3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-06-08 22:03:29 +02:00
Code Issues Projects Releases Packages Wiki Activity

doc updates (#2433)

Browse source 
* remove reference to EdDSA, fix numbering, typo

* fix ppl example

* update jwt verification routes

* update kubernetes route

* update local oidc routes

* update mtls routes

* fix transmission policy

* policy -> routes

* update settings

* fix has

* update numbering
This commit is contained in:
Caleb Doxsey 2021-08-04 16:00:31 -06:00 committed by GitHub
parent 5332a752d0
commit 0d3ef4564e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
11 changed files with 40 additions and 24 deletions
Download patch file Download diff file Expand all files Collapse all files

8
docs/docs/topics/getting-users-identity.md
View file

@ -12,7 +12,7 @@ This article describes how to retrieve a user's identity from a pomerium managed
To secure your app with signed headers, you'll need the following: To secure your app with signed headers, you'll need the following:
- An application you want users to connect to. - An application you want users to connect to.
- A [JWT] library. We strongly recommend using `ES256` or `EdDSA` over `RSA` based algorithms which are often much faster. When in doubt, use `ES256` - A [JWT] library. We strongly recommend using `ES256` over `RSA` based algorithms which are often much faster. When in doubt, use `ES256`
## Verification ## Verification
@ -69,7 +69,7 @@ $ curl https://authenticate.int.example.com/.well-known/pomerium/jwks.json | jq
Though you will very likely be verifying signed-headers programmatically in your application's middleware, and using a third-party JWT library, if you are new to JWT it may be helpful to show what manual verification looks like. Though you will very likely be verifying signed-headers programmatically in your application's middleware, and using a third-party JWT library, if you are new to JWT it may be helpful to show what manual verification looks like.
1\. Provide pomerium with a base64 encoded Elliptic Curve ([NIST P-256] aka [secp256r1] aka prime256v1) Private Key. In production, you'd likely want to get these from your KMS. 1. Provide pomerium with a base64 encoded Elliptic Curve ([NIST P-256] aka [secp256r1] aka prime256v1) Private Key. In production, you'd likely want to get these from your KMS.
```bash ```bash
# see ./scripts/generate_self_signed_signing_key.sh # see ./scripts/generate_self_signed_signing_key.sh
@ -85,13 +85,13 @@ Copy the base64 encoded value of your private key to `pomerium-proxy`'s environm
SIGNING_KEY=ZxqyyIPPX0oWrrOwsxXgl0hHnTx3mBVhQ2kvW1YB4MM= SIGNING_KEY=ZxqyyIPPX0oWrrOwsxXgl0hHnTx3mBVhQ2kvW1YB4MM=
``` ```
1. Reload `pomerium-proxy`. Navigate to httpbin (by default, `https://httpbin.corp.${YOUR-DOMAIN}.com`), and login as usual. Click **request inspection**. Select `/headers'. Click **try it out** and then **execute**. You should see something like the following. 1. Reload `pomerium-proxy`. Navigate to httpbin (by default, `https://httpbin.corp.${YOUR-DOMAIN}.com`), and login as usual. Click **request inspection**. Select `/headers`. Click **try it out** and then **execute**. You should see something like the following.
![httpbin displaying jwt headers](./img/inspect-headers.png) ![httpbin displaying jwt headers](./img/inspect-headers.png)
1. `X-Pomerium-Jwt-Assertion` is the signature value. It's less scary than it looks and basically just a compressed, json blob as described above. Navigate to [jwt.io] which provides a helpful GUI to manually verify JWT values. 1. `X-Pomerium-Jwt-Assertion` is the signature value. It's less scary than it looks and basically just a compressed, json blob as described above. Navigate to [jwt.io] which provides a helpful GUI to manually verify JWT values.
2. Paste the value of `X-Pomerium-Jwt-Assertion` header token into the `Encoded` form. You should notice that the decoded values look much more familiar. 1. Paste the value of `X-Pomerium-Jwt-Assertion` header token into the `Encoded` form. You should notice that the decoded values look much more familiar.
![httpbin displaying decoded jwt](./img/verifying-headers-1.png) ![httpbin displaying decoded jwt](./img/verifying-headers-1.png)

