update docs (#1645)

2025-06-01 10:22:43 +02:00 · 2020-12-03 08:29:17 -08:00 · 2020-12-03 08:29:17 -08:00 · 0cdd727d5e
commit 0cdd727d5e
parent 23249c8df9
16 changed files with 128 additions and 221 deletions
--- a/docs/.vuepress/config.js
+++ b/docs/.vuepress/config.js
@ -61,18 +61,18 @@ module.exports = {
    sidebar: {
      "/docs/": [
        {
-          title: "",
+          title: "Overview",
          type: "group",
          collapsable: false,
          sidebarDepth: 0,
          children: [
            "",
-            "background",
-            "releases",
            "installation",
+            "architecture",
+            "background",
+            "FAQ",
            "upgrading",
            "CHANGELOG",
-            "FAQ",
          ],
        },
        {
@ -85,7 +85,6 @@ module.exports = {
            "quick-start/",
            "quick-start/binary",
            "quick-start/helm",
-            "quick-start/kubernetes",
            "quick-start/synology",
            "quick-start/from-source",
          ],
@ -156,7 +155,7 @@ module.exports = {
            "kubernetes-dashboard",
            "local-oidc",
            "mtls",
-            'nginx',
+            "nginx",
            "tiddlywiki",
            "traefik-ingress",
            "vs-code-server",
--- a/docs/docs/FAQ.md
+++ b/docs/docs/FAQ.md
@ -1,5 +1,5 @@
 ---
-title: Troubleshooting
+title: FAQ
 lang: en-US
 meta:
  - name: keywords
--- a/docs/docs/architecture.md
+++ b/docs/docs/architecture.md
@ -0,0 +1,56 @@
+---
+title: Architecture
+lang: en-US
+sidebarDepth: 0
+meta:
+  - name: keywords
+    content: >-
+      pomerium architecture
+---
+
+## Architecture
+
+### System Level
+
+Pomerium sits between end users and services requiring strong authentication. After verifying identity with your identity provider (IdP), Pomerium uses a configurable policy to decide how to route your user's request and if they are authorized to access the service.
+
+![pomerium architecture diagram](./img/pomerium-system-context.svg)
+
+### Component Level
+
+Pomerium is composed of 4 logical components:
+
+- Proxy Service
+  - All user traffic flows through the proxy
+  - Verifies all requests with Authentication service
+  - Directs users to Authentication service to establish session identity
+  - Processes policy to determine external/internal route mappings
+- Authentication Service
+  - Handles authentication flow to your IdP as needed
+  - Handles identity verification after initial Authentication
+  - Establishes user session cookie
+  - Stores user OIDC tokens in cache service
+- Authorization Service
+  - Processes policy to determine permissions for each service
+  - Handles authorization check for all user sessions
+  - Directs Proxy service to initiate Authentication flow as required
+  - Provides additional security releated headers for upstream services to consume
+- Cache Service
+  - Retrieves identity provider related data such as group membership
+  - Stores and refreshes identity provider access and refresh tokens
+  - Provides streaming authoritative session and identity data to Authorize service
+  - Stores session and identity data in persistent storage
+
+In production deployments, it is recommended that you deploy each component separately. This allows you to limit external attack surface, as well as scale and manage the services independently.
+
+In test deployments, all four components may run from a single binary and configuration.
+
+![pomerium architecture diagram](./img/pomerium-container-context.svg)
+
+### Authentication Flow
+
+Pomerium's internal and external component interactions during full authentication from a fresh user are diagramed below.
+
+After initial authentication to provide a session token, only the authorization check interactions occur.
+
+[![pomerium architecture diagram](./img/pomerium-auth-flow.svg)](/pomerium-auth-flow.svg)
--- a/docs/docs/community/security.md
+++ b/docs/docs/community/security.md
@ -11,7 +11,7 @@ meta:

 We deeply appreciate any effort to discover and disclose security vulnerabilities responsibly.

-If you would like to report a vulnerability, or have any security concerns, please e-mail info@pomerium.io or reach out on [keybase](https://keybase.io/bdesimone).
+If you would like to report a vulnerability, or have any security concerns, please e-mail security@pomerium.com or reach out on [keybase](https://keybase.io/bdesimone).

 Though we accept PGP-encrypted email, please only use it for critical security reports.

