diff --git a/.devcontainer/envs/nginx.yaml b/.devcontainer/envs/nginx.yaml index c79504f35..0dc77c0f2 100644 --- a/.devcontainer/envs/nginx.yaml +++ b/.devcontainer/envs/nginx.yaml @@ -7,14 +7,14 @@ services: - "80:80" - "443:443" volumes: - - ../../examples/nginx/httpbin.conf:/etc/nginx/conf.d/httpbin.conf + - ../../examples/nginx/verify.conf:/etc/nginx/conf.d/verify.conf - ../../examples/nginx/pomerium.conf:/etc/nginx/conf.d/pomerium.conf - ../../examples/nginx/proxy.conf:/etc/nginx/proxy.conf - ../../examples/nginx/_wildcard.localhost.pomerium.io.pem:/etc/nginx/nginx.pem - ../../examples/nginx/_wildcard.localhost.pomerium.io-key.pem:/etc/nginx/nginx-key.pem - httpbin: - image: kennethreitz/httpbin:latest + verify: + image: pomerium/verify expose: - 80 diff --git a/.devcontainer/envs/traefik.yaml b/.devcontainer/envs/traefik.yaml index 8111d413d..483222e5f 100644 --- a/.devcontainer/envs/traefik.yaml +++ b/.devcontainer/envs/traefik.yaml @@ -18,18 +18,18 @@ services: volumes: - /var/run/docker.sock:/var/run/docker.sock - httpbin: - image: kennethreitz/httpbin:latest + verify: + image: pomerium/verify:latest labels: - "traefik.http.middlewares.pomerium.forwardauth.authResponseHeaders=X-Pomerium-Claim-Email,X-Pomerium-Claim-User,X-Pomerium-Claim-Groups,X-Pomerium-Jwt-Assertion" - "traefik.http.middlewares.pomerium.forwardauth.address=http://pomerium/" - "traefik.http.middlewares.pomerium.forwardauth.trustForwardHeader=true" - - "traefik.http.routers.httpbin.middlewares=pomerium@docker" + - "traefik.http.routers.verify.middlewares=pomerium@docker" - "traefik.enable=true" - - "traefik.http.routers.httpbin.rule=Host(`httpbin.localhost.pomerium.io`)" - - "traefik.http.routers.httpbin.entrypoints=websecure" - - "traefik.http.routers.httpbin.tls=true" + - "traefik.http.routers.verify.rule=Host(`verify.localhost.pomerium.io`)" + - "traefik.http.routers.verify.entrypoints=websecure" + - "traefik.http.routers.verify.tls=true" pomerium: build: ../. 
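Review bot: The replacement image is referenced by a floating tag in both dev-container files: `image: pomerium/verify` in .devcontainer/envs/nginx.yaml resolves to `latest` implicitly, and .devcontainer/envs/traefik.yaml spells out `pomerium/verify:latest`. Whatever is published under that tag at pull time is what runs behind the proxy and, in the traefik file, receives the headers listed in `authResponseHeaders`, so pin both to a release tag or digest, e.g. `image: pomerium/verify@sha256:<digest>` (placeholder), and use the same form in both files. The compose samples changed in docs/guides/local-oidc.md and docs/reference/settings.yaml carry the same unpinned reference. Both service definitions continue outside their hunks.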
diff --git a/docs/docs/community/contributing.md b/docs/docs/community/contributing.md index 6262531e0..5fd3b2236 100644 --- a/docs/docs/community/contributing.md +++ b/docs/docs/community/contributing.md @@ -89,7 +89,7 @@ We use [Netlify](https://www.netlify.com) to build and host our docs. One of nic [configuration variables]: ../../reference/readme.md [download]: https://github.com/pomerium/pomerium/releases [environmental configuration variables]: https://12factor.net/config -[httpbin]: https://httpbin.org/ +[verify]: https://verify.pomerium.com/ [identity provider]: ../identity-providers/readme.md [make]: https://en.wikipedia.org/wiki/Make_(software) [tls certificates]: ../topics/certificates.md diff --git a/docs/docs/quick-start/binary.md b/docs/docs/quick-start/binary.md index d39d3d396..bae817137 100644 --- a/docs/docs/quick-start/binary.md +++ b/docs/docs/quick-start/binary.md @@ -39,10 +39,10 @@ Finally, source the configuration `env` file and run pomerium specifying the `co ## Navigate -Browse to `external-httpbin.your.domain.example`. Connections between you and [httpbin] will now be proxied and managed by Pomerium. +Browse to `external-verify.your.domain.example`. Connections between you and [verify] will now be proxied and managed by Pomerium. [configuration variables]: ../../reference/readme.md [download]: https://github.com/pomerium/pomerium/releases -[httpbin]: https://httpbin.org/ +[verify]: https://verify.pomerium.com/ [identity provider]: ../identity-providers/ [tls certificates]: ../topics/certificates.md diff --git a/docs/docs/quick-start/from-source.md b/docs/docs/quick-start/from-source.md index e0858adc7..cf2a25313 100644 --- a/docs/docs/quick-start/from-source.md +++ b/docs/docs/quick-start/from-source.md 
@@ -69,10 +69,10 @@ make && ./bin/pomerium -config config.yaml ### Navigate -Browse to `httpbin.localhost.pomerium.io`. Connections between you and [httpbin] will now be proxied and managed by Pomerium. +Browse to `verify.localhost.pomerium.io`. Connections between you and [verify] will now be proxied and managed by Pomerium. [configuration variables]: ../../reference/readme.md -[httpbin]: https://httpbin.org/ +[verify]: https://verify.pomerium.com/ [identity provider]: ../identity-providers/ [make]: https://en.wikipedia.org/wiki/Make_(software) [tls certificates]: ../topics/certificates.md diff --git a/docs/docs/quick-start/helm.md b/docs/docs/quick-start/helm.md index eef88c545..95241afd1 100644 --- a/docs/docs/quick-start/helm.md +++ b/docs/docs/quick-start/helm.md @@ -46,9 +46,9 @@ Run [./scripts/helm_gke.sh] which will: ## Navigate -Open a browser and navigate to `httpbin.your.domain.example`. +Open a browser and navigate to `verify.your.domain.example`. -You can also navigate to the special pomerium endpoint `httpbin.your.domain.example/.pomerium/` to see your current user details. +You can also navigate to the special pomerium endpoint `verify.your.domain.example/.pomerium/` to see your current user details. ![currently logged in user](./img/logged-in-as.png) diff --git a/docs/docs/quick-start/readme.md b/docs/docs/quick-start/readme.md index 148087b42..a97c85f67 100644 --- a/docs/docs/quick-start/readme.md +++ b/docs/docs/quick-start/readme.md 
@@ -58,11 +58,11 @@ Finally, simply run docker compose. docker-compose up ``` -Docker will automatically download the required [container images] for Pomerium and [httpbin]. Then, Pomerium will run with the configuration details set in the previous steps. +Docker will automatically download the required [container images] for Pomerium and [verify]. Then, Pomerium will run with the configuration details set in the previous steps. -You should now be able access to the routes (e.g. `https://httpbin.corp.yourdomain.example`) as specified in your policy file. +You should now be able access to the routes (e.g. `https://verify.localhost.pomerium.io`) as specified in your policy file. -You can also navigate to the special pomerium endpoint `httpbin.corp.yourdomain.example/.pomerium/` to see your current user details. +You can also navigate to the special pomerium endpoint `verify.corp.yourdomain.example/.pomerium/` to see your current user details. ![currently logged in user](./img/logged-in-as.png) @@ -70,6 +70,6 @@ You can also navigate to the special pomerium endpoint `httpbin.corp.yourdomain. [container images]: https://hub.docker.com/r/pomerium/pomerium [docker]: https://docs.docker.com/install/ [docker-compose]: https://docs.docker.com/compose/install/ -[httpbin]: https://httpbin.org/ +[verify]: https://verify.pomerium.com/ [identity provider]: ../identity-providers/readme.md [tls certificates]: ../topics/certificates.md diff --git a/docs/docs/topics/programmatic-access.md b/docs/docs/topics/programmatic-access.md index 754727691..44e9b9df1 100644 --- a/docs/docs/topics/programmatic-access.md +++ b/docs/docs/topics/programmatic-access.md 
@@ -18,9 +18,9 @@ The API returns a cryptographically signed sign-in url that can be used to compl For example: ```bash -$ curl "https://httpbin.example.com/.pomerium/api/v1/login?redirect_uri=http://localhost:8000" +$ curl "https://verify.example.com/.pomerium/api/v1/login?redirect_uri=http://localhost:8000" -https://authenticate.example.com/.pomerium/sign_in?redirect_uri=http%3A%2F%2Flocalhost%3Fpomerium_callback_uri%3Dhttps%253A%252F%252Fhttpbin.corp.example%252F.pomerium%252Fapi%252Fv1%252Flogin%253Fredirect_uri%253Dhttp%253A%252F%252Flocalhost&sig=hsLuzJctmgsN4kbMeQL16fe_FahjDBEcX0_kPYfg8bs%3D&ts=1573262981 +https://authenticate.example.com/.pomerium/sign_in?redirect_uri=http%3A%2F%2Flocalhost%3Fpomerium_callback_uri%3Dhttps%253A%252F%verify.corp.example%252F.pomerium%252Fapi%252Fv1%252Flogin%253Fredirect_uri%253Dhttp%253A%252F%252Flocalhost&sig=hsLuzJctmgsN4kbMeQL16fe_FahjDBEcX0_kPYfg8bs%3D&ts=1573262981 ``` ### Callback handler 
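Review bot: The sample sign-in URL on the new `+https://authenticate.example.com/...` line is no longer validly percent-encoded: the rename consumed part of an escape sequence, leaving `https%253A%252F%verify.corp.example` where the removed line had `https%253A%252F%252Fhttpbin.corp.example`. A bare `%v` is not a valid escape, so the documented `pomerium_callback_uri` does not decode to a URL. Restore the host as `https%253A%252F%252Fverify.corp.example`. The curl line above uses `verify.example.com` while the callback host is `verify.corp.example`; that mismatch was already present before the rename, but aligning the two would make the example easier to follow.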
@@ -35,13 +35,13 @@ Your script or application should anticipate the possibility that your underlyin ## High level workflow -The application interacting with Pomerium must manage the following workflow. Consider the following example where a script or program desires delegated, programmatic access to the domain `httpbin.corp.domain.example`: +The application interacting with Pomerium must manage the following workflow. Consider the following example where a script or program desires delegated, programmatic access to the domain `verify.corp.domain.example`: -1. The script or application requests a new login url from the pomerium managed endpoint (e.g. `https://httpbin.corp.domain.example/.pomerium/api/v1/login`) and takes a `redirect_uri` as an argument. +1. The script or application requests a new login url from the pomerium managed endpoint (e.g. `https://verify.corp.domain.example/.pomerium/api/v1/login`) and takes a `redirect_uri` as an argument. 1. The script or application opens a browser or redirects the user to the returned login page. 1. The user completes the identity providers login flow. 1. The identity provider makes a callback to pomerium's authenticate service (e.g. `authenticate.corp.domain.example`) . -1. Pomerium's authenticate service creates a user session and redirect token, then redirects back to the managed endpoint (e.g. `httpbin.corp.domain.example`) +1. Pomerium's authenticate service creates a user session and redirect token, then redirects back to the managed endpoint (e.g. `verify.corp.domain.example`) 1. Pomerium's proxy service makes a callback request to the original `redirect_uri` with the user session and as an argument. 1. The script or application is responsible for handling that http callback request, and securely handling the callback session (`pomerium_jwt`) queryparam. 1. The script or application can now make any requests as normal to the upstream application by setting the `Authorization: Pomerium ${pomerium_jwt}` header. 
@@ -52,7 +52,7 @@ Please consider see the following minimal but complete python example. ```bash python3 scripts/programmatic_access.py \ - --dst https://httpbin.example.com/headers + --dst https://verify.example.com/headers ``` <<< @/scripts/programmatic_access.py diff --git a/docs/docs/upgrading.md b/docs/docs/upgrading.md index fd5314bf1..05ad75e07 100644 --- a/docs/docs/upgrading.md +++ b/docs/docs/upgrading.md 
@@ -241,15 +241,15 @@ Previous programmatic authentication endpoints (`/api/v1/token`) has been remove ### Forward-auth route change -Previously, routes were verified by taking the downstream applications hostname in the form of a path `(e.g. ${forwardauth}/.pomerium/verify/httpbin.some.example`) variable. The new method for verifying a route using forward authentication is to pass the entire requested url in the form of a query string `(e.g. ${forwardauth}/.pomerium/verify?url=https://httpbin.some.example)` where the routed domain is the value of the `uri` key. +Previously, routes were verified by taking the downstream applications hostname in the form of a path `(e.g. ${forwardauth}/.pomerium/verify/verify.some.example`) variable. The new method for verifying a route using forward authentication is to pass the entire requested url in the form of a query string `(e.g. ${forwardauth}/.pomerium/verify?url=https://verify.some.example)` where the routed domain is the value of the `uri` key. Note that the verification URL is no longer nested under the `.pomerium` endpoint. For example, in nginx this would look like: ```diff -- nginx.ingress.kubernetes.io/auth-url: https://forwardauth.corp.example.com/.pomerium/verify/httpbin.corp.example.com?no_redirect=true -- nginx.ingress.kubernetes.io/auth-signin: https://forwardauth.corp.example.com/.pomerium/verify/httpbin.corp.example.com +- nginx.ingress.kubernetes.io/auth-url: https://forwardauth.corp.example.com/.pomerium/verify/verify.corp.example.com?no_redirect=true +- nginx.ingress.kubernetes.io/auth-signin: https://forwardauth.corp.example.com/.pomerium/verify/verify.corp.example.com + nginx.ingress.kubernetes.io/auth-url: https://forwardauth.corp.example.com/verify?uri=$scheme://$host$request_uri + nginx.ingress.kubernetes.io/auth-signin: https://forwardauth.corp.example.com?uri=$scheme://$host$request_uri ``` 
@@ -324,12 +324,12 @@ Previously, it was allowable to define a policy without a schema (e.g. `http`/`h ```yaml policy: - - from: httpbin.corp.domain.example - to: http://httpbin + - from: verify.corp.domain.example + to: http://verify allowed_domains: - pomerium.io - - from: external-httpbin.corp.domain.example - to: https://httpbin.org + - from: external-verify.corp.domain.example + to: https://verify.pomerium.com allow_public_unauthenticated_access: true ``` @@ -337,12 +337,12 @@ Should now be: ```yaml policy: - - from: https://httpbin.corp.domain.example - to: http://httpbin + - from: https://verify.corp.domain.example + to: http://verify allowed_domains: - pomerium.io - - from: https://external-httpbin.corp.domain.example - to: https://httpbin.org + - from: https://external-verify.corp.domain.example + to: https://verify.pomerium.com allow_public_unauthenticated_access: true ``` @@ -364,8 +364,8 @@ Usage of the POLICY_FILE envvar is no longer supported. Support for file based p Old: ```yaml - - from: httpbin.corp.beyondperimeter.com - to: http://httpbin + - from: verify.localhost.pomerium.io + to: http://verify allowed_domains: - pomerium.io cors_allow_preflight: true @@ -376,8 +376,8 @@ Usage of the POLICY_FILE envvar is no longer supported. Support for file based p ```yaml policy: - - from: httpbin.corp.beyondperimeter.com - to: http://httpbin + - from: verify.localhost.pomerium.io + to: http://verify allowed_domains: - pomerium.io cors_allow_preflight: true diff --git a/docs/guides/cloud-run.md b/docs/guides/cloud-run.md index 798865fd4..c8668c630 100644 --- a/docs/guides/cloud-run.md +++ b/docs/guides/cloud-run.md 
@@ -108,7 +108,7 @@ And a hello page: If your target application is not running on GCP, you can also perform your own header validation. -Browse to [https://httpbin.cloudrun.pomerium.io](https://httpbin.cloudrun.pomerium.io/headers) +Browse to [https://verify.cloudrun.pomerium.io](https://verify.cloudrun.pomerium.io/headers) You should see your identity header set: diff --git a/docs/guides/local-oidc.md b/docs/guides/local-oidc.md index e38068163..061aa1699 100644 --- a/docs/guides/local-oidc.md +++ b/docs/guides/local-oidc.md @@ -34,8 +34,8 @@ services: depends_on: - identityprovider - httpbin: - image: kennethreitz/httpbin:latest + verify: + image: pomerium/verify expose: - 80 @@ -75,8 +75,8 @@ cookie_secret: # https://www.pomerium.io/configuration/#policy policy: - - from: https://httpbin.localhost.pomerium.io - to: http://httpbin + - from: https://verify.localhost.pomerium.io + to: http://verify allowed_domains: - example.org ``` @@ -147,7 +147,7 @@ $ : wait identityprovider up $ docker-compose up -d ``` -Now accessing to `https://httpbin.localhost.pomerium.io` and you will be redireted to OIDC server for authentication. +Now accessing to `https://verify.localhost.pomerium.io` and you will be redireted to OIDC server for authentication. [identity provider]: ../docs/identity-providers/ [qlik/simple-oidc-provider]: https://hub.docker.com/r/qlik/simple-oidc-provider/ diff --git a/docs/guides/mtls.md b/docs/guides/mtls.md index 3204abaf7..f04e4171c 100644 --- a/docs/guides/mtls.md +++ b/docs/guides/mtls.md @@ -74,8 +74,8 @@ idp_client_id: YOUR_CLIENT_ID idp_client_secret: YOUR_SECRET policy: - - from: "https://httpbin.localhost.pomerium.io:8443" - to: "https://httpbin.org" + - from: "https://verify.localhost.pomerium.io:8443" + to: "https://verify.org" allow_public_unauthenticated_access: true ``` 
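Review bot: In docs/guides/mtls.md (hunk `@@ -74,8 +74,8 @@`) the route target became `to: "https://verify.org"`, which looks like a mechanical replacement of `httpbin.org` rather than an intended host; other files in this commit map the same upstream to `https://verify.pomerium.com`. Readers copy this policy verbatim, and with `allow_public_unauthenticated_access: true` it would proxy their requests to whoever operates that domain. Change the line to `to: "https://verify.pomerium.com"`. The same host appears in docs/reference/readme.md (the `proxy: new route` log samples, the `to` example list and the trailing-slash text), whereas the parallel hunks in docs/reference/settings.yaml already use verify.pomerium.com.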
@@ -89,7 +89,7 @@ Before visiting the page in your browser we have one final step. ## Install Client Certificate -Because `https://httpbin.localhost.pomerium.io:8443` now requires a client certificate to be accessed, we first need to install that client certificate in our browser. The following instructions are for Chrome, but client certificates are supported in all major browsers. +Because `https://verify.localhost.pomerium.io:8443` now requires a client certificate to be accessed, we first need to install that client certificate in our browser. The following instructions are for Chrome, but client certificates are supported in all major browsers. Go to : @@ -109,6 +109,6 @@ You should see the `org-mkcert development certificate` in the list of your cert ## Using the Client Certificate -You can now visit **** and you should be prompted to choose a client certificate: +You can now visit **** and you should be prompted to choose a client certificate: ![choose client certificate](./img/mtls/05-select-client-certificate.png) diff --git a/docs/guides/nginx.md b/docs/guides/nginx.md index 1c3c82f89..e37d32004 100644 --- a/docs/guides/nginx.md +++ b/docs/guides/nginx.md @@ -13,7 +13,7 @@ description: >- This recipe's sources can be found [on github](https://github.com/pomerium/pomerium/tree/master/examples/nginx) -At the end, you will have a locally running install of [httpbin](https://httpbin.org/) behind nginx with policy enforced by Pomerium. +At the end, you will have a locally running install of [verify](https://verify.pomerium.com/) behind nginx with policy enforced by Pomerium. ## Background 
@@ -72,28 +72,28 @@ Nginx configuration for Pomerium endpoints <<< @/examples/nginx/pomerium.conf -### Nginx - httpbin +### Nginx - verify Nginx configuration for the protected endpoint -<<< @/examples/nginx/httpbin.conf +<<< @/examples/nginx/verify.conf ### Docker Compose <<< @/examples/nginx/docker-compose.yaml -Run `docker-compose up`. After a few seconds, browse to [httpbin.localhost.pomerium.io](https://httpbin.localhost.pomerium.io). +Run `docker-compose up`. After a few seconds, browse to [verify.localhost.pomerium.io](https://verify.localhost.pomerium.io). -You should be prompted to log in through your IdP and then granted access to the deployed `httpbin` instance. +You should be prompted to log in through your IdP and then granted access to the deployed `verify` instance. ## That's it! -Your `httpbin` install is protected by Pomerium. +Your `verify` install is protected by Pomerium. ## Adapting To re-use the configuration in this demo in other contexts: -- Update `httpbin.conf` to reflect the correct forward auth URL in `location @error401` +- Update `verify.conf` to reflect the correct forward auth URL in `location @error401` - Update `pomerium.conf` to reflect the pomerium hostname(s) or IP(s) in `upstream pomerium` - Update `pomerium.conf` to reflect your pomerium authenticate and forward auth hostnames in `server_name` diff --git a/docs/reference/readme.md b/docs/reference/readme.md index 4872b68be..40b8ade00 100644 --- a/docs/reference/readme.md +++ b/docs/reference/readme.md 
@@ -141,8 +141,8 @@ For example, if specifying multiple certificates at once: certificates: - cert: "$HOME/.acme.sh/authenticate.example.com_ecc/fullchain.cer" key: "$HOME/.acme.sh/authenticate.example.com_ecc/authenticate.example.com.key" - - cert: "$HOME/.acme.sh/httpbin.example.com_ecc/fullchain.cer" - key: "$HOME/.acme.sh/httpbin.example.com_ecc/httpbin.example.com.key" + - cert: "$HOME/.acme.sh/verify.example.com_ecc/fullchain.cer" + key: "$HOME/.acme.sh/verify.example.com_ecc/verify.example.com.key" - cert: "$HOME/.acme.sh/prometheus.example.com_ecc/fullchain.cer" key: "$HOME/.acme.sh/prometheus.example.com_ecc/prometheus.example.com.key" ``` @@ -244,7 +244,7 @@ For example, if `true` ``` 10:37AM INF cmd/pomerium version=v0.0.1-dirty+ede4124 -10:37AM INF proxy: new route from=httpbin.localhost.pomerium.io to=https://httpbin.org +10:37AM INF proxy: new route from=verify.localhost.pomerium.io to=https://verify.org 10:37AM INF proxy: new route from=ssl.localhost.pomerium.io to=http://neverssl.com 10:37AM INF proxy/authenticator: grpc connection OverrideCertificateName= addr=auth.localhost.pomerium.io:443 ``` @@ -253,7 +253,7 @@ If `false` ``` {"level":"info","version":"v0.0.1-dirty+ede4124","time":"2019-02-18T10:41:03-08:00","message":"cmd/pomerium"} -{"level":"info","from":"httpbin.localhost.pomerium.io","to":"https://httpbin.org","time":"2019-02-18T10:41:03-08:00","message":"proxy: new route"} +{"level":"info","from":"verify.localhost.pomerium.io","to":"https://verify.org","time":"2019-02-18T10:41:03-08:00","message":"proxy: new route"} {"level":"info","from":"ssl.localhost.pomerium.io","to":"http://neverssl.com","time":"2019-02-18T10:41:03-08:00","message":"proxy: new route"} {"level":"info","OverrideCertificateName":"","addr":"auth.localhost.pomerium.io:443","time":"2019-02-18T10:41:03-08:00","message":"proxy/authenticator: grpc connection"} ``` 
@@ -283,7 +283,7 @@ Some reverse-proxies, such as nginx split access control flow into two parts: ve apiVersion: extensions/v1beta1 kind: Ingress metadata: - name: httpbin + name: verify annotations: kubernetes.io/ingress.class: "nginx" certmanager.k8s.io/issuer: "letsencrypt-prod" @@ -292,15 +292,15 @@ metadata: spec: tls: - hosts: - - httpbin.corp.example.com + - verify.corp.example.com secretName: quickstart-example-tls rules: - - host: httpbin.corp.example.com + - host: verify.corp.example.com http: paths: - path: / backend: - serviceName: httpbin + serviceName: verify servicePort: 80 ``` @@ -329,15 +329,15 @@ services: volumes: # So that Traefik can listen to the Docker events - /var/run/docker.sock:/var/run/docker.sock - httpbin: + verify: # A container that exposes an API to show its IP address - image: kennethreitz/httpbin:latest + image: pomerium/verify labels: - - "traefik.http.routers.httpbin.rule=Host(`httpbin.corp.example.com`)" + - "traefik.http.routers.verify.rule=Host(`verify.corp.example.com`)" # Create a middleware named `foo-add-prefix` - "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders=X-Pomerium-Authenticated-User-Email,x-pomerium-authenticated-user-id,x-pomerium-authenticated-user-groups,x-pomerium-jwt-assertion" - - "traefik.http.middlewares.test-auth.forwardauth.address=http://forwardauth.corp.example.com/?uri=https://httpbin.corp.example.com" - - "traefik.http.routers.httpbin.middlewares=test-auth@docker" + - "traefik.http.middlewares.test-auth.forwardauth.address=http://forwardauth.corp.example.com/?uri=https://verify.corp.example.com" + - "traefik.http.routers.verify.middlewares=test-auth@docker" ``` 
@@ -1044,7 +1044,7 @@ Requires setting [Google Cloud Serverless Authentication Service Account](./#goo - `yaml`/`json` setting: `from` - Type: `URL` (must contain a scheme and hostname, must not contain a path) - Required -- Example: `https://httpbin.corp.example.com` +- Example: `https://verify.corp.example.com` `From` is the externally accessible source of the proxied request. @@ -1200,13 +1200,13 @@ See [ProxyPreserveHost](http://httpd.apache.org/docs/2.0/mod/mod_proxy.html#prox Set Request Headers allows you to set static values for given request headers. This can be useful if you want to pass along additional information to downstream applications as headers, or set authentication header to the request. For example: ```yaml -- from: https://httpbin.corp.example.com - to: https://httpbin.org +- from: https://verify.corp.example.com + to: https://verify.pomerium.com allowed_users: - bdd@pomerium.io set_request_headers: # works auto-magically! - # https://httpbin.corp.example.com/basic-auth/root/hunter42 + # https://verify.corp.example.com/basic-auth/root/hunter42 Authorization: Basic cm9vdDpodW50ZXI0Mg== X-Your-favorite-authenticating-Proxy: "Pomerium" ``` @@ -1220,8 +1220,8 @@ Set Request Headers allows you to set static values for given request headers. T Remove Request Headers allows you to remove given request headers. This can be useful if you want to prevent privacy information from being passed to downstream applications. For example: ```yaml -- from: https://httpbin.corp.example.com - to: https://httpbin.org +- from: https://verify.corp.example.com + to: https://verify.pomerium.com allowed_users: - bdd@pomerium.io remove_request_headers: 
@@ -1234,7 +1234,7 @@ Remove Request Headers allows you to remove given request headers. This can be u - `yaml`/`json` setting: `to` - Type: `URL` (must contain a scheme and hostname) - Required -- Example: `http://httpbin` , `https://192.1.20.12:8080`, `http://neverssl.com`, `https://httpbin.org/anything/` +- Example: `http://verify` , `https://192.1.20.12:8080`, `http://neverssl.com`, `https://verify.org/anything/` `To` is the destination of a proxied request. It can be an internal resource, or an external resource. 
@@ -1245,20 +1245,20 @@ Be careful with trailing slash. With rule: ```yaml -- from: https://httpbin.corp.example.com - to: https://httpbin.org/anything +- from: https://verify.corp.example.com + to: https://verify.pomerium.com/anything ``` -Requests to `https://httpbin.corp.example.com` will be forwarded to `https://httpbin.org/anything`, while requests to `https://httpbin.corp.example.com/foo` will be forwarded to `https://httpbin.org/anythingfoo`.To make the request forwarded to `https://httbin.org/anything/foo`, you can use double slashes in your request `https://httbin.corp.example.com//foo`. +Requests to `https://verify.corp.example.com` will be forwarded to `https://verify.org/anything`, while requests to `https://verify.corp.example.com/foo` will be forwarded to `https://verify.org/anythingfoo`.To make the request forwarded to `https://httbin.org/anything/foo`, you can use double slashes in your request `https://httbin.corp.example.com//foo`. While the rule: ```yaml -- from: https://httpbin.corp.example.com - to: https://httpbin.org/anything/ +- from: https://verify.corp.example.com + to: https://verify.pomerium.com/anything/ ``` -All requests to `https://httpbin.corp.example.com/*` will be forwarded to `https://httpbin.org/anything/*`. That means accessing to `https://httpbin.corp.example.com` will be forwarded to `https://httpbin.org/anything/`. That said, if your application does not handle trailing slash, the request will end up with 404 not found. +All requests to `https://verify.corp.example.com/*` will be forwarded to `https://verify.org/anything/*`. That means accessing to `https://verify.corp.example.com` will be forwarded to `https://verify.org/anything/`. That said, if your application does not handle trailing slash, the request will end up with 404 not found. ::: diff --git a/docs/reference/settings.yaml b/docs/reference/settings.yaml index b6d97eb5b..41b9c74ad 100644 --- a/docs/reference/settings.yaml +++ b/docs/reference/settings.yaml 
@@ -175,8 +175,8 @@ settings: certificates: - cert: "$HOME/.acme.sh/authenticate.example.com_ecc/fullchain.cer" key: "$HOME/.acme.sh/authenticate.example.com_ecc/authenticate.example.com.key" - - cert: "$HOME/.acme.sh/httpbin.example.com_ecc/fullchain.cer" - key: "$HOME/.acme.sh/httpbin.example.com_ecc/httpbin.example.com.key" + - cert: "$HOME/.acme.sh/verify.example.com_ecc/fullchain.cer" + key: "$HOME/.acme.sh/verify.example.com_ecc/verify.example.com.key" - cert: "$HOME/.acme.sh/prometheus.example.com_ecc/fullchain.cer" key: "$HOME/.acme.sh/prometheus.example.com_ecc/prometheus.example.com.key" ``` @@ -290,7 +290,7 @@ settings: ``` 10:37AM INF cmd/pomerium version=v0.0.1-dirty+ede4124 - 10:37AM INF proxy: new route from=httpbin.localhost.pomerium.io to=https://httpbin.org + 10:37AM INF proxy: new route from=verify.localhost.pomerium.io to=https://verify.pomerium.com 10:37AM INF proxy: new route from=ssl.localhost.pomerium.io to=http://neverssl.com 10:37AM INF proxy/authenticator: grpc connection OverrideCertificateName= addr=auth.localhost.pomerium.io:443 ``` @@ -299,7 +299,7 @@ settings: ``` {"level":"info","version":"v0.0.1-dirty+ede4124","time":"2019-02-18T10:41:03-08:00","message":"cmd/pomerium"} - {"level":"info","from":"httpbin.localhost.pomerium.io","to":"https://httpbin.org","time":"2019-02-18T10:41:03-08:00","message":"proxy: new route"} + {"level":"info","from":"verify.localhost.pomerium.io","to":"https://verify.pomerium.com","time":"2019-02-18T10:41:03-08:00","message":"proxy: new route"} {"level":"info","from":"ssl.localhost.pomerium.io","to":"http://neverssl.com","time":"2019-02-18T10:41:03-08:00","message":"proxy: new route"} {"level":"info","OverrideCertificateName":"","addr":"auth.localhost.pomerium.io:443","time":"2019-02-18T10:41:03-08:00","message":"proxy/authenticator: grpc connection"} ``` 
@@ -331,7 +331,7 @@ settings: apiVersion: extensions/v1beta1 kind: Ingress metadata: - name: httpbin + name: verify annotations: kubernetes.io/ingress.class: "nginx" certmanager.k8s.io/issuer: "letsencrypt-prod" @@ -340,15 +340,15 @@ settings: spec: tls: - hosts: - - httpbin.corp.example.com + - verify.corp.example.com secretName: quickstart-example-tls rules: - - host: httpbin.corp.example.com + - host: verify.corp.example.com http: paths: - path: / backend: - serviceName: httpbin + serviceName: verify servicePort: 80 ``` @@ -377,15 +377,15 @@ settings: volumes: # So that Traefik can listen to the Docker events - /var/run/docker.sock:/var/run/docker.sock - httpbin: + verify: # A container that exposes an API to show its IP address - image: kennethreitz/httpbin:latest + image: pomerium/verify:latest labels: - - "traefik.http.routers.httpbin.rule=Host(`httpbin.corp.example.com`)" + - "traefik.http.routers.verify.rule=Host(`verify.corp.example.com`)" # Create a middleware named `foo-add-prefix` - "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders=X-Pomerium-Authenticated-User-Email,x-pomerium-authenticated-user-id,x-pomerium-authenticated-user-groups,x-pomerium-jwt-assertion" - - "traefik.http.middlewares.test-auth.forwardauth.address=http://forwardauth.corp.example.com/?uri=https://httpbin.corp.example.com" - - "traefik.http.routers.httpbin.middlewares=test-auth@docker" + - "traefik.http.middlewares.test-auth.forwardauth.address=http://forwardauth.corp.example.com/?uri=https://verify.corp.example.com" + - "traefik.http.routers.verify.middlewares=test-auth@docker" ``` shortdoc: | Forward authentication creates an endpoint that can be used with third-party proxies. 
@@ -1160,7 +1160,7 @@ settings: - `yaml`/`json` setting: `from` - Type: `URL` (must contain a scheme and hostname, must not contain a path) - Required - - Example: `https://httpbin.corp.example.com` + - Example: `https://verify.corp.example.com` doc: | `From` is the externally accessible source of the proxied request. - name: "Kubernetes Service Account Token" @@ -1326,13 +1326,13 @@ settings: Set Request Headers allows you to set static values for given request headers. This can be useful if you want to pass along additional information to downstream applications as headers, or set authentication header to the request. For example: ```yaml - - from: https://httpbin.corp.example.com - to: https://httpbin.org + - from: https://verify.corp.example.com + to: https://verify.pomerium.com allowed_users: - bdd@pomerium.io set_request_headers: # works auto-magically! - # https://httpbin.corp.example.com/basic-auth/root/hunter42 + # https://verify.corp.example.com/basic-auth/root/hunter42 Authorization: Basic cm9vdDpodW50ZXI0Mg== X-Your-favorite-authenticating-Proxy: "Pomerium" ``` @@ -1346,8 +1346,8 @@ settings: Remove Request Headers allows you to remove given request headers. This can be useful if you want to prevent privacy information from being passed to downstream applications. For example: ```yaml - - from: https://httpbin.corp.example.com - to: https://httpbin.org + - from: https://verify.corp.example.com + to: https://verify.pomerium.com allowed_users: - bdd@pomerium.io remove_request_headers: @@ -1360,7 +1360,7 @@ settings: - `yaml`/`json` setting: `to` - Type: `URL` (must contain a scheme and hostname) - Required - - Example: `http://httpbin` , `https://192.1.20.12:8080`, `http://neverssl.com`, `https://httpbin.org/anything/` + - Example: `http://verify` , `https://192.1.20.12:8080`, `http://neverssl.com`, `https://verify.pomerium.com/anything/` doc: | `To` is the destination of a proxied request. It can be an internal resource, or an external resource. 
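Review bot: The `set_request_headers` example in hunk `@@ -1326,13 +1326,13 @@` still depends on an httpbin-specific endpoint after the rename: the comment now reads `# https://verify.corp.example.com/basic-auth/root/hunter42`, and the static `Authorization: Basic ...` value was chosen to satisfy that httpbin path. Nothing in this commit shows the verify service exposing `/basic-auth/`, so the "works auto-magically" comment should be confirmed against verify or the example reworded around an endpoint it does serve. The same question applies to the `/anything/` paths in the `to` examples of the following hunks. The trailing-slash hunk also leaves `https://httbin.org/anything/foo` and `https://httbin.corp.example.com//foo` unrenamed, so that paragraph now mixes two hosts.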
@@ -1371,20 +1371,20 @@ settings: With rule: ```yaml - - from: https://httpbin.corp.example.com - to: https://httpbin.org/anything + - from: https://verify.corp.example.com + to: https://verify.pomerium.com/anything ``` - Requests to `https://httpbin.corp.example.com` will be forwarded to `https://httpbin.org/anything`, while requests to `https://httpbin.corp.example.com/foo` will be forwarded to `https://httpbin.org/anythingfoo`.To make the request forwarded to `https://httbin.org/anything/foo`, you can use double slashes in your request `https://httbin.corp.example.com//foo`. + Requests to `https://verify.corp.example.com` will be forwarded to `https://verify.pomerium.com/anything`, while requests to `https://verify.corp.example.com/foo` will be forwarded to `https://verify.pomerium.com/anythingfoo`.To make the request forwarded to `https://httbin.org/anything/foo`, you can use double slashes in your request `https://httbin.corp.example.com//foo`. While the rule: ```yaml - - from: https://httpbin.corp.example.com - to: https://httpbin.org/anything/ + - from: https://verify.corp.example.com + to: https://verify.pomerium.com/anything/ ``` - All requests to `https://httpbin.corp.example.com/*` will be forwarded to `https://httpbin.org/anything/*`. That means accessing to `https://httpbin.corp.example.com` will be forwarded to `https://httpbin.org/anything/`. That said, if your application does not handle trailing slash, the request will end up with 404 not found. + All requests to `https://verify.corp.example.com/*` will be forwarded to `https://verify.pomerium.com/anything/*`. That means accessing to `https://verify.corp.example.com` will be forwarded to `https://verify.pomerium.com/anything/`. That said, if your application does not handle trailing slash, the request will end up with 404 not found. ::: - name: "TLS Skip Verification" diff --git a/examples/cloudrun/README.md b/examples/cloudrun/README.md index 3c80f5038..9940ebd2c 100644 
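Review bot: The rewritten paragraph in `@@ -1371,20 +1371,20 @@` still contains `https://httbin.org/anything/foo` and `https://httbin.corp.example.com//foo`. The rename missed these misspelt host names, so the double-slash advice now refers to hosts that appear nowhere else in the example. They should read `https://verify.pomerium.com/anything/foo` and `https://verify.corp.example.com//foo`, and a space is missing before `To make`. The paragraph explains that a `to` URL without a trailing slash is concatenated with the request path (`/anythingfoo`), which is the kind of surprise that sends traffic to an unintended upstream path, so the corrected hosts are worth getting right.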
--- a/examples/cloudrun/README.md +++ b/examples/cloudrun/README.md @@ -1,7 +1,7 @@ # Pomerium on Cloud Run -Run this demo with gcloud command line configured for your project. The commands assume -all resources (Cloud Run, Cloud DNS, and Secret Manager) are in a single project. +Run this demo with gcloud command line configured for your project. The commands assume +all resources (Cloud Run, Cloud DNS, and Secret Manager) are in a single project. We recommend a dedicated project that is easy to clean up. @@ -28,6 +28,6 @@ This demo includes a Cloud Run target configured to only accept requests from th - Deploy config.yaml to Secret Manager - Deploy the demo hello world app - Deploy pomerium with policy -- Navigate to `https://httpbin.cloudrun.pomerium.io` +- Navigate to `https://verify.cloudrun.pomerium.io` - Navigate to `https://hello-direct.cloudrun.pomerium.io` -- Navigate to `https://hello.cloudrun.pomerium.io` \ No newline at end of file +- Navigate to `https://hello.cloudrun.pomerium.io` diff --git a/examples/cloudrun/policy.template.yaml b/examples/cloudrun/policy.template.yaml index 19fac1cdb..55bc6f34f 100644 --- a/examples/cloudrun/policy.template.yaml +++ b/examples/cloudrun/policy.template.yaml @@ -4,8 +4,8 @@ allowed_domains: - gmail.com enable_google_cloud_serverless_authentication: true -- from: https://httpbin.cloudrun.pomerium.io - to: https://httpbin.org +- from: https://verify.cloudrun.pomerium.io + to: https://verify.pomerium.com pass_identity_headers: true allowed_domains: - gmail.com diff --git a/examples/config/config.example.yaml b/examples/config/config.example.yaml index b95fb2c02..9eb0b7787 100644 --- a/examples/config/config.example.yaml +++ b/examples/config/config.example.yaml 
@@ -75,7 +75,7 @@ authenticate_service_url: https://authenticate.localhost.pomerium.io # Proxied routes and per-route policies are defined in a policy block policy: - - from: https://httpbin.localhost.pomerium.io + - from: https://verify.localhost.pomerium.io to: http://httpbin allowed_domains: - pomerium.io @@ -83,8 +83,8 @@ policy: timeout: 30s pass_identity_headers: true - - from: https://external-httpbin.localhost.pomerium.io - to: https://httpbin.org + - from: https://external-verify.localhost.pomerium.io + to: https://verify.pomerium.com allowed_domains: - gmail.com pass_identity_headers: true diff --git a/examples/config/config.minimal.yaml b/examples/config/config.minimal.yaml index e80225f0e..1f0af56ee 100644 --- a/examples/config/config.minimal.yaml +++ b/examples/config/config.minimal.yaml @@ -19,8 +19,8 @@ cookie_secret: WwMtDXWaRDMBQCylle8OJ+w4kLIDIGd8W3cB4/zFFtg= # https://www.pomerium.io/configuration/#policy policy: - - from: https://httpbin.localhost.pomerium.io - to: https://httpbin.org + - from: https://verify.localhost.pomerium.io + to: https://verify.pomerium.com allowed_users: - bdd@pomerium.io pass_identity_headers: true diff --git a/examples/config/policy.example.yaml b/examples/config/policy.example.yaml index 51e1492f3..b6ec7ffd0 100644 --- a/examples/config/policy.example.yaml +++ b/examples/config/policy.example.yaml @@ -8,14 +8,14 @@ # Proxied routes and per-route policies are defined in a policy block # NOTA BENE: You must uncomment the below 'policy' key if you are loading policy as a file. # policy: -- from: https://httpbin.localhost.pomerium.io +- from: https://verify.localhost.pomerium.io to: http://localhost:8000 allowed_domains: - pomerium.io cors_allow_preflight: true timeout: 30s -- from: https://external-httpbin.localhost.pomerium.io - to: https://httpbin.org +- from: https://external-verify.localhost.pomerium.io + to: https://verify.pomerium.com allowed_domains: - gmail.com - from: https://weirdlyssl.localhost.pomerium.io 
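Review bot: The first route in the `@@ -75,7 +75,7 @@` hunk of `examples/config/config.example.yaml` now serves `https://verify.localhost.pomerium.io`, but its unchanged `to:` line still targets `http://httpbin`. The same half-rename is in `examples/kubernetes/kubernetes-config.yaml` (`to: http://httpbin.default.svc.cluster.local:8000`) and in `examples/nginx/config.yaml` and `examples/traefik/config.yaml` (`to: https://httpbin`). For the nginx and Traefik examples, the `docker-compose.yaml` in the same directory no longer defines a service called `httpbin`. If these configs are meant to run against those compose files, the route names an upstream host that will not resolve, so I would rename the host, e.g. `to: http://verify` here, and do the same in the other three. Which upstream the Kubernetes example deploys is not visible in this diff.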
diff --git a/examples/docker/autocert.docker-compose.yml b/examples/docker/autocert.docker-compose.yml index 2318724fe..453796c13 100644 --- a/examples/docker/autocert.docker-compose.yml +++ b/examples/docker/autocert.docker-compose.yml @@ -11,8 +11,8 @@ services: ports: - 443:443 - # https://httpbin.corp.beyondperimeter.com --> Pomerium --> http://httpbin - httpbin: - image: kennethreitz/httpbin:latest + # https://verify.corp.beyondperimeter.com --> Pomerium --> http://verify + verify: + image: pomerium/verify:latest expose: - 80 diff --git a/examples/docker/basic.docker-compose.yml b/examples/docker/basic.docker-compose.yml index 06745d465..739b60803 100644 --- a/examples/docker/basic.docker-compose.yml +++ b/examples/docker/basic.docker-compose.yml @@ -14,8 +14,8 @@ services: ports: - 443:443 - # https://httpbin.corp.beyondperimeter.com --> Pomerium --> http://httpbin - httpbin: - image: kennethreitz/httpbin:latest + # https://verify.corp.beyondperimeter.com --> Pomerium --> http://verify + verify: + image: pomerium/verify:latest expose: - 80 diff --git a/examples/docker/nginx.docker-compose.yml b/examples/docker/nginx.docker-compose.yml index 417b3e48b..e10c98e34 100644 --- a/examples/docker/nginx.docker-compose.yml +++ b/examples/docker/nginx.docker-compose.yml @@ -91,9 +91,9 @@ services: expose: - 443 - # https://httpbin.corp.beyondperimeter.com - httpbin: - image: kennethreitz/httpbin:latest + # https://verify.corp.beyondperimeter.com + verify: + image: pomerium/verify:latest expose: - 80 # https://hello.corp.beyondperimeter.com diff --git a/examples/kubernetes/kubernetes-config.yaml b/examples/kubernetes/kubernetes-config.yaml index 5c72845e9..8a0b42969 100644 --- a/examples/kubernetes/kubernetes-config.yaml +++ b/examples/kubernetes/kubernetes-config.yaml 
@@ -18,7 +18,7 @@ idp_client_secret: "REPLACE_ME" idp_service_account: YOUR_SERVICE_ACCOUNT policy: - - from: https://httpbin.localhost.pomerium.io + - from: https://verify.localhost.pomerium.io to: http://httpbin.default.svc.cluster.local:8000 allowed_domains: - gmail.com diff --git a/examples/mutual-tls/README.md b/examples/mutual-tls/README.md index 3d2657b52..33dfb8ee7 100644 --- a/examples/mutual-tls/README.md +++ b/examples/mutual-tls/README.md @@ -25,8 +25,8 @@ policy: tls_client_cert_file: "/Users/bdd/examples/mutual-tls/out/pomerium.crt" tls_client_key_file: "/Users/bdd/examples/mutual-tls/out/pomerium.key" - - from: https://httpbin.corp.domain.example - to: https://httpbin.org + - from: https://verify.corp.domain.example + to: https://verify.pomerium.com allow_public_unauthenticated_access: true ``` diff --git a/examples/mutual-tls/example.config.yaml b/examples/mutual-tls/example.config.yaml index 71186f515..2dad53abf 100644 --- a/examples/mutual-tls/example.config.yaml +++ b/examples/mutual-tls/example.config.yaml @@ -19,6 +19,6 @@ policy: # pomerium.key tls_client_key: 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 - - from: https://httpbin.corp.domain.example - to: https://httpbin.org + - from: https://verify.corp.domain.example + to: https://verify.pomerium.com allow_public_unauthenticated_access: true diff --git a/examples/nginx/README.md b/examples/nginx/README.md index 01f74f966..989335427 100644 --- a/examples/nginx/README.md +++ b/examples/nginx/README.md @@ -12,6 +12,6 @@ Run this demo locally on your docker-compose capable workstation, or replace `lo - Update `config.yaml` for your e-mail address, if not using gmail/google. - Replace secrets in `config.yaml`. - Run `docker-compose up` from this directory. -- Navigate to `https://httpbin.localhost.pomerium.io` +- Navigate to `https://verify.localhost.pomerium.io` - ??? - Profit diff --git a/examples/nginx/config.yaml b/examples/nginx/config.yaml index 64f9adbeb..30d519b34 100644 
--- a/examples/nginx/config.yaml +++ b/examples/nginx/config.yaml @@ -14,7 +14,7 @@ forward_auth_url: http://fwdauth.localhost.pomerium.io authenticate_service_url: https://authenticate.localhost.pomerium.io policy: - - from: https://httpbin.localhost.pomerium.io + - from: https://verify.localhost.pomerium.io to: https://httpbin allowed_domains: - pomerium.com diff --git a/examples/nginx/docker-compose.yaml b/examples/nginx/docker-compose.yaml index 022a35b4c..0a04d5346 100644 --- a/examples/nginx/docker-compose.yaml +++ b/examples/nginx/docker-compose.yaml @@ -11,14 +11,14 @@ services: - "80:80" - "443:443" volumes: - - ./httpbin.conf:/etc/nginx/conf.d/httpbin.conf + - ./verify.conf:/etc/nginx/conf.d/verify.conf - ./pomerium.conf:/etc/nginx/conf.d/pomerium.conf - ./_wildcard.localhost.pomerium.io.pem:/etc/nginx/nginx.pem - ./_wildcard.localhost.pomerium.io-key.pem:/etc/nginx/nginx-key.pem - ./proxy.conf:/etc/nginx/proxy.conf - httpbin: - image: kennethreitz/httpbin:latest + verify: + image: pomerium/verify expose: - 80 pomerium: diff --git a/examples/nginx/httpbin.conf b/examples/nginx/verify.conf similarity index 96% rename from examples/nginx/httpbin.conf rename to examples/nginx/verify.conf index 0d653c7b9..cbe183347 100644 --- a/examples/nginx/httpbin.conf +++ b/examples/nginx/verify.conf @@ -3,7 +3,7 @@ server { listen 80; listen 443 ssl http2; - server_name httpbin.localhost.pomerium.io; + server_name verify.localhost.pomerium.io; ssl_certificate /etc/nginx/nginx.pem; ssl_certificate_key /etc/nginx/nginx-key.pem; @@ -57,7 +57,7 @@ server { } location / { - proxy_pass http://httpbin; + proxy_pass http://verify; include /etc/nginx/proxy.conf; # If we get a 401, respond with a named location diff --git a/examples/traefik/README.md b/examples/traefik/README.md index 245698703..1f71d8bac 100644 --- a/examples/traefik/README.md +++ b/examples/traefik/README.md 
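Review bot: In `examples/nginx/docker-compose.yaml` (`@@ -11,14 +11,14 @@`) the new service uses `image: pomerium/verify` with no tag, while the other compose files touched by this commit write `pomerium/verify:latest`. Both forms resolve to a mutable tag, so anyone running the example pulls whatever was pushed most recently. Pinning to a release tag or digest, e.g. `image: pomerium/verify:<PINNED_TAG>` (placeholder), makes the examples reproducible and limits exposure to a bad or tampered push. At minimum the tag should be written out so the files are consistent. The service list continues outside the hunk.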
@@ -12,6 +12,6 @@ Run this demo locally on your docker-compose capable workstation, or replace `lo - Update `config.yaml` for your e-mail address, if not using gmail/google. - Replace secrets in `config.yaml`. - Run `docker-compose up` from this directory. -- Navigate to `https://httpbin.localhost.pomerium.io` +- Navigate to `https://verify.localhost.pomerium.io` - ??? - Profit diff --git a/examples/traefik/config.yaml b/examples/traefik/config.yaml index 9473b482e..1f1a5dd1c 100644 --- a/examples/traefik/config.yaml +++ b/examples/traefik/config.yaml @@ -15,7 +15,7 @@ authenticate_service_url: https://authenticate.localhost.pomerium.io jwt_claims_headers: email,groups,user policy: - - from: https://httpbin.localhost.pomerium.io + - from: https://verify.localhost.pomerium.io to: https://httpbin allowed_domains: - pomerium.io diff --git a/examples/traefik/docker-compose.yaml b/examples/traefik/docker-compose.yaml index e2c7256a9..ed3b85882 100644 --- a/examples/traefik/docker-compose.yaml +++ b/examples/traefik/docker-compose.yaml 
@@ -18,18 +18,18 @@ services: volumes: - /var/run/docker.sock:/var/run/docker.sock - httpbin: - image: kennethreitz/httpbin:latest + verify: + image: pomerium/verify:latest labels: - "traefik.http.middlewares.pomerium.forwardauth.authResponseHeaders=X-Pomerium-Claim-Email,X-Pomerium-Claim-User,X-Pomerium-Claim-Groups,X-Pomerium-Jwt-Assertion" - "traefik.http.middlewares.pomerium.forwardauth.address=http://pomerium/" - "traefik.http.middlewares.pomerium.forwardauth.trustForwardHeader=true" - - "traefik.http.routers.httpbin.middlewares=pomerium@docker" + - "traefik.http.routers.verify.middlewares=pomerium@docker" - "traefik.enable=true" - - "traefik.http.routers.httpbin.rule=Host(`httpbin.localhost.pomerium.io`)" - - "traefik.http.routers.httpbin.entrypoints=websecure" - - "traefik.http.routers.httpbin.tls=true" + - "traefik.http.routers.verify.rule=Host(`verify.localhost.pomerium.io`)" + - "traefik.http.routers.verify.entrypoints=websecure" + - "traefik.http.routers.verify.tls=true" pomerium: image: pomerium/pomerium:latest diff --git a/scripts/programmatic_access.py b/scripts/programmatic_access.py index 5b09d8586..bf60e568a 100755 --- a/scripts/programmatic_access.py +++ b/scripts/programmatic_access.py @@ -14,7 +14,7 @@ done = False parser = argparse.ArgumentParser() parser.add_argument("--login", action="store_true") parser.add_argument( - "--dst", default="https://httpbin.example.com/headers", + "--dst", default="https://verify.example.com/json", ) parser.add_argument("--server", default="localhost", type=str) parser.add_argument("--port", default=8000, type=int)