3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-06-05 04:13:11 +02:00
Code Issues Projects Releases Packages Wiki Activity

nginx: fix docs (#1691)

Browse source 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
This commit is contained in:
bobby 2020-12-15 13:25:46 -08:00 committed by GitHub
parent 931c87d85c
commit d3c697d3e4
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
12 changed files with 51 additions and 32 deletions
Download patch file Download diff file Expand all files Collapse all files

14
docs/reference/readme.md
View file

@ -181,7 +181,7 @@ Secret used to encrypt and sign session cookies. You can generate a random key w
- Environmental Variable: `COOKIE_DOMAIN` - Environmental Variable: `COOKIE_DOMAIN`
- Config File Key: `cookie_domain` - Config File Key: `cookie_domain`
- Type: `string` - Type: `string`
- Example: `corp.beyondperimeter.com` - Example: `localhost.pomerium.io`
- Optional - Optional
The scope of session cookies issued by Pomerium. The scope of session cookies issued by Pomerium.
@ -244,18 +244,18 @@ For example, if `true`
``` ```
10:37AM INF cmd/pomerium version=v0.0.1-dirty+ede4124 10:37AM INF cmd/pomerium version=v0.0.1-dirty+ede4124
10:37AM INF proxy: new route from=httpbin.corp.beyondperimeter.com to=https://httpbin.org 10:37AM INF proxy: new route from=httpbin.localhost.pomerium.io to=https://httpbin.org
10:37AM INF proxy: new route from=ssl.corp.beyondperimeter.com to=http://neverssl.com 10:37AM INF proxy: new route from=ssl.localhost.pomerium.io to=http://neverssl.com
10:37AM INF proxy/authenticator: grpc connection OverrideCertificateName= addr=auth.corp.beyondperimeter.com:443 10:37AM INF proxy/authenticator: grpc connection OverrideCertificateName= addr=auth.localhost.pomerium.io:443
``` ```
If `false` If `false`
``` ```
{"level":"info","version":"v0.0.1-dirty+ede4124","time":"2019-02-18T10:41:03-08:00","message":"cmd/pomerium"} {"level":"info","version":"v0.0.1-dirty+ede4124","time":"2019-02-18T10:41:03-08:00","message":"cmd/pomerium"}
{"level":"info","from":"httpbin.corp.beyondperimeter.com","to":"https://httpbin.org","time":"2019-02-18T10:41:03-08:00","message":"proxy: new route"} {"level":"info","from":"httpbin.localhost.pomerium.io","to":"https://httpbin.org","time":"2019-02-18T10:41:03-08:00","message":"proxy: new route"}
{"level":"info","from":"ssl.corp.beyondperimeter.com","to":"http://neverssl.com","time":"2019-02-18T10:41:03-08:00","message":"proxy: new route"} {"level":"info","from":"ssl.localhost.pomerium.io","to":"http://neverssl.com","time":"2019-02-18T10:41:03-08:00","message":"proxy: new route"}
{"level":"info","OverrideCertificateName":"","addr":"auth.corp.beyondperimeter.com:443","time":"2019-02-18T10:41:03-08:00","message":"proxy/authenticator: grpc connection"} {"level":"info","OverrideCertificateName":"","addr":"auth.localhost.pomerium.io:443","time":"2019-02-18T10:41:03-08:00","message":"proxy/authenticator: grpc connection"}
``` ```