2
docs/docs/topics/tcp-support.md
View file

@ -39,7 +39,7 @@ routes:
- email: - email:
is: contractor@not-example.com is: contractor@not-example.com
- groups: - groups:
has: ["datascience@example.com"] has: "datascience@example.com"
``` ```
Notes: Notes:

9
docs/guides/jwt-verification.md
View file

@ -206,11 +206,14 @@ cookie_secret: WwMtDXWaRDMBQCylle8OJ+w4kLIDIGd8W3cB4/zFFtg=
shared_secret: WwMtDXWaRDMBQCylle8OJ+w4kLIDIGd8W3cB4/zFFtg= shared_secret: WwMtDXWaRDMBQCylle8OJ+w4kLIDIGd8W3cB4/zFFtg=
signing_key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUdxWllpVzJycVo3TUdKTGp4bnNZVWJJcmZxNFdwR044RlgzQVh2UnRjSHdvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFYVd1UkNKMjFrL2JvUjNNRytPOVlHQjNXR0R1anVXMHFLVWhucUVwVS9JKzFoZmhuZEJ0WApDZGFpaGVGb0FOWXVCRUp3MFZhRml6QnVZb3l5RVAzOXBRPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo= signing_key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUdxWllpVzJycVo3TUdKTGp4bnNZVWJJcmZxNFdwR044RlgzQVh2UnRjSHdvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFYVd1UkNKMjFrL2JvUjNNRytPOVlHQjNXR0R1anVXMHFLVWhucUVwVS9JKzFoZmhuZEJ0WApDZGFpaGVGb0FOWXVCRUp3MFZhRml6QnVZb3l5RVAzOXBRPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
policy: routes:
- from: https://verify.localhost.pomerium.io - from: https://verify.localhost.pomerium.io
to: http://envoy-jwt-checker:10000 to: http://envoy-jwt-checker:10000
allowed_domains: policy:
- pomerium.com - allow:
or:
- domain:
is: pomerium.com
pass_identity_headers: true pass_identity_headers: true
``` ```

7
docs/guides/kubernetes.md
View file

@ -194,8 +194,11 @@ The policy should be a base64-encoded block of yaml:
to: https://kubernetes.default.svc to: https://kubernetes.default.svc
tls_skip_verify: true tls_skip_verify: true
allow_spdy: true allow_spdy: true
allowed_domains: policy:
- pomerium.com - allow:
or:
- domain:
is: pomerium.com
kubernetes_service_account_token: "..." #$(kubectl get secret/"$(kubectl get serviceaccount/pomerium -o json | jq -r '.secrets[0].name')" -o json | jq -r .data.token | base64 -d) kubernetes_service_account_token: "..." #$(kubectl get secret/"$(kubectl get serviceaccount/pomerium -o json | jq -r '.secrets[0].name')" -o json | jq -r .data.token | base64 -d)
``` ```

9
docs/guides/local-oidc.md
View file

@ -78,11 +78,14 @@ idp_client_secret: bar
cookie_secret: <reducted> cookie_secret: <reducted>
# https://www.pomerium.io/configuration/#policy # https://www.pomerium.io/configuration/#policy
policy: routes:
- from: https://verify.localhost.pomerium.io - from: https://verify.localhost.pomerium.io
to: http://verify to: http://verify
allowed_domains: policy:
- example.org - allow:
or:
- domain:
is: example.org
``` ```
### identityprovider.json ### identityprovider.json

