docs: replace httpbin with verify (#1702)

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
This commit is contained in:
bobby 2020-12-22 09:53:08 -08:00 committed by GitHub
parent 4eec2ed1d5
commit c23c8b34b3
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
34 changed files with 154 additions and 154 deletions


@ -7,14 +7,14 @@ services:
- "80:80"
- "443:443"
volumes:
- ../../examples/nginx/httpbin.conf:/etc/nginx/conf.d/httpbin.conf
- ../../examples/nginx/verify.conf:/etc/nginx/conf.d/verify.conf
- ../../examples/nginx/pomerium.conf:/etc/nginx/conf.d/pomerium.conf
- ../../examples/nginx/proxy.conf:/etc/nginx/proxy.conf
- ../../examples/nginx/_wildcard.localhost.pomerium.io.pem:/etc/nginx/nginx.pem
- ../../examples/nginx/_wildcard.localhost.pomerium.io-key.pem:/etc/nginx/nginx-key.pem
httpbin:
image: kennethreitz/httpbin:latest
verify:
image: pomerium/verify
expose:
- 80


@ -18,18 +18,18 @@ services:
volumes:
- /var/run/docker.sock:/var/run/docker.sock
httpbin:
image: kennethreitz/httpbin:latest
verify:
image: pomerium/verify:latest
labels:
- "traefik.http.middlewares.pomerium.forwardauth.authResponseHeaders=X-Pomerium-Claim-Email,X-Pomerium-Claim-User,X-Pomerium-Claim-Groups,X-Pomerium-Jwt-Assertion"
- "traefik.http.middlewares.pomerium.forwardauth.address=http://pomerium/"
- "traefik.http.middlewares.pomerium.forwardauth.trustForwardHeader=true"
- "traefik.http.routers.httpbin.middlewares=pomerium@docker"
- "traefik.http.routers.verify.middlewares=pomerium@docker"
- "traefik.enable=true"
- "traefik.http.routers.httpbin.rule=Host(`httpbin.localhost.pomerium.io`)"
- "traefik.http.routers.httpbin.entrypoints=websecure"
- "traefik.http.routers.httpbin.tls=true"
- "traefik.http.routers.verify.rule=Host(`verify.localhost.pomerium.io`)"
- "traefik.http.routers.verify.entrypoints=websecure"
- "traefik.http.routers.verify.tls=true"
pomerium:
build: ../.


@ -89,7 +89,7 @@ We use [Netlify](https://www.netlify.com) to build and host our docs. One of nic
[configuration variables]: ../../reference/readme.md
[download]: https://github.com/pomerium/pomerium/releases
[environmental configuration variables]: https://12factor.net/config
[httpbin]: https://httpbin.org/
[verify]: https://verify.pomerium.com/
[identity provider]: ../identity-providers/readme.md
[make]: https://en.wikipedia.org/wiki/Make_(software)
[tls certificates]: ../topics/certificates.md


@ -39,10 +39,10 @@ Finally, source the configuration `env` file and run pomerium specifying the `co
## Navigate
Browse to `external-httpbin.your.domain.example`. Connections between you and [httpbin] will now be proxied and managed by Pomerium.
Browse to `external-verify.your.domain.example`. Connections between you and [verify] will now be proxied and managed by Pomerium.
[configuration variables]: ../../reference/readme.md
[download]: https://github.com/pomerium/pomerium/releases
[httpbin]: https://httpbin.org/
[verify]: https://verify.pomerium.com/
[identity provider]: ../identity-providers/
[tls certificates]: ../topics/certificates.md


@ -69,10 +69,10 @@ make && ./bin/pomerium -config config.yaml
### Navigate
Browse to `httpbin.localhost.pomerium.io`. Connections between you and [httpbin] will now be proxied and managed by Pomerium.
Browse to `verify.localhost.pomerium.io`. Connections between you and [verify] will now be proxied and managed by Pomerium.
[configuration variables]: ../../reference/readme.md
[httpbin]: https://httpbin.org/
[verify]: https://verify.pomerium.com/
[identity provider]: ../identity-providers/
[make]: https://en.wikipedia.org/wiki/Make_(software)
[tls certificates]: ../topics/certificates.md


@ -46,9 +46,9 @@ Run [./scripts/helm_gke.sh] which will:
## Navigate
Open a browser and navigate to `httpbin.your.domain.example`.
Open a browser and navigate to `verify.your.domain.example`.
You can also navigate to the special pomerium endpoint `httpbin.your.domain.example/.pomerium/` to see your current user details.
You can also navigate to the special pomerium endpoint `verify.your.domain.example/.pomerium/` to see your current user details.
![currently logged in user](./img/logged-in-as.png)


@ -58,11 +58,11 @@ Finally, simply run docker compose.
docker-compose up
```
Docker will automatically download the required [container images] for Pomerium and [httpbin]. Then, Pomerium will run with the configuration details set in the previous steps.
Docker will automatically download the required [container images] for Pomerium and [verify]. Then, Pomerium will run with the configuration details set in the previous steps.
You should now be able access to the routes (e.g. `https://httpbin.corp.yourdomain.example`) as specified in your policy file.
You should now be able access to the routes (e.g. `https://verify.localhost.pomerium.io`) as specified in your policy file.
You can also navigate to the special pomerium endpoint `httpbin.corp.yourdomain.example/.pomerium/` to see your current user details.
You can also navigate to the special pomerium endpoint `verify.corp.yourdomain.example/.pomerium/` to see your current user details.
![currently logged in user](./img/logged-in-as.png)
@ -70,6 +70,6 @@ You can also navigate to the special pomerium endpoint `httpbin.corp.yourdomain.
[container images]: https://hub.docker.com/r/pomerium/pomerium
[docker]: https://docs.docker.com/install/
[docker-compose]: https://docs.docker.com/compose/install/
[httpbin]: https://httpbin.org/
[verify]: https://verify.pomerium.com/
[identity provider]: ../identity-providers/readme.md
[tls certificates]: ../topics/certificates.md


@ -18,9 +18,9 @@ The API returns a cryptographically signed sign-in url that can be used to compl
For example:
```bash
$ curl "https://httpbin.example.com/.pomerium/api/v1/login?redirect_uri=http://localhost:8000"
$ curl "https://verify.example.com/.pomerium/api/v1/login?redirect_uri=http://localhost:8000"
https://authenticate.example.com/.pomerium/sign_in?redirect_uri=http%3A%2F%2Flocalhost%3Fpomerium_callback_uri%3Dhttps%253A%252F%252Fhttpbin.corp.example%252F.pomerium%252Fapi%252Fv1%252Flogin%253Fredirect_uri%253Dhttp%253A%252F%252Flocalhost&sig=hsLuzJctmgsN4kbMeQL16fe_FahjDBEcX0_kPYfg8bs%3D&ts=1573262981
https://authenticate.example.com/.pomerium/sign_in?redirect_uri=http%3A%2F%2Flocalhost%3Fpomerium_callback_uri%3Dhttps%253A%252F%verify.corp.example%252F.pomerium%252Fapi%252Fv1%252Flogin%253Fredirect_uri%253Dhttp%253A%252F%252Flocalhost&sig=hsLuzJctmgsN4kbMeQL16fe_FahjDBEcX0_kPYfg8bs%3D&ts=1573262981
```
### Callback handler
@ -35,13 +35,13 @@ Your script or application should anticipate the possibility that your underlyin
## High level workflow
The application interacting with Pomerium must manage the following workflow. Consider the following example where a script or program desires delegated, programmatic access to the domain `httpbin.corp.domain.example`:
The application interacting with Pomerium must manage the following workflow. Consider the following example where a script or program desires delegated, programmatic access to the domain `verify.corp.domain.example`:
1. The script or application requests a new login url from the pomerium managed endpoint (e.g. `https://httpbin.corp.domain.example/.pomerium/api/v1/login`) and takes a `redirect_uri` as an argument.
1. The script or application requests a new login url from the pomerium managed endpoint (e.g. `https://verify.corp.domain.example/.pomerium/api/v1/login`) and takes a `redirect_uri` as an argument.
1. The script or application opens a browser or redirects the user to the returned login page.
1. The user completes the identity providers login flow.
1. The identity provider makes a callback to pomerium's authenticate service (e.g. `authenticate.corp.domain.example`) .
1. Pomerium's authenticate service creates a user session and redirect token, then redirects back to the managed endpoint (e.g. `httpbin.corp.domain.example`)
1. Pomerium's authenticate service creates a user session and redirect token, then redirects back to the managed endpoint (e.g. `verify.corp.domain.example`)
1. Pomerium's proxy service makes a callback request to the original `redirect_uri` with the user session and as an argument.
1. The script or application is responsible for handling that http callback request, and securely handling the callback session (`pomerium_jwt`) queryparam.
1. The script or application can now make any requests as normal to the upstream application by setting the `Authorization: Pomerium ${pomerium_jwt}` header.
@ -52,7 +52,7 @@ Please consider see the following minimal but complete python example.
```bash
python3 scripts/programmatic_access.py \
--dst https://httpbin.example.com/headers
--dst https://verify.example.com/headers
```
<<< @/scripts/programmatic_access.py
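Review bot: The rename broke the percent-encoded sign-in URL in the example output: `...%253A%252F%verify.corp.example...` lost the second `%252F`, so the `pomerium_callback_uri` no longer decodes to `https://verify.corp.example/...` and a reader copying it gets a malformed callback URI. It should read `https%253A%252F%252Fverify.corp.example%252F.pomerium%252Fapi%252Fv1%252Flogin...`. The `curl` request above it uses `verify.example.com` while the callback uses `verify.corp.example`, which predates this change but is worth aligning while the example is being touched. The `--dst https://verify.example.com/headers` target assumes the verify service exposes an httpbin-style `/headers` path; that is not established by anything in this diff and should be confirmed against the pomerium/verify image.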


@ -241,15 +241,15 @@ Previous programmatic authentication endpoints (`/api/v1/token`) has been remove
### Forward-auth route change
Previously, routes were verified by taking the downstream applications hostname in the form of a path `(e.g. ${forwardauth}/.pomerium/verify/httpbin.some.example`) variable. The new method for verifying a route using forward authentication is to pass the entire requested url in the form of a query string `(e.g. ${forwardauth}/.pomerium/verify?url=https://httpbin.some.example)` where the routed domain is the value of the `uri` key.
Previously, routes were verified by taking the downstream applications hostname in the form of a path `(e.g. ${forwardauth}/.pomerium/verify/verify.some.example`) variable. The new method for verifying a route using forward authentication is to pass the entire requested url in the form of a query string `(e.g. ${forwardauth}/.pomerium/verify?url=https://verify.some.example)` where the routed domain is the value of the `uri` key.
Note that the verification URL is no longer nested under the `.pomerium` endpoint.
For example, in nginx this would look like:
```diff
- nginx.ingress.kubernetes.io/auth-url: https://forwardauth.corp.example.com/.pomerium/verify/httpbin.corp.example.com?no_redirect=true
- nginx.ingress.kubernetes.io/auth-signin: https://forwardauth.corp.example.com/.pomerium/verify/httpbin.corp.example.com
- nginx.ingress.kubernetes.io/auth-url: https://forwardauth.corp.example.com/.pomerium/verify/verify.corp.example.com?no_redirect=true
- nginx.ingress.kubernetes.io/auth-signin: https://forwardauth.corp.example.com/.pomerium/verify/verify.corp.example.com
+ nginx.ingress.kubernetes.io/auth-url: https://forwardauth.corp.example.com/verify?uri=$scheme://$host$request_uri
+ nginx.ingress.kubernetes.io/auth-signin: https://forwardauth.corp.example.com?uri=$scheme://$host$request_uri
```
@ -324,12 +324,12 @@ Previously, it was allowable to define a policy without a schema (e.g. `http`/`h
```yaml
policy:
- from: httpbin.corp.domain.example
to: http://httpbin
- from: verify.corp.domain.example
to: http://verify
allowed_domains:
- pomerium.io
- from: external-httpbin.corp.domain.example
to: https://httpbin.org
- from: external-verify.corp.domain.example
to: https://verify.pomerium.com
allow_public_unauthenticated_access: true
```
@ -337,12 +337,12 @@ Should now be:
```yaml
policy:
- from: https://httpbin.corp.domain.example
to: http://httpbin
- from: https://verify.corp.domain.example
to: http://verify
allowed_domains:
- pomerium.io
- from: https://external-httpbin.corp.domain.example
to: https://httpbin.org
- from: https://external-verify.corp.domain.example
to: https://verify.pomerium.com
allow_public_unauthenticated_access: true
```
@ -364,8 +364,8 @@ Usage of the POLICY_FILE envvar is no longer supported. Support for file based p
Old:
```yaml
- from: httpbin.corp.beyondperimeter.com
to: http://httpbin
- from: verify.localhost.pomerium.io
to: http://verify
allowed_domains:
- pomerium.io
cors_allow_preflight: true
@ -376,8 +376,8 @@ Usage of the POLICY_FILE envvar is no longer supported. Support for file based p
```yaml
policy:
- from: httpbin.corp.beyondperimeter.com
to: http://httpbin
- from: verify.localhost.pomerium.io
to: http://verify
allowed_domains:
- pomerium.io
cors_allow_preflight: true


@ -108,7 +108,7 @@ And a hello page:
If your target application is not running on GCP, you can also perform your own header validation.
Browse to [https://httpbin.cloudrun.pomerium.io](https://httpbin.cloudrun.pomerium.io/headers)
Browse to [https://verify.cloudrun.pomerium.io](https://verify.cloudrun.pomerium.io/headers)
You should see your identity header set:


@ -34,8 +34,8 @@ services:
depends_on:
- identityprovider
httpbin:
image: kennethreitz/httpbin:latest
verify:
image: pomerium/verify
expose:
- 80
@ -75,8 +75,8 @@ cookie_secret: <reducted>
# https://www.pomerium.io/configuration/#policy
policy:
- from: https://httpbin.localhost.pomerium.io
to: http://httpbin
- from: https://verify.localhost.pomerium.io
to: http://verify
allowed_domains:
- example.org
```
@ -147,7 +147,7 @@ $ : wait identityprovider up
$ docker-compose up -d
```
Now accessing to `https://httpbin.localhost.pomerium.io` and you will be redireted to OIDC server for authentication.
Now accessing to `https://verify.localhost.pomerium.io` and you will be redireted to OIDC server for authentication.
[identity provider]: ../docs/identity-providers/
[qlik/simple-oidc-provider]: https://hub.docker.com/r/qlik/simple-oidc-provider/


@ -74,8 +74,8 @@ idp_client_id: YOUR_CLIENT_ID
idp_client_secret: YOUR_SECRET
policy:
- from: "https://httpbin.localhost.pomerium.io:8443"
to: "https://httpbin.org"
- from: "https://verify.localhost.pomerium.io:8443"
to: "https://verify.org"
allow_public_unauthenticated_access: true
```
@ -89,7 +89,7 @@ Before visiting the page in your browser we have one final step.
## Install Client Certificate
Because `https://httpbin.localhost.pomerium.io:8443` now requires a client certificate to be accessed, we first need to install that client certificate in our browser. The following instructions are for Chrome, but client certificates are supported in all major browsers.
Because `https://verify.localhost.pomerium.io:8443` now requires a client certificate to be accessed, we first need to install that client certificate in our browser. The following instructions are for Chrome, but client certificates are supported in all major browsers.
Go to <chrome://settings/certificates>:
@ -109,6 +109,6 @@ You should see the `org-mkcert development certificate` in the list of your cert
## Using the Client Certificate
You can now visit **<https://httpbin.localhost.pomerium.io>** and you should be prompted to choose a client certificate:
You can now visit **<https://verify.localhost.pomerium.io>** and you should be prompted to choose a client certificate:
![choose client certificate](./img/mtls/05-select-client-certificate.png)
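Review bot: The policy example now sends mTLS-gated traffic to `https://verify.org`, which is not the Pomerium verify service used everywhere else in this commit (`https://verify.pomerium.com`); with `allow_public_unauthenticated_access: true` the example proxies requests to an unrelated third-party domain. Change the `to` line to `to: "https://verify.pomerium.com"` so the example matches the rest of the docs and does not forward traffic to a domain the project does not control.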


@ -13,7 +13,7 @@ description: >-
This recipe's sources can be found [on github](https://github.com/pomerium/pomerium/tree/master/examples/nginx)
At the end, you will have a locally running install of [httpbin](https://httpbin.org/) behind nginx with policy enforced by Pomerium.
At the end, you will have a locally running install of [verify](https://verify.pomerium.com/) behind nginx with policy enforced by Pomerium.
## Background
@ -72,28 +72,28 @@ Nginx configuration for Pomerium endpoints
<<< @/examples/nginx/pomerium.conf
### Nginx - httpbin
### Nginx - verify
Nginx configuration for the protected endpoint
<<< @/examples/nginx/httpbin.conf
<<< @/examples/nginx/verify.conf
### Docker Compose
<<< @/examples/nginx/docker-compose.yaml
Run `docker-compose up`. After a few seconds, browse to [httpbin.localhost.pomerium.io](https://httpbin.localhost.pomerium.io).
Run `docker-compose up`. After a few seconds, browse to [verify.localhost.pomerium.io](https://verify.localhost.pomerium.io).
You should be prompted to log in through your IdP and then granted access to the deployed `httpbin` instance.
You should be prompted to log in through your IdP and then granted access to the deployed `verify` instance.
## That's it!
Your `httpbin` install is protected by Pomerium.
Your `verify` install is protected by Pomerium.
## Adapting
To re-use the configuration in this demo in other contexts:
- Update `httpbin.conf` to reflect the correct forward auth URL in `location @error401`
- Update `verify.conf` to reflect the correct forward auth URL in `location @error401`
- Update `pomerium.conf` to reflect the pomerium hostname(s) or IP(s) in `upstream pomerium`
- Update `pomerium.conf` to reflect your pomerium authenticate and forward auth hostnames in `server_name`


@ -141,8 +141,8 @@ For example, if specifying multiple certificates at once:
certificates:
- cert: "$HOME/.acme.sh/authenticate.example.com_ecc/fullchain.cer"
key: "$HOME/.acme.sh/authenticate.example.com_ecc/authenticate.example.com.key"
- cert: "$HOME/.acme.sh/httpbin.example.com_ecc/fullchain.cer"
key: "$HOME/.acme.sh/httpbin.example.com_ecc/httpbin.example.com.key"
- cert: "$HOME/.acme.sh/verify.example.com_ecc/fullchain.cer"
key: "$HOME/.acme.sh/verify.example.com_ecc/verify.example.com.key"
- cert: "$HOME/.acme.sh/prometheus.example.com_ecc/fullchain.cer"
key: "$HOME/.acme.sh/prometheus.example.com_ecc/prometheus.example.com.key"
```
@ -244,7 +244,7 @@ For example, if `true`
```
10:37AM INF cmd/pomerium version=v0.0.1-dirty+ede4124
10:37AM INF proxy: new route from=httpbin.localhost.pomerium.io to=https://httpbin.org
10:37AM INF proxy: new route from=verify.localhost.pomerium.io to=https://verify.org
10:37AM INF proxy: new route from=ssl.localhost.pomerium.io to=http://neverssl.com
10:37AM INF proxy/authenticator: grpc connection OverrideCertificateName= addr=auth.localhost.pomerium.io:443
```
@ -253,7 +253,7 @@ If `false`
```
{"level":"info","version":"v0.0.1-dirty+ede4124","time":"2019-02-18T10:41:03-08:00","message":"cmd/pomerium"}
{"level":"info","from":"httpbin.localhost.pomerium.io","to":"https://httpbin.org","time":"2019-02-18T10:41:03-08:00","message":"proxy: new route"}
{"level":"info","from":"verify.localhost.pomerium.io","to":"https://verify.org","time":"2019-02-18T10:41:03-08:00","message":"proxy: new route"}
{"level":"info","from":"ssl.localhost.pomerium.io","to":"http://neverssl.com","time":"2019-02-18T10:41:03-08:00","message":"proxy: new route"}
{"level":"info","OverrideCertificateName":"","addr":"auth.localhost.pomerium.io:443","time":"2019-02-18T10:41:03-08:00","message":"proxy/authenticator: grpc connection"}
```
@ -283,7 +283,7 @@ Some reverse-proxies, such as nginx split access control flow into two parts: ve
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: httpbin
name: verify
annotations:
kubernetes.io/ingress.class: "nginx"
certmanager.k8s.io/issuer: "letsencrypt-prod"
@ -292,15 +292,15 @@ metadata:
spec:
tls:
- hosts:
- httpbin.corp.example.com
- verify.corp.example.com
secretName: quickstart-example-tls
rules:
- host: httpbin.corp.example.com
- host: verify.corp.example.com
http:
paths:
- path: /
backend:
serviceName: httpbin
serviceName: verify
servicePort: 80
```
@ -329,15 +329,15 @@ services:
volumes:
# So that Traefik can listen to the Docker events
- /var/run/docker.sock:/var/run/docker.sock
httpbin:
verify:
# A container that exposes an API to show its IP address
image: kennethreitz/httpbin:latest
image: pomerium/verify
labels:
- "traefik.http.routers.httpbin.rule=Host(`httpbin.corp.example.com`)"
- "traefik.http.routers.verify.rule=Host(`verify.corp.example.com`)"
# Create a middleware named `foo-add-prefix`
- "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders=X-Pomerium-Authenticated-User-Email,x-pomerium-authenticated-user-id,x-pomerium-authenticated-user-groups,x-pomerium-jwt-assertion"
- "traefik.http.middlewares.test-auth.forwardauth.address=http://forwardauth.corp.example.com/?uri=https://httpbin.corp.example.com"
- "traefik.http.routers.httpbin.middlewares=test-auth@docker"
- "traefik.http.middlewares.test-auth.forwardauth.address=http://forwardauth.corp.example.com/?uri=https://verify.corp.example.com"
- "traefik.http.routers.verify.middlewares=test-auth@docker"
```
@ -1044,7 +1044,7 @@ Requires setting [Google Cloud Serverless Authentication Service Account](./#goo
- `yaml`/`json` setting: `from`
- Type: `URL` (must contain a scheme and hostname, must not contain a path)
- Required
- Example: `https://httpbin.corp.example.com`
- Example: `https://verify.corp.example.com`
`From` is the externally accessible source of the proxied request.
@ -1200,13 +1200,13 @@ See [ProxyPreserveHost](http://httpd.apache.org/docs/2.0/mod/mod_proxy.html#prox
Set Request Headers allows you to set static values for given request headers. This can be useful if you want to pass along additional information to downstream applications as headers, or set authentication header to the request. For example:
```yaml
- from: https://httpbin.corp.example.com
to: https://httpbin.org
- from: https://verify.corp.example.com
to: https://verify.pomerium.com
allowed_users:
- bdd@pomerium.io
set_request_headers:
# works auto-magically!
# https://httpbin.corp.example.com/basic-auth/root/hunter42
# https://verify.corp.example.com/basic-auth/root/hunter42
Authorization: Basic cm9vdDpodW50ZXI0Mg==
X-Your-favorite-authenticating-Proxy: "Pomerium"
```
@ -1220,8 +1220,8 @@ Set Request Headers allows you to set static values for given request headers. T
Remove Request Headers allows you to remove given request headers. This can be useful if you want to prevent privacy information from being passed to downstream applications. For example:
```yaml
- from: https://httpbin.corp.example.com
to: https://httpbin.org
- from: https://verify.corp.example.com
to: https://verify.pomerium.com
allowed_users:
- bdd@pomerium.io
remove_request_headers:
@ -1234,7 +1234,7 @@ Remove Request Headers allows you to remove given request headers. This can be u
- `yaml`/`json` setting: `to`
- Type: `URL` (must contain a scheme and hostname)
- Required
- Example: `http://httpbin` , `https://192.1.20.12:8080`, `http://neverssl.com`, `https://httpbin.org/anything/`
- Example: `http://verify` , `https://192.1.20.12:8080`, `http://neverssl.com`, `https://verify.org/anything/`
`To` is the destination of a proxied request. It can be an internal resource, or an external resource.
@ -1245,20 +1245,20 @@ Be careful with trailing slash.
With rule:
```yaml
- from: https://httpbin.corp.example.com
to: https://httpbin.org/anything
- from: https://verify.corp.example.com
to: https://verify.pomerium.com/anything
```
Requests to `https://httpbin.corp.example.com` will be forwarded to `https://httpbin.org/anything`, while requests to `https://httpbin.corp.example.com/foo` will be forwarded to `https://httpbin.org/anythingfoo`.To make the request forwarded to `https://httbin.org/anything/foo`, you can use double slashes in your request `https://httbin.corp.example.com//foo`.
Requests to `https://verify.corp.example.com` will be forwarded to `https://verify.org/anything`, while requests to `https://verify.corp.example.com/foo` will be forwarded to `https://verify.org/anythingfoo`.To make the request forwarded to `https://httbin.org/anything/foo`, you can use double slashes in your request `https://httbin.corp.example.com//foo`.
While the rule:
```yaml
- from: https://httpbin.corp.example.com
to: https://httpbin.org/anything/
- from: https://verify.corp.example.com
to: https://verify.pomerium.com/anything/
```
All requests to `https://httpbin.corp.example.com/*` will be forwarded to `https://httpbin.org/anything/*`. That means accessing to `https://httpbin.corp.example.com` will be forwarded to `https://httpbin.org/anything/`. That said, if your application does not handle trailing slash, the request will end up with 404 not found.
All requests to `https://verify.corp.example.com/*` will be forwarded to `https://verify.org/anything/*`. That means accessing to `https://verify.corp.example.com` will be forwarded to `https://verify.org/anything/`. That said, if your application does not handle trailing slash, the request will end up with 404 not found.
:::
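Review bot: This file is inconsistent with the `settings.yaml` change in the same commit: the log samples (`to=https://verify.org`), the `to` example (`https://verify.org/anything/`) and the trailing-slash prose (`https://verify.org/anything`) use `verify.org`, while the rule blocks directly above them and the corresponding `settings.yaml` text use `https://verify.pomerium.com`. A reader following the prose would configure an upstream that is not the verify service. If the reference readme is generated from `settings.yaml`, regenerate it; otherwise replace every `verify.org` here with `verify.pomerium.com`. The pre-existing `httbin.org` / `httbin.corp.example.com` typos in the double-slash sentence also survived the rename and still point at a non-existent host.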


@ -175,8 +175,8 @@ settings:
certificates:
- cert: "$HOME/.acme.sh/authenticate.example.com_ecc/fullchain.cer"
key: "$HOME/.acme.sh/authenticate.example.com_ecc/authenticate.example.com.key"
- cert: "$HOME/.acme.sh/httpbin.example.com_ecc/fullchain.cer"
key: "$HOME/.acme.sh/httpbin.example.com_ecc/httpbin.example.com.key"
- cert: "$HOME/.acme.sh/verify.example.com_ecc/fullchain.cer"
key: "$HOME/.acme.sh/verify.example.com_ecc/verify.example.com.key"
- cert: "$HOME/.acme.sh/prometheus.example.com_ecc/fullchain.cer"
key: "$HOME/.acme.sh/prometheus.example.com_ecc/prometheus.example.com.key"
```
@ -290,7 +290,7 @@ settings:
```
10:37AM INF cmd/pomerium version=v0.0.1-dirty+ede4124
10:37AM INF proxy: new route from=httpbin.localhost.pomerium.io to=https://httpbin.org
10:37AM INF proxy: new route from=verify.localhost.pomerium.io to=https://verify.pomerium.com
10:37AM INF proxy: new route from=ssl.localhost.pomerium.io to=http://neverssl.com
10:37AM INF proxy/authenticator: grpc connection OverrideCertificateName= addr=auth.localhost.pomerium.io:443
```
@ -299,7 +299,7 @@ settings:
```
{"level":"info","version":"v0.0.1-dirty+ede4124","time":"2019-02-18T10:41:03-08:00","message":"cmd/pomerium"}
{"level":"info","from":"httpbin.localhost.pomerium.io","to":"https://httpbin.org","time":"2019-02-18T10:41:03-08:00","message":"proxy: new route"}
{"level":"info","from":"verify.localhost.pomerium.io","to":"https://verify.pomerium.com","time":"2019-02-18T10:41:03-08:00","message":"proxy: new route"}
{"level":"info","from":"ssl.localhost.pomerium.io","to":"http://neverssl.com","time":"2019-02-18T10:41:03-08:00","message":"proxy: new route"}
{"level":"info","OverrideCertificateName":"","addr":"auth.localhost.pomerium.io:443","time":"2019-02-18T10:41:03-08:00","message":"proxy/authenticator: grpc connection"}
```
@ -331,7 +331,7 @@ settings:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: httpbin
name: verify
annotations:
kubernetes.io/ingress.class: "nginx"
certmanager.k8s.io/issuer: "letsencrypt-prod"
@ -340,15 +340,15 @@ settings:
spec:
tls:
- hosts:
- httpbin.corp.example.com
- verify.corp.example.com
secretName: quickstart-example-tls
rules:
- host: httpbin.corp.example.com
- host: verify.corp.example.com
http:
paths:
- path: /
backend:
serviceName: httpbin
serviceName: verify
servicePort: 80
```
@ -377,15 +377,15 @@ settings:
volumes:
# So that Traefik can listen to the Docker events
- /var/run/docker.sock:/var/run/docker.sock
httpbin:
verify:
# A container that exposes an API to show its IP address
image: kennethreitz/httpbin:latest
image: pomerium/verify:latest
labels:
- "traefik.http.routers.httpbin.rule=Host(`httpbin.corp.example.com`)"
- "traefik.http.routers.verify.rule=Host(`verify.corp.example.com`)"
# Create a middleware named `foo-add-prefix`
- "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders=X-Pomerium-Authenticated-User-Email,x-pomerium-authenticated-user-id,x-pomerium-authenticated-user-groups,x-pomerium-jwt-assertion"
- "traefik.http.middlewares.test-auth.forwardauth.address=http://forwardauth.corp.example.com/?uri=https://httpbin.corp.example.com"
- "traefik.http.routers.httpbin.middlewares=test-auth@docker"
- "traefik.http.middlewares.test-auth.forwardauth.address=http://forwardauth.corp.example.com/?uri=https://verify.corp.example.com"
- "traefik.http.routers.verify.middlewares=test-auth@docker"
```
shortdoc: |
Forward authentication creates an endpoint that can be used with third-party proxies.
@ -1160,7 +1160,7 @@ settings:
- `yaml`/`json` setting: `from`
- Type: `URL` (must contain a scheme and hostname, must not contain a path)
- Required
- Example: `https://httpbin.corp.example.com`
- Example: `https://verify.corp.example.com`
doc: |
`From` is the externally accessible source of the proxied request.
- name: "Kubernetes Service Account Token"
@ -1326,13 +1326,13 @@ settings:
Set Request Headers allows you to set static values for given request headers. This can be useful if you want to pass along additional information to downstream applications as headers, or set authentication header to the request. For example:
```yaml
- from: https://httpbin.corp.example.com
to: https://httpbin.org
- from: https://verify.corp.example.com
to: https://verify.pomerium.com
allowed_users:
- bdd@pomerium.io
set_request_headers:
# works auto-magically!
# https://httpbin.corp.example.com/basic-auth/root/hunter42
# https://verify.corp.example.com/basic-auth/root/hunter42
Authorization: Basic cm9vdDpodW50ZXI0Mg==
X-Your-favorite-authenticating-Proxy: "Pomerium"
```
@ -1346,8 +1346,8 @@ settings:
Remove Request Headers allows you to remove given request headers. This can be useful if you want to prevent privacy information from being passed to downstream applications. For example:
```yaml
- from: https://httpbin.corp.example.com
to: https://httpbin.org
- from: https://verify.corp.example.com
to: https://verify.pomerium.com
allowed_users:
- bdd@pomerium.io
remove_request_headers:
@ -1360,7 +1360,7 @@ settings:
- `yaml`/`json` setting: `to`
- Type: `URL` (must contain a scheme and hostname)
- Required
- Example: `http://httpbin` , `https://192.1.20.12:8080`, `http://neverssl.com`, `https://httpbin.org/anything/`
- Example: `http://verify` , `https://192.1.20.12:8080`, `http://neverssl.com`, `https://verify.pomerium.com/anything/`
doc: |
`To` is the destination of a proxied request. It can be an internal resource, or an external resource.
@ -1371,20 +1371,20 @@ settings:
With rule:
```yaml
- from: https://httpbin.corp.example.com
to: https://httpbin.org/anything
- from: https://verify.corp.example.com
to: https://verify.pomerium.com/anything
```
Requests to `https://httpbin.corp.example.com` will be forwarded to `https://httpbin.org/anything`, while requests to `https://httpbin.corp.example.com/foo` will be forwarded to `https://httpbin.org/anythingfoo`.To make the request forwarded to `https://httbin.org/anything/foo`, you can use double slashes in your request `https://httbin.corp.example.com//foo`.
Requests to `https://verify.corp.example.com` will be forwarded to `https://verify.pomerium.com/anything`, while requests to `https://verify.corp.example.com/foo` will be forwarded to `https://verify.pomerium.com/anythingfoo`.To make the request forwarded to `https://httbin.org/anything/foo`, you can use double slashes in your request `https://httbin.corp.example.com//foo`.
While the rule:
```yaml
- from: https://httpbin.corp.example.com
to: https://httpbin.org/anything/
- from: https://verify.corp.example.com
to: https://verify.pomerium.com/anything/
```
All requests to `https://httpbin.corp.example.com/*` will be forwarded to `https://httpbin.org/anything/*`. That means accessing to `https://httpbin.corp.example.com` will be forwarded to `https://httpbin.org/anything/`. That said, if your application does not handle trailing slash, the request will end up with 404 not found.
All requests to `https://verify.corp.example.com/*` will be forwarded to `https://verify.pomerium.com/anything/*`. That means accessing to `https://verify.corp.example.com` will be forwarded to `https://verify.pomerium.com/anything/`. That said, if your application does not handle trailing slash, the request will end up with 404 not found.
:::
- name: "TLS Skip Verification"
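Review bot: The trailing-slash paragraph in the `to` setting's doc was only partially renamed: the new text still says `https://httbin.org/anything/foo` and `https://httbin.corp.example.com//foo`, a pre-existing typo that now also disagrees with the `verify.pomerium.com` / `verify.corp.example.com` hosts used in the same sentence. Change them to `https://verify.pomerium.com/anything/foo` and `https://verify.corp.example.com//foo`. The `# https://verify.corp.example.com/basic-auth/root/hunter42` comment under Set Request Headers references an httpbin-specific basic-auth endpoint; whether the verify service serves that path is not shown here and should be confirmed, or the comment reworded, before the generated reference is regenerated from this file.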


@ -28,6 +28,6 @@ This demo includes a Cloud Run target configured to only accept requests from th
- Deploy config.yaml to Secret Manager
- Deploy the demo hello world app
- Deploy pomerium with policy
- Navigate to `https://httpbin.cloudrun.pomerium.io`
- Navigate to `https://verify.cloudrun.pomerium.io`
- Navigate to `https://hello-direct.cloudrun.pomerium.io`
- Navigate to `https://hello.cloudrun.pomerium.io`


@ -4,8 +4,8 @@
allowed_domains:
- gmail.com
enable_google_cloud_serverless_authentication: true
- from: https://httpbin.cloudrun.pomerium.io
to: https://httpbin.org
- from: https://verify.cloudrun.pomerium.io
to: https://verify.pomerium.com
pass_identity_headers: true
allowed_domains:
- gmail.com


@ -75,7 +75,7 @@ authenticate_service_url: https://authenticate.localhost.pomerium.io
# Proxied routes and per-route policies are defined in a policy block
policy:
- from: https://httpbin.localhost.pomerium.io
- from: https://verify.localhost.pomerium.io
to: http://httpbin
allowed_domains:
- pomerium.io
@ -83,8 +83,8 @@ policy:
timeout: 30s
pass_identity_headers: true
- from: https://external-httpbin.localhost.pomerium.io
to: https://httpbin.org
- from: https://external-verify.localhost.pomerium.io
to: https://verify.pomerium.com
allowed_domains:
- gmail.com
pass_identity_headers: true
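Review bot: The upstream on the `to:` line right after the renamed `from: https://verify.localhost.pomerium.io` still reads `to: http://httpbin`, while the compose files and the nginx config in this same commit rename the backing service from `httpbin` to `verify` (`proxy_pass http://verify;`), so if this config is paired with one of those compose files the route will point at a service name that no longer resolves. The line should follow the rename, `to: http://verify`, unless a separate service named httpbin is still defined elsewhere, which I cannot see from here. The same stale upstream is left in the Kubernetes config (`to: http://httpbin.default.svc.cluster.local:8000`) and in the two forward-auth configs further down (`to: https://httpbin`).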


@ -19,8 +19,8 @@ cookie_secret: WwMtDXWaRDMBQCylle8OJ+w4kLIDIGd8W3cB4/zFFtg=
# https://www.pomerium.io/configuration/#policy
policy:
- from: https://httpbin.localhost.pomerium.io
to: https://httpbin.org
- from: https://verify.localhost.pomerium.io
to: https://verify.pomerium.com
allowed_users:
- bdd@pomerium.io
pass_identity_headers: true


@ -8,14 +8,14 @@
# Proxied routes and per-route policies are defined in a policy block
# NOTA BENE: You must uncomment the below 'policy' key if you are loading policy as a file.
# policy:
- from: https://httpbin.localhost.pomerium.io
- from: https://verify.localhost.pomerium.io
to: http://localhost:8000
allowed_domains:
- pomerium.io
cors_allow_preflight: true
timeout: 30s
- from: https://external-httpbin.localhost.pomerium.io
to: https://httpbin.org
- from: https://external-verify.localhost.pomerium.io
to: https://verify.pomerium.com
allowed_domains:
- gmail.com
- from: https://weirdlyssl.localhost.pomerium.io


@ -11,8 +11,8 @@ services:
ports:
- 443:443
# https://httpbin.corp.beyondperimeter.com --> Pomerium --> http://httpbin
httpbin:
image: kennethreitz/httpbin:latest
# https://verify.corp.beyondperimeter.com --> Pomerium --> http://verify
verify:
image: pomerium/verify:latest
expose:
- 80


@ -14,8 +14,8 @@ services:
ports:
- 443:443
# https://httpbin.corp.beyondperimeter.com --> Pomerium --> http://httpbin
httpbin:
image: kennethreitz/httpbin:latest
# https://verify.corp.beyondperimeter.com --> Pomerium --> http://verify
verify:
image: pomerium/verify:latest
expose:
- 80


@ -91,9 +91,9 @@ services:
expose:
- 443
# https://httpbin.corp.beyondperimeter.com
httpbin:
image: kennethreitz/httpbin:latest
# https://verify.corp.beyondperimeter.com
verify:
image: pomerium/verify:latest
expose:
- 80
# https://hello.corp.beyondperimeter.com


@ -18,7 +18,7 @@ idp_client_secret: "REPLACE_ME"
idp_service_account: YOUR_SERVICE_ACCOUNT
policy:
- from: https://httpbin.localhost.pomerium.io
- from: https://verify.localhost.pomerium.io
to: http://httpbin.default.svc.cluster.local:8000
allowed_domains:
- gmail.com


@ -25,8 +25,8 @@ policy:
tls_client_cert_file: "/Users/bdd/examples/mutual-tls/out/pomerium.crt"
tls_client_key_file: "/Users/bdd/examples/mutual-tls/out/pomerium.key"
- from: https://httpbin.corp.domain.example
to: https://httpbin.org
- from: https://verify.corp.domain.example
to: https://verify.pomerium.com
allow_public_unauthenticated_access: true
```


@ -19,6 +19,6 @@ policy:
# pomerium.key
tls_client_key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcGdJQkFBS0NBUUVBNjdLanFtUVlHcTBNVnRBQ1ZwZUNtWG1pbmxRYkRQR0xtc1pBVUV3dWVIUW5ydDNXCnR2cERPbTZBbGFKTVVuVytIdTU1ampva2FsS2VWalRLbWdZR2JxVXpWRG9NYlBEYUhla2x0ZEJUTUdsT1VGc1AKNFVKU0RyTzR6ZE4rem80MjhUWDJQbkcyRkNkVktHeTRQRThpbEhiV0xjcjg3MVlqVjUxZnc4Q0xEWDlQWkpOdQo4NjFDRjdWOWlFSm02c1NmUWxtbmhOOGozK1d6VmJQUU55MVdzUjdpOWU5ajYzRXFLdDIyUTlPWEwrV0FjS3NrCm9JU21DTlZSVUFqVThZUlZjZ1FKQit6UTM0QVFQbHowT3A1Ty9RTi9NZWRqYUY4d0xTK2l2L3p2aVM4Y3FQYngKbzZzTHE2Rk5UbHRrL1FreGVDZUtLVFFlLzNrUFl2UUFkbmw2NVFJREFRQUJBb0lCQVFEQVQ0eXN2V2pSY3pxcgpKcU9SeGFPQTJEY3dXazJML1JXOFhtQWhaRmRTWHV2MkNQbGxhTU1yelBmTG41WUlmaHQzSDNzODZnSEdZc3pnClo4aWJiYWtYNUdFQ0t5N3lRSDZuZ3hFS3pRVGpiampBNWR3S0h0UFhQUnJmamQ1Y2FMczVpcDcxaWxCWEYxU3IKWERIaXUycnFtaC9kVTArWGRMLzNmK2VnVDl6bFQ5YzRyUm84dnZueWNYejFyMnVhRVZ2VExsWHVsb2NpeEVrcgoySjlTMmxveWFUb2tFTnNlMDNpSVdaWnpNNElZcVowOGJOeG9IWCszQXVlWExIUStzRkRKMlhaVVdLSkZHMHUyClp3R2w3YlZpRTFQNXdiQUdtZzJDeDVCN1MrdGQyUEpSV3Frb2VxY3F2RVdCc3RFL1FEcDFpVThCOHpiQXd0Y3IKZHc5TXZ6Q2hBb0dCQVBObzRWMjF6MGp6MWdEb2tlTVN5d3JnL2E4RkJSM2R2Y0xZbWV5VXkybmd3eHVucnFsdwo2U2IrOWdrOGovcXEvc3VQSDhVdzNqSHNKYXdGSnNvTkVqNCt2b1ZSM3UrbE5sTEw5b21rMXBoU0dNdVp0b3huCm5nbUxVbkJUMGI1M3BURkJ5WGsveE5CbElreWdBNlg5T2MreW5na3RqNlRyVnMxUERTdnVJY0s1QW9HQkFQZmoKcEUzR2F6cVFSemx6TjRvTHZmQWJBdktCZ1lPaFNnemxsK0ZLZkhzYWJGNkdudFd1dWVhY1FIWFpYZTA1c2tLcApXN2xYQ3dqQU1iUXI3QmdlazcrOSszZElwL1RnYmZCYnN3Syt6Vng3Z2doeWMrdytXRWExaHByWTZ6YXdxdkFaCkhRU2lMUEd1UGp5WXBQa1E2ZFdEczNmWHJGZ1dlTmd4SkhTZkdaT05Bb0dCQUt5WTF3MUM2U3Y2c3VuTC8vNTcKQ2Z5NTAwaXlqNUZBOWRqZkRDNWt4K1JZMnlDV0ExVGsybjZyVmJ6dzg4czBTeDMrYS9IQW1CM2dMRXBSRU5NKwo5NHVwcENFWEQ3VHdlcGUxUnlrTStKbmp4TzlDSE41c2J2U25sUnBQWlMvZzJRTVhlZ3grK2trbkhXNG1ITkFyCndqMlRrMXBBczFXbkJ0TG9WaGVyY01jSkFvR0JBSTYwSGdJb0Y5SysvRUcyY21LbUg5SDV1dGlnZFU2eHEwK0IKWE0zMWMzUHE0amdJaDZlN3pvbFRxa2d0dWtTMjBraE45dC9ibkI2TmhnK1N1WGVwSXFWZldVUnlMejVwZE9ESgo2V1BMTTYzcDdCR3cwY3RPbU1NYi9VRm5Yd0U4OHlzRlNnOUF6VjdVVUQvU0lDYkI5ZHRVMWh4SHJJK0pZRWdWCkFrZWd6N2lCQW9HQkFJRncrQVFJZUIwM01U
L0lCbGswNENQTDJEak0rNDhoVGRRdjgwMDBIQU9mUWJrMEVZUDEKQ2FLR3RDbTg2MXpBZjBzcS81REtZQ0l6OS9HUzNYRk00Qm1rRk9nY1NXVENPNmZmTGdLM3FmQzN4WDJudlpIOQpYZGNKTDQrZndhY0x4c2JJKzhhUWNOVHRtb3pkUjEzQnNmUmIrSGpUL2o3dkdrYlFnSkhCT0syegotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
- from: https://httpbin.corp.domain.example
to: https://httpbin.org
- from: https://verify.corp.domain.example
to: https://verify.pomerium.com
allow_public_unauthenticated_access: true


@ -12,6 +12,6 @@ Run this demo locally on your docker-compose capable workstation, or replace `lo
- Update `config.yaml` for your e-mail address, if not using gmail/google.
- Replace secrets in `config.yaml`.
- Run `docker-compose up` from this directory.
- Navigate to `https://httpbin.localhost.pomerium.io`
- Navigate to `https://verify.localhost.pomerium.io`
- ???
- Profit


@ -14,7 +14,7 @@ forward_auth_url: http://fwdauth.localhost.pomerium.io
authenticate_service_url: https://authenticate.localhost.pomerium.io
policy:
- from: https://httpbin.localhost.pomerium.io
- from: https://verify.localhost.pomerium.io
to: https://httpbin
allowed_domains:
- pomerium.com


@ -11,14 +11,14 @@ services:
- "80:80"
- "443:443"
volumes:
- ./httpbin.conf:/etc/nginx/conf.d/httpbin.conf
- ./verify.conf:/etc/nginx/conf.d/verify.conf
- ./pomerium.conf:/etc/nginx/conf.d/pomerium.conf
- ./_wildcard.localhost.pomerium.io.pem:/etc/nginx/nginx.pem
- ./_wildcard.localhost.pomerium.io-key.pem:/etc/nginx/nginx-key.pem
- ./proxy.conf:/etc/nginx/proxy.conf
httpbin:
image: kennethreitz/httpbin:latest
verify:
image: pomerium/verify
expose:
- 80
pomerium:
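Review bot: The image reference `image: pomerium/verify` in this compose file carries no tag, while the other compose files touched by this commit write `pomerium/verify:latest`; both resolve to a floating tag, so the example is not reproducible and silently picks up whatever is published next. For consistency across the examples write `image: pomerium/verify:latest`, or better pin a version or digest, e.g. `image: pomerium/verify:<pinned-version>` (placeholder). The nginx volume mount above this service now references `./verify.conf`, which matches the renamed nginx config in this commit.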


@ -3,7 +3,7 @@ server {
listen 80;
listen 443 ssl http2;
server_name httpbin.localhost.pomerium.io;
server_name verify.localhost.pomerium.io;
ssl_certificate /etc/nginx/nginx.pem;
ssl_certificate_key /etc/nginx/nginx-key.pem;
@ -57,7 +57,7 @@ server {
}
location / {
proxy_pass http://httpbin;
proxy_pass http://verify;
include /etc/nginx/proxy.conf;
# If we get a 401, respond with a named location


@ -12,6 +12,6 @@ Run this demo locally on your docker-compose capable workstation, or replace `lo
- Update `config.yaml` for your e-mail address, if not using gmail/google.
- Replace secrets in `config.yaml`.
- Run `docker-compose up` from this directory.
- Navigate to `https://httpbin.localhost.pomerium.io`
- Navigate to `https://verify.localhost.pomerium.io`
- ???
- Profit


@ -15,7 +15,7 @@ authenticate_service_url: https://authenticate.localhost.pomerium.io
jwt_claims_headers: email,groups,user
policy:
- from: https://httpbin.localhost.pomerium.io
- from: https://verify.localhost.pomerium.io
to: https://httpbin
allowed_domains:
- pomerium.io


@ -18,18 +18,18 @@ services:
volumes:
- /var/run/docker.sock:/var/run/docker.sock
httpbin:
image: kennethreitz/httpbin:latest
verify:
image: pomerium/verify:latest
labels:
- "traefik.http.middlewares.pomerium.forwardauth.authResponseHeaders=X-Pomerium-Claim-Email,X-Pomerium-Claim-User,X-Pomerium-Claim-Groups,X-Pomerium-Jwt-Assertion"
- "traefik.http.middlewares.pomerium.forwardauth.address=http://pomerium/"
- "traefik.http.middlewares.pomerium.forwardauth.trustForwardHeader=true"
- "traefik.http.routers.httpbin.middlewares=pomerium@docker"
- "traefik.http.routers.verify.middlewares=pomerium@docker"
- "traefik.enable=true"
- "traefik.http.routers.httpbin.rule=Host(`httpbin.localhost.pomerium.io`)"
- "traefik.http.routers.httpbin.entrypoints=websecure"
- "traefik.http.routers.httpbin.tls=true"
- "traefik.http.routers.verify.rule=Host(`verify.localhost.pomerium.io`)"
- "traefik.http.routers.verify.entrypoints=websecure"
- "traefik.http.routers.verify.tls=true"
pomerium:
image: pomerium/pomerium:latest


@ -14,7 +14,7 @@ done = False
parser = argparse.ArgumentParser()
parser.add_argument("--login", action="store_true")
parser.add_argument(
"--dst", default="https://httpbin.example.com/headers",
"--dst", default="https://verify.example.com/json",
)
parser.add_argument("--server", default="localhost", type=str)
parser.add_argument("--port", default=8000, type=int)