14
docs/reference/settings.yaml
View file

@ -219,7 +219,7 @@ settings:
- Environmental Variable: `COOKIE_DOMAIN` - Environmental Variable: `COOKIE_DOMAIN`
- Config File Key: `cookie_domain` - Config File Key: `cookie_domain`
- Type: `string` - Type: `string`
- Example: `corp.beyondperimeter.com` - Example: `localhost.pomerium.io`
- Optional - Optional
doc: | doc: |
The scope of session cookies issued by Pomerium. The scope of session cookies issued by Pomerium.
@ -290,18 +290,18 @@ settings:
``` ```
10:37AM INF cmd/pomerium version=v0.0.1-dirty+ede4124 10:37AM INF cmd/pomerium version=v0.0.1-dirty+ede4124
10:37AM INF proxy: new route from=httpbin.corp.beyondperimeter.com to=https://httpbin.org 10:37AM INF proxy: new route from=httpbin.localhost.pomerium.io to=https://httpbin.org
10:37AM INF proxy: new route from=ssl.corp.beyondperimeter.com to=http://neverssl.com 10:37AM INF proxy: new route from=ssl.localhost.pomerium.io to=http://neverssl.com
10:37AM INF proxy/authenticator: grpc connection OverrideCertificateName= addr=auth.corp.beyondperimeter.com:443 10:37AM INF proxy/authenticator: grpc connection OverrideCertificateName= addr=auth.localhost.pomerium.io:443
``` ```
If `false` If `false`
``` ```
{"level":"info","version":"v0.0.1-dirty+ede4124","time":"2019-02-18T10:41:03-08:00","message":"cmd/pomerium"} {"level":"info","version":"v0.0.1-dirty+ede4124","time":"2019-02-18T10:41:03-08:00","message":"cmd/pomerium"}
{"level":"info","from":"httpbin.corp.beyondperimeter.com","to":"https://httpbin.org","time":"2019-02-18T10:41:03-08:00","message":"proxy: new route"} {"level":"info","from":"httpbin.localhost.pomerium.io","to":"https://httpbin.org","time":"2019-02-18T10:41:03-08:00","message":"proxy: new route"}
{"level":"info","from":"ssl.corp.beyondperimeter.com","to":"http://neverssl.com","time":"2019-02-18T10:41:03-08:00","message":"proxy: new route"} {"level":"info","from":"ssl.localhost.pomerium.io","to":"http://neverssl.com","time":"2019-02-18T10:41:03-08:00","message":"proxy: new route"}
{"level":"info","OverrideCertificateName":"","addr":"auth.corp.beyondperimeter.com:443","time":"2019-02-18T10:41:03-08:00","message":"proxy/authenticator: grpc connection"} {"level":"info","OverrideCertificateName":"","addr":"auth.localhost.pomerium.io:443","time":"2019-02-18T10:41:03-08:00","message":"proxy/authenticator: grpc connection"}
``` ```
shortdoc: | shortdoc: |
Debug enables colored, human-readable logs to be streamed to standard out. Debug enables colored, human-readable logs to be streamed to standard out.

13
examples/config/config.example.yaml
View file

@ -5,7 +5,7 @@
# service: "all" # optional, default is all # service: "all" # optional, default is all
# log_level: info # optional, default is debug # log_level: info # optional, default is debug
authenticate_service_url: https://authenticate.corp.beyondperimeter.com authenticate_service_url: https://authenticate.localhost.pomerium.io
# authorize service url will default to localhost in all-in-one mode, otherwise # authorize service url will default to localhost in all-in-one mode, otherwise
# it should be set to a "behind-the-ingress" routable url # it should be set to a "behind-the-ingress" routable url
# authorize_service_url: https://pomerium-authorize-service.default.svc.cluster.local # authorize_service_url: https://pomerium-authorize-service.default.svc.cluster.local
@ -75,17 +75,22 @@ authenticate_service_url: https://authenticate.corp.beyondperimeter.com
# Proxied routes and per-route policies are defined in a policy block # Proxied routes and per-route policies are defined in a policy block
policy: policy:
- from: https://httpbin.corp.beyondperimeter.com - from: https://httpbin.localhost.pomerium.io
to: http://httpbin to: http://httpbin
allowed_domains: allowed_domains:
- pomerium.io - pomerium.io
cors_allow_preflight: true cors_allow_preflight: true
timeout: 30s timeout: 30s
- from: https://external-httpbin.corp.beyondperimeter.com pass_identity_headers: true
- from: https://external-httpbin.localhost.pomerium.io
to: https://httpbin.org to: https://httpbin.org
allowed_domains: allowed_domains:
- gmail.com - gmail.com
- from: https://hello.corp.beyondperimeter.com pass_identity_headers: true
- from: https://hello.localhost.pomerium.io
to: http://hello:8080 to: http://hello:8080
allowed_groups: allowed_groups:
- admins@pomerium.io - admins@pomerium.io
pass_identity_headers: true

