diff --git a/VERSION b/VERSION index 48080b4cf..e07d136c7 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -v0.5.0 \ No newline at end of file +v0.6.0 \ No newline at end of file diff --git a/docs/.vuepress/config.js b/docs/.vuepress/config.js index f19ecf924..55db3fb4e 100644 --- a/docs/.vuepress/config.js +++ b/docs/.vuepress/config.js @@ -28,10 +28,11 @@ module.exports = { { text: "Enterprise", link: "/enterprise/" }, { - text: "🚧Dev", // current tagged version + text: "v0.6.x", // current tagged version ariaLabel: "Version menu", items: [ { text: "🚧Dev", link: "https://master.docs.pomerium.io/docs" }, + { text: "v0.6.x", link: "https://0-6-0.docs.pomerium.io/docs" }, { text: "v0.5.x", link: "https://0-5-0.docs.pomerium.io/docs" }, { text: "v0.4.x", link: "https://0-4-0.docs.pomerium.io/docs" }, { text: "v0.3.x", link: "https://0-3-0.docs.pomerium.io/docs" }, diff --git a/docs/configuration/examples/config/config.example.env b/docs/configuration/examples/config/config.example.env index 0f0be2bfe..154a46a9f 100644 --- a/docs/configuration/examples/config/config.example.env +++ b/docs/configuration/examples/config/config.example.env @@ -11,6 +11,7 @@ export AUTHENTICATE_SERVICE_URL=https://authenticate.corp.beyondperimeter.com # AUTHORIZE_SERVICE_URL service url will default to localhost in all-in-one mode, # otherwise it should be set to a "behind-the-ingress" routable url # export AUTHORIZE_SERVICE_URL=https://pomerium-authorize-service.default.svc.cluster.local +# export CACHE_SERVICE_URL=https://pomerium-cache-service.default.svc.cluster.local # Certificates can be loaded as files or base64 encoded bytes. # See : https://www.pomerium.io/docs/reference/certificates diff --git a/docs/configuration/examples/config/config.example.yaml b/docs/configuration/examples/config/config.example.yaml index 52cc9d492..85638bc0b 100644 --- a/docs/configuration/examples/config/config.example.yaml +++ b/docs/configuration/examples/config/config.example.yaml 
@@ -9,6 +9,7 @@ authenticate_service_url: https://authenticate.corp.beyondperimeter.com # authorize service url will default to localhost in all-in-one mode, otherwise # it should be set to a "behind-the-ingress" routable url # authorize_service_url: https://pomerium-authorize-service.default.svc.cluster.local +# cache_service_url: https://pomerium-cache-service.default.svc.cluster.local # Certificates can be loaded as files or base64 encoded bytes. # certificate_file: "./cert.pem" # optional, defaults to `./cert.pem` diff --git a/docs/configuration/examples/docker/basic.docker-compose.yml b/docs/configuration/examples/docker/basic.docker-compose.yml index a72df9ac1..06745d465 100644 --- a/docs/configuration/examples/docker/basic.docker-compose.yml +++ b/docs/configuration/examples/docker/basic.docker-compose.yml @@ -1,7 +1,7 @@ version: "3" services: pomerium: - image: pomerium/pomerium:v0.5.0 + image: pomerium/pomerium:latest environment: # Generate new secret keys. e.g. `head -c32 /dev/urandom | base64` - COOKIE_SECRET=V2JBZk0zWGtsL29UcFUvWjVDWWQ2UHExNXJ0b2VhcDI= diff --git a/docs/configuration/examples/docker/nginx.docker-compose.yml b/docs/configuration/examples/docker/nginx.docker-compose.yml index 5b50b471e..598960381 100644 --- a/docs/configuration/examples/docker/nginx.docker-compose.yml +++ b/docs/configuration/examples/docker/nginx.docker-compose.yml @@ -12,7 +12,7 @@ services: - /var/run/docker.sock:/tmp/docker.sock:ro pomerium-authenticate: - image: pomerium/pomerium:v0.5.0 # or `build: .` to build from source + image: pomerium/pomerium:latest # or `build: .` to build from source restart: always environment: - SERVICES=authenticate @@ -31,6 +31,7 @@ services: - VIRTUAL_PROTO=http - VIRTUAL_HOST=authenticate.corp.beyondperimeter.com - VIRTUAL_PORT=443 + - CACHE_SERVICE_URL=http://pomerium-cache:443 volumes: - ../config/config.example.yaml:/pomerium/config.yaml:ro 
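Review bot: Replacing the pinned `pomerium/pomerium:v0.5.0` with the mutable `pomerium/pomerium:latest` in the `basic.docker-compose.yml` hunk means anyone copying the example pulls whatever was pushed most recently rather than a reviewed release; the other `nginx.docker-compose.yml` hunks make the same swap, and the Kubernetes manifests later in this commit move to `pomerium/pomerium:master`, which tracks an unreleased branch. For an identity-aware proxy example a reproducible tag is preferable, e.g. `image: pomerium/pomerium:v0.6.0` (the version this commit writes to `VERSION`), or an image digest once one is published. If the intent is that the examples on the master docs site deliberately track `latest`/`master`, a comment on the image line saying so would stop readers from carrying an unpinned tag into production.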
@@ -38,7 +39,7 @@ services: - 443 pomerium-proxy: - image: pomerium/pomerium:v0.5.0 # or `build: .` to build from source + image: pomerium/pomerium:latest # or `build: .` to build from source restart: always environment: - SERVICES=proxy @@ -60,7 +61,7 @@ services: - 443 pomerium-authorize: - image: pomerium/pomerium:v0.5.0 # or `build: .` to build from source + image: pomerium/pomerium:latest # or `build: .` to build from source restart: always environment: - SERVICES=authorize @@ -75,6 +76,21 @@ services: expose: - 443 + pomerium-cache: + image: pomerium/pomerium:latest # or `build: .` to build from source + restart: always + environment: + - SERVICES=cache + - SHARED_SECRET=aDducXQzK2tPY3R4TmdqTGhaYS80eGYxcTUvWWJDb2M= + - GRPC_INSECURE=TRUE + - GRPC_ADDRESS=:443 + volumes: + # Retrieve non-secret config keys from the config file : https://www.pomerium.io/docs/reference/reference/ + # See `config.example.yaml` and modify to fit your needs. + - ../config/config.example.yaml:/pomerium/config.yaml:ro + expose: + - 443 + # https://httpbin.corp.beyondperimeter.com httpbin: image: kennethreitz/httpbin:latest diff --git a/docs/configuration/examples/kubernetes/kubernetes-config.yaml b/docs/configuration/examples/kubernetes/kubernetes-config.yaml index 7865f520f..c6a66f7a1 100644 --- a/docs/configuration/examples/kubernetes/kubernetes-config.yaml +++ b/docs/configuration/examples/kubernetes/kubernetes-config.yaml @@ -1,9 +1,10 @@ # Main configuration flags : https://www.pomerium.io/docs/reference/reference/ -address: ":80" insecure_server: true +grpc_insecure: true authenticate_service_url: https://authenticate.corp.beyondperimeter.com authorize_service_url: https://pomerium-authorize-service.default.svc.cluster.local +cache_service_url: https://pomerium-cache-service.default.svc.cluster.local override_certificate_name: "*.corp.beyondperimeter.com" 
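Review bot: The literal `SHARED_SECRET=...` and `GRPC_INSECURE=TRUE` in the new `pomerium-cache` service (`@@ -75,6 +76,21 @@`) are presented without any indication that they are demo-only choices, even though the readme hunk in this same commit describes the cache as storing user session data. The `basic.docker-compose.yml` hunk already models the fix for the first: a comment above the secret telling the reader to generate a fresh key (it uses head -c32 /dev/urandom piped to base64). For the second I would add `# demo only: GRPC_INSECURE=TRUE sends session data between services without TLS` beside the flag, and the same caveat belongs on the `- CACHE_SERVICE_URL=http://pomerium-cache:443` line added to the authenticate service in the preceding `@@ -31,6 +31,7 @@` hunk.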
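Review bot: Dropping `address: ":80"` and adding `grpc_insecure: true` next to the existing `insecure_server: true` in the `kubernetes-config.yaml` hunk means every service now listens on the default `:443` (per the readme hunk in this commit) yet speaks plaintext HTTP and plaintext gRPC, including the session-data traffic to the new cache service. Nothing in the file says this is intentional for a demo behind a TLS-terminating ingress, and the accompanying manifests rename those ports to `https`, which invites a reader to assume TLS is in play. A comment such as `# demo only: insecure_server and grpc_insecure disable TLS for in-cluster traffic` above the two keys would make the trust boundary explicit.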
diff --git a/docs/configuration/examples/kubernetes/kubernetes_gke.sh b/docs/configuration/examples/kubernetes/kubernetes_gke.sh index af380ebbf..b346eb47b 100755 --- a/docs/configuration/examples/kubernetes/kubernetes_gke.sh +++ b/docs/configuration/examples/kubernetes/kubernetes_gke.sh @@ -5,10 +5,10 @@ # NOTE! You must change the identity provider client secret setting in your config file! echo "=> creating cluster" -gcloud container clusters create pomerium --num-nodes 2 +gcloud container clusters create pomerium --num-nodes 3 --region us-west2 echo "=> get cluster credentials so we can use kubctl locally" -gcloud container clusters get-credentials pomerium +gcloud container clusters get-credentials pomerium --region us-west2 echo "=> create config from kubernetes-config.yaml which we will mount" kubectl create configmap config --from-file="config.yaml"="kubernetes-config.yaml" @@ -32,6 +32,7 @@ echo "=> deploy pomerium proxy, authorize, and authenticate" kubectl apply -f pomerium-proxy.yml kubectl apply -f pomerium-authenticate.yml kubectl apply -f pomerium-authorize.yml +kubectl apply -f pomerium-cache.yml echo "=> deploy our test app, httpbin" kubectl apply -f httpbin.yml diff --git a/docs/configuration/examples/kubernetes/pomerium-authenticate.yml b/docs/configuration/examples/kubernetes/pomerium-authenticate.yml index 6494c7b51..82b168e0e 100644 --- a/docs/configuration/examples/kubernetes/pomerium-authenticate.yml +++ b/docs/configuration/examples/kubernetes/pomerium-authenticate.yml @@ -4,8 +4,8 @@ metadata: name: pomerium-authenticate-service spec: ports: - - port: 80 - name: http + - port: 443 + name: https selector: app: pomerium-authenticate type: NodePort 
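Review bot: In the `kubernetes_gke.sh` hunk, `gcloud container clusters create pomerium --num-nodes 3 --region us-west2` creates a regional cluster, and for regional clusters `--num-nodes` is the node count per zone, so a quick-start reader ends up with roughly three times the nodes the flag suggests (nine for a three-zone region) instead of the two the old zonal command produced. If one node per zone is enough for the demo, `--num-nodes 1` keeps the footprint close to the old one; otherwise a comment stating the expected node count would help readers budget for it. The `get-credentials` line already receives the matching `--region`, so the rest of the script is consistent with the change.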
@@ -27,13 +27,13 @@ spec: app: pomerium-authenticate spec: containers: - - image: pomerium/pomerium:v0.5.0 + - image: pomerium/pomerium:master name: pomerium-authenticate args: - --config=/etc/pomerium/config.yaml ports: - - containerPort: 80 - name: http + - containerPort: 443 + name: https protocol: TCP env: - name: SERVICES @@ -51,12 +51,12 @@ spec: readinessProbe: httpGet: path: /ping - port: 80 + port: 443 scheme: HTTP livenessProbe: httpGet: path: /ping - port: 80 + port: 443 scheme: HTTP initialDelaySeconds: 5 timeoutSeconds: 1 diff --git a/docs/configuration/examples/kubernetes/pomerium-authorize.yml b/docs/configuration/examples/kubernetes/pomerium-authorize.yml index 66bc847d6..f64f89725 100644 --- a/docs/configuration/examples/kubernetes/pomerium-authorize.yml +++ b/docs/configuration/examples/kubernetes/pomerium-authorize.yml @@ -4,7 +4,7 @@ metadata: name: pomerium-authorize-service spec: ports: - - port: 80 + - port: 443 name: grpc selector: app: pomerium-authorize @@ -27,12 +27,12 @@ spec: app: pomerium-authorize spec: containers: - - image: pomerium/pomerium:v0.5.0 + - image: pomerium/pomerium:master name: pomerium-authorize args: - --config=/etc/pomerium/config.yaml ports: - - containerPort: 80 + - containerPort: 443 name: grpc protocol: TCP env: @@ -45,12 +45,12 @@ spec: key: shared-secret readinessProbe: tcpSocket: - port: 80 + port: 443 initialDelaySeconds: 5 periodSeconds: 10 livenessProbe: tcpSocket: - port: 80 + port: 443 initialDelaySeconds: 15 periodSeconds: 20 diff --git a/docs/configuration/examples/kubernetes/pomerium-cache.yml b/docs/configuration/examples/kubernetes/pomerium-cache.yml new file mode 100644 index 000000000..0ad0e8317 --- /dev/null +++ b/docs/configuration/examples/kubernetes/pomerium-cache.yml 
@@ -0,0 +1,64 @@ +apiVersion: v1 +kind: Service +metadata: + name: pomerium-cache-service +spec: + clusterIP: None # cache is a headless service! + ports: + - port: 443 + name: grpc + selector: + app: pomerium-cache + type: ClusterIP +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: pomerium-cache + labels: + app: pomerium-cache +spec: + replicas: 1 + selector: + matchLabels: + app: pomerium-cache + template: + metadata: + labels: + app: pomerium-cache + spec: + containers: + - image: pomerium/pomerium:master + name: pomerium-cache + args: + - --config=/etc/pomerium/config.yaml + ports: + - containerPort: 443 + name: grpc + protocol: TCP + env: + - name: SERVICES + value: cache + - name: SHARED_SECRET + valueFrom: + secretKeyRef: + name: shared-secret + key: shared-secret + readinessProbe: + tcpSocket: + port: 443 + initialDelaySeconds: 5 + periodSeconds: 10 + livenessProbe: + tcpSocket: + port: 443 + initialDelaySeconds: 15 + periodSeconds: 20 + + volumeMounts: + - mountPath: /etc/pomerium/ + name: config + volumes: + - name: config + configMap: + name: config diff --git a/docs/configuration/examples/kubernetes/pomerium-proxy.yml b/docs/configuration/examples/kubernetes/pomerium-proxy.yml index b99883793..67345ef84 100644 --- a/docs/configuration/examples/kubernetes/pomerium-proxy.yml +++ b/docs/configuration/examples/kubernetes/pomerium-proxy.yml @@ -4,10 +4,10 @@ metadata: name: pomerium-proxy-service spec: ports: - - port: 80 + - port: 443 protocol: TCP - name: http - targetPort: http + name: https + targetPort: https selector: app: pomerium-proxy type: NodePort @@ -29,13 +29,13 @@ spec: app: pomerium-proxy spec: containers: - - image: pomerium/pomerium:v0.5.0 + - image: pomerium/pomerium:master name: pomerium-proxy args: - --config=/etc/pomerium/config.yaml ports: - - containerPort: 80 - name: http + - containerPort: 443 + name: https protocol: TCP env: - name: SERVICES 
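Review bot: The new `pomerium-cache.yml` exposes the cache's gRPC port 443 through a headless Service that, absent a NetworkPolicy, is reachable from any pod in the cluster, and with `grpc_insecure: true` set in `kubernetes-config.yaml` only the shared secret (presumably what `SHARED_SECRET` gates) stands between another workload and the session store. Since the readme in this commit says the cache holds user session data, the manifest should say so where operators will see it: `# cache holds user session data; restrict in-cluster access (e.g. a NetworkPolicy) to the pomerium pods` next to the Service definition, or ship a NetworkPolicy alongside. The `clusterIP: None # cache is a headless service!` comment would also be more useful if it said why — the readme notes autocache discovers peers from the name records the cache URL returns, which is what a headless Service provides — and the stray blank `+` line before `volumeMounts:` looks accidental.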
@@ -53,12 +53,12 @@ spec: readinessProbe: httpGet: path: /ping - port: 80 + port: 443 scheme: HTTP livenessProbe: httpGet: path: /ping - port: 80 + port: 443 scheme: HTTP initialDelaySeconds: 10 timeoutSeconds: 1 diff --git a/docs/configuration/readme.md b/docs/configuration/readme.md index 1becde1db..63e9dc55e 100644 --- a/docs/configuration/readme.md +++ b/docs/configuration/readme.md @@ -30,7 +30,7 @@ These are configuration variables shared by all services, in all service modes. - Config File Key: `services` - Type: `string` - Default: `all` -- Options: `all` `authenticate` `authorize` or `proxy` +- Options: `all` `authenticate` `authorize` `cache` or `proxy` Service mode sets the pomerium service(s) to run. If testing, you may want to set to `all` and run pomerium in "all-in-one mode." In production, you'll likely want to spin up several instances of each service mode for high availability. @@ -43,7 +43,7 @@ Service mode sets the pomerium service(s) to run. If testing, you may want to se - Default: `:443` - Required -Address specifies the host and port to serve HTTP requests from. If empty, `:443` is used. +Address specifies the host and port to serve HTTP requests from. If empty, `:443` is used. Note, in all-in-one deployments, gRPC traffic will be served on loopback on port `:5443`. ### Administrators @@ -541,7 +541,7 @@ If your load balancer does not support gRPC pass-through you'll need to set this - Environmental Variable: `OVERRIDE_CERTIFICATE_NAME` - Config File Key: `override_certificate_name` - Type: `int` -- Optional (but typically required if Authenticate Internal Service Address is set) +- Optional - Example: `*.corp.example.com` if wild card or `authenticate.corp.example.com`/`authorize.corp.example.com` Secure service communication can fail if the external certificate does not match the internally routed service hostname/[SNI](https://en.wikipedia.org/wiki/Server_Name_Indication). This setting allows you to override that value. 
@@ -608,6 +608,64 @@ Refresh cooldown is the minimum amount of time between allowed manually refreshe Default Upstream Timeout is the default timeout applied to a proxied route when no `timeout` key is specified by the policy. +## Cache Service + +The cache service is used for storing user session data. + +### Cache Store + +- Environmental Variable: `CACHE_STORE` +- Config File Key: `cache_store` +- Type: `string` +- Default: `autocache` +- Options: `autocache` `bolt` or `redis`. Other contributions are welcome. + +CacheStore is the name of session cache backend to use. + +### Autocache + +[Autocache](https://github.com/pomerium/autocache) is the default session store. Autocache is based off of distributed version of [memecached](https://memcached.org/), called [groupcache](https://github.com/golang/groupcache) made by Google and used by many organizations like Twitter and Vimeo in production. Autocache is suitable for both small deployments, where it acts as a embedded cache, or larger scale, distributed installs. + +When deployed in a distributed fashion, autocache uses [gossip](https://github.com/hashicorp/memberlist) based membership to manage its peers. + +Autocache does not require any additional settings but does require that the cache url setting returns name records that correspond to a [list of peers](https://kubernetes.io/docs/concepts/services-networking/service/#headless-services). + +### [Redis](https://redis.io/) + +Redis, when used as a [LRU cache](https://redis.io/topics/lru-cache), functions in a very similar way to autocache. Redis store support allows you to leverage existing infrastructure, and to persist session data if that is a requirement. + +#### Redis Address + +- Environmental Variable: `CACHE_STORE_ADDRESS` +- Config File Key: `cache_store_address` +- Type: `string` +- Example: `localhost:6379` + +CacheStoreAddr specifies the host and port on which the cache store should connect to redis. 
+ +#### Redis Password + +- Environmental Variable: `CACHE_STORE_PASSWORD` +- Config File Key: `cache_store_password` +- Type: `string` + +CacheStoreAddr is the password used to connect to redis. + +### [Bolt](https://godoc.org/go.etcd.io/bbolt/) + +Bolt is a simple, lightweight, low level key value store and is the underlying storage mechanism in projects like [etcd](https://etcd.io/). Bolt persists data to a file, and has no built in eviction mechanism. + +Bolt is suitable for all-in-one deployments that do not require concurrent / distributed writes. + +#### Bolt Path + +- Environmental Variable: `CACHE_STORE_PATH` +- Config File Key: `cache_store_path` +- Type: `string` +- Example: `/etc/bolt.db` + +CacheStorePath is the path to save bolt's database file. + ## Policy - Environmental Variable: `POLICY` diff --git a/docs/docs/CHANGELOG.md b/docs/docs/CHANGELOG.md index 98f25eb27..ec355d2d4 100644 --- a/docs/docs/CHANGELOG.md +++ b/docs/docs/CHANGELOG.md 
@@ -1,19 +1,46 @@ # Changelog -## vUnreleased +## v0.6.0 -### New +## New -### Changed +- authenticate: support backend refresh @desimone [GH-438] +- cache: add cache service @desimone [GH-457] -- Added yaml tags to all options struct fields - - [GH-394](https://github.com/pomerium/pomerium/pull/394) - - [GH-397](https://github.com/pomerium/pomerium/pull/397) -- Improved config validation for `shared_secret` [GH-427](https://github.com/pomerium/pomerium/pull/427) +## Changed -### Fixed +- authorize: consolidate gRPC packages @desimone [GH-443] +- config: added yaml tags to all options struct fields @travisgroth [GH-394],[gh-397] +- config: improved config validation for `shared_secret` @travisgroth [GH-427] +- config: Remove CookieRefresh [GH-428] @u5surf [GH-436] +- config: validate that `shared_key` does not contain whitespace @travisgroth [GH-427] +- httputil : wrap handlers for additional context @desimone [GH-413] -- Fixed regression preventing policy reload [GH-396](https://github.com/pomerium/pomerium/pull/396) +## Fixed + +- proxy: fix unauthorized redirect loop for forward auth @desimone [GH-448] +- proxy: fixed regression preventing policy reload [GH-396](https://github.com/pomerium/pomerium/pull/396) + +## Documentation + +- add cookie settings @danderson [GH-429] +- fix typo in forward auth nginx example @travisgroth [GH-445] +- improved sentence flow and other stuff @Rio [GH-422] +- rename fwdauth to be forwardauth @desimone [GH-447] + +## Dependency + +- chore(deps): update golang.org/x/crypto commit hash to 61a8779 @renovate [GH-452] +- chore(deps): update golang.org/x/crypto commit hash to 530e935 @renovate [GH-458] +- chore(deps): update golang.org/x/crypto commit hash to 53104e6 @renovate [GH-431] +- chore(deps): update golang.org/x/crypto commit hash to e9b2fee @renovate [GH-414] +- chore(deps): update golang.org/x/oauth2 commit hash to 858c2ad @renovate [GH-415] +- chore(deps): update golang.org/x/oauth2 commit hash to bf48bf1 @renovate [GH-453] 
+- chore(deps): update module google.golang.org/grpc to v1.26.0 @renovate [GH-433] +- chore(deps): update module google/go-cmp to v0.4.0 @renovate [GH-454] +- chore(deps): update module spf13/viper to v1.6.1 @renovate [GH-423] +- chore(deps): update module spf13/viper to v1.6.2 @renovate [GH-459] +- chore(deps): update module square/go-jose to v2.4.1 @renovate [GH-435] ## v0.5.0 diff --git a/docs/docs/background.md b/docs/docs/background.md index 22369003e..46fdc538d 100644 --- a/docs/docs/background.md +++ b/docs/docs/background.md 
@@ -16,17 +16,19 @@ For years, security was synonymous with network security. Firewalls, network seg > > [Rob Joyce](https://en.wikipedia.org/wiki/Rob_Joyce) [Chief of Tailored Access Operations](https://en.wikipedia.org/wiki/Tailored_Access_Operations), [National Security Agency @ ENIGMA 2016](https://www.youtube.com/watch?v=bDJb8WOJYdA&feature=youtu.be&t=1627) -There's no such thing as perfect security. Many recent high-profile breaches have demonstrated just how difficult it is for even large companies with sophisticated security organizations to avoid a breach. To pick just two of many possible breaches were perimeter security played a role, consider the Target and Google hacks. In Target's case, hackers circumvented both the physical and network perimeter by [hacking the HVAC system](https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/) which was connected to the internal corporate network and then moved laterally to exfiltrate customer credit card data. In Google's case, they experienced a devastating attack at the hands of the Chinese military. Google did a bottom up review of their security posture following [Operation Aurora](https://en.wikipedia.org/wiki/Operation_Aurora). The resulting actions from that review would be released as a [series of white papers](https://ai.google/research/pubs/pub43231) called "BeyondCorp" which have since become foundational documents in articulating how and why an organization could move beyond corporate perimeter (BeyondCorp...get it?) based security. +There's no such thing as perfect security. Many recent high-profile breaches have demonstrated just how difficult it is for even large companies with sophisticated security organizations to avoid a breach. To pick just two of many possible breaches that epitomize the shortcomings of perimeter security, consider the Target and Google hacks. 
In Target's case, hackers circumvented both the physical and network perimeter by [hacking the HVAC system](https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/) which was connected to the internal corporate network from which hackers were then able to move laterally and exfiltrate customer credit card data. In Google's case, they experienced a devastating attack at the hands of the Chinese military known as [Operation Aurora](https://en.wikipedia.org/wiki/Operation_Aurora). After which, Google did a bottom up review of their security posture. The resulting actions from that review would be released as a [series of white papers](https://ai.google/research/pubs/pub43231) called "BeyondCorp" which have since become foundational documents in articulating how and why an organization could move beyond corporate perimeter (BeyondCorp...get it?) based security. > In reality, there's never one front door; there are many front doors...[and] ... we're not securing a single castle. We're starting to think about securing many different interconnected castles. > > [Armon Dadgar, Cofounder of HashiCorp @ PagerDuty Nov 2018](https://www.hashicorp.com/resources/how-zero-trust-networking) -The other side of the security trade-off is operational agility. Perimeter based approaches tend to focus on network segmentation which entails creating virtual or physical boundaries around services that need to communicate. Making those boundaries is increasingly difficult to manage in a world of microservices, and cloud computing where service communication requirements are constantly in flux. In theory, an organization could "micro/nano/pico-segment" each and every layer of an application stack to ensure the appropriate audience. However, in practice, operators usually choose between two sides. A very precise boundary that is high-touch, time-consuming to manage, and error prone. 
Or that of a more lax boundary that may entail more risk but is less time consuming to update, manage and less prone to break. +The other side of the security trade-off is operational agility. Perimeter based approaches tend to focus on network segmentation which entails creating virtual or physical boundaries around services that need to communicate. Making those boundaries is increasingly difficult to manage in a world of microservices, and cloud computing where service communication requirements are constantly in flux. + +In theory, an organization could "micro/nano/pico-segment" each and every layer of an application stack to ensure appropriate access controls. However, in practice, operators are usually pulled in the direction of one of two extremes. That is, either a very precise boundary that is high-touch, time-consuming to manage, and error prone. Or that of a more lax boundary that may entail more risk but is less time consuming to update, manage and less prone to break. ### Gaps in the perimeter -Perimeter based security suffers from the following shortcomings: +In summary, perimeter based security suffers from the following shortcomings: - Perimeter security largely ignores the insider threat. - The "impenetrable fortress" model fails in practice even for the most sophisticated of security organizations. 
@@ -34,14 +36,15 @@ Perimeter based security suffers from the following shortcomings: - Even just defining what the network perimeter is is an increasingly difficult proposition in a remote-work, BYOD, multi-cloud world. Most organizations are a heterogeneous mix of clouds, servers, devices, and organizational units. - VPNs are often misused and exacerbate the issue by opening yet another door into your network organization. -### Zero-trust, behind the gates +### Zero-trust, security behind the gates [Zero-trust](https://ldapwiki.com/wiki/Zero%20Trust) instead attempts to mitigate these shortcomings by adopting the following principles: - Trust flows from identity, device-state, and context; not network location. - Treat both internal and external networks as completely untrusted. Mutually authenticated encryption is used instead of network segmentation. - Act like you are already breached, because you probably are. An attacker could be anyone, and anywhere on your network. -- Every device, user, and application's communication should be authenticated, authorized, and encrypted. Access policy should be dynamic, and built from multiple sources. +- Every device, user, and application's communication should be authenticated, authorized, and encrypted. +- Access policy should be dynamic, and built from multiple sources. To be clear, perimeter security is not defunct, nor is zero-trust security a panacea or a single product. Many of the ideas and principles of perimeter security are still relevant and are part of a holistic, and wide-ranging security policy. After all, we still want our castles to have high walls. diff --git a/docs/docs/community/img/contributing-edit-this-page.png b/docs/docs/community/img/contributing-edit-this-page.png index 62ad2b57c..579a0e2fa 100644 Binary files a/docs/docs/community/img/contributing-edit-this-page.png and b/docs/docs/community/img/contributing-edit-this-page.png differ 
diff --git a/docs/docs/identity-providers/img/cognito-app-client-create.png b/docs/docs/identity-providers/img/cognito-app-client-create.png index cf07fa313..52738dd8f 100644 Binary files a/docs/docs/identity-providers/img/cognito-app-client-create.png and b/docs/docs/identity-providers/img/cognito-app-client-create.png differ diff --git a/docs/docs/identity-providers/img/cognito-app-client-details.png b/docs/docs/identity-providers/img/cognito-app-client-details.png index a9d1b0f1f..dc1f6f735 100644 Binary files a/docs/docs/identity-providers/img/cognito-app-client-details.png and b/docs/docs/identity-providers/img/cognito-app-client-details.png differ diff --git a/docs/docs/identity-providers/img/cognito-app-client-settings.png b/docs/docs/identity-providers/img/cognito-app-client-settings.png index fd1c5e97b..0f58b7e0c 100644 Binary files a/docs/docs/identity-providers/img/cognito-app-client-settings.png and b/docs/docs/identity-providers/img/cognito-app-client-settings.png differ diff --git a/docs/docs/identity-providers/img/cognito-create-pool.png b/docs/docs/identity-providers/img/cognito-create-pool.png index f077c1380..bc031d87c 100644 Binary files a/docs/docs/identity-providers/img/cognito-create-pool.png and b/docs/docs/identity-providers/img/cognito-create-pool.png differ diff --git a/docs/docs/identity-providers/img/cognito-domain-name.png b/docs/docs/identity-providers/img/cognito-domain-name.png index f0d9e7e1b..d0049f25d 100644 Binary files a/docs/docs/identity-providers/img/cognito-domain-name.png and b/docs/docs/identity-providers/img/cognito-domain-name.png differ diff --git a/docs/docs/identity-providers/img/cognito-pool-settings.png b/docs/docs/identity-providers/img/cognito-pool-settings.png index fd3846efd..8ae09e7e6 100644 Binary files a/docs/docs/identity-providers/img/cognito-pool-settings.png and b/docs/docs/identity-providers/img/cognito-pool-settings.png differ 
diff --git a/docs/docs/identity-providers/img/cognito-pools.png b/docs/docs/identity-providers/img/cognito-pools.png index bc6a78c9c..efefc5543 100644 Binary files a/docs/docs/identity-providers/img/cognito-pools.png and b/docs/docs/identity-providers/img/cognito-pools.png differ diff --git a/docs/docs/identity-providers/img/cognito-service.png b/docs/docs/identity-providers/img/cognito-service.png index cac3c913f..5b294adaf 100644 Binary files a/docs/docs/identity-providers/img/cognito-service.png and b/docs/docs/identity-providers/img/cognito-service.png differ diff --git a/docs/docs/identity-providers/img/cognito-side-menu.png b/docs/docs/identity-providers/img/cognito-side-menu.png index 2ef63ab78..6b414eb74 100644 Binary files a/docs/docs/identity-providers/img/cognito-side-menu.png and b/docs/docs/identity-providers/img/cognito-side-menu.png differ diff --git a/docs/docs/identity-providers/img/cognito-user-pool-name.png b/docs/docs/identity-providers/img/cognito-user-pool-name.png index 0e855b771..0b1a8f3ea 100644 Binary files a/docs/docs/identity-providers/img/cognito-user-pool-name.png and b/docs/docs/identity-providers/img/cognito-user-pool-name.png differ diff --git a/docs/docs/identity-providers/img/google-consent-banner.png b/docs/docs/identity-providers/img/google-consent-banner.png index 6e6eca50e..f67dc5b39 100644 Binary files a/docs/docs/identity-providers/img/google-consent-banner.png and b/docs/docs/identity-providers/img/google-consent-banner.png differ diff --git a/docs/docs/identity-providers/img/google-create-sa.png b/docs/docs/identity-providers/img/google-create-sa.png index 9c47f9200..21728b753 100644 Binary files a/docs/docs/identity-providers/img/google-create-sa.png and b/docs/docs/identity-providers/img/google-create-sa.png differ 
diff --git a/docs/docs/identity-providers/img/google-oauth-consent.png b/docs/docs/identity-providers/img/google-oauth-consent.png index 02800c480..f2bf46219 100644 Binary files a/docs/docs/identity-providers/img/google-oauth-consent.png and b/docs/docs/identity-providers/img/google-oauth-consent.png differ diff --git a/docs/docs/identity-providers/img/okta-api-token.png b/docs/docs/identity-providers/img/okta-api-token.png index 2e3da4487..3fb42906d 100644 Binary files a/docs/docs/identity-providers/img/okta-api-token.png and b/docs/docs/identity-providers/img/okta-api-token.png differ diff --git a/docs/docs/identity-providers/img/one-login-add-app.png b/docs/docs/identity-providers/img/one-login-add-app.png index 621557ebe..77e454c86 100644 Binary files a/docs/docs/identity-providers/img/one-login-add-app.png and b/docs/docs/identity-providers/img/one-login-add-app.png differ diff --git a/docs/docs/identity-providers/img/one-login-callback-url.png b/docs/docs/identity-providers/img/one-login-callback-url.png index ba25e20b1..6b28383b9 100644 Binary files a/docs/docs/identity-providers/img/one-login-callback-url.png and b/docs/docs/identity-providers/img/one-login-callback-url.png differ diff --git a/docs/docs/quick-start/helm.md b/docs/docs/quick-start/helm.md index 9b8e97ed0..b91babbbd 100644 --- a/docs/docs/quick-start/helm.md +++ b/docs/docs/quick-start/helm.md @@ -46,6 +46,10 @@ Run [./scripts/helm_gke.sh] which will: Open a browser and navigate to `httpbin.your.domain.example`. +You can also navigate to the special pomerium endpoint `httpbin.your.domain.example/.pomerium/` to see your current user details. + +![currently logged in user](./img/logged-in-as.png) + [./scripts/helm_gke.sh]: ../reference/examples.html#helm [./scripts/kubernetes_gke.sh]: ../reference/examples.html#google-kubernetes-engine [example kubernetes files]: ../reference/examples.html#google-kubernetes-engine 
diff --git a/docs/docs/quick-start/img/logged-in-as.png b/docs/docs/quick-start/img/logged-in-as.png new file mode 100644 index 000000000..7de800a74 Binary files /dev/null and b/docs/docs/quick-start/img/logged-in-as.png differ diff --git a/docs/docs/quick-start/img/synology-certifciate-assignment.png b/docs/docs/quick-start/img/synology-certifciate-assignment.png index 556d8fc06..89e9dbb25 100644 Binary files a/docs/docs/quick-start/img/synology-certifciate-assignment.png and b/docs/docs/quick-start/img/synology-certifciate-assignment.png differ diff --git a/docs/docs/quick-start/img/synology-docker-httpbin.png b/docs/docs/quick-start/img/synology-docker-httpbin.png index 5b02bb705..1ce83d317 100644 Binary files a/docs/docs/quick-start/img/synology-docker-httpbin.png and b/docs/docs/quick-start/img/synology-docker-httpbin.png differ diff --git a/docs/docs/quick-start/img/synology-docker-pomerium-alias.png b/docs/docs/quick-start/img/synology-docker-pomerium-alias.png index 63652578f..278ae1d69 100644 Binary files a/docs/docs/quick-start/img/synology-docker-pomerium-alias.png and b/docs/docs/quick-start/img/synology-docker-pomerium-alias.png differ diff --git a/docs/docs/quick-start/img/synology-docker-pomerium-create-container.png b/docs/docs/quick-start/img/synology-docker-pomerium-create-container.png index 643c4a69e..a896d08d0 100644 Binary files a/docs/docs/quick-start/img/synology-docker-pomerium-create-container.png and b/docs/docs/quick-start/img/synology-docker-pomerium-create-container.png differ diff --git a/docs/docs/quick-start/img/synology-docker-pomerium-done.png b/docs/docs/quick-start/img/synology-docker-pomerium-done.png index 053b9f9dd..52a254ac0 100644 Binary files a/docs/docs/quick-start/img/synology-docker-pomerium-done.png and b/docs/docs/quick-start/img/synology-docker-pomerium-done.png differ 
diff --git a/docs/docs/quick-start/img/synology-docker-pomerium-package.png b/docs/docs/quick-start/img/synology-docker-pomerium-package.png
index 6153bb314..9cf1546c6 100644
Binary files a/docs/docs/quick-start/img/synology-docker-pomerium-package.png and b/docs/docs/quick-start/img/synology-docker-pomerium-package.png differ
diff --git a/docs/docs/quick-start/img/synology-docker-port-settings.png b/docs/docs/quick-start/img/synology-docker-port-settings.png
index 11eec74f6..9215be2de 100644
Binary files a/docs/docs/quick-start/img/synology-docker-port-settings.png and b/docs/docs/quick-start/img/synology-docker-port-settings.png differ
diff --git a/docs/docs/quick-start/img/synology-firewall-rules.png b/docs/docs/quick-start/img/synology-firewall-rules.png
index facdc21ac..a66e7b23e 100644
Binary files a/docs/docs/quick-start/img/synology-firewall-rules.png and b/docs/docs/quick-start/img/synology-firewall-rules.png differ
diff --git a/docs/docs/quick-start/img/synology-httpbin.png b/docs/docs/quick-start/img/synology-httpbin.png
index b640f239c..63443f52b 100644
Binary files a/docs/docs/quick-start/img/synology-httpbin.png and b/docs/docs/quick-start/img/synology-httpbin.png differ
diff --git a/docs/docs/quick-start/img/synology-reverse-proxy-rules.png b/docs/docs/quick-start/img/synology-reverse-proxy-rules.png
index bb2083c3f..1a6410e64 100644
Binary files a/docs/docs/quick-start/img/synology-reverse-proxy-rules.png and b/docs/docs/quick-start/img/synology-reverse-proxy-rules.png differ
diff --git a/docs/docs/quick-start/img/synology-reverse-proxy.png b/docs/docs/quick-start/img/synology-reverse-proxy.png
index 1b13436b9..083c00be0 100644
Binary files a/docs/docs/quick-start/img/synology-reverse-proxy.png and b/docs/docs/quick-start/img/synology-reverse-proxy.png differ
diff --git a/docs/docs/quick-start/img/synology-step-1-redirect.png b/docs/docs/quick-start/img/synology-step-1-redirect.png
index 6af917140..83a0ef0ca 100644
Binary files a/docs/docs/quick-start/img/synology-step-1-redirect.png and b/docs/docs/quick-start/img/synology-step-1-redirect.png differ
diff --git a/docs/docs/quick-start/img/synology-step-2-mfa.png b/docs/docs/quick-start/img/synology-step-2-mfa.png
index 12f826fdb..7014a6b96 100644
Binary files a/docs/docs/quick-start/img/synology-step-2-mfa.png and b/docs/docs/quick-start/img/synology-step-2-mfa.png differ
diff --git a/docs/docs/quick-start/img/synology-step-3-validate-header.png b/docs/docs/quick-start/img/synology-step-3-validate-header.png
index 45d792fec..f888f0ae7 100644
Binary files a/docs/docs/quick-start/img/synology-step-3-validate-header.png and b/docs/docs/quick-start/img/synology-step-3-validate-header.png differ
diff --git a/docs/docs/quick-start/img/synology-step-4-unauthorized.png b/docs/docs/quick-start/img/synology-step-4-unauthorized.png
index 5c014118b..2ff3b8df8 100644
Binary files a/docs/docs/quick-start/img/synology-step-4-unauthorized.png and b/docs/docs/quick-start/img/synology-step-4-unauthorized.png differ
diff --git a/docs/docs/quick-start/img/synology-step-4-unauthorized.png2 b/docs/docs/quick-start/img/synology-step-4-unauthorized.png2
new file mode 100644
index 000000000..b701a72c5
Binary files /dev/null and b/docs/docs/quick-start/img/synology-step-4-unauthorized.png2 differ
diff --git a/docs/docs/quick-start/kubernetes.md b/docs/docs/quick-start/kubernetes.md
index 12f71acc2..c7082d363 100644
--- a/docs/docs/quick-start/kubernetes.md
+++ b/docs/docs/quick-start/kubernetes.md
@@ -59,6 +59,10 @@ And if you check out Google's Kubernetes Engine dashboard you'll see something l
 
 Open a browser and navigate to `httpbin.your.domain.example`.
 
+You can also navigate to the special pomerium endpoint `httpbin.your.domain.example/.pomerium/` to see your current user details.
+
+![currently logged in user](./img/logged-in-as.png)
+
 [./kubernetes_gke.sh]: ../reference/examples#google-kubernetes-engine
 [example kubernetes files]: ../reference/examples#google-kubernetes-engine
 [identity provider]: ../identity-providers/readme.md
diff --git a/docs/docs/quick-start/readme.md b/docs/docs/quick-start/readme.md
index 5ee8e1f27..09ac392c6 100644
--- a/docs/docs/quick-start/readme.md
+++ b/docs/docs/quick-start/readme.md
@@ -48,6 +48,10 @@ Docker will automatically download the required [container images] for Pomerium
 
 You should now be able access to the routes (e.g. `https://httpbin.corp.yourdomain.example`) as specified in your policy file.
 
+You can also navigate to the special pomerium endpoint `httpbin.corp.yourdomain.example/.pomerium/` to see your current user details.
+
+![currently logged in user](./img/logged-in-as.png)
+
 [configuration file]: ../../configuration/readme.md
 [container images]: https://hub.docker.com/r/pomerium/pomerium
 [docker]: https://docs.docker.com/install/
diff --git a/docs/docs/quick-start/synology.md b/docs/docs/quick-start/synology.md
index cd797e23c..d6510d4ea 100644
--- a/docs/docs/quick-start/synology.md
+++ b/docs/docs/quick-start/synology.md
@@ -206,6 +206,10 @@ If that user is authorized to see the httpbin service, you should be redirected
 
 ![Synology done](./img/synology-step-3-validate-header.png)
 
+You can also navigate to the special pomerium endpoint `httpbin.your.domain.example/.pomerium/` to see your current user details.
+
+![currently logged in user](./img/logged-in-as.png)
+
 And just to be safe, try logging in from another google account to see what happens. You should be greeted with a `403` unauthorized access page.
 
 ![Synology done](./img/synology-step-4-unauthorized.png)
diff --git a/docs/docs/releases.md b/docs/docs/releases.md
index 75b805172..c79386ac1 100644
--- a/docs/docs/releases.md
+++ b/docs/docs/releases.md
@@ -55,6 +55,7 @@ To see difference between releases, please refer to the changelog and upgrading For convenience, we maintain hosted documentation for each tagged release. The format for which is `https://{MAJOR}-{MINOR}-{PATCH}.docs.pomerium.io`. For example: - [github@master](https://master.docs.pomerium.io/)
+- [v0.6.0](https://0-6-0.docs.pomerium.io/)
 - [v0.5.0](https://0-5-0.docs.pomerium.io/)
 - [v0.4.0](https://0-4-0.docs.pomerium.io/)
 - [v0.3.0](https://0-3-0.docs.pomerium.io/)
diff --git a/docs/docs/upgrading.md b/docs/docs/upgrading.md
index 47714cf71..501ccd423 100644
--- a/docs/docs/upgrading.md
+++ b/docs/docs/upgrading.md
@@ -7,6 +7,38 @@ description: >-
 
 # Upgrade Guide
 
+## Since 0.5.0
+
+### Breaking
+
+#### New cache service
+
+A back-end cache service was added to support session refreshing from [single-page-apps](https://en.wikipedia.org/wiki/Single-page_application).
+
+- For all-in-one deployments, _no changes are required_. The cache will be embedded in the binary. By default, autocache an in-memory LRU cache will be used to temporarily store user session data. If you wish to persist session data, it's also possible to use bolt or redis.
+- For split-service deployments, you will need to deploy an additional service called cache. By default, pomerium will use autocache as a distributed, automatically managed cache. It is also possible to use redis as backend in this mode.
+
+For a concrete example of the required changes, consider the following changes for those running split service mode,:
+
+```diff
+...
+ pomerium-authenticate:
+ environment:
+ - SERVICES=authenticate
++ - CACHE_SERVICE_URL=http://pomerium-cache:443
+...
++ pomerium-cache:
++ image: pomerium/pomerium
++ environment:
++ - SERVICES=cache
++ volumes:
++ - ../config/config.example.yaml:/pomerium/config.yaml:ro
++ expose:
++ - 443
+```
+
+Please see the updated examples, and [cache service docs] as a reference and for the available cache stores. For more details as to why this was necessary, please see [PR438](https://github.com/pomerium/pomerium/pull/438) and [PR457](https://github.com/pomerium/pomerium/pull/457).
+
 ## Since 0.4.0
 
 ### Breaking
@@ -187,5 +219,7 @@ Usage of the POLICY_FILE envvar is no longer supported. Support for file based p
 
 The configuration variable [Authenticate Internal Service URL] must now be a valid [URL](https://golang.org/pkg/net/url/#URL) type and contain both a hostname and valid `https` schema.
 
-[policy]: ./configuration/readme.md#policy
-[authenticate internal service url]: ./configuration/readme.md#authenticate-service-url
+[policy]: ../configuration/readme.md#policy
+[authenticate internal service url]: ../configuration/readme.md#authenticate-service-url
+[cache service docs]: ../configuration/readme.md#cache-service
+[split service example]: ../configuration/examples.md#distinct-services
diff --git a/docs/recipes/kubernetes.md b/docs/recipes/kubernetes.md
index decc12e0e..b5e12969d 100644
--- a/docs/recipes/kubernetes.md
+++ b/docs/recipes/kubernetes.md
@@ -360,6 +360,5 @@ Whichever option you choose to go with, πŸŽ‰πŸΎπŸŽŠ **congratulations** πŸŽ‰
 [nginx]: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/
 [securing your helm installation]: https://helm.sh/docs/using_helm/#securing-your-helm-installation
 [snap]: https://github.com/snapcrafters/helm
-[tiller]: https://helm.sh/docs/install/#installing-tiller
 [with pomerium]: ../docs/reference/reference.html#forward-auth
 [your dashboard]: http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/#/login