's communication should be authenticated, authorized, and encrypted.
 

docs/enterprise/install/quickstart.md

@@ -187,7 +187,7 @@ Once you have set permissions in the console UI, you should remove this configur
    audience: console.localhost.pomerium.com
    ```
 
-   This sets the expected "audience" key in the [JWT header](/reference/#jwt-claim-headers) to match what's provided by open-source Pomerium as it proxies traffic to the Enterprise Console UI.
+   This sets the expected "audience" key in the [JWT header](/reference/readme.md#jwt-claim-headers) to match what's provided by open-source Pomerium as it proxies traffic to the Enterprise Console UI.
 
 Once complete, your `/etc/pomerium-console/config.yaml` file should look something like this:
 

docs/enterprise/reference/configure.md

@@ -260,7 +260,7 @@ A [Namespace][namespace-concept] is a collection of users, groups, routes, and p
 - Users or groups can be granted permission to edit access to routes within a Namespace, allowing them self-serve access to the routes critical to their work.
 
 ::: tip
-When using an IdP without directory sync or when working with non-domain users, they will not show up in the look-ahead search. See [Non-Domain Users](/enterprise/concepts.html#non-domain-users) for more information.
+When using an IdP without directory sync or when working with non-domain users, they will not show up in the look-ahead search. See [Non-Domain Users](/enterprise/concepts.md#non-domain-users) for more information.
 :::
 
 

docs/enterprise/upgrading.md

@@ -17,7 +17,7 @@ When new version of Pomerium Enterprise are released, check back to this page be
 - `signing-key` is now a required option to improve request security from Pomerium Core. The value should match the one set in Pomerium Core. See the [signing key] reference page for more information on generating a key.
 - `audience` is now a required option to improve request security from Pomerium Core. The value should match the Enterprise Console's external URL hostname, as defined in the [`from`](/reference/readme.md#routes) field in the Routes entry (not including the protocol).
 
-[signing key]: /reference/readme.md/#signing-key
+[signing key]: /reference/readme.md#signing-key
 
 ### Helm Installations
 

docs/reference/readme.md

@@ -1590,7 +1590,7 @@ When [`lb_policy`](#load-balancing-policy) is configured, you may further custom
 - [`ring_hash_lb_config`](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-ringhashlbconfig)
 - [`maglev_lb_config`](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-msg-config-cluster-v3-cluster-maglevlbconfig)
 
-See [Load Balancing](/docs/topics/load-balancing) for example [configurations](/docs/topics/load-balancing.html#load-balancing-method)
+See [Load Balancing](/docs/topics/load-balancing) for example [configurations](/docs/topics/load-balancing.md#load-balancing-method)
 
 
 ### Health Checks
@@ -1610,7 +1610,7 @@ Only one of `http_health_check`, `tcp_health_check`, or `grpc_health_check` may
 - [HTTP](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/health_check.proto#envoy-v3-api-msg-config-core-v3-healthcheck-httphealthcheck)
 - [GRPC](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/health_check.proto#envoy-v3-api-msg-config-core-v3-healthcheck-grpchealthcheck)
 
-See [Load Balancing](/docs/topics/load-balancing) for example [configurations](/docs/topics/load-balancing.html#active-health-checks).
+See [Load Balancing](/docs/topics/load-balancing) for example [configurations](/docs/topics/load-balancing.md#active-health-checks).
 
 
 ### Websocket Connections