--- a/docs/docs/identity-providers/cognito.md
+++ b/docs/docs/identity-providers/cognito.md
@ -1,5 +1,5 @@
 ---
-title: AWS Cognito
+title: Cognito
 lang: en-US
 # sidebarDepth: 0
 meta:
@ -7,7 +7,7 @@ meta:
    content: amazon aws cognito open-id oidc
 ---

-# AWS Cognito
+# Cognito

 This document describes the use of AWS Cognito as an identity provider with Pomerium.

--- a/docs/docs/identity-providers/google.md
+++ b/docs/docs/identity-providers/google.md
@ -1,13 +1,13 @@
 ---
-title: Google / GSuite
+title: Google
 lang: en-US
 sidebarDepth: 0
 meta:
  - name: keywords
-    content: google gsuite gmail oidc openid-connect
+    content: google gsuite gmail oidc openid-connect workspaces
 ---

-# Google
+# Google Workspace (formerly known as G Suite)

 Log in to your Google account and go to the [APIs & services](https://console.developers.google.com/projectselector/apis/credentials). Navigate to **Credentials** using the left-hand menu.

@ -27,10 +27,10 @@ Click the button on the banner to go to the consent screen configuration. If all

 On the **Create [Client ID]** page, select **Web application**. In the new fields that display, set the following parameters:

-| Field        | Description                                                              |
-| ------------ | ------------------------------------------------------------------------ |
-| Name         | The name of your web app                                                 |
-| Redirect URI | Redirect URL (e.g.`https://${authenticate_service_url}/oauth2/callback`) |
+Field        | Description
+------------ | ------------------------------------------------------------------------
+Name         | The name of your web app
+Redirect URI | Redirect URL (e.g.`https://${authenticate_service_url}/oauth2/callback`)

 ![Web App Credentials Configuration](./img/google-create-client-id-config.png)

--- a/docs/docs/installation.md
+++ b/docs/docs/installation.md
@ -1,21 +1,21 @@
 ---
-title: Installation
+title: Download
 sidebarDepth: 2
-description: >-
-  This article describes various ways to install pomerium
+description: This article describes various ways to install pomerium
 ---

-# Installation
-
-## Overview
+# Releases

 Pomerium is shipped in multiple formats and architectures to suit a variety of deployment patterns. There are two binaries:

-`pomerium` is the server component.  It is a monolithic binary that can perform the function of any [services mode](/reference/#service-mode), depending on configuration.
+- `pomerium` is the primary server component. It is a monolithic binary that can perform the function of any [services mode](/reference/#service-mode).
+- `pomerium-cli` (optional) is a command-line client for working with Pomerium.  Functions include generating service accounts, and acting as an authentication helper for tools like [kubtctl](topics/kubernetes-integration.md).

-`pomerium-cli` is the user component.  It is a similarly monolithic binary handling user facing capabilities such as pomerium service account creation and authentication helper functions.

-## Pomerium
+[[toc]]
+
+
+## pomerium

 - Supported Operating Systems: `linux`, `darwin`
 - Supported Architectures: `amd64`, `arm64`
@ -59,15 +59,15 @@ Pomerium utilizes a [minimal](https://github.com/GoogleContainerTools/distroless

 - `:master` : which will pull an image in sync with git's [master](https://github.com/pomerium/pomerium/tree/master) branch.

-```shell
-docker pull pomerium/pomerium:latest
-```
+  ```bash
+  docker pull pomerium/pomerium:latest
+  ```

 ### Helm

-Pomerium maintains a [helm](https://helm.sh) chart for easy Kubernetes deployment with best practices [https://helm.pomerium.io/](https://helm.pomerium.io/)
+Pomerium maintains a [helm](https://helm.sh) chart for easy Kubernetes deployment with best practices <https://helm.pomerium.io/>

-```shell
+```bash
 helm repo add pomerium https://helm.pomerium.io
 helm install pomerium/pomerium
 ```
@ -77,18 +77,19 @@ See the [README](https://github.com/pomerium/pomerium-helm/blob/master/charts/po
 ### Source

 ::: tip
-Officially supported build platforms are limited by envoy proxy.  If you have an
-enoy binary for your platform in your path at start time, `pomerium` should function correctly.
+
+Officially supported build platforms are limited by [envoy proxy](https://www.envoyproxy.io/). If you have an enoy binary for your platform in your path at start time, `pomerium` should function correctly.
+
 :::

-```shell
+```bash
 git clone git@github.com:pomerium/pomerium.git
 cd pomerium
 make
 ./bin/pomerium --version
 ```