7
docs/guides/mtls.md
View file

@ -73,10 +73,13 @@ idp_provider: "google"
idp_client_id: YOUR_CLIENT_ID idp_client_id: YOUR_CLIENT_ID
idp_client_secret: YOUR_SECRET idp_client_secret: YOUR_SECRET
policy: routes:
- from: "https://verify.localhost.pomerium.io:8443" - from: "https://verify.localhost.pomerium.io:8443"
to: "https://verify.org" to: "https://verify.org"
allow_public_unauthenticated_access: true policy:
- allow:
or:
- accept: true
``` ```
Start Pomerium with: Start Pomerium with:

4
docs/guides/transmission.md
View file

@ -40,7 +40,7 @@ In addition to a working instance of Pomerium, have ready the [private IP addres
Edit your `config.yaml` file to add the following policy. Note that `<>` denotes placeholder values that must be replaced if copying this config directly: Edit your `config.yaml` file to add the following policy. Note that `<>` denotes placeholder values that must be replaced if copying this config directly:
```yml ```yml
policy: routes:
- from: https://<transmission.mydomain.com> # Replace with the domain you want to use to access Transmission - from: https://<transmission.mydomain.com> # Replace with the domain you want to use to access Transmission
to: http://<private.ip.address>:9091 # Replace with the private network address of the Transmission host, or `localhost` if running on the same host. to: http://<private.ip.address>:9091 # Replace with the private network address of the Transmission host, or `localhost` if running on the same host.
policy: policy:
@ -49,7 +49,7 @@ policy:
- email: - email:
is: myUser@mydomain.com # Replace with authorized user(s), or remove if using group permissions only. is: myUser@mydomain.com # Replace with authorized user(s), or remove if using group permissions only.
- groups: - groups:
has: ["<transmission-users>"] # Replace with authorized user group(s), or remove if using user permissions only. has: "<transmission-users>" # Replace with authorized user group(s), or remove if using user permissions only.
``` ```
Remember to restart the Pomerium instance after saving your changes. Remember to restart the Pomerium instance after saving your changes.

2
docs/reference/readme.md
View file

@ -1641,7 +1641,7 @@ If set, enables proxying of websocket connections.
- Required - Required
- Example: `https://authorize.corp.example.com` - Example: `https://authorize.corp.example.com`
Authorize Service URL is the location of the internally accessible authorize service. Multiple URLs can be specified with `authorize_service_url`. Authorize Service URL is the location of the internally accessible authorize service. Multiple URLs can be specified with `authorize_service_urls`.
### Google Cloud Serverless Authentication Service Account ### Google Cloud Serverless Authentication Service Account

2
docs/reference/settings.yaml
View file

@ -1782,7 +1782,7 @@ settings:
- Required - Required
- Example: `https://authorize.corp.example.com` - Example: `https://authorize.corp.example.com`
doc: | doc: |
Authorize Service URL is the location of the internally accessible authorize service. Multiple URLs can be specified with `authorize_service_url`. Authorize Service URL is the location of the internally accessible authorize service. Multiple URLs can be specified with `authorize_service_urls`.
shortdoc: | shortdoc: |
Authorize Service URL is the location of the internally accessible authorize service. Authorize Service URL is the location of the internally accessible authorize service.
- name: "Google Cloud Serverless Authentication Service Account" - name: "Google Cloud Serverless Authentication Service Account"

6
examples/config/config.example.yaml
View file

@ -100,11 +100,13 @@ routes:
- email: - email:
is: bdd@pomerium.io is: bdd@pomerium.io
- groups: - groups:
has: ["admins", "developers"] has: "admins"
- groups:
has: "developers"
- from: https://hello.localhost.pomerium.io - from: https://hello.localhost.pomerium.io
to: http://localhost:8080 to: http://localhost:8080
policy: policy:
- allow: - allow:
or: or:
- groups: - groups:
has: ["admins@pomerium.io"] has: "admins@pomerium.io"

6
examples/config/route.example.yaml
View file

@ -31,11 +31,13 @@ routes:
- email: - email:
is: bdd@pomerium.io is: bdd@pomerium.io
- groups: - groups:
has: ["admins", "developers"] has: "admins"
- groups:
has: "developers"
- from: https://hello.localhost.pomerium.io - from: https://hello.localhost.pomerium.io
to: http://localhost:8080 to: http://localhost:8080
policy: policy:
- allow: - allow:
or: or:
- groups: - groups:
has: ["admins@pomerium.io"] has: "admins@pomerium.io"