1
examples/config/config.minimal.yaml
View file

@ -23,3 +23,4 @@ policy:
to: https://httpbin.org to: https://httpbin.org
allowed_users: allowed_users:
- bdd@pomerium.io - bdd@pomerium.io
pass_identity_headers: true

8
examples/config/policy.example.yaml
View file

@ -8,24 +8,24 @@
# Proxied routes and per-route policies are defined in a policy block # Proxied routes and per-route policies are defined in a policy block
# NOTA BENE: You must uncomment the below 'policy' key if you are loading policy as a file. # NOTA BENE: You must uncomment the below 'policy' key if you are loading policy as a file.
# policy: # policy:
- from: https://httpbin.corp.beyondperimeter.com - from: https://httpbin.localhost.pomerium.io
to: http://localhost:8000 to: http://localhost:8000
allowed_domains: allowed_domains:
- pomerium.io - pomerium.io
cors_allow_preflight: true cors_allow_preflight: true
timeout: 30s timeout: 30s
- from: https://external-httpbin.corp.beyondperimeter.com - from: https://external-httpbin.localhost.pomerium.io
to: https://httpbin.org to: https://httpbin.org
allowed_domains: allowed_domains:
- gmail.com - gmail.com
- from: https://weirdlyssl.corp.beyondperimeter.com - from: https://weirdlyssl.localhost.pomerium.io
to: http://neverssl.com to: http://neverssl.com
allowed_users: allowed_users:
- bdd@pomerium.io - bdd@pomerium.io
allowed_groups: allowed_groups:
- admins - admins
- developers - developers
- from: https://hello.corp.beyondperimeter.com - from: https://hello.localhost.pomerium.io
to: http://localhost:8080 to: http://localhost:8080
allowed_groups: allowed_groups:
- admins@pomerium.io - admins@pomerium.io

6
examples/kubernetes/kubernetes-config.yaml
View file

@ -4,11 +4,11 @@ grpc_insecure: true
address: ":80" address: ":80"
grpc_address: ":80" grpc_address: ":80"
authenticate_service_url: https://authenticate.corp.beyondperimeter.com authenticate_service_url: https://authenticate.localhost.pomerium.io
authorize_service_url: http://pomerium-authorize-service.default.svc.cluster.local authorize_service_url: http://pomerium-authorize-service.default.svc.cluster.local
databroker_service_url: http://pomerium-cache-service.default.svc.cluster.local databroker_service_url: http://pomerium-cache-service.default.svc.cluster.local
override_certificate_name: "*.corp.beyondperimeter.com" override_certificate_name: "*.localhost.pomerium.io"
idp_provider: google idp_provider: google
idp_client_id: REPLACE_ME.apps.googleusercontent.com idp_client_id: REPLACE_ME.apps.googleusercontent.com
@ -18,7 +18,7 @@ idp_client_secret: "REPLACE_ME"
idp_service_account: YOUR_SERVICE_ACCOUNT idp_service_account: YOUR_SERVICE_ACCOUNT
policy: policy:
- from: https://httpbin.corp.beyondperimeter.com - from: https://httpbin.localhost.pomerium.io
to: http://httpbin.default.svc.cluster.local:8000 to: http://httpbin.default.svc.cluster.local:8000
allowed_domains: allowed_domains:
- gmail.com - gmail.com