-## Pomerium CLI
+## pomerium-cli

 - Supported Operating Systems: `linux`, `darwin`, `windows`, `freebsd`
 - Supported Architectures: `amd64`, `arm64`, `armv6`, `armv7`
@ -104,6 +105,7 @@ VERSION=[desired version]
 curl -L https://github.com/pomerium/pomerium/releases/download/${VERSION}/pomerium-cli-${OS}-${ARCH}.tar.gz \
    | tar -z -x
 ```
+
 ### Packages

 - Supported formats: `rpm`, `deb`
@ -125,3 +127,17 @@ cd pomerium
 make
 ./bin/pomerium-cli --help
 ```
+
+## Release cycle
+
+The current release cycle is aligned on a monthly basis. Pre-`1.0.0` we target a `MINOR` release on or around the **first day of each month**. We try to hit the targets as closely as possible, while still delivering a quality release.
+
+Pomerium uses [Semantic Versioning](https://semver.org/). In practice this means for a given version number **vMAJOR**.**MINOR**.**PATCH** (e.g. `v0.1.0`):
+
+- **MAJOR** indicates an incompatible API change,
+- **MINOR** indicates a new functionality in a backwards-compatible manner, and
+- **PATCH** indicates a backwards-compatible bug fixe.
+
+As Pomerium is still pre-`v1.0.0`, breaking changes between releases should be expected.
+
+To see difference between releases, please refer to the changelog and upgrading documents.
--- a/docs/docs/quick-start/binary.md
+++ b/docs/docs/quick-start/binary.md
@ -29,18 +29,11 @@ Create a config file (`config.yaml`). This file will be used to determine Pomeri

 <<< @/examples/config/config.minimal.yaml

-### Environmental Variables
-
-As mentioned above, Pomerium supports mixing and matching configuration. For example, we can specify our secret values and domains certificates as [environmental configuration variables], and set the rest as part of the configuration file.
-
-<<< @/examples/config/config.minimal.env
-
 ## Run

 Finally, source the configuration `env` file and run pomerium specifying the `config.yaml` .

 ```bash
-source ./env
 ./bin/pomerium -config config.yaml
 ```

@ -50,8 +43,6 @@ Browse to `external-httpbin.your.domain.example`. Connections between you and [h

 [configuration variables]: ../../reference/readme.md
 [download]: https://github.com/pomerium/pomerium/releases
-[environmental configuration variables]: https://12factor.net/config
 [httpbin]: https://httpbin.org/
 [identity provider]: ../identity-providers/
-[make]: https://en.wikipedia.org/wiki/Make_(software)
 [tls certificates]: ../topics/certificates.md
--- a/docs/docs/quick-start/helm.md
+++ b/docs/docs/quick-start/helm.md
@ -1,5 +1,5 @@
 ---
-title: Helm
+title: Kubernetes / Helm
 lang: en-US
 meta:
  - name: keywords
--- a/docs/docs/quick-start/kubernetes.md
+++ b/docs/docs/quick-start/kubernetes.md
@ -1,71 +0,0 @@
---
-title: Kubernetes
-lang: en-US
-meta:
-  - name: keywords
-    content: pomerium identity-access-proxy oidc kubernetes reverse-proxy
---
-
-# Pomerium using Kubernetes
-
-This quickstart will cover how to deploy Pomerium with Kubernetes.
-
-## Prerequisites
-
- A configured [identity provider]
- [TLS certificates]
- A [Google Cloud Account](https://console.cloud.google.com/)
- [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/)
- [Google Cloud SDK](https://cloud.google.com/kubernetes-engine/docs/quickstart)
-
-## Download
-
-Retrieve the latest copy of pomerium's source-code by cloning the repository.
-
-```bash
-git clone https://github.com/pomerium/pomerium.git $HOME/pomerium
-cd $HOME/pomerium/examples/kubernetes
-```
-
-## Configure
-
-Edit [./kubernetes_gke.sh] making sure to change the identity provider secret value to match your [identity provider] and [TLS certificates] settings.
-
-<<<@/examples/kubernetes/kubernetes_gke.sh
-
-## Run
-
-Run [./kubernetes_gke.sh] which will:
-
-1. Provision a new cluster.
-2. Create authenticate, authorize, and proxy [deployments](https://cloud.google.com/kubernetes-engine/docs/concepts/deployment).
-3. Provision and apply authenticate, authorize, and proxy [services](https://cloud.google.com/kubernetes-engine/docs/concepts/service).
-4. Configure an ingress load balancer.
-
-```bash
-cd $HOME/pomerium/docs/configuration/examples/kubernetes
-sh ./kubernetes_gke.sh
-```
-
-You should see roughly the following in your terminal. Note, provisioning does take a few minutes.
-
-[![asciicast](https://asciinema.org/a/223821.svg)](https://asciinema.org/a/223821)
-
-And if you check out Google's Kubernetes Engine dashboard you'll see something like:
-
-![Google's Kubernetes Engine dashboard](./img/kubernetes-gke.png)
-
-## Navigate
-
-Open a browser and navigate to `httpbin.your.domain.example`.
-
-You can also navigate to the special pomerium endpoint `httpbin.your.domain.example/.pomerium/` to see your current user details.
-
-![currently logged in user](./img/logged-in-as.png)
-
-[./kubernetes_gke.sh]: https://github.com/pomerium/pomerium/tree/master/examples
-[example kubernetes files]: https://github.com/pomerium/pomerium/tree/master/examples
-[identity provider]: ../identity-providers/readme.md
-[letsencrypt]: https://letsencrypt.org/
-[script]: https://github.com/pomerium/pomerium/blob/master/scripts/generate_wildcard_cert.sh
-[tls certificates]: ../topics/certificates.md
--- a/docs/docs/quick-start/synology.md
+++ b/docs/docs/quick-start/synology.md
@ -23,7 +23,7 @@ Pomerium is lightweight, can easily handle hundreds of concurrent requests, and

 - A [docker-capable] synology product
 - A [Google Cloud Account](https://console.cloud.google.com/)
- A configured Google OAuth2 [identity provider]
+- A configured [identity provider]
 - [TLS certificates][certificate documentation]

 Though any supported [identity provider] would work, this guide uses google.
@ -181,7 +181,6 @@ COOKIE_SECRET            | output of `head -c32 /dev/urandom
 AUTHENTICATE_SERVICE_URL | `https://authenticate.int.nas.example`
 SHARED_SECRET            | output of `head -c32 /dev/urandom                               | base64`

-
 For a detailed explanation, and additional options, please refer to the [configuration variable docs]. Also note, though not covered in this guide, settings can be made via a mounted configuration file.

 Click **Launch**.
--- a/docs/docs/readme.md
+++ b/docs/docs/readme.md
@ -1,15 +1,17 @@
 ---
-title: Overview
+title: What is Pomerium?
 lang: en-US
 sidebarDepth: 0
 meta:
  - name: keywords
-    content: pomerium overview identity-access-proxy beyondcorp zero-trust reverse-proxy ztn zero-trust-networks
+    content: >-
+      pomerium overview identity-access-proxy beyondcorp zero-trust
+      reverse-proxy ztn zero-trust-networks
 ---

-# Overview
+# What is Pomerium

-## What is Pomerium?
+## Overview?

 Pomerium is an identity-aware proxy that enables secure access to internal applications. Pomerium provides a standardized interface to add access control to applications regardless of whether the application itself has authorization or authentication baked-in. Pomerium gateways both internal and external requests, and can be used in situations where you'd typically reach for a VPN.

@ -27,66 +29,17 @@ Pomerium can be used to:
  - [Custom applications](/docs/topics/getting-users-identity.md)
 - provide a **VPN alternative**.

-## Architecture
+## Demo

-### System Level
+To make this a bit more concrete, click the image thumbnail to see a short youtube demo:

-Pomerium sits between end users and services requiring strong authentication. After verifying identity with your identity provider (IdP), Pomerium uses a configurable policy to decide how to route your user's request and if they are authorized to access the service.
+[![demo](https://img.youtube.com/vi/ddmrkvBSO60/0.jpg)](https://www.youtube.com/watch?v=ddmrkvBSO60 "Pomerium demo")

-<img alt="pomerium architecture diagram" src="./img/pomerium-system-context.svg" width="65%">
+The above video shows the flow for both an unauthorized and authorized user.