6
examples/kubernetes/values.yaml
View file

@ -5,7 +5,7 @@ authenticate:
clientSecret: YOUR_SECRET clientSecret: YOUR_SECRET
# Required for group data # Required for group data
# https://www.pomerium.com/configuration/#identity-provider-service-account # https://www.pomerium.com/configuration/#identity-provider-service-account
serviceAccount: YOUR_SERVICE_ACCOUNT serviceAccount: YOUR_SERVICE_ACCOUNT
service: service:
annotations: annotations:
cloud.google.com/app-protocols: '{"https":"HTTPS"}' cloud.google.com/app-protocols: '{"https":"HTTPS"}'
@ -20,11 +20,11 @@ service:
config: config:
policy: policy:
- from: https://hello.corp.beyondperimeter.com - from: https://hello.localhost.pomerium.io
to: http://nginx.default.svc.cluster.local:80 to: http://nginx.default.svc.cluster.local:80
allowed_domains: allowed_domains:
- gmail.com - gmail.com
ingress: ingress:
annotations: annotations:
kubernetes.io/ingress.allow-http: "false" kubernetes.io/ingress.allow-http: "false"

1
examples/nginx/config.yaml
View file

@ -19,3 +19,4 @@ policy:
allowed_domains: allowed_domains:
- pomerium.com - pomerium.com
- gmail.com - gmail.com
pass_identity_headers: true

4
examples/nginx/docker-compose.yaml
View file

@ -1,6 +1,10 @@
version: "3" version: "3"
services: services:
nginx: nginx:
# to emulate nginx-ingress behavior, use openresty which comes with 'escaped_request_uri'
# pre-compiled. Also uncomment lines marked `uncomment to emulate nginx-ingress behavior`
# in the nginx `.conf` configuration files.
# image: openresty/openresty
image: nginx image: nginx
restart: unless-stopped restart: unless-stopped
ports: ports:

11
examples/nginx/httpbin.conf
View file

@ -38,15 +38,22 @@ server {
# Pass the extracted client certificate to the auth provider # Pass the extracted client certificate to the auth provider
set $target http://pomerium/verify?uri=$scheme://$http_host$request_uri&rd=$pass_access_scheme://$http_host$escaped_request_uri; set $target http://pomerium/verify?uri=$scheme://$http_host$request_uri;
# uncomment to emulate nginx-ingress behavior
# set $target http://pomerium/verify?uri=$scheme://$http_host$request_uri&rd=$pass_access_scheme://$http_host$escaped_request_uri;
proxy_pass $target; proxy_pass $target;
} }
location @authredirect { location @authredirect {
internal; internal;
add_header Set-Cookie $auth_cookie; add_header Set-Cookie $auth_cookie;
# uncomment to emulate nginx-ingress behavior
# return 302 https://fwdauth.localhost.pomerium.io/?uri=$scheme://$host$request_uri&rd=$pass_access_scheme://$http_host$escaped_request_uri;
return 302 return 302
https://fwdauth.localhost.pomerium.io/?uri=$scheme://$host$request_uri&rd=$pass_access_scheme://$http_host$escaped_request_uri; https://fwdauth.localhost.pomerium.io/?uri=$scheme://$host$request_uri;
} }
location / { location / {

3
examples/nginx/proxy.conf
View file

@ -19,7 +19,8 @@ proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection ""; proxy_set_header Connection "";
set_escape_uri $escaped_request_uri $request_uri; # uncomment to emulate nginx-ingress
# set_escape_uri $escaped_request_uri $request_uri;
# proxy_set_header X-Request-ID $req_id; # proxy_set_header X-Request-ID $req_id;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;

2
examples/traefik/config.yaml
View file

@ -14,10 +14,10 @@ forward_auth_url: http://pomerium
authenticate_service_url: https://authenticate.localhost.pomerium.io authenticate_service_url: https://authenticate.localhost.pomerium.io
jwt_claims_headers: email,groups,user jwt_claims_headers: email,groups,user
policy: policy:
- from: https://httpbin.localhost.pomerium.io - from: https://httpbin.localhost.pomerium.io
to: https://httpbin to: https://httpbin
allowed_domains: allowed_domains:
- pomerium.io - pomerium.io
- gmail.com - gmail.com
pass_identity_headers: true