-### Component Level
-
-Pomerium is composed of 4 logical components:
-
- Proxy Service
-  - All user traffic flows through the proxy
-  - Verifies all requests with Authentication service
-  - Directs users to Authentication service to establish session identity
-  - Processes policy to determine external/internal route mappings
- Authentication Service
-  - Handles authentication flow to your IdP as needed
-  - Handles identity verification after initial Authentication
-  - Establishes user session cookie
-  - Stores user OIDC tokens in cache service
- Authorization Service
-  - Processes policy to determine permissions for each service
-  - Handles authorization check for all user sessions
-  - Directs Proxy service to initiate Authentication flow as required
-  - Provides additional security releated headers for upstream services to consume
- Cache Service
-  - Retrieves identity provider related data such as group membership
-  - Stores and refreshes identity provider access and refresh tokens
-  - Provides streaming authoritative session and identity data to Authorize service
-  - Stores session and identity data in persistent storage
-
-In production deployments, it is recommended that you deploy each component separately. This allows you to limit external attack surface, as well as scale and manage the services independently.
-
-In test deployments, all four components may run from a single binary and configuration.
-
-<img alt="pomerium architecture diagram" src="./img/pomerium-container-context.svg" width="65%">
-
-### Authentication Flow
-
-Pomerium's internal and external component interactions during full authentication from a fresh user are diagramed below.
-
-After initial authentication to provide a session token, only the authorization check interactions occur.
-
-<a href="/pomerium-auth-flow.svg">
-<img alt="pomerium architecture diagram" src="./img/pomerium-auth-flow.svg">
-</a>
-
-## In action
-
-To make this a bit more concrete, see the following short video which demonstrates:
-
-1. An **unauthorized** user authenticating with their corporate single-sign-on provider (in this case Google)
-2. The **unauthorized** user being blocked from a protected resource.
-3. The **unauthorized** user signing out from their session.
-4. An **authorized** user authenticating with their corporate single-sign-on provider.
+1. An **unauthorized** user authenticates with their corporate single-sign-on provider.
+2. The **unauthorized** user is blocked from a protected resource.
+3. The **unauthorized** user signs out from their session.
+4. An **authorized** user authenticates with their corporate single-sign-on provider.
 5. Pomerium delegating and granting access to the requested resource.
 6. The **authorized** user inspecting their user details including group membership.
-
-<video autoplay="" loop="" muted="" playsinline="" width="100%" height="600" control=""><source src="./img/pomerium-in-action-800-600.mp4" type="video/mp4">
-Your browser does not support the video tag.
-</video>
--- a/docs/docs/releases.md
+++ b/docs/docs/releases.md
@ -1,34 +0,0 @@
-# Releases
-
-## Release Cycle
-
-The current release cycle is aligned on a monthly basis. Pre-`1.0.0` we target a `MINOR` release on or around the **first day of each month**. We try to hit the targets as closely as possible, while still delivering a quality release.
-
-## Versioning
-
-Pomerium uses [Semantic Versioning](https://semver.org/). In practice this means for a given version number **vMAJOR**.**MINOR**.**PATCH** (e.g. `v0.1.0`):
-
- **MAJOR** indicates a incompatible API changes,
- **MINOR** indicates a new functionality in a backwards-compatible manner, and
- **PATCH** indicates a backwards-compatible bug fixe.
-
-As Pomerium is still pre-`v1.0.0`, breaking changes between releases should be expected.
-
-To see difference between releases, please refer to the changelog and upgrading documents.
-
-## Versioned Docs
-
-For convenience, we maintain hosted documentation for each tagged release. The format for which is `https://{MAJOR}-{MINOR}-{PATCH}.docs.pomerium.io`. For example:
-
- [github@master](https://master.docs.pomerium.io/)
- [v0.9.0](https://0-9-0.docs.pomerium.io/)
- [v0.8.0](https://0-8-0.docs.pomerium.io/)
- [v0.7.0](https://0-7-0.docs.pomerium.io/)
- [v0.6.0](https://0-6-0.docs.pomerium.io/)
- [v0.5.0](https://0-5-0.docs.pomerium.io/)
- [v0.4.0](https://0-4-0.docs.pomerium.io/)
- [v0.3.0](https://0-3-0.docs.pomerium.io/)
- [v0.2.0](https://0-2-0.docs.pomerium.io/)
- [v0.1.0](https://0-1-0.docs.pomerium.io/)
- [v0.0.5](https://0-0-5.docs.pomerium.io/)
- [v0.0.4](https://0-0-4.docs.pomerium.io/)
--- a/docs/docs/upgrading.md
+++ b/docs/docs/upgrading.md
@ -11,8 +11,7 @@ description: >-

 ### User impersonation disabled by default

-With the v0.11.0 release, user impersonation by administrators is now disabled by default. To enable this feature, set
-`enable_user_impersonation` to true in the configuration options.
+With the v0.11.0 release, the ability to do user user impersonation is **disabled by default**. To enable user impersonation, set `enable_user_impersonation` to true in the configuration options.

 ### `cache_service_url` has been renamed to `databroker_service_url`

@ -99,7 +98,6 @@ With this release, Pomerium uses an embedded envoy proxy instead hand-written on

 To preserve 0.8.x behavior, you can use the `set_request_headers` option to explicitly set the Host header.

-
 ### Unsupported platforms

 - With this release we now use an embedded [envoy](https://www.envoyproxy.io/) binary as our proxy server. Due to this change we now only build and support Linux and MacOS binaries with the AMD64 architecture. We plan on supporting more platforms and architectures in future releases.
--- a/docs/reference/readme.md
+++ b/docs/reference/readme.md
@ -9,7 +9,7 @@ meta:

 # Configuration Settings

-Pomerium can be configured using a configuration file ([YAML]/[JSON]/[TOML]) or [environmental variables]. In general, environmental variable keys are identical to config file keys but are in uppercase. If you are coming from a kubernetes or docker background this should feel familiar. If not, check out the following primers.
+Pomerium can be configured using a configuration file ([YAML]/[JSON]/[TOML]) or [environmental variables]. In general, environmental variable keys are identical to config file keys but are uppercase. If you are coming from a kubernetes or docker background this should feel familiar. If not, check out the following primers.

 - [Store config in the environment](https://12factor.net/config)
 - [Kubernetes: Environment variables](https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/)
@ -65,7 +65,7 @@ Enabling user impersonation allows administrators to impersonate other user acco
 - Type: `bool`
 - Optional

-Turning on autocert allows Pomerium to automatically retrieve, manage, and renew public facing TLS certificates from [Let's Encrypt][letsencrypt] for each of your managed routes as well as for the authenticate service. This setting must be used in conjunction with [Autocert Directory](./#autocert-directory) as Autocert must have a place to persist, and share certificate data between services. Note that autocert also provides [OCSP stapling](https://en.wikipedia.org/wiki/OCSP_stapling).
+Turning on autocert allows Pomerium to automatically retrieve, manage, and renew public facing TLS certificates from [Let's Encrypt][letsencrypt] which includes managed routes and the authenticate service. [Autocert Directory](./#autocert-directory) must be used with Autocert must have a place to persist, and share certificate data between services. Note that autocert also provides [OCSP stapling](https://en.wikipedia.org/wiki/OCSP_stapling).

 This setting can be useful in situations where you may not have Pomerium behind a TLS terminating ingress or proxy that is already handling your public certificates on your behalf.

--- a/docs/reference/settings.yaml
+++ b/docs/reference/settings.yaml
@ -10,7 +10,7 @@ preamble: |

  # Configuration Settings

-  Pomerium can be configured using a configuration file ([YAML]/[JSON]/[TOML]) or [environmental variables]. In general, environmental variable keys are identical to config file keys but are in uppercase. If you are coming from a kubernetes or docker background this should feel familiar. If not, check out the following primers.
+  Pomerium can be configured using a configuration file ([YAML]/[JSON]/[TOML]) or [environmental variables]. In general, environmental variable keys are identical to config file keys but are uppercase. If you are coming from a kubernetes or docker background this should feel familiar. If not, check out the following primers.

  - [Store config in the environment](https://12factor.net/config)
  - [Kubernetes: Environment variables](https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/)
@ -86,7 +86,7 @@ settings:
          - Type: `bool`
          - Optional
        doc: |
-          Turning on autocert allows Pomerium to automatically retrieve, manage, and renew public facing TLS certificates from [Let's Encrypt][letsencrypt] for each of your managed routes as well as for the authenticate service. This setting must be used in conjunction with [Autocert Directory](./#autocert-directory) as Autocert must have a place to persist, and share certificate data between services. Note that autocert also provides [OCSP stapling](https://en.wikipedia.org/wiki/OCSP_stapling).
+          Turning on autocert allows Pomerium to automatically retrieve, manage, and renew public facing TLS certificates from [Let's Encrypt][letsencrypt] which includes managed routes and the authenticate service.  [Autocert Directory](./#autocert-directory) must be used with Autocert must have a place to persist, and share certificate data between services. Note that autocert also provides [OCSP stapling](https://en.wikipedia.org/wiki/OCSP_stapling).

          This setting can be useful in situations where you may not have Pomerium behind a TLS terminating ingress or proxy that is already handling your public certificates on your behalf.