diff --git a/.firebaserc b/.firebaserc deleted file mode 100644 index d97bb22ac..000000000 --- a/.firebaserc +++ /dev/null @@ -1,5 +0,0 @@ -{ - "projects": { - "default": "pomerium-21f57" - } -} diff --git a/.gitignore b/.gitignore index 7bfd26ef5..5215b7287 100644 --- a/.gitignore +++ b/.gitignore @@ -38,11 +38,6 @@ _testmain.go # Without this, the *.[568vq] above ignores this folder. !**/graphrbac/1.6 -# Ruby -website/vendor -website/build -website/tmp - .DS_Store .idea diff --git a/README.md b/README.md index 74055fc05..ec2c1fcb3 100644 --- a/README.md +++ b/README.md 
@@ -1,27 +1,41 @@ -pomerium logo +pomerium logo [![pomerium chat](https://img.shields.io/badge/chat-on%20slack-blue.svg?style=flat&logo=slack)](http://slack.pomerium.io) -[![Travis CI](https://travis-ci.org/pomerium/pomerium.svg?branch=master)](https://travis-ci.org/pomerium/pomerium) [![Go Report Card](https://goreportcard.com/badge/github.com/pomerium/pomerium)](https://goreportcard.com/report/github.com/pomerium/pomerium) [![GoDoc](https://godoc.org/github.com/pomerium/pomerium?status.svg)][godocs] [![LICENSE](https://img.shields.io/github/license/pomerium/pomerium.svg)](https://github.com/pomerium/pomerium/blob/master/LICENSE) [![codecov](https://img.shields.io/codecov/c/github/pomerium/pomerium.svg?style=flat)](https://codecov.io/gh/pomerium/pomerium) +[![Travis CI](https://travis-ci.org/pomerium/pomerium.svg?branch=master)](https://travis-ci.org/pomerium/pomerium) [![Go Report Card](https://goreportcard.com/badge/github.com/pomerium/pomerium)](https://goreportcard.com/report/github.com/pomerium/pomerium) [![GoDoc](https://godoc.org/github.com/pomerium/pomerium?status.svg)][godocs] [![LICENSE](https://img.shields.io/github/license/pomerium/pomerium.svg)](https://github.com/pomerium/pomerium/blob/master/LICENSE) [![codecov](https://img.shields.io/codecov/c/github/pomerium/pomerium.svg?style=flat)](https://codecov.io/gh/pomerium/pomerium) ![Docker Pulls](https://img.shields.io/docker/pulls/pomerium/pomerium) -Pomerium is a tool for managing secure access to internal applications and resources. +Pomerium is an identity-aware proxy that enables secure access to internal applications. Pomerium provides a standardized interface to add access control to applications regardless of whether the application itself has authorization or authentication baked-in. Pomerium gateways both internal and external requests, and can be used in situations where you'd typically reach for a VPN. 
-Use Pomerium to: +Pomerium can be used to: -- provide a single-sign-on gateway to internal applications. -- enforce dynamic access policy based on **context**, **identity**, and **device state**. +- provide a **single-sign-on gateway** to internal applications. +- enforce **dynamic access policy** based on **context**, **identity**, and **device state**. - aggregate access logs and telemetry data. -- an alternative to a VPN. +- a **VPN alternative**. -Check out [awesome-zero-trust] to learn more about some of the problems Pomerium attempts to address. +## Architecture + +pomerium architecture diagram + +## Demo + +To make this a bit more concrete, see the following: + +1. An **unauthorized** user authenticating with their corporate single-sign-on provider (in this case Google) +2. The **unauthorized** user being blocked from a protected resource. +3. The **unauthorized** user signing out from their session. +4. An **authorized** user authenticating with their corporate single-sign-on provider. +5. Pomerium delegating and grating access to the requested resource. +6. The **authorized** user inspecting their user details including group membership. + + ## Docs -To get started with pomerium, check out our [quick start guide]. +For comprehensive docs, and tutorials see our [documentation]. -For comprehensive docs, and tutorials see our [documentation] and the [godocs]. - -[awesome-zero-trust]: https://github.com/pomerium/awesome-zero-trust -[documentation]: https://www.pomerium.io/docs/ +[documentation]: https://www.pomerium.io/ [go environment]: https://golang.org/doc/install [godocs]: https://godoc.org/github.com/pomerium/pomerium [quick start guide]: https://www.pomerium.io/guide/ diff --git a/docs/.vuepress/config.js b/docs/.vuepress/config.js index 2329ce861..746fa827c 100644 --- a/docs/.vuepress/config.js +++ b/docs/.vuepress/config.js 
@@ -1,7 +1,8 @@ // .vuepress/config.js module.exports = { title: "Pomerium", - description: "An open source identity-aware access proxy.", + description: + "Pomerium is a beyond-corp inspired, zero trust, open source identity-aware access proxy.", plugins: { sitemap: { hostname: "https://www.pomerium.io" 
@@ -10,58 +11,99 @@ module.exports = { ga: "UA-129872447-2" } }, - extend: "@vuepress/theme-default", + markdown: { + externalLinkSymbol: false + }, themeConfig: { - repo: "pomerium/pomerium", + logo: "/logo-long-civez.png", editLinks: true, docsDir: "docs", editLinkText: "Edit this page on GitHub", lastUpdated: "Last Updated", nav: [ { text: "Documentation", link: "/docs/" }, - { text: "Quick Start", link: "/guide/" }, - { text: "Config Reference", link: "/reference/" }, - { - text: "Versions", - items: [ - { text: "v0.0.5", link: "https://v0-0-5.docs.pomerium.io/" }, - { text: "v0.0.4", link: "https://v0-0-4.docs.pomerium.io/" } - ] - } + { text: "Community", link: "/community/" } + + // { + // text: "Versions", + // items: [ + // { text: "v0.1.0", link: "https://v0-1-0.docs.pomerium.io/" }, + // { text: "v0.0.5", link: "https://v0-0-5.docs.pomerium.io/" }, + // { text: "v0.0.4", link: "https://v0-0-4.docs.pomerium.io/" } + // ] + // } ], + sidebar: { - "/guide/": guideSidebar("Quick Start"), - "/docs/": docsSidebar("Documentation") + "/docs/": [ + { + title: "", + type: "group", + collapsable: false, + sidebarDepth: 0, + children: ["", "background", "releases", "upgrading", "CHANGELOG"] + }, + { + title: "Quick Start", + collapsable: false, + path: "/docs/quick-start/", + type: "group", + sidebarDepth: 0, + children: [ + "quick-start/", + "quick-start/binary", + "quick-start/helm", + "quick-start/kubernetes", + "quick-start/synology" + ] + }, + { + title: "Identity Providers", + collapsable: false, + path: "/docs/identity-providers/", + type: "group", + sidebarDepth: 0, + children: [ + "identity-providers/", + "identity-providers/azure", + "identity-providers/gitlab", + "identity-providers/google", + "identity-providers/okta", + "identity-providers/one-login" + ] + }, + { + title: "Reference", + collapsable: true, + path: "/docs/reference/", + type: "group", + collapsable: false, + sidebarDepth: 1, + children: [ + "reference/certificates", + 
"reference/impersonation", + "reference/signed-headers", + "reference/examples", + "reference/reference" + ] + } + ], + "/community/": [ + { + title: "Community", + type: "group", + + collapsable: false, + sidebarDepth: 1, + children: [ + "", + "contributing", + "developers-guide", + "code-of-conduct", + "security" + ] + } + ] } } }; - -function guideSidebar(title) { - return [ - { - title, - collapsable: false, - children: ["", "binary", "from-source", "helm", "kubernetes", "synology"] - } - ]; -} - -function docsSidebar(title) { - return [ - { - title, - collapsable: false, - children: [ - "", - "identity-providers", - "signed-headers", - "certificates", - "examples", - "impersonation", - "programmatic-access", - "upgrading", - "contributing" - ] - } - ]; -} diff --git a/docs/.vuepress/override.styl b/docs/.vuepress/override.styl deleted file mode 100644 index 79735ded2..000000000 --- a/docs/.vuepress/override.styl +++ /dev/null @@ -1,4 +0,0 @@ -$accentColor = #6c63ff -$textColor = #2c3e50 -$borderColor = #eaecef -$codeBgColor = #282c34 \ No newline at end of file diff --git a/docs/.vuepress/public/account.svg b/docs/.vuepress/public/account.svg new file mode 100644 index 000000000..555dcc538 --- /dev/null +++ b/docs/.vuepress/public/account.svg @@ -0,0 +1 @@ +account \ No newline at end of file diff --git a/docs/.vuepress/public/easier-to-manage.svg b/docs/.vuepress/public/easier-to-manage.svg new file mode 100644 index 000000000..382ca813e --- /dev/null +++ b/docs/.vuepress/public/easier-to-manage.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/docs/.vuepress/public/favicon.ico b/docs/.vuepress/public/favicon.ico new file mode 100644 index 000000000..50a7612c0 Binary files /dev/null and b/docs/.vuepress/public/favicon.ico differ 
diff --git a/docs/.vuepress/public/logo-long-civez.png b/docs/.vuepress/public/logo-long-civez.png new file mode 100644 index 000000000..4d1c2a853 Binary files /dev/null and b/docs/.vuepress/public/logo-long-civez.png differ diff --git a/docs/.vuepress/public/logo-long-white-civez.png b/docs/.vuepress/public/logo-long-white-civez.png new file mode 100644 index 000000000..5b9c72af7 Binary files /dev/null and b/docs/.vuepress/public/logo-long-white-civez.png differ diff --git a/docs/.vuepress/public/logo-long-white.svg b/docs/.vuepress/public/logo-long-white.svg index e76e287b9..9b8efeb2e 100644 --- a/docs/.vuepress/public/logo-long-white.svg +++ b/docs/.vuepress/public/logo-long-white.svg @@ -1 +1 @@ -logo-long-white \ No newline at end of file + \ No newline at end of file diff --git a/docs/.vuepress/public/logo-long.svg b/docs/.vuepress/public/logo-long.svg index 4b9916dc6..3a6de5697 100644 --- a/docs/.vuepress/public/logo-long.svg +++ b/docs/.vuepress/public/logo-long.svg @@ -1 +1 @@ -logo-long \ No newline at end of file + \ No newline at end of file diff --git a/docs/.vuepress/public/logo-no-text.svg b/docs/.vuepress/public/logo-no-text.svg index 528a33564..ffd841103 100644 --- a/docs/.vuepress/public/logo-no-text.svg +++ b/docs/.vuepress/public/logo-no-text.svg @@ -1 +1 @@ -logo-no-text \ No newline at end of file + \ No newline at end of file diff --git a/docs/.vuepress/public/logo-only.png b/docs/.vuepress/public/logo-only.png index f6965796c..17a7cdd6f 100644 Binary files a/docs/.vuepress/public/logo-only.png and b/docs/.vuepress/public/logo-only.png differ diff --git a/docs/.vuepress/public/logo-stacked.svg b/docs/.vuepress/public/logo-stacked.svg index 41d399be9..9e8cd00de 100644 --- a/docs/.vuepress/public/logo-stacked.svg +++ b/docs/.vuepress/public/logo-stacked.svg @@ -1 +1 @@ -logo-stacked \ No newline at end of file + \ No newline at end of file 
diff --git a/docs/.vuepress/public/logo-white.png b/docs/.vuepress/public/logo-white.png new file mode 100644 index 000000000..42fde25dd Binary files /dev/null and b/docs/.vuepress/public/logo-white.png differ diff --git a/docs/.vuepress/public/logo.svg b/docs/.vuepress/public/logo.svg index f3a549e94..ac3a4a6fc 100644 --- a/docs/.vuepress/public/logo.svg +++ b/docs/.vuepress/public/logo.svg @@ -1 +1 @@ -logo \ No newline at end of file + \ No newline at end of file diff --git a/docs/.vuepress/public/pomerium-diagram.svg b/docs/.vuepress/public/pomerium-diagram.svg new file mode 100644 index 000000000..cca32d6f9 --- /dev/null +++ b/docs/.vuepress/public/pomerium-diagram.svg @@ -0,0 +1,2 @@ + +
Pomerium 
Identity-aware Access Proxy
[Not supported by viewer]
Firewall
[Not supported by viewer]
Proxy
[Not supported by viewer]
Authenticate
[Not supported by viewer]
Authorize
[Not supported by viewer]
Prometheus
[Not supported by viewer]
Internal web app
[Not supported by viewer]
Web app
[Not supported by viewer]
Remote Users
Remote Users<br>
On-premise Users
On-premise Users<br>
\ No newline at end of file diff --git a/docs/.vuepress/public/pomerium-in-action-800-600.mp4 b/docs/.vuepress/public/pomerium-in-action-800-600.mp4 new file mode 100644 index 000000000..2042ca7e1 Binary files /dev/null and b/docs/.vuepress/public/pomerium-in-action-800-600.mp4 differ diff --git a/docs/.vuepress/public/remote.svg b/docs/.vuepress/public/remote.svg new file mode 100644 index 000000000..70717310e --- /dev/null +++ b/docs/.vuepress/public/remote.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/docs/.vuepress/public/secure-server.svg b/docs/.vuepress/public/secure-server.svg new file mode 100644 index 000000000..a59520606 --- /dev/null +++ b/docs/.vuepress/public/secure-server.svg @@ -0,0 +1 @@ +secure server \ No newline at end of file diff --git a/docs/.vuepress/public/security-in-depth.svg b/docs/.vuepress/public/security-in-depth.svg new file mode 100644 index 000000000..4d9d27ae8 --- /dev/null +++ b/docs/.vuepress/public/security-in-depth.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/docs/.vuepress/styles/palette.styl b/docs/.vuepress/styles/palette.styl deleted file mode 100644 index cf07438e6..000000000 --- a/docs/.vuepress/styles/palette.styl +++ /dev/null @@ -1,16 +0,0 @@ -// colors -$accentColor = #6E43E8 -$textColor = #24292e -$borderColor = #e8e8fb -$codeBgColor = #282c34 -$arrowBgColor = #ccc - -// layout -// $navbarHeight = 3.6rem -// $sidebarWidth = 20rem -// $contentWidth = 740px - -// // responsive breakpoints -// $MQNarrow = 959px -// $MQMobile = 719px -// $MQMobileNarrow = 419px diff --git a/docs/.vuepress/theme/components/AlgoliaSearchBox.vue b/docs/.vuepress/theme/components/AlgoliaSearchBox.vue new file mode 100644 index 000000000..a7a6c0985 --- /dev/null +++ b/docs/.vuepress/theme/components/AlgoliaSearchBox.vue @@ -0,0 +1,158 @@ + + + + + diff --git a/docs/.vuepress/theme/components/DropdownLink.vue b/docs/.vuepress/theme/components/DropdownLink.vue new file mode 100644 index 000000000..0d360830e 
--- /dev/null +++ b/docs/.vuepress/theme/components/DropdownLink.vue @@ -0,0 +1,179 @@ + + + + + diff --git a/docs/.vuepress/theme/components/DropdownTransition.vue b/docs/.vuepress/theme/components/DropdownTransition.vue new file mode 100644 index 000000000..8c711a155 --- /dev/null +++ b/docs/.vuepress/theme/components/DropdownTransition.vue @@ -0,0 +1,33 @@ + + + + + diff --git a/docs/.vuepress/theme/components/Home.vue b/docs/.vuepress/theme/components/Home.vue new file mode 100644 index 000000000..6d6792a8d --- /dev/null +++ b/docs/.vuepress/theme/components/Home.vue @@ -0,0 +1,330 @@ + + + + + diff --git a/docs/.vuepress/theme/components/NavLink.vue b/docs/.vuepress/theme/components/NavLink.vue new file mode 100644 index 000000000..033182291 --- /dev/null +++ b/docs/.vuepress/theme/components/NavLink.vue @@ -0,0 +1,46 @@ + + + diff --git a/docs/.vuepress/theme/components/NavLinks.vue b/docs/.vuepress/theme/components/NavLinks.vue new file mode 100644 index 000000000..52faeb7bf --- /dev/null +++ b/docs/.vuepress/theme/components/NavLinks.vue @@ -0,0 +1,150 @@ + + + + + diff --git a/docs/.vuepress/theme/components/Navbar.vue b/docs/.vuepress/theme/components/Navbar.vue new file mode 100644 index 000000000..f606d04ac --- /dev/null +++ b/docs/.vuepress/theme/components/Navbar.vue @@ -0,0 +1,142 @@ + + + + + diff --git a/docs/.vuepress/theme/components/Page.vue b/docs/.vuepress/theme/components/Page.vue new file mode 100644 index 000000000..dc7f23fba --- /dev/null +++ b/docs/.vuepress/theme/components/Page.vue @@ -0,0 +1,241 @@ + + + + + diff --git a/docs/.vuepress/theme/components/Sidebar.vue b/docs/.vuepress/theme/components/Sidebar.vue new file mode 100644 index 000000000..deed78c0e --- /dev/null +++ b/docs/.vuepress/theme/components/Sidebar.vue @@ -0,0 +1,92 @@ + + + + + diff --git a/docs/.vuepress/theme/components/SidebarButton.vue b/docs/.vuepress/theme/components/SidebarButton.vue new file mode 100644 index 000000000..a43ad2172 --- /dev/null 
+++ b/docs/.vuepress/theme/components/SidebarButton.vue @@ -0,0 +1,42 @@ + + + diff --git a/docs/.vuepress/theme/components/SidebarGroup.vue b/docs/.vuepress/theme/components/SidebarGroup.vue new file mode 100644 index 000000000..f38e734b6 --- /dev/null +++ b/docs/.vuepress/theme/components/SidebarGroup.vue @@ -0,0 +1,136 @@ + + + + + diff --git a/docs/.vuepress/theme/components/SidebarLink.vue b/docs/.vuepress/theme/components/SidebarLink.vue new file mode 100644 index 000000000..ad28e5fd9 --- /dev/null +++ b/docs/.vuepress/theme/components/SidebarLink.vue @@ -0,0 +1,153 @@ + + + diff --git a/docs/.vuepress/theme/components/SidebarLinks.vue b/docs/.vuepress/theme/components/SidebarLinks.vue new file mode 100644 index 000000000..f805aa771 --- /dev/null +++ b/docs/.vuepress/theme/components/SidebarLinks.vue @@ -0,0 +1,79 @@ + + + diff --git a/docs/.vuepress/theme/global-components/Badge.vue b/docs/.vuepress/theme/global-components/Badge.vue new file mode 100644 index 000000000..f56ae3eda --- /dev/null +++ b/docs/.vuepress/theme/global-components/Badge.vue @@ -0,0 +1,57 @@ + + + diff --git a/docs/.vuepress/theme/index.js b/docs/.vuepress/theme/index.js new file mode 100644 index 000000000..bd1ad342d --- /dev/null +++ b/docs/.vuepress/theme/index.js 
@@ -0,0 +1,52 @@ +const path = require("path"); + +// Theme API. +module.exports = (options, ctx) => ({ + alias() { + const { themeConfig, siteConfig } = ctx; + // resolve algolia + const isAlgoliaSearch = + themeConfig.algolia || + Object.keys((siteConfig.locales && themeConfig.locales) || {}).some( + base => themeConfig.locales[base].algolia + ); + return { + "@AlgoliaSearchBox": isAlgoliaSearch + ? path.resolve(__dirname, "components/AlgoliaSearchBox.vue") + : path.resolve(__dirname, "noopModule.js") + }; + }, + + plugins: [ + ["@vuepress/active-header-links", options.activeHeaderLinks], + "@vuepress/search", + "@vuepress/plugin-nprogress", + [ + "container", + { + type: "tip", + defaultTitle: { + "/zh/": "提示" + } + } + ], + [ + "container", + { + type: "warning", + defaultTitle: { + "/zh/": "注意" + } + } + ], + [ + "container", + { + type: "danger", + defaultTitle: { + "/zh/": "警告" + } + } + ] + ] +}); diff --git a/docs/.vuepress/theme/layouts/404.vue b/docs/.vuepress/theme/layouts/404.vue new file mode 100644 index 000000000..b91e468d9 --- /dev/null +++ b/docs/.vuepress/theme/layouts/404.vue @@ -0,0 +1,27 @@ + + + + \ No newline at end of file diff --git a/docs/.vuepress/theme/layouts/Layout.vue b/docs/.vuepress/theme/layouts/Layout.vue new file mode 100644 index 000000000..49530c982 --- /dev/null +++ b/docs/.vuepress/theme/layouts/Layout.vue @@ -0,0 +1,121 @@ + + + diff --git a/docs/.vuepress/theme/noopModule.js b/docs/.vuepress/theme/noopModule.js new file mode 100644 index 000000000..b1c6ea436 --- /dev/null +++ b/docs/.vuepress/theme/noopModule.js @@ -0,0 +1 @@ +export default {} diff --git a/docs/.vuepress/theme/package.json b/docs/.vuepress/theme/package.json new file mode 100644 index 000000000..6a79dd95e --- /dev/null +++ b/docs/.vuepress/theme/package.json 
@@ -0,0 +1,41 @@ +{ + "name": "@vuepress/theme-default", + "version": "1.0.2", + "description": "Default theme for VuePress", + "main": "index.js", + "publishConfig": { + "access": "public" + }, + "repository": { + "type": "git", + "url": "git+https://github.com/vuejs/vuepress.git", + "directory": "packages/@vuepress/theme-default" + }, + "keywords": [ + "documentation", + "vue", + "vuepress", + "generator" + ], + "author": "Evan You", + "maintainers": [ + { + "name": "ULIVZ", + "email": "chl814@foxmail.com" + } + ], + "license": "MIT", + "bugs": { + "url": "https://github.com/vuejs/vuepress/issues" + }, + "homepage": "https://github.com/vuejs/vuepress/packages/@vuepress/theme-default#readme", + "dependencies": { + "@vuepress/plugin-active-header-links": "^1.0.2", + "@vuepress/plugin-nprogress": "^1.0.2", + "@vuepress/plugin-search": "^1.0.2", + "docsearch.js": "^2.5.2", + "stylus": "^0.54.5", + "stylus-loader": "^3.0.2", + "vuepress-plugin-container": "^2.0.0" + } +} diff --git a/docs/.vuepress/theme/styles/arrow.styl b/docs/.vuepress/theme/styles/arrow.styl new file mode 100644 index 000000000..20bffc0dc --- /dev/null +++ b/docs/.vuepress/theme/styles/arrow.styl @@ -0,0 +1,22 @@ +@require './config' + +.arrow + display inline-block + width 0 + height 0 + &.up + border-left 4px solid transparent + border-right 4px solid transparent + border-bottom 6px solid $arrowBgColor + &.down + border-left 4px solid transparent + border-right 4px solid transparent + border-top 6px solid $arrowBgColor + &.right + border-top 4px solid transparent + border-bottom 4px solid transparent + border-left 6px solid $arrowBgColor + &.left + border-top 4px solid transparent + border-bottom 4px solid transparent + border-right 6px solid $arrowBgColor diff --git a/docs/.vuepress/theme/styles/code.styl b/docs/.vuepress/theme/styles/code.styl new file mode 100644 index 000000000..31aa97ddb --- /dev/null +++ b/docs/.vuepress/theme/styles/code.styl 
@@ -0,0 +1,140 @@ +{$contentClass} + code + color lighten($textColor, 20%) + padding 0.25rem 0.5rem + margin 0 + font-size 0.85em + background-color rgba(27,31,35,0.05) + border-radius 3px + .token + &.deleted + color #EC5975 + &.inserted + color $accentColor + +{$contentClass} + pre, pre[class*="language-"] + line-height 1.4 + padding 1.25rem 1.5rem + margin 0.85rem 0 + background-color $codeBgColor + border-radius 6px + overflow auto + code + color #fff + padding 0 + background-color transparent + border-radius 0 + +div[class*="language-"] + position relative + background-color $codeBgColor + border-radius 6px + .highlight-lines + user-select none + padding-top 1.3rem + position absolute + top 0 + left 0 + width 100% + line-height 1.4 + .highlighted + background-color rgba(0, 0, 0, 66%) + pre, pre[class*="language-"] + background transparent + position relative + z-index 1 + &::before + position absolute + z-index 3 + top 0.8em + right 1em + font-size 0.75rem + color rgba(255, 255, 255, 0.4) + &:not(.line-numbers-mode) + .line-numbers-wrapper + display none + &.line-numbers-mode + .highlight-lines .highlighted + position relative + &:before + content ' ' + position absolute + z-index 3 + left 0 + top 0 + display block + width $lineNumbersWrapperWidth + height 100% + background-color rgba(0, 0, 0, 66%) + pre + padding-left $lineNumbersWrapperWidth + 1 rem + vertical-align middle + .line-numbers-wrapper + position absolute + top 0 + width $lineNumbersWrapperWidth + text-align center + color rgba(255, 255, 255, 0.3) + padding 1.25rem 0 + line-height 1.4 + br + user-select none + .line-number + position relative + z-index 4 + user-select none + font-size 0.85em + &::after + content '' + position absolute + z-index 2 + top 0 + left 0 + width $lineNumbersWrapperWidth + height 100% + border-radius 6px 0 0 6px + border-right 1px solid rgba(0, 0, 0, 66%) + background-color $codeBgColor + + +for lang in $codeLang + div{'[class~="language-' + lang + '"]'} + &:before + 
content ('' + lang) + +div[class~="language-javascript"] + &:before + content "js" + +div[class~="language-typescript"] + &:before + content "ts" + +div[class~="language-markup"] + &:before + content "html" + +div[class~="language-markdown"] + &:before + content "md" + +div[class~="language-json"]:before + content "json" + +div[class~="language-ruby"]:before + content "rb" + +div[class~="language-python"]:before + content "py" + +div[class~="language-bash"]:before + content "sh" + +div[class~="language-sh"]:before + content "sh" + +div[class~="language-php"]:before + content "php" + +@import '~prismjs/themes/prism-tomorrow.css' diff --git a/docs/.vuepress/theme/styles/config.styl b/docs/.vuepress/theme/styles/config.styl new file mode 100644 index 000000000..9e403210f --- /dev/null +++ b/docs/.vuepress/theme/styles/config.styl @@ -0,0 +1 @@ +$contentClass = '.theme-default-content' diff --git a/docs/.vuepress/theme/styles/custom-blocks.styl b/docs/.vuepress/theme/styles/custom-blocks.styl new file mode 100644 index 000000000..276b9bbdb --- /dev/null +++ b/docs/.vuepress/theme/styles/custom-blocks.styl @@ -0,0 +1,31 @@ +.custom-block + .custom-block-title + font-weight 600 + margin-bottom -0.4rem + &.tip, &.warning, &.danger + padding .1rem 1.5rem + border-left-width .5rem + border-left-style solid + margin 1rem 0 + &.tip + background-color #f3f5f7 + border-color #42b983 + &.warning + background-color rgba(255,229,100,.3) + border-color darken(#ffe564, 35%) + color darken(#ffe564, 70%) + .custom-block-title + color darken(#ffe564, 50%) + a + color $textColor + &.danger + background-color #ffe6e6 + border-color darken(red, 20%) + color darken(red, 70%) + .custom-block-title + color darken(red, 40%) + a + color $textColor + + + \ No newline at end of file diff --git a/docs/.vuepress/theme/styles/index.styl b/docs/.vuepress/theme/styles/index.styl new file mode 100644 index 000000000..316359f43 --- /dev/null +++ b/docs/.vuepress/theme/styles/index.styl 
@@ -0,0 +1,201 @@ +@require './config' +@require './code' +@require './custom-blocks' +@require './arrow' +@require './wrapper' +@require './toc' + +html, body + padding 0 + margin 0 + background-color #fff + +body + font-family -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen, Ubuntu, Cantarell, "Fira Sans", "Droid Sans", "Helvetica Neue", sans-serif + -webkit-font-smoothing antialiased + -moz-osx-font-smoothing grayscale + font-size $fontSize + color $textColor + +.page + padding-left $sidebarWidth + +.navbar + position fixed + z-index 20 + top 0 + left 0 + right 0 + height $navbarHeight + background-color $navbar-background + box-sizing border-box + border-bottom 1px solid $accentColor + +.sidebar-mask + position fixed + z-index 9 + top 0 + left 0 + width 100vw + height 100vh + display none + +.sidebar + font-size 16px + background-color $sidebarColor + width $sidebarWidth + position fixed + z-index 10 + margin 0 + top $navbarHeight + left 0 + bottom 0 + box-sizing border-box + border-right 1px solid $borderColor + overflow-y auto + +{$contentClass}:not(.custom) + @extend $wrapper + > *:first-child + margin-top $navbarHeight + + a:hover + text-decoration underline + + p.demo + padding 1rem 1.5rem + border 1px solid #ddd + border-radius 4px + + img + max-width 100% + +{$contentClass}.custom + padding 0 + margin 0 + + img + max-width 100% + +a + font-weight 500 + color $accentColor + text-decoration none + +p a code + font-weight 400 + color $accentColor + +kbd + background #eee + border solid 0.15rem #ddd + border-bottom solid 0.25rem #ddd + border-radius 0.15rem + padding 0 0.15em + +blockquote + font-size 1rem + color #999; + border-left .2rem solid #dfe2e5 + margin 1rem 0 + padding .25rem 0 .25rem 1rem + + & > p + margin 0 + +ul, ol + padding-left 1.2em + +strong + font-weight 600 + +h1, h2, h3, h4, h5, h6 + font-weight 600 + line-height 1.25 + + {$contentClass}:not(.custom) > & + margin-top (0.5rem - $navbarHeight) + padding-top ($navbarHeight + 
1rem) + margin-bottom 0 + + &:first-child + margin-top -1.5rem + margin-bottom 1rem + + + p, + pre, + .custom-block + margin-top 2rem + + &:hover .header-anchor + opacity: 1 + +h1 + font-size 2.2rem + +h2 + font-size 1.65rem + padding-bottom .3rem + border-bottom 1px solid $borderColor + +h3 + font-size 1.35rem + +a.header-anchor + font-size 0.85em + float left + margin-left -0.87em + padding-right 0.23em + margin-top 0.125em + opacity 0 + + &:hover + text-decoration none + +code, kbd, .line-number + font-family source-code-pro, Menlo, Monaco, Consolas, "Courier New", monospace + +p, ul, ol + line-height 1.7 + +hr + border 0 + border-top 1px solid $borderColor + +table + border-collapse collapse + margin 1rem 0 + display: block + overflow-x: auto + +tr + border-top 1px solid #dfe2e5 + + &:nth-child(2n) + background-color #f6f8fa + +th, td + border 1px solid #dfe2e5 + padding .6em 1em + +.theme-container + &.sidebar-open + .sidebar-mask + display: block + + &.no-navbar + {$contentClass}:not(.custom) > h1, h2, h3, h4, h5, h6 + margin-top 1.5rem + padding-top 0 + + .sidebar + top 0 + + +@media (min-width: ($MQMobile + 1px)) + .theme-container.no-sidebar + .sidebar + display none + + .page + padding-left 0 + +@require 'mobile.styl' diff --git a/docs/.vuepress/theme/styles/mobile.styl b/docs/.vuepress/theme/styles/mobile.styl new file mode 100644 index 000000000..f5bd32739 --- /dev/null +++ b/docs/.vuepress/theme/styles/mobile.styl 
@@ -0,0 +1,37 @@ +@require './config' + +$mobileSidebarWidth = $sidebarWidth * 0.82 + +// narrow desktop / iPad +@media (max-width: $MQNarrow) + .sidebar + font-size 15px + width $mobileSidebarWidth + .page + padding-left $mobileSidebarWidth + +// wide mobile +@media (max-width: $MQMobile) + .sidebar + top 0 + padding-top $navbarHeight + transform translateX(-100%) + transition transform .2s ease + .page + padding-left 0 + .theme-container + &.sidebar-open + .sidebar + transform translateX(0) + &.no-navbar + .sidebar + padding-top: 0 + +// narrow mobile +@media (max-width: $MQMobileNarrow) + h1 + font-size 1.9rem + {$contentClass} + div[class*="language-"] + margin 0.85rem -1.5rem + border-radius 0 diff --git a/docs/.vuepress/theme/styles/palette.styl b/docs/.vuepress/theme/styles/palette.styl new file mode 100644 index 000000000..b1bd6b726 --- /dev/null +++ b/docs/.vuepress/theme/styles/palette.styl @@ -0,0 +1,32 @@ +// colors +$mainColor= #6E43E8 + + +$sidebarColor=#FAFAFC +$accentColor = #6E43E8 +$textColor =rgb(51, 51, 51) +$headerColor=rgb(17, 17, 17) +$borderColor = #e8e8fb +$codeBgColor = #282c34 +$arrowBgColor = #ccc +$navbar-background = #6E43E8; +$navbar-text-color = #ffffff; +$section-color=#f7f7f7; +$fontSize = 16px + +// layout +$navbarHeight = 5.2rem +$navbar-vertical-padding = 1.4rem; +$navbar-horizontal-padding = 1.4rem; + +$sidebarWidth = 16rem +$contentWidth = 960px + +// // responsive breakpoints +$MQNarrow = 959px +$MQMobile = 719px +$MQMobileNarrow = 419px + +.icon.outbound + display none !important + \ No newline at end of file diff --git a/docs/.vuepress/theme/styles/toc.styl b/docs/.vuepress/theme/styles/toc.styl new file mode 100644 index 000000000..d3e71069b --- /dev/null +++ b/docs/.vuepress/theme/styles/toc.styl @@ -0,0 +1,3 @@ +.table-of-contents + .badge + vertical-align middle diff --git a/docs/.vuepress/theme/styles/wrapper.styl b/docs/.vuepress/theme/styles/wrapper.styl new file mode 100644 index 000000000..a99262c71 --- /dev/null 
+++ b/docs/.vuepress/theme/styles/wrapper.styl @@ -0,0 +1,9 @@ +$wrapper + max-width $contentWidth + margin 0 auto + padding 2rem 2.5rem + @media (max-width: $MQNarrow) + padding 2rem + @media (max-width: $MQMobileNarrow) + padding 1.5rem + diff --git a/docs/.vuepress/theme/util/index.js b/docs/.vuepress/theme/util/index.js new file mode 100644 index 000000000..fbf9a7d63 --- /dev/null +++ b/docs/.vuepress/theme/util/index.js 
@@ -0,0 +1,247 @@ +export const hashRE = /#.*$/; +export const extRE = /\.(md|html)$/; +export const endingSlashRE = /\/$/; +export const outboundRE = /^(https?:|mailto:|tel:|[a-zA-Z]{4,}:)/; + +export function normalize(path) { + return decodeURI(path) + .replace(hashRE, "") + .replace(extRE, ""); +} + +export function getHash(path) { + const match = path.match(hashRE); + if (match) { + return match[0]; + } +} + +export function isExternal(path) { + return outboundRE.test(path); +} + +export function isMailto(path) { + return /^mailto:/.test(path); +} + +export function isTel(path) { + return /^tel:/.test(path); +} + +export function ensureExt(path) { + if (isExternal(path)) { + return path; + } + const hashMatch = path.match(hashRE); + const hash = hashMatch ? hashMatch[0] : ""; + const normalized = normalize(path); + + if (endingSlashRE.test(normalized)) { + return path; + } + return normalized + ".html" + hash; +} + +export function isActive(route, path) { + const routeHash = route.hash; + const linkHash = getHash(path); + if (linkHash && routeHash !== linkHash) { + return false; + } + const routePath = normalize(route.path); + const pagePath = normalize(path); + return routePath === pagePath; +} + +export function resolvePage(pages, rawPath, base) { + if (isExternal(rawPath)) { + return { + type: "external", + path: rawPath + }; + } + if (base) { + rawPath = resolvePath(rawPath, base); + } + const path = normalize(rawPath); + for (let i = 0; i < pages.length; i++) { + if (normalize(pages[i].regularPath) === path) { + return Object.assign({}, pages[i], { + type: "page", + path: ensureExt(pages[i].path) + }); + } + } + console.error( + `[vuepress] No matching page found for sidebar item "${rawPath}"` + ); + return {}; +} + +function resolvePath(relative, base, append) { + const firstChar = relative.charAt(0); + if (firstChar === "/") { + return relative; + } + + if (firstChar === "?" 
|| firstChar === "#") { + return base + relative; + } + + const stack = base.split("/"); + + // remove trailing segment if: + // - not appending + // - appending to trailing slash (last segment is empty) + if (!append || !stack[stack.length - 1]) { + stack.pop(); + } + + // resolve relative path + const segments = relative.replace(/^\//, "").split("/"); + for (let i = 0; i < segments.length; i++) { + const segment = segments[i]; + if (segment === "..") { + stack.pop(); + } else if (segment !== ".") { + stack.push(segment); + } + } + + // ensure leading slash + if (stack[0] !== "") { + stack.unshift(""); + } + + return stack.join("/"); +} + +/** + * @param { Page } page + * @param { string } regularPath + * @param { SiteData } site + * @param { string } localePath + * @returns { SidebarGroup } + */ +export function resolveSidebarItems(page, regularPath, site, localePath) { + const { pages, themeConfig } = site; + + const localeConfig = + localePath && themeConfig.locales + ? themeConfig.locales[localePath] || themeConfig + : themeConfig; + + const pageSidebarConfig = + page.frontmatter.sidebar || localeConfig.sidebar || themeConfig.sidebar; + if (pageSidebarConfig === "auto") { + return resolveHeaders(page); + } + + const sidebarConfig = localeConfig.sidebar || themeConfig.sidebar; + if (!sidebarConfig) { + return []; + } else { + const { base, config } = resolveMatchingConfig(regularPath, sidebarConfig); + return config ? 
config.map(item => resolveItem(item, pages, base)) : []; + } +} + +/** + * @param { Page } page + * @returns { SidebarGroup } + */ +function resolveHeaders(page) { + const headers = groupHeaders(page.headers || []); + return [ + { + type: "group", + collapsable: false, + title: page.title, + path: null, + children: headers.map(h => ({ + type: "auto", + title: h.title, + basePath: page.path, + path: page.path + "#" + h.slug, + children: h.children || [] + })) + } + ]; +} + +export function groupHeaders(headers) { + // group h3s under h2 + headers = headers.map(h => Object.assign({}, h)); + let lastH2; + headers.forEach(h => { + if (h.level === 2) { + lastH2 = h; + } else if (lastH2) { + (lastH2.children || (lastH2.children = [])).push(h); + } + }); + return headers.filter(h => h.level === 2); +} + +export function resolveNavLinkItem(linkItem) { + return Object.assign(linkItem, { + type: linkItem.items && linkItem.items.length ? "links" : "link" + }); +} + +/** + * @param { Route } route + * @param { Array | Array | [link: string]: SidebarConfig } config + * @returns { base: string, config: SidebarConfig } + */ +export function resolveMatchingConfig(regularPath, config) { + if (Array.isArray(config)) { + return { + base: "/", + config: config + }; + } + for (const base in config) { + if (ensureEndingSlash(regularPath).indexOf(encodeURI(base)) === 0) { + return { + base, + config: config[base] + }; + } + } + return {}; +} + +function ensureEndingSlash(path) { + return /(\.html|\/)$/.test(path) ? 
path : path + "/"; +} + +function resolveItem(item, pages, base, groupDepth = 1) { + if (typeof item === "string") { + return resolvePage(pages, item, base); + } else if (Array.isArray(item)) { + return Object.assign(resolvePage(pages, item[0], base), { + title: item[1] + }); + } else { + if (groupDepth > 3) { + console.error("[vuepress] detected a too deep nested sidebar group."); + } + const children = item.children || []; + if (children.length === 0 && item.path) { + return Object.assign(resolvePage(pages, item.path, base), { + title: item.title + }); + } + return { + type: "group", + path: item.path, + title: item.title, + sidebarDepth: item.sidebarDepth, + children: children.map(child => + resolveItem(child, pages, base, groupDepth + 1) + ), + collapsable: item.collapsable !== false + }; + } +} diff --git a/CODE_OF_CONDUCT.md b/docs/community/code-of-conduct.md similarity index 99% rename from CODE_OF_CONDUCT.md rename to docs/community/code-of-conduct.md index bb9acaa93..2635e8e9f 100644 --- a/CODE_OF_CONDUCT.md +++ b/docs/community/code-of-conduct.md @@ -1,3 +1,7 @@ +--- +title: Code of Conduct +--- + # Contributor Covenant Code of Conduct ## Our Pledge diff --git a/docs/community/contributing.md b/docs/community/contributing.md new file mode 100644 index 000000000..b6337e8a2 --- /dev/null +++ b/docs/community/contributing.md 
@@ -0,0 +1,43 @@ +--- +title: Contributing +description: >- + This document describes how you can find issues to work on, setup Pomerium + locally for development, and get help when you are stuck. +--- + +# Contributing + +You can have a direct impact on the project by helping with its code or documentation. To contribute to Pomerium, open a [pull request](https://github.com/pomerium/pomerium/pulls) (PR). If you're new to our community, that's okay: **we gladly welcome pull requests from anyone, regardless of your native language or coding experience.** + +## Code + +We hold contributions to a high standard for quality :bowtie:, so don't be surprised if we ask for revisions--even if it seems small or insignificant. Please don't take it personally. :wink: If your change is on the right track, we can guide you to make it mergable. + +Here are some of the expectations we have of contributors: + +- If your change is more than just a minor alteration, **open an issue to propose your change first.** This way we can avoid confusion, coordinate what everyone is working on, and ensure that changes are in-line with the project's goals and the best interests of its users. If there's already an issue about it, comment on the existing issue to claim it. + +- **Keep pull requests small.** Smaller PRs are more likely to be merged because they are easier to review! We might ask you to break up large PRs into smaller ones. [An example of what we DON'T do.](https://twitter.com/iamdevloper/status/397664295875805184) + +- **Keep related commits together in a PR.** We do want pull requests to be small, but you should also keep multiple related commits in the same PR if they rely on each other. + +- **Write tests.** Tests are essential! Written properly, they ensure your change works, and that other changes in the future won't break your change. CI checks should pass. 
+ +- **Benchmarks should be included for optimizations.** Optimizations sometimes make code harder to read or have changes that are less than obvious. They should be proven with benchmarks or profiling. + +- **[Squash](http://gitready.com/advanced/2009/02/10/squashing-commits-with-rebase.html) insignificant commits.** Every commit should be significant. Commits which merely rewrite a comment or fix a typo can be combined into another commit that has more substance. Interactive rebase can do this, or a simpler way is `git reset --soft ` then `git commit -s`. + +- **Own your contributions.** Pomerium is a growing project, and it's much better when individual contributors help maintain their change after it is merged. + +- **Use comments properly.** We expect good godoc comments for package-level functions, types, and values. Comments are also useful whenever the purpose for a line of code is not obvious. + +- **Recommended reading** + + - [CodeReviewComments](https://github.com/golang/go/wiki/CodeReviewComments) for an idea of what we look for in good, clean Go code + - [Linus Torvalds describes a good commit message](https://gist.github.com/matthewhudson/1475276) + - [Best Practices for Maintainers](https://opensource.guide/best-practices/) + - [Shrinking Code Review](https://alexgaynor.net/2015/dec/29/shrinking-code-review/) + +## Documentation + +Pomerium's documentation is available at . If you would like to make a fix to the docs, please submit an issue here describing the change to make. diff --git a/docs/community/developers-guide.md b/docs/community/developers-guide.md new file mode 100644 index 000000000..5589ffac3 --- /dev/null +++ b/docs/community/developers-guide.md 
@@ -0,0 +1,145 @@ +# Development Guide + +The following guide assumes you do _not_ want to expose your development server to the public internet and instead want to do everything, with the exception of identity provider callbacks, locally. + +If you are comfortable with a public development configuration, see the Synology quick-start which covers how to set up your network, domain, and retrieve wild-card certificates from LetsEncrypt, the only difference being you would route traffic to your local development machine instead of the docker image. + +## Build From Source + +The following quick-start guide covers how to retrieve and build Pomerium from its source-code as well as how to run Pomerium using a minimal but complete configuration. One of the benefits of compiling from source is that Go supports building static binaries for a [wide array of architectures and operating systems](https://gist.github.com/asukakenji/f15ba7e588ac42795f421b48b8aede63) -- some of which may not yet be supported by Pomerium's official images or binaries. + +### Prerequisites + +- [git](https://git-scm.com/) +- [go](https://golang.org/doc/install) programming language +- A configured [identity provider] +- A [wild-card TLS certificate] + +### Download + +Retrieve the latest copy of pomerium's source code by cloning the repository. + +```bash +git clone https://github.com/pomerium/pomerium.git $HOME/pomerium +``` + +### Make + +Build pomerium from source in a single step using make. + +```bash +cd $HOME/pomerium +make +``` + +[Make] will run all the tests, some code linters, then build the binary. If all is good, you should now have a freshly built pomerium binary for your architecture and operating system in the `pomerium/bin` directory. + +### Configure + +Pomerium supports setting [configuration variables] using both environmental variables and using a configuration file. + +### Configuration file + +Create a config file (`config.yaml`). 
This file will be use to determine Pomerium's configuration settings, routes, and access-policies. Consider the following example: + +<<< @/docs/docs/reference/examples/config/config.minimal.yaml + +### Environmental Variables + +As mentioned above, Pomerium supports mixing and matching where configuration details are set. For example, we can specify our secret values and domains certificates as [environmental configuration variables]. + +<<< @/docs/docs/reference/examples/config/config.minimal.env + +### Run + +Finally, source the the configuration `env` file and run pomerium specifying the configuration file `config.yaml`. + +```bash +source ./env +./bin/pomerium -config config.yaml +``` + +### Navigate + +Browse to `external-httpbin.your.domain.example`. Connections between you and [httpbin] will now be proxied and managed by Pomerium. + +## Domains + +Publicly resolvable domains are central in how pomerium works. For local development, we'll have to do some additional configuration to mock that public workflow on our local machine. + +### Pick an identity provider friendly domain name + +Though typically you would want to use one of the TLDs specified by [RFC-2606](http://tools.ietf.org/html/rfc2606) for testing, unfortunately, google explicitly does not support oauth calls to test domains. As such, it's recommended to use a domain you control using a wildcard-subdomain that you know will not be used. + +If you do not control a domain, you can use `*.localhost.pomerium.io` which I've established for this use Plus, if you _do_ have internet access, this domain already has a [public A record](https://en.wikipedia.org/wiki/List_of_DNS_record_types) pointing to localhost. + +### Wildcard domain resolution with `dnsmasq` + +If you are on a plane (for example), you may not be able to access public DNS. Unfortunately, `/etc/hosts` does not support wildcard domains and would require you specifying a new entry for each pomerium managed route. 
The workaround is to use [dnsmasq](https://en.wikipedia.org/wiki/Dnsmasq) locally which _does_ support local resolution of wildcard domains. + +### OSX + +1. Install `brew update && brew install dnsmasq` +2. Edit `/usr/local/etc/dnsmasq.conf` to tell dnsmasq to resolve your test domains. + +```bash +echo 'address=/.localhost.pomerium.io/127.0.0.1' > $(brew --prefix)/etc/dnsmasq.conf +``` + +```bash +sudo mkdir -pv /etc/resolver +sudo bash -c 'echo "nameserver 127.0.0.1" > /etc/resolver/localhost.pomerium.io' +``` + +1. Restart `dnsmasq` + +```bash +sudo brew services restart dnsmasq +``` + +1. Tell OSX to use `127.0.0.1` as a the primary DNS resolver (followed by whatever public DNS you are using). ![osx dns resolution](./img/local-development-osx-dns.png) + +### Locally trusted wildcard certificates + +In production, we'd use a public certificate authority such as LetsEncrypt. For local development, enter [mkcert](https://mkcert.dev/) which is a "simple zero-config tool to make locally trusted development certificates with any names you'd like." + +1. Install `mkcert`. + +```bash +go get -u github.com/FiloSottile/mkcert +``` + +1. Bootstrap `mkcert`'s root certificate into your operating system's trust store. + +```bash +mkcert -install +``` + +1. Create your wildcard domain. + +```bash +mkcert "*.localhost.pomerium.io" +``` + +1. Viola! Now you can use locally trusted certificates with pomerium! 
+ +| Setting | Certificate file location | +| ---------------------------- | ------------------------------------------- | +| `certificate_file` | `./_wildcard.localhost.pomerium.io-key.pem` | +| `certificate_key_file` | `./_wildcard.localhost.pomerium.io.pem` | +| `certificate_authority_file` | `$(mkcert -CAROOT)/rootCA.pem` | + +See also: + +- [Set up a local test domain with dnsmasq](https://github.com/aviddiviner/til/blob/master/devops/set-up-a-local-test-domain-with-dnsmasq.md) +- [USE DNSMASQ INSTEAD OF /ETC/HOSTS](https://www.stevenrombauts.be/2018/01/use-dnsmasq-instead-of-etc-hosts/) +- [How to setup wildcard dev domains with dnsmasq on a mac](https://hedichaibi.com/how-to-setup-wildcard-dev-domains-with-dnsmasq-on-a-mac/) +- [mkcert](https://github.com/FiloSottile/mkcert) is a simple tool for making locally-trusted development certificates + +[configuration variables]: ../reference/readme.md +[download]: https://github.com/pomerium/pomerium/releases +[environmental configuration variables]: https://12factor.net/config +[httpbin]: https://httpbin.org/ +[identity provider]: ../identity-providers/readme.md +[make]: https://en.wikipedia.org/wiki/Make_(software) +[wild-card tls certificate]: ../reference/certificates.md diff --git a/docs/guide/from-source.md b/docs/community/from-source.md similarity index 89% rename from docs/guide/from-source.md rename to docs/community/from-source.md index 3f1b6d3b6..65db2d36b 100644 --- a/docs/guide/from-source.md +++ b/docs/community/from-source.md 
@@ -44,13 +44,13 @@ Pomerium supports setting [configuration variables] using both environmental var Create a config file (`config.yaml`). This file will be use to determine Pomerium's configuration settings, routes, and access-policies. Consider the following example: -<<< @/docs/docs/examples/config/config.minimal.yaml +<<< @/docs/docs/reference/examples/config/config.minimal.yaml ### Environmental Variables As mentioned above, Pomerium supports mixing and matching where configuration details are set. For example, we can specify our secret values and domains certificates as [environmental configuration variables]. -<<< @/docs/docs/examples/config/config.minimal.env +<<< @/docs/docs/reference/examples/config/config.minimal.env ## Run @@ -65,10 +65,10 @@ source ./env Browse to `external-httpbin.your.domain.example`. Connections between you and [httpbin] will now be proxied and managed by Pomerium. -[configuration variables]: ../reference/readme.md +[configuration variables]: ../reference/reference.md [download]: https://github.com/pomerium/pomerium/releases [environmental configuration variables]: https://12factor.net/config [httpbin]: https://httpbin.org/ -[identity provider]: ../docs/identity-providers.md +[identity provider]: ../docs/identity-providers/ [make]: https://en.wikipedia.org/wiki/Make_(software) -[wild-card tls certificate]: ../docs/certificates.md +[wild-card tls certificate]: ../reference/certificates.md diff --git a/docs/docs/local-development/local-development-osx-dns.png b/docs/community/img/local-development-osx-dns.png similarity index 100% rename from docs/docs/local-development/local-development-osx-dns.png rename to docs/community/img/local-development-osx-dns.png diff --git a/docs/community/readme.md b/docs/community/readme.md new file mode 100644 index 000000000..c5c2cb517 --- /dev/null +++ b/docs/community/readme.md 
@@ -0,0 +1,24 @@ +--- +title: Overview +description: >- + This document describes how you can find issues to work on, setup Pomerium + locally for development, and get help when you are stuck. +--- + +# Get help + +If you have a question about using Pomerium, [join our slack channel](http://slack.pomerium.io/)! There will be more people there who can help you than just the Pomerium developers who follow our issue tracker. Issues are not the place for usage questions. + +# Report bugs + +Like every software, Pomerium has its flaws. If you find one, [search the issues](https://github.com/pomerium/pomerium/issues) to see if it has already been reported. If not, [open a new issue](https://github.com/pomerium/pomerium/issues/new) and describe the bug, and somebody will look into it! + +Please follow the issue template so we have all the needed information. We need to be able to repeat the bug using your instructions. Please simplify the issue as much as possible. The more detailed and specific you are, the faster we will be able to help you! + +We suggest reading [How to Report Bugs Effectively](http://www.chiark.greenend.org.uk/~sgtatham/bugs.html). + +# Suggest features + +First, [search to see if your feature has already been requested](https://github.com/pomerium/pomerium/issues). If it has, you can add a :+1: reaction to vote for it. If your feature idea is new, open an issue to request the feature. You don't have to follow the bug template for feature requests. Please describe your idea thoroughly so that we know how to implement it! Really vague requests may not be helpful or actionable and without clarification will have to be closed. + +While we really do value your requests and implement many of them, not all features are a good fit for Pomerium. But if a feature is not in the best interest of the Pomerium project or its users in general, we may politely decline to implement it into Pomerium core. 
diff --git a/docs/community/security.md b/docs/community/security.md new file mode 100644 index 000000000..1b13636c0 --- /dev/null +++ b/docs/community/security.md 
@@ -0,0 +1,61 @@ +# Security + +We deeply appreciate any effort to discover and disclose security vulnerabilities responsibly. + +If you would like to report a vulnerability, or have any security concerns, please e-mail info@pomerium.io or reach out on [keybase](https://keybase.io/bdesimone). + +Though we accept PGP-encrypted email, please only use it for critical security reports. + +``` +-----BEGIN PGP PUBLIC KEY BLOCK----- +Comment: GPGTools - https://gpgtools.org +xsFNBFuDBCsBEADmvRj1ooWDgyisMiyUvOIFq2l52r2gD2bo6I9RyZUFCm5CO0Ye +rk4POVtG/NPwbvd4dSmA7ePQLWNoMx4bN42B4EUJgqh+U82NKu0qU4eVeew4x+w1 +bNmsqa0ZdoSMqONofFoD/ImepOVkZx56LPIJ7hb4/JlYnpPFlphfj06bf8JEqcGI +WgvJcZdXhSS2RDkSfC34EXps6w9aWmgDZKWz56YRcTVPzGJuGw1mfJLL1F9NQq/g +nzW82j+Z9bjVdeVLuEH3QBuKoviyVoIjIJvSCtb92151PMsvRTFpeTbp45Lep+xc +RVGEKhXPW7AA9n3Q57Y0cxWKgSE0agnsjpzUOTMbwl3VyxuwWyxuP2JpGGXXiX9y +4uE27FOb2u8N8WbTVueTKNs2QgqukKcg0XX7b2UpWX4OkhD/U5Nbh3jAvZ9COoK5 +TIb/NgJqnMo/ReKFRA8IgXIoKeGn/WJJCe6nPAo+6c+glam9xekHbdH/9PQ5eSOf +lMfzgNXd2OOLYK98KQpRqWIdMqWlt3Ufik+cbsfCnaK9rK4ktiYZdiDHK+Lp7V71 +Ng45o/sHnnSjvYKlhBn5EcdpVXw6IKrUW9OUD7l/sga+xa0MMmUF4C2VxYJ+n6Qg +bRZaREvKLbhsqycmq4p+oBpSjyWgP4CRPHkG03PYNFA1/cg7sFUUekmehQARAQAB +zShCb2JieSBEZVNpbW9uZSA8Ym9iYnlkZXNpbW9uZUBnbWFpbC5jb20+wsF4BBMB +CAAsBQJbgwQrCRCu5M8S/obQfgIbAwUJHhM4AAIZAQQLBwkDBRUICgIDBBYAAQIA +AHd0EABezUgLsjeCLDK3JG4VkJkvDAZNKLtzEjZ2pdexWjzREgYvu42d3QNM3fKI +kW6TTb7C08BsiijGaUqtZUCyqH/dN24jw5a4nKKbnqylDUr2XCpWwKVbsF4t+BXR +jADJeRLP+cMbHhLb8CindOo2ZRrzMp912454sCGKw3c27P5NTKJcO9WGArQ39MEl +C2MqIQREdBrkfQsXK7rz26SSqlyrNl7NQDmKRMZLciaibgEP4rfycqierqcDZiTP +2xxTckB4tV3K5ki3s5NV+cYnq38efmUxygnU8wlzbcv9MukvAOLLLKEiSxBzgpZb +ddr8QC/ljmvzGm2qKQFCjBaV4wtk1n6xZ8AjjpP8irxFQwwCxwNEIwx6vt3NQNxm +qL8KXVn617mOc6iS9BvZVzcBzXUh8geIDt7Chqil8kUuPiCpVpY63z+phLHcAen/ +NHFJ3OE/CbUcBsw0xDfKF+NWp7hQjbk5lV1ueXV2FTJ/SISEvuJ64CELzCPzGwwE +7Gb0zwOeIMBAJMrPEt+YByu0dxa9vjcgOLeaRzuADtRvJCl3UjoXDC8Vdii1ywBM +wkZcvfW51MOiiKFadZsYjzgBFIJ9rybXyxx8kfzTMpcmGLa7v2zp1+ANZm4Wwb8Z 
+zJgU+MLlbjJcXIqbdhjC7cgL/1YitXWw1ELDP4F8taV4aWK62M7BTQRbgwQrARAA +pza3CTXb5GUKeBM8YB1Wv5MIauL/bfpCZo3ujhJaN87XtRBQXMfDyznCThz5vraZ +HWpvLQcsaJoMPbC7UbUl2l9yiCCd0y4/b2czzpA1P4rTa6FrSWl4xFi+WLlPiCls +m7xEizBU0PcqsDEGX61o+S2Iiay2jjpOGlDNs3z6gyyGNvjjRd2aRjAACGqqOH75 +J+6a4dwISUQ9zP+JkWsmgSZw10PhS4LemXUN2XyIMbJdWKbej8vPjyFXgwjKkBT5 +/RCgNGeE+hji/p22DhTIsCOMzVW6nch9B6uXMtpbqtily+hqYkhT9Ke6fInniafN +N8DuFH7YIixbWx9+kg8kRKAknMuqWS/u2d6QZD8lI6uUDO4/EuCaek/oCmJ8aQ+x +kQNMYRbnVlDQ+/WYepnF6nsQgsDELcAJAkNMXm0jnfcfCtZNuh79H6b1yvrPTkB0 +2uawLA0NvdVKpv9ZPZy7RLoytVspYUA+T0khcSozzBcjyE9jvd7bic+biIeXyYe2 +Zu3KevuvsiLEvifhjAg0FbML/GOYZbayxpe1IWiqzRsq/UX+2E8PJV2NuqbFOj8U +93Jgol+Ag8JAsmnFrJCtKs5diDOS/wd+hljZyuWcWQCaahsFoKMV1ayoVbOJ1XWU +3PAh30enHcGeIg6sV32xhYBO7mTnX51VybRRMAtd4hMAEQEAAcLBdQQYAQgAKQUC +W4MEKwkQruTPEv6G0H4CGwwFCR4TOAAECwcJAwUVCAoCAwQWAAECAACNdxAA3s5s +mvlKZrm5dfBqzCNDQtJtqqFkcOBCNhMKsJKn81YKsvT0yHsj6rfO5hL2uu6NKjkR +K1Dn9IAR2wBt0pJy2bJo9HGfqAxb0JaC6Rgu/MoEYTcRbGUl3N6ywBAUFJ31Ou5F +chzDrJJ37kLjTTHxkW8UXlVZWRs+jVwTTjWL96UXVxYdndeAAxLgceRy0h2h00xF +PoVsjEpoek+yaHhmLWC3wSZ0jveGcB0pT9BI7D/9FZVHQ0DPzlYaXT6eZSLv+5BE +dr+Gv4iwJ0DLF6tHl7bEm1O2iS3PyU59Fu5GOV2R6b/NRW+pYUwZhFz3zQ7GkUJE +V+XBOMUFq5VduuzXZKSmlqr4SSx9SvcDiH7eRjNTX4Hzb+VcWKS/bvSS0efwz5AW +Q9zObT1B/c889rPoiTIDXI4qOhzPmeva89QceRo04QXzi8fujRJoAmqdzW8uiiKO +Edk1J5rzMkfEHMVf1l8z390qNy3VAk++mqQe8ZS2W7/ulNzNt3Gwx54rdOEe5pIl +2QSGEwZgg6zX7C94xlqnxp84axNQghWJfBolMcp0q/yDFjbnRzd2vLUhtzEAosd4 +VDw98WyFTbRTTN8ElRptLUsa73raYpKRXN17vB517spEghyT1oyCdHYgaqvRkU7b +ZDRB+exOyJJypi2cSaarxiI2gaMT2wp+dChnQ4k= +=LGUI +-----END PGP PUBLIC KEY BLOCK----- +``` diff --git a/CHANGELOG.md b/docs/docs/CHANGELOG.md similarity index 97% rename from CHANGELOG.md rename to docs/docs/CHANGELOG.md index 1da3fc04b..9b0257ea2 100644 --- a/CHANGELOG.md +++ b/docs/docs/CHANGELOG.md @@ -1,4 +1,4 @@ -# Pomerium Changelog +# Changelog ## v0.2.0 
@@ -25,6 +25,10 @@ - Improved HTTP metrics implementation internals - The HTTP method label is now `http_method`, and HTTP status label is now `http_status` +### FIXED + +- Fixed potential race condition when signing requests. [GH-240] + ### Changed - GRPC version upgraded to v1.22 [GH-219] @@ -116,8 +120,8 @@ ### DOCUMENTATION -- Added [synology tutorial](https://www.pomerium.io/guide/synology.html). [GH-96] -- Added [certificates documentation](https://www.pomerium.io/docs/certificates.html). [GH-79] +- Added [synology tutorial]. [GH-96] +- Added [certificates documentation]. [GH-79] ## v0.0.3 @@ -154,3 +158,6 @@ ### FIXED - `http.Server` and `httputil.NewSingleHostReverseProxy` now uses pomerium's logging package instead of the standard library's built in one. [GH-58] + +[synology tutorial]: ./quick-start/synology.md +[certificates documentation]: ../reference/certificates.md diff --git a/docs/docs/background.md b/docs/docs/background.md new file mode 100644 index 000000000..624ce938d --- /dev/null +++ b/docs/docs/background.md 
@@ -0,0 +1,86 @@ +--- +title: Background +lang: en-US +meta: + - name: keywords + content: pomerium identity-access-proxy beyondcorp zero-trust reverse-proxy ztn +--- + +# Background + +## History + +For years, security was synonymous with network security. Firewalls, network segmentation, and VPNs reigned the day. Broadly speaking, that network focused security posture is what people mean today when they talk about the perimeter security model. So-called "impenetrable fortress" security worked well for a period of time when you could reasonably expect your network perimeter to correspond to an actual physical perimeters, users, devices, and servers. But as teams, applications, workloads, and users became more ephemeral and distributed, the shortcomings of perimeter based security have become more apparent in terms of both operational costs and security breaches. + +> Most networks [have] big castle walls, hard crunchy outer shell, and soft gooey centers... +> +> [Rob Joyce](https://en.wikipedia.org/wiki/Rob_Joyce) [Chief of Tailored Access Operations](https://en.wikipedia.org/wiki/Tailored_Access_Operations), [National Security Agency @ ENIGMA 2016](https://www.youtube.com/watch?v=bDJb8WOJYdA&feature=youtu.be&t=1627) + +There's no such thing as perfect security. Many recent high-profile breaches have demonstrated just how difficult it is for even large companies with sophisticated security organizations to avoid a breach. To pick just two of many possible breaches were perimeter security played a role, consider the Target and Google hacks. In Target's case, hackers circumvented both the physical and network perimeter by [hacking the HVAC system](https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/) which was connected to the internal corporate network and then moved laterally to exfiltrate customer credit card data. In Google's case, they experienced a devastating attack at the hands of the Chinese military. 
Google did a bottom up review of their security posture following [Operation Aurora](https://en.wikipedia.org/wiki/Operation_Aurora). The resulting actions from that review would be released as a [series of white papers](https://ai.google/research/pubs/pub43231) called "BeyondCorp" which have since become foundational documents in articulating how and why an organization could move beyond corporate perimeter (BeyondCorp...get it?) based security. + +> In reality, there's never one front door; there are many front doors...[and] ... we're not securing a single castle. We're starting to think about securing many different interconnected castles. +> +> [Armon Dadgar, Cofounder of HashiCorp @ PagerDuty Nov 2018](https://www.hashicorp.com/resources/how-zero-trust-networking) + +The other side of the security trade-off is operational agility. Perimeter based approaches tend to focus on network segmentation which entails creating virtual or physical boundaries around services that need to communicate. Making those boundaries is increasingly difficult to manage in a world of microservices, and cloud computing where service communication requirements are constantly in flux. In theory, an organization could "micro/nano/pico-segment" each and every layer of an application stack to ensure the appropriate audience, however, in practice, operators usually choose between a very precise boundary that is high-touch, time-consuming to mange, and error prone, and that of a more lax boundary that may entail more risk but is less time consuming to update and manage and less prone to break. + +### Gaps in the perimeter + +Perimeter based security suffers from the following shortcomings: + +- Perimeter security largely ignores the insider threat. Given that thirty percent of all breaches are from internal actors, this is a pretty big omission. 
+- If the last few years have proved anything it is that the impenetrable fortress theory fails in practice even for the most sophisticated of security organizations. +- Network segmentation is a time-consuming, and difficult to get exactly right mechanism for ensuring secure communication. +- Even just defining what the network perimeter is is an increasingly difficult proposition in a remote-work, BYOD, multi-cloud world. Most organizations are a heterogeneous mix of clouds, servers, devices, and organizational units. +- VPNs are often misused and exacerbate the issue it by opening yet another door into your network organization. + +### Zero-trust, behind the gates + +[Zero-trust](https://ldapwiki.com/wiki/Zero%20Trust) instead attempts to mitigate these shortcomings by adopting the following principles: + +- Trust flows from identity, device-state, and context; not network location. +- Treat both internal and external networks as completely untrusted. Mutually authenticated encryption is used instead of network segmentation. +- Act like you are already breached, because you probably are, and an attacker could be anyone, and anywhere on your network. +- Every device, user, and application's communication should be authenticated, authorized, and encrypted. Access policy should be dynamic, and built from multiple sources. + +To be clear, perimeter security is not defunct, nor is zero-trust security a panacea or a single product. Many of the ideas and principles of perimeter security are still relevant and are part of a holistic, and wide-ranging security policy. After all, we still want our castles to have high walls. + +### Where Pomerium Fits + +So to put all this back in context, before zero-trust tools like Pomerium existed, access to internal applications were gated by whether a user was on the corporate network or not. Trust flowed and was anchored to the security of the perimeter. 
For all the reasons discussed above, this has turned to be a lacking security model. In contrast, Pomerium adopts the zero-trust stance and uses identity, device-state, and context compared against a single-source of rich authorization policy as the basis for delegating access to an internal resource. All Pomerium communication is mutually authenticated and encrypted, there is no trust belied to internal vs external network. + +## Further reading + +Pomerium was inspired by the security model originally articulated by [John Kindervag](http://www.virtualstarmedia.com/downloads/Forrester_zero_trust_DNA.pdf) in 2010, and by Google in 2011 as a result of the [Operation Aurora](https://en.wikipedia.org/wiki/Operation_Aurora) breach. What follows is a curated list of books, papers, posts, and videos that covers the topic in more depth. + +### Books + +- ⭐[Zero Trust Networks](http://shop.oreilly.com/product/0636920052265.do) by Gilman and Barth +- [Site Reliability Engineering: How Google Runs Production Systems](https://www.amazon.com/Site-Reliability-Engineering-Production-Systems/dp/149192912X) + +### Papers + +- Forrester [Build Security Into Your Network's DNA: The Zero Trust Network Architecture](http://www.virtualstarmedia.com/downloads/Forrester_zero_trust_DNA.pdf) +- ⭐️Google BeyondCorp 1 [An overview: "A New Approach to Enterprise Security"](https://research.google.com/pubs/pub43231.html) +- Google BeyondCorp 2 [How Google did it: "Design to Deployment at Google"](https://research.google.com/pubs/pub44860.html) +- ⭐️Google BeyondCorp 3 [Google's front-end infrastructure: "The Access Proxy"](https://research.google.com/pubs/pub45728.html) +- Google BeyondCorp 4 [Migrating to BeyondCorp: Maintaining Productivity While Improving Security](https://research.google.com/pubs/pub46134.html) +- Google BeyondCorp 5 [The human element: "The User Experience"](https://research.google.com/pubs/pub46366.html) +- Google BeyondCorp 6 [Secure your endpoints: "Building a Healthy 
Fleet"](https://ai.google/research/pubs/pub47356) + +### Posts + +- Google [Securing your business and securing your fleet the BeyondCorp way](https://cloud.google.com/blog/products/identity-security/securing-your-business-and-securing-your-fleet-the-beyondcorp-way) +- Google [Preparing for a BeyondCorp world: Understanding your device inventory](https://cloud.google.com/blog/products/identity-security/preparing-beyondcorp-world-understanding-your-device-inventory) +- Google [How BeyondCorp can help businesses be more productive](https://www.blog.google/products/google-cloud/how-beyondcorp-can-help-businesses-be-more-productive/) +- Google [How to use BeyondCorp to ditch your VPN, improve security and go to the cloud](https://www.blog.google/products/google-cloud/how-use-beyondcorp-ditch-your-vpn-improve-security-and-go-cloud/) +- Wall Street Journal [Google Moves Its Corporate Applications to the Internet](https://blogs.wsj.com/cio/2015/05/11/google-moves-its-corporate-applications-to-the-internet/) + +### Videos + +- [USENIX Enigma 2016 - NSA TAO Chief on Disrupting Nation State Hackers](https://youtu.be/bDJb8WOJYdA?list=PLKb9-P1fRHxhSmCy5OaYZ5spcY8v3Pbaf) +- [What, Why, and How of Zero Trust Networking](https://youtu.be/eDVHIfVSdIo?list=PLKb9-P1fRHxhSmCy5OaYZ5spcY8v3Pbaf) by Armon Dadgar, Hashicorp +- [O'Reilly Security 2017 NYC Beyondcorp: Beyond Fortress Security](https://youtu.be/oAvDASLehpY?list=PLKb9-P1fRHxhSmCy5OaYZ5spcY8v3Pbaf) by Neal Muller, Google +- [Be Ready for BeyondCorp: enterprise identity, perimeters and your application](https://youtu.be/5UiWAlwok1s?list=PLKb9-P1fRHxhSmCy5OaYZ5spcY8v3Pbaf) by Jason Kent +- ⭐️ [OAuth 2.0 and OpenID Connect (in plain English) + ](https://www.youtube.com/watch?v=996OiexHze0) by Nate Barbettini 
diff --git a/docs/docs/certificates/certificate-domain-challenge.png b/docs/docs/certificates/certificate-domain-challenge.png deleted file mode 100644 index e8185f896..000000000 Binary files a/docs/docs/certificates/certificate-domain-challenge.png and /dev/null differ diff --git a/docs/docs/certificates/certificate-wildcard-domain.png b/docs/docs/certificates/certificate-wildcard-domain.png deleted file mode 100644 index 64eaaa839..000000000 Binary files a/docs/docs/certificates/certificate-wildcard-domain.png and /dev/null differ diff --git a/docs/docs/certificates/certificates-ssl-report.png b/docs/docs/certificates/certificates-ssl-report.png deleted file mode 100644 index 7b838bdb9..000000000 Binary files a/docs/docs/certificates/certificates-ssl-report.png and /dev/null differ diff --git a/docs/docs/certificates/certificates-valid-secure-certificate.png b/docs/docs/certificates/certificates-valid-secure-certificate.png deleted file mode 100644 index 0fc816b95..000000000 Binary files a/docs/docs/certificates/certificates-valid-secure-certificate.png and /dev/null differ diff --git a/docs/docs/contributing.md b/docs/docs/contributing.md deleted file mode 100644 index b58f062f7..000000000 --- a/docs/docs/contributing.md +++ /dev/null 
@@ -1,152 +0,0 @@ ---- -title: Contributing -description: >- - This document describes how you can find issues to work on, setup Pomerium - locally for development, and get help when you are stuck. ---- - -# Contributing to Pomerium - -Thanks for your interest in contributing to Pomerium! We welcome all contributions, from new features to documentation updates. This document describes how you can find issues to work on, setup Pomerium locally for development, and get help when you are stuck. - -## Contributing code - -You can have a direct impact on the project by helping with its code. To contribute code to Pomerium, open a [pull request](https://github.com/pomerium/pomerium/pulls) (PR). If you're new to our community, that's okay: **we gladly welcome pull requests from anyone, regardless of your native language or coding experience.** - -We hold contributions to a high standard for quality :bowtie:, so don't be surprised if we ask for revisions--even if it seems small or insignificant. Please don't take it personally. :wink: If your change is on the right track, we can guide you to make it mergable. - -Here are some of the expectations we have of contributors: - -- If your change is more than just a minor alteration, **open an issue to propose your change first.** This way we can avoid confusion, coordinate what everyone is working on, and ensure that changes are in-line with the project's goals and the best interests of its users. If there's already an issue about it, comment on the existing issue to claim it. - -- **Keep pull requests small.** Smaller PRs are more likely to be merged because they are easier to review! We might ask you to break up large PRs into smaller ones. [An example of what we DON'T do.](https://twitter.com/iamdevloper/status/397664295875805184) - -- **Keep related commits together in a PR.** We do want pull requests to be small, but you should also keep multiple related commits in the same PR if they rely on each other. 
- -- **Write tests.** Tests are essential! Written properly, they ensure your change works, and that other changes in the future won't break your change. CI checks should pass. - -- **Benchmarks should be included for optimizations.** Optimizations sometimes make code harder to read or have changes that are less than obvious. They should be proven with benchmarks or profiling. - -- **[Squash](http://gitready.com/advanced/2009/02/10/squashing-commits-with-rebase.html) insignificant commits.** Every commit should be significant. Commits which merely rewrite a comment or fix a typo can be combined into another commit that has more substance. Interactive rebase can do this, or a simpler way is `git reset --soft ` then `git commit -s`. - -- **Own your contributions.** Pomerium is a growing project, and it's much better when individual contributors help maintain their change after it is merged. - -- **Use comments properly.** We expect good godoc comments for package-level functions, types, and values. Comments are also useful whenever the purpose for a line of code is not obvious. - -- **Recommended reading** - - - [CodeReviewComments](https://github.com/golang/go/wiki/CodeReviewComments) for an idea of what we look for in good, clean Go code - - [Linus Torvalds describes a good commit message](https://gist.github.com/matthewhudson/1475276) - - [Best Practices for Maintainers](https://opensource.guide/best-practices/) - - [Shrinking Code Review](https://alexgaynor.net/2015/dec/29/shrinking-code-review/) - -## Getting help using Pomerium - -If you have a question about using Pomerium, [join our slack channel](http://slack.pomerium.io/)! There will be more people there who can help you than just the Pomerium developers who follow our issue tracker. Issues are not the place for usage questions. - -## Reporting bugs - -Like every software, Pomerium has its flaws. 
If you find one, [search the issues](https://github.com/pomerium/pomerium/issues) to see if it has already been reported. If not, [open a new issue](https://github.com/pomerium/pomerium/issues/new) and describe the bug, and somebody will look into it! (This repository is only for Pomerium, not plugins.) - -**You can help stop bugs in their tracks!** Speed up the patch by identifying the bug in the code. This can sometimes be done by adding `fmt.Println()` statements (or similar) in relevant code paths to narrow down where the problem may be. It's a good way to [introduce yourself to the Go language](https://tour.golang.org), too. - -Please follow the issue template so we have all the needed information. We need to be able to repeat the bug using your instructions. Please simplify the issue as much as possible. The burden is on you to convince us that it is actually a bug in Pomerium. This is easiest to do when you write clear, concise instructions so we can reproduce the behavior (even if it seems obvious). The more detailed and specific you are, the faster we will be able to help you! - -We suggest reading [How to Report Bugs Effectively](http://www.chiark.greenend.org.uk/~sgtatham/bugs.html). - -Please be kind. :smile: Remember that Pomerium comes at no cost to you, and you're getting free support when we fix your issues. If we helped you, please consider helping someone else! - -## Suggesting features - -First, [search to see if your feature has already been requested](https://github.com/pomerium/pomerium/issues). If it has, you can add a :+1: reaction to vote for it. If your feature idea is new, open an issue to request the feature. You don't have to follow the bug template for feature requests. Please describe your idea thoroughly so that we know how to implement it! Really vague requests may not be helpful or actionable and without clarification will have to be closed. 
- -While we really do value your requests and implement many of them, not all features are a good fit for Pomerium. But if a feature is not in the best interest of the Pomerium project or its users in general, we may politely decline to implement it into Pomerium core. - -## Improving documentation - -Pomeriums's documentation is available at . If you would like to make a fix to the docs, please submit an issue here describing the change to make. - -## Responsible Disclosure - -We deeply appreciate any effort to discover and disclose security vulnerabilities responsibly. - -If you would like to report a vulnerability, or have any security concerns, please e-mail info@pomerium.io or reach out to me on [keybase](https://keybase.io/bdesimone) . - -## Developers Guide - -The following guide assumes you do _not_ want to expose your development server to the public internet and instead want to do everything, with the exception of identity provider callbacks, locally. - -If you are comfortable with a public development configuration, see the Synology quick-start which covers how to set up your network, domain, and retrieve wild-card certificates from LetsEncrypt, the only difference being you would route traffic to your local development machine instead of the docker image. - -### Domains - -Publicly resolvable domains are central in how pomerium works. For local development, we'll have to do some additional configuration to mock that public workflow on our local machine. - -### Pick an identity provider friendly domain name - -Though typically you would want to use one of the TLDs specified by [RFC-2606](http://tools.ietf.org/html/rfc2606) for testing, unfortunately, google explicitly does not support oauth calls to test domains. As such, it's recommended to use a domain you control using a wildcard-subdomain that you know will not be used. 
- -If you do not control a domain, you can use `*.localhost.pomerium.io` which I've established for this use Plus, if you _do_ have internet access, this domain already has a [public A record](https://en.wikipedia.org/wiki/List_of_DNS_record_types) pointing to localhost. - -### Wildcard domain resolution with `dnsmasq` - -If you are on a plane (for example), you may not be able to access public DNS. Unfortunately, `/etc/hosts` does not support wildcard domains and would require you specifying a new entry for each pomerium managed route. The workaround is to use [dnsmasq](https://en.wikipedia.org/wiki/Dnsmasq) locally which _does_ support local resolution of wildcard domains. - -#### OSX - -1. Install `brew update && brew install dnsmasq` -2. Edit `/usr/local/etc/dnsmasq.conf` to tell dnsmasq to resolve your test domains. - - ```bash - echo 'address=/.localhost.pomerium.io/127.0.0.1' > $(brew --prefix)/etc/dnsmasq.conf - ``` - - ```bash - sudo mkdir -pv /etc/resolver - sudo bash -c 'echo "nameserver 127.0.0.1" > /etc/resolver/localhost.pomerium.io' - ``` - -3. Restart `dnsmasq` - - ```bash - sudo brew services restart dnsmasq - ``` - -4. Tell OSX to use `127.0.0.1` as a the primary DNS resolver (followed by whatever public DNS you are using). ![osx dns resolution](./local-development/local-development-osx-dns.png) - -### Locally trusted wildcard certificates - -In production, we'd use a public certificate authority such as LetsEncrypt. For local development, enter [mkcert](https://mkcert.dev/) which is a "simple zero-config tool to make locally trusted development certificates with any names you'd like." - -1. Install `mkcert`. - - ```bash - go get -u github.com/FiloSottile/mkcert - ``` - -2. Bootstrap `mkcert`'s root certificate into your operating system's trust store. - - ```bash - mkcert -install - ``` - -3. Create your wildcard domain. - - ```bash - mkcert "*.localhost.pomerium.io" - ``` - -4. Viola! Now you can use locally trusted certificates with pomerium! 
- -Setting | Certificate file location ----------------------------- | ------------------------------------------- -`certificate_file` | `./_wildcard.localhost.pomerium.io-key.pem` | -`certificate_key_file` | `./_wildcard.localhost.pomerium.io.pem` | -`certificate_authority_file` | `$(mkcert -CAROOT)/rootCA.pem` | - -See also: - -- [Set up a local test domain with dnsmasq](https://github.com/aviddiviner/til/blob/master/devops/set-up-a-local-test-domain-with-dnsmasq.md) -- [USE DNSMASQ INSTEAD OF /ETC/HOSTS](https://www.stevenrombauts.be/2018/01/use-dnsmasq-instead-of-etc-hosts/) -- [How to setup wildcard dev domains with dnsmasq on a mac](https://hedichaibi.com/how-to-setup-wildcard-dev-domains-with-dnsmasq-on-a-mac/) -- [mkcert](https://github.com/FiloSottile/mkcert) is a simple tool for making locally-trusted development certificates diff --git a/docs/docs/gitlab/gitlab-create-application.png b/docs/docs/gitlab/gitlab-create-application.png deleted file mode 100644 index 6cc10b0bf..000000000 Binary files a/docs/docs/gitlab/gitlab-create-application.png and /dev/null differ diff --git a/docs/docs/gitlab/gitlab-credentials.png b/docs/docs/gitlab/gitlab-credentials.png deleted file mode 100644 index 3563ce513..000000000 Binary files a/docs/docs/gitlab/gitlab-credentials.png and /dev/null differ diff --git a/docs/docs/gitlab/gitlab-verify-access.png b/docs/docs/gitlab/gitlab-verify-access.png deleted file mode 100644 index e5fcce891..000000000 Binary files a/docs/docs/gitlab/gitlab-verify-access.png and /dev/null differ diff --git a/docs/docs/google-cloud-exploitation620x466.jpg b/docs/docs/google-cloud-exploitation620x466.jpg deleted file mode 100644 index 80267cd7b..000000000 Binary files a/docs/docs/google-cloud-exploitation620x466.jpg and /dev/null differ 
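Review bot: deleting docs/docs/contributing.md removes the Responsible Disclosure section (the info@pomerium.io address and the keybase contact) together with the local development guide (dnsmasq, mkcert), and nothing in this diff re-adds either; confirm both are re-homed before merge, since a project whose only documented vulnerability-reporting channel disappears is hard for reporters to reach. If the developer guide is carried over, fix two defects visible in the removed copy: the certificate table maps `certificate_file` to `./_wildcard.localhost.pomerium.io-key.pem` and `certificate_key_file` to `./_wildcard.localhost.pomerium.io.pem`, which is backwards (mkcert writes the private key to the `-key.pem` file and the certificate to the `.pem` file), and the squash tip reads `git reset --soft ` with no commit argument.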
diff --git a/docs/docs/google/google-create-client-id-config.png b/docs/docs/google/google-create-client-id-config.png deleted file mode 100644 index 87ef6da31..000000000 Binary files a/docs/docs/google/google-create-client-id-config.png and /dev/null differ diff --git a/docs/docs/google/google-create-new-credentials.png b/docs/docs/google/google-create-new-credentials.png deleted file mode 100644 index bf67de1ea..000000000 Binary files a/docs/docs/google/google-create-new-credentials.png and /dev/null differ diff --git a/docs/docs/google/google-create-sa.png b/docs/docs/google/google-create-sa.png deleted file mode 100644 index b8338cbc2..000000000 Binary files a/docs/docs/google/google-create-sa.png and /dev/null differ diff --git a/docs/docs/google/google-credentials.png b/docs/docs/google/google-credentials.png deleted file mode 100644 index 6e3a95d01..000000000 Binary files a/docs/docs/google/google-credentials.png and /dev/null differ diff --git a/docs/docs/google/google-gsuite-add-scopes.png b/docs/docs/google/google-gsuite-add-scopes.png deleted file mode 100644 index 0d81b6a1b..000000000 Binary files a/docs/docs/google/google-gsuite-add-scopes.png and /dev/null differ diff --git a/docs/docs/google/google-oauth-client-info.png b/docs/docs/google/google-oauth-client-info.png deleted file mode 100644 index d63993e99..000000000 Binary files a/docs/docs/google/google-oauth-client-info.png and /dev/null differ diff --git a/docs/docs/identity-providers.md b/docs/docs/identity-providers.md deleted file mode 100644 index b61c2708a..000000000 --- a/docs/docs/identity-providers.md +++ /dev/null 
@@ -1,364 +0,0 @@ ---- -title: Identity Providers -description: >- - This article describes how to connect Pomerium to third-party identity - providers / single-sign-on services. You will need to generate keys, copy - these into your Pomerium settings, and enable the connection. ---- - -# Identity Provider Configuration - -This article describes how to configure Pomerium to use a third-party identity service for single-sign-on. - -There are a few configuration steps required for identity provider integration. Most providers support [OpenID Connect] which provides a standardized identity and authentication interface. - -In this guide we'll cover how to do the following for each identity provider: - -1. Set a **Redirect URL** pointing back to Pomerium. That is, `https://${AUTHENTICATE_SERVICE_URL}/oauth2/callback` -2. Generate a **[Client ID]** and **[Client Secret]**. -3. Configure Pomerium to use the **[Client ID]** and **[Client Secret]** keys. - -## Azure Active Directory - -If you plan on allowing users to log in using a Microsoft Azure Active Directory account, either from your company or from external directories, you must register your application through the Microsoft Azure portal. If you don't have a Microsoft Azure account, you can [signup](https://azure.microsoft.com/en-us/free) for free. - -You can access the Azure management portal from your Microsoft service, or visit and sign in to Azure using the global administrator account used to create the Office 365 organization. - -::: tip - -There is no way to create an application that integrates with Microsoft Azure AD without having **your own** Microsoft Azure AD instance. - -::: - -If you have an Office 365 account, you can use the account's Azure AD instance instead of creating a new one. To find your Office 365 account's Azure AD instance: - -1. [Sign in](https://portal.office.com) to Office 365. -2. Navigate to the [Office 365 Admin Center](https://portal.office.com/adminportal/home#/homepage). -3. 
Open the **Admin centers** menu drawer located in the left menu. -4. Click on **Azure AD**. - -This will bring you to the admin center of the Azure AD instance backing your Office 365 account. - -### Create a new application - -Login to Microsoft Azure and choose **Azure Active Directory** from the sidebar. - -![Select Active Directory](./microsoft/azure-dashboard.png) - -Then under **MANAGE**, select **App registrations**. - -![Select App registrations](./microsoft/azure-app-registrations.png) - -Then click on the **+ ADD** button to add a new application. - -Enter a name for the application, select **Web app/API** as the **Application Type**, and for **Sign-on URL** enter your application URL. - -![Create application form](./microsoft/azure-create-application.png) - -Next you will need to create a key which will be used as the **[Client Secret]** in Pomerium's configuration settings. Click on **Keys** from the **Settings** menu. - -Enter a name for the key and choose the desired duration. - -::: tip - -If you choose an expiring key, make sure to record the expiration date in your calendar, as you will need to renew the key (get a new one) before that day in order to ensure users don't experience a service interruption. - -::: - -Click on **Save** and the key will be displayed. **Make sure to copy the value of this key before leaving this screen**, otherwise you may need to create a new key. This value is used as the **[Client Secret]**. - -![Creating a Key](./microsoft/azure-create-key.png) - -Next you need to ensure that the Pomerium's Redirect URL is listed in allowed reply URLs for the created application. Navigate to **Azure Active Directory** -> **Apps registrations** and select your app. Then click **Settings** -> **Reply URLs** and add Pomerium's redirect URL. For example, `https://authenticate.corp.beyondperimeter.com/oauth2/callback`. 
- -![Add Reply URL](./microsoft/azure-redirect-url.png) - -Next, in order to retrieve group information from Active Directory, we need to enable the necessary permissions for the [Microsoft Graph API](https://docs.microsoft.com/en-us/graph/auth-v2-service#azure-ad-endpoint-considerations). - -On the **App registrations** page, click **API permissions**. Click the **Add a permission** button and select **Microsoft Graph API**, select **Delegated permissions**. Under the **Directory** row, select the checkbox for **Group.Read.All**. - -![Azure add group membership claims](./microsoft/azure-api-settings.png) - -You can also optionally select **grant admin consent for all users** which will suppress the permission screen on first login for users. - -The final, and most unique step to Azure AD provider, is to take note of your specific endpoint. Navigate to **Azure Active Directory** -> **Apps registrations** and select your app. - -![Application dashboard](./microsoft/azure-application-dashbaord.png) - -Click on **Endpoints** - -![Endpoint details](./microsoft/azure-endpoints.png) - -The **OpenID Connect Metadata Document** value will form the basis for Pomerium's **Provider URL** setting. - -For example if the **Azure OpenID Connect** url is: - -```bash -https://login.microsoftonline.com/0303f438-3c5c-4190-9854-08d3eb31bd9f/v2.0/.well-known/openid-configuration` -``` - -**Pomerium Identity Provider URL** would be - -```bash -https://login.microsoftonline.com/0303f438-3c5c-4190-9854-08d3eb31bd9f/v2.0 -``` - -### Configure Pomerium - -Finally, configure Pomerium with the identity provider settings retrieved in the previous steps. 
Your [environmental variables] should look something like: - -```bash -# Azure -IDP_PROVIDER="azure" -IDP_PROVIDER_URL="https://login.microsoftonline.com/{REPLACE-ME-SEE-ABOVE}/v2.0" -IDP_CLIENT_ID="REPLACE-ME" -IDP_CLIENT_SECRET="REPLACE-ME" -``` - -## Gitlab - -:::warning - -Support was removed in v0.0.3 because Gitlab does not provide callers with a user email, under any scope, to a caller unless that user has selected her email to be public. Pomerium support is blocked until [this gitlab bug](https://gitlab.com/gitlab-org/gitlab-ce/issues/44435#note_88150387) is fixed. - -::: - -Log in to your Gitlab account and go to the [APIs & services](https://console.developers.google.com/projectselector/apis/credentials). - -Navigate to **User Settings** then **Applications** using the left-hand menu. - -On the **Applications** page, add a new application by setting the following parameters: - -Field | Description ------------- | -------------------------------------------------------------------------- -Name | The name of your web app -Redirect URI | Redirect URL (e.g.`https://authenticate.corp.example.com/oauth2/callback`) -Scopes | **Must** select **read_user** and **openid** - -![Create New Credentials](./gitlab/gitlab-create-application.png) - -1.Click **Save Application** to proceed. - -Your [Client ID] and [Client Secret] will be displayed: - -![Gitlab OAuth Client ID and Secret](./gitlab/gitlab-credentials.png) - -Set [Client ID] and [Client Secret] in Pomerium's settings. Your [environmental variables] should look something like this. - -```bash -IDP_PROVIDER="gitlab" -# NOTE!!! 
Provider url is optional, but should be set if you are running an on-premise instance -# defaults to : https://gitlab.com, a local copy would look something like `http://gitlab.corp.beyondperimeter.com` -IDP_PROVIDER_URL="https://gitlab.com" -IDP_CLIENT_ID="yyyy" -IDP_CLIENT_SECRET="xxxxxx" -``` - -When a user first uses Pomerium to login, they will be presented with an authorization screen similar to the following. - -![gitlab access authorization screen](./gitlab/gitlab-verify-access.png) - -## Google - -Log in to your Google account and go to the [APIs & services](https://console.developers.google.com/projectselector/apis/credentials). Navigate to **Credentials** using the left-hand menu. - -![API Manager Credentials](./google/google-credentials.png) - -On the **Credentials** page, click **Create credentials** and choose **OAuth [Client ID]**. - -![Create New Credentials](./google/google-create-new-credentials.png) - -If you don't currently have an OAuth consent page configured, google will not allow you to create credentials until this is completed, and you will likely see **this** banner on the page. - -![OAuth Consent Banner](./google/google-consent-banner.png) - -Click the button on the banner to go to the consent screen configuration. If all you are configuring is pomerium, you only need to fill in "Application Name" with your desired moniker, and "Authorized Domains" with the domain that pomerium will be calling google from. Afterwards, return to the credential creation page. - -![OAuth Consent Configuration](./google/google-oauth-consent.png) - -On the **Create [Client ID]** page, select **Web application**. 
In the new fields that display, set the following parameters: - -Field | Description ------------------------- | -------------------------------------------------------------------------- -Name | The name of your web app -Authorized redirect URIs | Redirect URL (e.g.`https://authenticate.corp.example.com/oauth2/callback`) - -![Web App Credentials Configuration](./google/google-create-client-id-config.png) - -Click **Create** to proceed. The [Client ID] and [Client Secret] settings will be displayed for later configuration with Pomerium. - -![OAuth Client ID and Secret](./google/google-oauth-client-info.png) - -In order to have Pomerium validate group membership, we'll also need to configure a [service account](https://console.cloud.google.com/iam-admin/serviceaccounts) with [G-suite domain-wide delegation](https://developers.google.com/admin-sdk/directory/v1/guides/delegation) enabled. - -1. Open the [Service accounts](https://console.cloud.google.com/iam-admin/serviceaccounts) page. -2. If prompted, select a project. -3. Click **Create service** account. In the Create service account window, type a name for the service account, and select Furnish a new private key and Enable Google Apps Domain-wide Delegation. -4. Then click **Save**. - -![Google create service account](./google/google-create-sa.png) - -Then, you'll need to manually open an editor and add an `impersonate_user` field to the downloaded public/private key file. In this case, we'd be impersonating the admin account `user@pomerium.io`. - -::: warning - -[Google requires](https://stackoverflow.com/questions/48585700/is-it-possible-to-call-apis-from-service-account-without-acting-on-behalf-of-a-u/48601364#48601364) that service accounts act on behalf of another user. You MUST add the `impersonate_user` field to your json key file. - -::: - -```json -{ - "type": "service_account", - "client_id": "109818058799274859509", - ... - "impersonate_user": "user@pomerium.io" - ... 
-} -``` - -The base64 encoded contents of this public/private key pair json file will used for the value of the `IDP_SERVICE_ACCOUNT` configuration setting. - -Next we'll delegate G-suite group membership access to the service account we just created . - -1. Go to your G Suite domain's [Admin console](http://admin.google.com/). -2. Select **Security** from the list of controls. If you don't see Security listed, select More controls 1\. from the gray bar at the bottom of the page, then select Security from the list of controls. -3. Select **Advanced settings** from the list of options. -4. Select **Manage API client** access in the Authentication section. -5. In the **Client name** field enter the service account's **Client ID**. - * (Be sure this is the client id of the service account, and not the oauth client id) -6. In the **One or More API Scopes** field enter the following list of scopes: `https://www.googleapis.com/auth/admin.directory.group.readonly` `https://www.googleapis.com/auth/admin.directory.user.readonly` -7. Click the **Authorize** button. - -![Google create service account](./google/google-gsuite-add-scopes.png) - -Your [environmental variables] should look something like this. - -```bash -IDP_PROVIDER="google" -IDP_PROVIDER_URL="https://accounts.google.com" -IDP_CLIENT_ID="yyyy.apps.googleusercontent.com" -IDP_CLIENT_SECRET="xxxxxx" -IDP_SERVICE_ACCOUNT="zzzz" # output of `cat service-account-key.json | base64` -``` - -## Okta - -[Log in to your Okta account](https://login.okta.com) and head to your Okta dashboard. Select **Applications** on the top menu. On the Applications page, click the **Add Application** button to create a new app. - -![Okta Applications Dashboard](./okta/okta-app-dashboard.png) - -On the **Create New Application** page, select the **Web** for your application. 
- -![Okta Create Application Select Platform](./okta/okta-create-app-platform.png) - -Next, provide the following information for your application settings: - -Field | Description ----------------------------- | --------------------------------------------------------------------------- -Name | The name of your application. -Base URIs (optional) | The domain(s) of your application. -Login redirect URIs | Redirect URL (e.g.`https://authenticate.corp.example.com/oauth2/callback`). -Group assignments (optional) | The user groups that can sign in to this application. -Grant type allowed | **You must enable Refresh Token.** - -![Okta Create Application Settings](./okta/okta-create-app-settings.png) - -Click **Done** to proceed. You'll be taken to the **General** page of your app. - -Go to the **General** page of your app and scroll down to the **Client Credentials** section. This section contains the **[Client ID]** and **[Client Secret]** to be used in the next step. - -![Okta Client ID and Secret](./okta/okta-client-id-and-secret.png) - -Next, we'll configure Okta to pass along a custom OpenID Connect claim to establish group membership. To do so, click the **API** menu item, and select **Authorization Servers**. - -![Okta authorization servers](./okta/okta-authorization-servers.png) - -Select your desired authorization server and navigate to the **claims tab**. Click **Add Claim** and configure the group claim for **ID Token** as follows. - -![Okta configure group claim](./okta/okta-configure-groups-claim.png) - -Field | Value ---------------------- | --------------------- -Name | groups -Include in token type | **ID Token**, Always. -Value Type | Groups -Filter | Matches regex `.*` -Include in | Any scope - -Add an another, almost identical, claim but this time for **Access Token**. - -Field | Value ---------------------- | ------------------------- -Name | groups -Include in token type | **Access Token**, Always. 
-Value Type | Groups -Filter | Matches regex `.*` -Include in | Any scope - -![Okta list group claims](./okta/okta-list-groups-claim.png) - -Finally, configure Pomerium with the identity provider settings retrieved in the previous steps. Your [environmental variables] should look something like this. - -```bash -IDP_PROVIDER="okta" -IDP_PROVIDER_URL="https://dev-108295-admin.oktapreview.com/" -IDP_CLIENT_ID="0oairksnr0C0fEJ7l0h7" -IDP_CLIENT_SECRET="xxxxxx" -``` - -## OneLogin - -Log in to your [OneLogin](https://www.onelogin.com/) account and head to the dashboard. - -Click **Apps** on the top menu. Select the **Add apps** menu item. - -![One Login Add a New App](./one-login/one-login-add-app.png) - -On the **Find Application** page, search for **openid**. Select **Openid Connect** by OneLogin, Inc. - -![One Login Add a New App](./one-login/one-login-add-open-id.png) - -On the App Configuration page, **name the app** and **select a logo**. Select **Save**. - -![One Login select logo](./one-login/one-login-select-logo.png) - -Next, set set the **Redirect URI's** setting to be Pomerium's redirect url `https://${AUTHENTICATE_SERVICE_URL}/oauth2/callback`. - -![One Login set callback url](./one-login/one-login-callback-url.png) - -Go to the **SSO** page. This section contains the **[Client ID]** and **[Client Secret]** you'll use to configure Pomerium. - -Set the application type to **Web** and the token endpoint to be **POST**. - -Under **Token Timeout settings** set **Refresh Token** to 60 minutes (or whatever value makes sense for your organization). Note, however, if you don't enable refresh tokens the user will be prompted to authenticate whenever the access token expires which can result in a poor user experience. 
- -![One Login SSO settings](./one-login/one-login-sso-settings.png) - -[OneLogin's OIDC implementation](https://developers.onelogin.com/openid-connect/scopes) supports the `groups` which can return either the user's group or role which can be used within pomerium to enforced group-based ACL policy. - -To return the user's Active Directory field, configure the group to return `member_of`. In the Default if no value field, select **User Roles** and Select **Semicolon Delimited** in the adjacent field. **Select Save** - -![OneLogin set role](./one-login/one-login-oidc-params.png) - -**Alternatively**, groups can return the _roles_ a user is assigned. In the Default if no value field, select **User Roles** and Select **Semicolon Delimited** in the adjacent field. **Select Save** - -![OneLogin set role](./one-login/one-login-oidc-groups-param.png) - -Finally, configure Pomerium with the identity provider settings retrieved in the previous steps. Your [environmental variables] should look something like this. - -```bash -IDP_PROVIDER="onelogin" -IDP_PROVIDER_URL="https://openid-connect.onelogin.com/oidc" -IDP_CLIENT_ID="9e613ce0-1622-0137-452d-0a93c31f8392142934" -IDP_CLIENT_SECRET="3e86ef0cc21b6dcf10c1d91e032568617d37e9fe1609ffd8042d3c25a560c36c" -``` - -After reloading Pomerium, you should be able to see any login events from your OneLogin events dashboard. - -![One Login Events Dashboard](./one-login/one-login-events.png) - -[client id]: ./config-reference.html#identity-provider-client-id -[client secret]: ./config-reference.html#identity-provider-client-secret -[environmental variables]: https://en.wikipedia.org/wiki/Environment_variable -[oauth2]: https://oauth.net/2/ -[openid connect]: https://en.wikipedia.org/wiki/OpenID_Connect diff --git a/docs/docs/identity-providers/azure.md b/docs/docs/identity-providers/azure.md new file mode 100644 index 000000000..77c891fb6 --- /dev/null +++ b/docs/docs/identity-providers/azure.md 
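Review bot: the removed identity-providers.md embeds provider examples whose values look real rather than placeholder: an Okta tenant `https://dev-108295-admin.oktapreview.com/` with client ID `0oairksnr0C0fEJ7l0h7`, and a OneLogin client ID plus a 64-character hex `IDP_CLIENT_SECRET`. As the page is being split into per-provider files (azure.md starts next), make sure the new pages use obvious placeholders in the style of the Azure section's `REPLACE-ME`, and rotate the OneLogin secret if it was ever a live credential. Two smaller carry-over fixes: the Gitlab section's "APIs & services" link points at Google's console (console.developers.google.com) instead of Gitlab, and the Azure OpenID metadata URL inside the fenced example ends with a stray backtick.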
@@ -0,0 +1,111 @@ +--- +title: Azure AD +lang: en-US +sidebarDepth: 0 +meta: + - name: keywords + content: azure active-directory active directory ad microsoft +--- + +# Azure Active Directory + +If you plan on allowing users to log in using a Microsoft Azure Active Directory account, either from your company or from external directories, you must register your application through the Microsoft Azure portal. If you don't have a Microsoft Azure account, you can [signup](https://azure.microsoft.com/en-us/free) for free. + +You can access the Azure management portal from your Microsoft service, or visit and sign in to Azure using the global administrator account used to create the Office 365 organization. + +::: tip + +There is no way to create an application that integrates with Microsoft Azure AD without having **your own** Microsoft Azure AD instance. + +::: + +If you have an Office 365 account, you can use the account's Azure AD instance instead of creating a new one. To find your Office 365 account's Azure AD instance: + +1. [Sign in](https://portal.office.com) to Office 365. +2. Navigate to the [Office 365 Admin Center](https://portal.office.com/adminportal/home#/homepage). +3. Open the **Admin centers** menu drawer located in the left menu. +4. Click on **Azure AD**. + +This will bring you to the admin center of the Azure AD instance backing your Office 365 account. + +**Create a new application** + +Login to Microsoft Azure and choose **Azure Active Directory** from the sidebar. + +![Select Active Directory](./img/azure-dashboard.png) + +Then under **MANAGE**, select **App registrations**. + +![Select App registrations](./img/azure-app-registrations.png) + +Then click on the **+ ADD** button to add a new application. + +Enter a name for the application, select **Web app/API** as the **Application Type**, and for **Sign-on URL** enter your application URL. 
+ +![Create application form](./img/azure-create-application.png) + +Next you will need to create a key which will be used as the **[Client Secret]** in Pomerium's configuration settings. Click on **Keys** from the **Settings** menu. + +Enter a name for the key and choose the desired duration. + +::: tip + +If you choose an expiring key, make sure to record the expiration date in your calendar, as you will need to renew the key (get a new one) before that day in order to ensure users don't experience a service interruption. + +::: + +Click on **Save** and the key will be displayed. **Make sure to copy the value of this key before leaving this screen**, otherwise you may need to create a new key. This value is used as the **[Client Secret]**. + +![Creating a Key](./img/azure-create-key.png) + +Next you need to ensure that the Pomerium's Redirect URL is listed in allowed reply URLs for the created application. Navigate to **Azure Active Directory** -> **Apps registrations** and select your app. Then click **Settings** -> **Reply URLs** and add Pomerium's redirect URL. For example, `https://authenticate.corp.beyondperimeter.com/oauth2/callback`. + +![Add Reply URL](./img/azure-redirect-url.png) + +Next, in order to retrieve group information from Active Directory, we need to enable the necessary permissions for the [Microsoft Graph API](https://docs.microsoft.com/en-us/graph/auth-v2-service#azure-ad-endpoint-considerations). + +On the **App registrations** page, click **API permissions**. Click the **Add a permission** button and select **Microsoft Graph API**, select **Delegated permissions**. Under the **Directory** row, select the checkbox for **Group.Read.All**. + +![Azure add group membership claims](./img/azure-api-settings.png) + +You can also optionally select **grant admin consent for all users** which will suppress the permission screen on first login for users. 
+ +The final, and most unique step to Azure AD provider, is to take note of your specific endpoint. Navigate to **Azure Active Directory** -> **Apps registrations** and select your app. + +![Application dashboard](./img/azure-application-dashbaord.png) + +Click on **Endpoints** + +![Endpoint details](./img/azure-endpoints.png) + +The **OpenID Connect Metadata Document** value will form the basis for Pomerium's **Provider URL** setting. + +For example if the **Azure OpenID Connect** url is: + +```bash +https://login.microsoftonline.com/0303f438-3c5c-4190-9854-08d3eb31bd9f/v2.0/.well-known/openid-configuration` +``` + +**Pomerium Identity Provider URL** would be + +```bash +https://login.microsoftonline.com/0303f438-3c5c-4190-9854-08d3eb31bd9f/v2.0 +``` + +**Configure Pomerium** + +Finally, configure Pomerium with the identity provider settings retrieved in the previous steps. Your [environmental variables] should look something like: + +```bash +# Azure +IDP_PROVIDER="azure" +IDP_PROVIDER_URL="https://login.microsoftonline.com/{REPLACE-ME-SEE-ABOVE}/v2.0" +IDP_CLIENT_ID="REPLACE-ME" +IDP_CLIENT_SECRET="REPLACE-ME" +``` + +[client id]: ../reference/reference.md#identity-provider-client-id +[client secret]: ../reference/reference.md#identity-provider-client-secret +[environmental variables]: https://en.wikipedia.org/wiki/Environment_variable +[oauth2]: https://oauth.net/2/ +[openid connect]: https://en.wikipedia.org/wiki/OpenID_Connect diff --git a/docs/docs/identity-providers/gitlab.md b/docs/docs/identity-providers/gitlab.md new file mode 100644 index 000000000..e95876a58 --- /dev/null +++ b/docs/docs/identity-providers/gitlab.md 
@@ -0,0 +1,48 @@ +# Gitlab + +:::warning + +Support was removed in v0.0.3 because Gitlab does not provide callers with a user email, under any scope, to a caller unless that user has selected her email to be public. Pomerium support is blocked until [this gitlab bug](https://gitlab.com/gitlab-org/gitlab-ce/issues/44435#note_88150387) is fixed. + +::: + +Log in to your Gitlab account and go to the [APIs & services](https://console.developers.google.com/projectselector/apis/credentials). + +Navigate to **User Settings** then **Applications** using the left-hand menu. + +On the **Applications** page, add a new application by setting the following parameters: + +| Field | Description | +| ------------ | -------------------------------------------------------------------------- | +| Name | The name of your web app | +| Redirect URI | Redirect URL (e.g.`https://authenticate.corp.example.com/oauth2/callback`) | +| Scopes | **Must** select **read_user** and **openid** | + +![Create New Credentials](./img/gitlab-create-application.png) + +1.Click **Save Application** to proceed. + +Your [Client ID] and [Client Secret] will be displayed: + +![Gitlab OAuth Client ID and Secret](./img/gitlab-credentials.png) + +Set [Client ID] and [Client Secret] in Pomerium's settings. Your [environmental variables] should look something like this. + +```bash +IDP_PROVIDER="gitlab" +# NOTE!!! Provider url is optional, but should be set if you are running an on-premise instance +# defaults to : https://gitlab.com, a local copy would look something like `http://gitlab.corp.beyondperimeter.com` +IDP_PROVIDER_URL="https://gitlab.com" +IDP_CLIENT_ID="yyyy" +IDP_CLIENT_SECRET="xxxxxx" +``` + +When a user first uses Pomerium to login, they will be presented with an authorization screen similar to the following. 
+ +![gitlab access authorization screen](./img/gitlab-verify-access.png) + +[client id]: ../reference/reference.md#identity-provider-client-id +[client secret]: ../reference/reference.md#identity-provider-client-secret +[environmental variables]: https://en.wikipedia.org/wiki/Environment_variable +[oauth2]: https://oauth.net/2/ +[openid connect]: https://en.wikipedia.org/wiki/OpenID_Connect diff --git a/docs/docs/identity-providers/google.md b/docs/docs/identity-providers/google.md new file mode 100644 index 000000000..ac01145ae --- /dev/null +++ b/docs/docs/identity-providers/google.md 
@@ -0,0 +1,87 @@ +# Google + +Log in to your Google account and go to the [APIs & services](https://console.developers.google.com/projectselector/apis/credentials). Navigate to **Credentials** using the left-hand menu. + +![API Manager Credentials](./img/google-credentials.png) + +On the **Credentials** page, click **Create credentials** and choose **OAuth [Client ID]**. + +![Create New Credentials](./img/google-create-new-credentials.png) + +If you don't currently have an OAuth consent page configured, google will not allow you to create credentials until this is completed, and you will likely see **this** banner on the page. + +![OAuth Consent Banner](./img/google-consent-banner.png) + +Click the button on the banner to go to the consent screen configuration. If all you are configuring is pomerium, you only need to fill in "Application Name" with your desired moniker, and "Authorized Domains" with the domain that pomerium will be calling google from. Afterwards, return to the credential creation page. + +![OAuth Consent Configuration](./img/google-oauth-consent.png) + +On the **Create [Client ID]** page, select **Web application**. In the new fields that display, set the following parameters: + +| Field | Description | +| ------------------------ | -------------------------------------------------------------------------- | +| Name | The name of your web app | +| Authorized redirect URIs | Redirect URL (e.g.`https://authenticate.corp.example.com/oauth2/callback`) | + +![Web App Credentials Configuration](./img/google-create-client-id-config.png) + +Click **Create** to proceed. The [Client ID] and [Client Secret] settings will be displayed for later configuration with Pomerium. 
+ +![OAuth Client ID and Secret](./img/google-oauth-client-info.png) + +In order to have Pomerium validate group membership, we'll also need to configure a [service account](https://console.cloud.google.com/iam-admin/serviceaccounts) with [G-suite domain-wide delegation](https://developers.google.com/admin-sdk/directory/v1/guides/delegation) enabled. + +1. Open the [Service accounts](https://console.cloud.google.com/iam-admin/serviceaccounts) page. +2. If prompted, select a project. +3. Click **Create service** account. In the Create service account window, type a name for the service account, and select Furnish a new private key and Enable Google Apps Domain-wide Delegation. +4. Then click **Save**. + +![Google create service account](./img/google-create-sa.png) + +Then, you'll need to manually open an editor and add an `impersonate_user` field to the downloaded public/private key file. In this case, we'd be impersonating the admin account `user@pomerium.io`. + +::: warning + +[Google requires](https://stackoverflow.com/questions/48585700/is-it-possible-to-call-apis-from-service-account-without-acting-on-behalf-of-a-u/48601364#48601364) that service accounts act on behalf of another user. You MUST add the `impersonate_user` field to your json key file. + +::: + +```json +{ + "type": "service_account", + "client_id": "109818058799274859509", + ... + "impersonate_user": "user@pomerium.io" + ... +} +``` + +The base64 encoded contents of this public/private key pair json file will used for the value of the `IDP_SERVICE_ACCOUNT` configuration setting. + +Next we'll delegate G-suite group membership access to the service account we just created . + +1. Go to your G Suite domain's [Admin console](http://admin.google.com/). +2. Select **Security** from the list of controls. If you don't see Security listed, select More controls 1\. from the gray bar at the bottom of the page, then select Security from the list of controls. +3. 
Select **Advanced settings** from the list of options. +4. Select **Manage API client** access in the Authentication section. +5. In the **Client name** field enter the service account's **Client ID**. +6. In the **One or More API Scopes** field enter the following list of scopes: `https://www.googleapis.com/auth/admin.directory.group.readonly` `https://www.googleapis.com/auth/admin.directory.user.readonly` +7. Click the **Authorize** button. + +![Google create service account](./img/google-gsuite-add-scopes.png) + +Your [environmental variables] should look something like this. + +```bash +IDP_PROVIDER="google" +IDP_PROVIDER_URL="https://accounts.google.com" +IDP_CLIENT_ID="yyyy.apps.googleusercontent.com" +IDP_CLIENT_SECRET="xxxxxx" +IDP_SERVICE_ACCOUNT="zzzz" # output of `cat service-account-key.json | base64` +``` + +[client id]: ../reference/reference.md#identity-provider-client-id +[client secret]: ../reference/reference.md#identity-provider-client-secret +[environmental variables]: https://en.wikipedia.org/wiki/Environment_variable +[oauth2]: https://oauth.net/2/ +[openid connect]: https://en.wikipedia.org/wiki/OpenID_Connect diff --git a/docs/docs/identity-providers/img/azure-add-groups-claim.png b/docs/docs/identity-providers/img/azure-add-groups-claim.png new file mode 100644 index 000000000..12273cbcf Binary files /dev/null and b/docs/docs/identity-providers/img/azure-add-groups-claim.png differ diff --git a/docs/docs/identity-providers/img/azure-api-settings.png b/docs/docs/identity-providers/img/azure-api-settings.png new file mode 100644 index 000000000..aa87705d8 Binary files /dev/null and b/docs/docs/identity-providers/img/azure-api-settings.png differ diff --git a/docs/docs/identity-providers/img/azure-app-registrations.png b/docs/docs/identity-providers/img/azure-app-registrations.png new file mode 100644 index 000000000..8dac99cc7 Binary files /dev/null and b/docs/docs/identity-providers/img/azure-app-registrations.png differ 
diff --git a/docs/docs/identity-providers/img/azure-application-dashbaord.png b/docs/docs/identity-providers/img/azure-application-dashbaord.png new file mode 100644 index 000000000..313485161 Binary files /dev/null and b/docs/docs/identity-providers/img/azure-application-dashbaord.png differ diff --git a/docs/docs/identity-providers/img/azure-create-application.png b/docs/docs/identity-providers/img/azure-create-application.png new file mode 100644 index 000000000..7a8909737 Binary files /dev/null and b/docs/docs/identity-providers/img/azure-create-application.png differ diff --git a/docs/docs/identity-providers/img/azure-create-key.png b/docs/docs/identity-providers/img/azure-create-key.png new file mode 100644 index 000000000..583e9138d Binary files /dev/null and b/docs/docs/identity-providers/img/azure-create-key.png differ diff --git a/docs/docs/identity-providers/img/azure-dashboard.png b/docs/docs/identity-providers/img/azure-dashboard.png new file mode 100644 index 000000000..8e09a9982 Binary files /dev/null and b/docs/docs/identity-providers/img/azure-dashboard.png differ diff --git a/docs/docs/identity-providers/img/azure-endpoints.png b/docs/docs/identity-providers/img/azure-endpoints.png new file mode 100644 index 000000000..1e16b83c4 Binary files /dev/null and b/docs/docs/identity-providers/img/azure-endpoints.png differ diff --git a/docs/docs/identity-providers/img/azure-redirect-url.png b/docs/docs/identity-providers/img/azure-redirect-url.png new file mode 100644 index 000000000..821206810 Binary files /dev/null and b/docs/docs/identity-providers/img/azure-redirect-url.png differ diff --git a/docs/docs/identity-providers/img/gitlab-create-application.png b/docs/docs/identity-providers/img/gitlab-create-application.png new file mode 100644 index 000000000..8fada9d73 Binary files /dev/null and b/docs/docs/identity-providers/img/gitlab-create-application.png differ 
diff --git a/docs/docs/identity-providers/img/gitlab-credentials.png b/docs/docs/identity-providers/img/gitlab-credentials.png new file mode 100644 index 000000000..b22a074da Binary files /dev/null and b/docs/docs/identity-providers/img/gitlab-credentials.png differ diff --git a/docs/docs/identity-providers/img/gitlab-verify-access.png b/docs/docs/identity-providers/img/gitlab-verify-access.png new file mode 100644 index 000000000..9791bab89 Binary files /dev/null and b/docs/docs/identity-providers/img/gitlab-verify-access.png differ diff --git a/docs/docs/google/google-consent-banner.png b/docs/docs/identity-providers/img/google-consent-banner.png similarity index 100% rename from docs/docs/google/google-consent-banner.png rename to docs/docs/identity-providers/img/google-consent-banner.png diff --git a/docs/docs/identity-providers/img/google-create-client-id-config.png b/docs/docs/identity-providers/img/google-create-client-id-config.png new file mode 100644 index 000000000..b3fb3b411 Binary files /dev/null and b/docs/docs/identity-providers/img/google-create-client-id-config.png differ diff --git a/docs/docs/identity-providers/img/google-create-new-credentials.png b/docs/docs/identity-providers/img/google-create-new-credentials.png new file mode 100644 index 000000000..b0d29192a Binary files /dev/null and b/docs/docs/identity-providers/img/google-create-new-credentials.png differ diff --git a/docs/docs/identity-providers/img/google-create-sa.png b/docs/docs/identity-providers/img/google-create-sa.png new file mode 100644 index 000000000..9c47f9200 Binary files /dev/null and b/docs/docs/identity-providers/img/google-create-sa.png differ diff --git a/docs/docs/identity-providers/img/google-credentials.png b/docs/docs/identity-providers/img/google-credentials.png new file mode 100644 index 000000000..a3c0d93d9 Binary files /dev/null and b/docs/docs/identity-providers/img/google-credentials.png differ 
diff --git a/docs/docs/identity-providers/img/google-gsuite-add-scopes.png b/docs/docs/identity-providers/img/google-gsuite-add-scopes.png new file mode 100644 index 000000000..2dc2f2acd Binary files /dev/null and b/docs/docs/identity-providers/img/google-gsuite-add-scopes.png differ diff --git a/docs/docs/identity-providers/img/google-oauth-client-info.png b/docs/docs/identity-providers/img/google-oauth-client-info.png new file mode 100644 index 000000000..3f74382bc Binary files /dev/null and b/docs/docs/identity-providers/img/google-oauth-client-info.png differ diff --git a/docs/docs/google/google-oauth-consent.png b/docs/docs/identity-providers/img/google-oauth-consent.png similarity index 100% rename from docs/docs/google/google-oauth-consent.png rename to docs/docs/identity-providers/img/google-oauth-consent.png diff --git a/docs/docs/identity-providers/img/okta-app-dashboard.png b/docs/docs/identity-providers/img/okta-app-dashboard.png new file mode 100644 index 000000000..8874e2ba5 Binary files /dev/null and b/docs/docs/identity-providers/img/okta-app-dashboard.png differ diff --git a/docs/docs/identity-providers/img/okta-authorization-servers.png b/docs/docs/identity-providers/img/okta-authorization-servers.png new file mode 100644 index 000000000..080cd4d84 Binary files /dev/null and b/docs/docs/identity-providers/img/okta-authorization-servers.png differ diff --git a/docs/docs/identity-providers/img/okta-client-id-and-secret.png b/docs/docs/identity-providers/img/okta-client-id-and-secret.png new file mode 100644 index 000000000..23544b333 Binary files /dev/null and b/docs/docs/identity-providers/img/okta-client-id-and-secret.png differ diff --git a/docs/docs/identity-providers/img/okta-configure-groups-claim.png b/docs/docs/identity-providers/img/okta-configure-groups-claim.png new file mode 100644 index 000000000..e23241fb7 Binary files /dev/null and b/docs/docs/identity-providers/img/okta-configure-groups-claim.png differ 
diff --git a/docs/docs/identity-providers/img/okta-create-app-platform.png b/docs/docs/identity-providers/img/okta-create-app-platform.png new file mode 100644 index 000000000..b56dd957e Binary files /dev/null and b/docs/docs/identity-providers/img/okta-create-app-platform.png differ diff --git a/docs/docs/identity-providers/img/okta-create-app-settings.png b/docs/docs/identity-providers/img/okta-create-app-settings.png new file mode 100644 index 000000000..235928f82 Binary files /dev/null and b/docs/docs/identity-providers/img/okta-create-app-settings.png differ diff --git a/docs/docs/identity-providers/img/okta-list-groups-claim.png b/docs/docs/identity-providers/img/okta-list-groups-claim.png new file mode 100644 index 000000000..eb081875c Binary files /dev/null and b/docs/docs/identity-providers/img/okta-list-groups-claim.png differ diff --git a/docs/docs/identity-providers/img/one-login-add-app.png b/docs/docs/identity-providers/img/one-login-add-app.png new file mode 100644 index 000000000..621557ebe Binary files /dev/null and b/docs/docs/identity-providers/img/one-login-add-app.png differ diff --git a/docs/docs/identity-providers/img/one-login-add-open-id.png b/docs/docs/identity-providers/img/one-login-add-open-id.png new file mode 100644 index 000000000..5a592968f Binary files /dev/null and b/docs/docs/identity-providers/img/one-login-add-open-id.png differ diff --git a/docs/docs/identity-providers/img/one-login-callback-url.png b/docs/docs/identity-providers/img/one-login-callback-url.png new file mode 100644 index 000000000..ba25e20b1 Binary files /dev/null and b/docs/docs/identity-providers/img/one-login-callback-url.png differ diff --git a/docs/docs/identity-providers/img/one-login-events.png b/docs/docs/identity-providers/img/one-login-events.png new file mode 100644 index 000000000..464cde04f Binary files /dev/null and b/docs/docs/identity-providers/img/one-login-events.png differ 
diff --git a/docs/docs/identity-providers/img/one-login-oidc-groups-param.png b/docs/docs/identity-providers/img/one-login-oidc-groups-param.png new file mode 100644 index 000000000..04f6c17d1 Binary files /dev/null and b/docs/docs/identity-providers/img/one-login-oidc-groups-param.png differ diff --git a/docs/docs/identity-providers/img/one-login-oidc-params.png b/docs/docs/identity-providers/img/one-login-oidc-params.png new file mode 100644 index 000000000..ad9e8b6a1 Binary files /dev/null and b/docs/docs/identity-providers/img/one-login-oidc-params.png differ diff --git a/docs/docs/identity-providers/img/one-login-select-logo.png b/docs/docs/identity-providers/img/one-login-select-logo.png new file mode 100644 index 000000000..77b381fd7 Binary files /dev/null and b/docs/docs/identity-providers/img/one-login-select-logo.png differ diff --git a/docs/docs/identity-providers/img/one-login-sso-settings.png b/docs/docs/identity-providers/img/one-login-sso-settings.png new file mode 100644 index 000000000..062d4f766 Binary files /dev/null and b/docs/docs/identity-providers/img/one-login-sso-settings.png differ diff --git a/docs/docs/identity-providers/okta.md b/docs/docs/identity-providers/okta.md new file mode 100644 index 000000000..7ca722dac --- /dev/null +++ b/docs/docs/identity-providers/okta.md 
@@ -0,0 +1,70 @@ +# Okta + +[Log in to your Okta account](https://login.okta.com) and head to your Okta dashboard. Select **Applications** on the top menu. On the Applications page, click the **Add Application** button to create a new app. + +![Okta Applications Dashboard](./img/okta-app-dashboard.png) + +On the **Create New Application** page, select the **Web** for your application. + +![Okta Create Application Select Platform](./img/okta-create-app-platform.png) + +Next, provide the following information for your application settings: + +| Field | Description | +| ---------------------------- | --------------------------------------------------------------------------- | +| Name | The name of your application. | +| Base URIs (optional) | The domain(s) of your application. | +| Login redirect URIs | Redirect URL (e.g.`https://authenticate.corp.example.com/oauth2/callback`). | +| Group assignments (optional) | The user groups that can sign in to this application. | +| Grant type allowed | **You must enable Refresh Token.** | + +![Okta Create Application Settings](./img/okta-create-app-settings.png) + +Click **Done** to proceed. You'll be taken to the **General** page of your app. + +Go to the **General** page of your app and scroll down to the **Client Credentials** section. This section contains the **[Client ID]** and **[Client Secret]** to be used in the next step. + +![Okta Client ID and Secret](./img/okta-client-id-and-secret.png) + +Next, we'll configure Okta to pass along a custom OpenID Connect claim to establish group membership. To do so, click the **API** menu item, and select **Authorization Servers**. + +![Okta authorization servers](./img/okta-authorization-servers.png) + +Select your desired authorization server and navigate to the **claims tab**. Click **Add Claim** and configure the group claim for **ID Token** as follows. 
+ +![Okta configure group claim](./img/okta-configure-groups-claim.png) + +| Field | Value | +| --------------------- | --------------------- | +| Name | groups | +| Include in token type | **ID Token**, Always. | +| Value Type | Groups | +| Filter | Matches regex `.*` | +| Include in | Any scope | + +Add an another, almost identical, claim but this time for **Access Token**. + +| Field | Value | +| --------------------- | ------------------------- | +| Name | groups | +| Include in token type | **Access Token**, Always. | +| Value Type | Groups | +| Filter | Matches regex `.*` | +| Include in | Any scope | + +![Okta list group claims](./img/okta-list-groups-claim.png) + +Finally, configure Pomerium with the identity provider settings retrieved in the previous steps. Your [environmental variables] should look something like this. + +```bash +IDP_PROVIDER="okta" +IDP_PROVIDER_URL="https://dev-108295-admin.oktapreview.com/" +IDP_CLIENT_ID="0oairksnr0C0fEJ7l0h7" +IDP_CLIENT_SECRET="xxxxxx" +``` + +[client id]: ../reference/reference.md#identity-provider-client-id +[client secret]: ../reference/reference.md#identity-provider-client-secret +[environmental variables]: https://en.wikipedia.org/wiki/Environment_variable +[oauth2]: https://oauth.net/2/ +[openid connect]: https://en.wikipedia.org/wiki/OpenID_Connect diff --git a/docs/docs/identity-providers/one-login.md b/docs/docs/identity-providers/one-login.md new file mode 100644 index 000000000..362024cfb --- /dev/null +++ b/docs/docs/identity-providers/one-login.md 
@@ -0,0 +1,56 @@ +# OneLogin + +Log in to your [OneLogin](https://www.onelogin.com/) account and head to the dashboard. + +Click **Apps** on the top menu. Select the **Add apps** menu item. + +![One Login Add a New App](./img/one-login-add-app.png) + +On the **Find Application** page, search for **openid**. Select **Openid Connect** by OneLogin, Inc. + +![One Login Add a New App](./img/one-login-add-open-id.png) + +On the App Configuration page, **name the app** and **select a logo**. Select **Save**. + +![One Login select logo](./img/one-login-select-logo.png) + +Next, set set the **Redirect URI's** setting to be Pomerium's redirect url `https://${AUTHENTICATE_SERVICE_URL}/oauth2/callback`. + +![One Login set callback url](./img/one-login-callback-url.png) + +Go to the **SSO** page. This section contains the **[Client ID]** and **[Client Secret]** you'll use to configure Pomerium. + +Set the application type to **Web** and the token endpoint to be **POST**. + +Under **Token Timeout settings** set **Refresh Token** to 60 minutes (or whatever value makes sense for your organization). Note, however, if you don't enable refresh tokens the user will be prompted to authenticate whenever the access token expires which can result in a poor user experience. + +![One Login SSO settings](./img/one-login-sso-settings.png) + +[OneLogin's OIDC implementation](https://developers.onelogin.com/openid-connect/scopes) supports the `groups` which can return either the user's group or role which can be used within pomerium to enforced group-based ACL policy. + +To return the user's Active Directory field, configure the group to return `member_of`. In the Default if no value field, select **User Roles** and Select **Semicolon Delimited** in the adjacent field. **Select Save** + +![OneLogin set role](./img/one-login-oidc-params.png) + +**Alternatively**, groups can return the _roles_ a user is assigned. 
In the Default if no value field, select **User Roles** and Select **Semicolon Delimited** in the adjacent field. **Select Save** + +![OneLogin set role](./img/one-login-oidc-groups-param.png) + +Finally, configure Pomerium with the identity provider settings retrieved in the previous steps. Your [environmental variables] should look something like this. + +```bash +IDP_PROVIDER="onelogin" +IDP_PROVIDER_URL="https://openid-connect.onelogin.com/oidc" +IDP_CLIENT_ID="9e613ce0-1622-0137-452d-0a93c31f8392142934" +IDP_CLIENT_SECRET="3e86ef0cc21b6dcf10c1d91e032568617d37e9fe1609ffd8042d3c25a560c36c" +``` + +After reloading Pomerium, you should be able to see any login events from your OneLogin events dashboard. + +![One Login Events Dashboard](./img/one-login-events.png) + +[client id]: ../reference/reference.md#identity-provider-client-id +[client secret]: ../reference/reference.md#identity-provider-client-secret +[environmental variables]: https://en.wikipedia.org/wiki/Environment_variable +[oauth2]: https://oauth.net/2/ +[openid connect]: https://en.wikipedia.org/wiki/OpenID_Connect diff --git a/docs/docs/identity-providers/readme.md b/docs/docs/identity-providers/readme.md new file mode 100644 index 000000000..e34d4bd57 --- /dev/null +++ b/docs/docs/identity-providers/readme.md 
@@ -0,0 +1,25 @@ +--- +title: Overview +description: >- + This article describes how to connect Pomerium to third-party identity + providers / single-sign-on services. You will need to generate keys, copy + these into your Pomerium settings, and enable the connection. +--- + +# Identity Provider Configuration + +This article describes how to configure Pomerium to use a third-party identity service for single-sign-on. + +There are a few configuration steps required for identity provider integration. Most providers support [OpenID Connect] which provides a standardized identity and authentication interface. + +In this guide we'll cover how to do the following for each identity provider: + +1. Set a **[Redirect URL](https://www.oauth.com/oauth2-servers/redirect-uris/)** pointing back to Pomerium. +2. Generate a **[Client ID]** and **[Client Secret]**. +3. Configure Pomerium to use the **[Client ID]** and **[Client Secret]** keys. + +[client id]: ../reference/reference.md#identity-provider-client-id +[client secret]: ../reference/reference.md#identity-provider-client-secret +[environmental variables]: https://en.wikipedia.org/wiki/Environment_variable +[oauth2]: https://oauth.net/2/ +[openid connect]: https://en.wikipedia.org/wiki/OpenID_Connect diff --git a/docs/docs/microsoft/azure-add-groups-claim.png b/docs/docs/microsoft/azure-add-groups-claim.png deleted file mode 100644 index 989fb4034..000000000 Binary files a/docs/docs/microsoft/azure-add-groups-claim.png and /dev/null differ diff --git a/docs/docs/microsoft/azure-api-settings.png b/docs/docs/microsoft/azure-api-settings.png deleted file mode 100644 index b620d3749..000000000 Binary files a/docs/docs/microsoft/azure-api-settings.png and /dev/null differ diff --git a/docs/docs/microsoft/azure-app-registrations.png b/docs/docs/microsoft/azure-app-registrations.png deleted file mode 100644 index 0f38b389d..000000000 Binary files a/docs/docs/microsoft/azure-app-registrations.png and /dev/null differ 
diff --git a/docs/docs/microsoft/azure-application-dashbaord.png b/docs/docs/microsoft/azure-application-dashbaord.png deleted file mode 100644 index f90e5dab5..000000000 Binary files a/docs/docs/microsoft/azure-application-dashbaord.png and /dev/null differ diff --git a/docs/docs/microsoft/azure-create-application.png b/docs/docs/microsoft/azure-create-application.png deleted file mode 100644 index 872a8ac64..000000000 Binary files a/docs/docs/microsoft/azure-create-application.png and /dev/null differ diff --git a/docs/docs/microsoft/azure-create-key.png b/docs/docs/microsoft/azure-create-key.png deleted file mode 100644 index 0e700754f..000000000 Binary files a/docs/docs/microsoft/azure-create-key.png and /dev/null differ diff --git a/docs/docs/microsoft/azure-dashboard.png b/docs/docs/microsoft/azure-dashboard.png deleted file mode 100644 index 2ec07b471..000000000 Binary files a/docs/docs/microsoft/azure-dashboard.png and /dev/null differ diff --git a/docs/docs/microsoft/azure-endpoints.png b/docs/docs/microsoft/azure-endpoints.png deleted file mode 100644 index 97f84a6b8..000000000 Binary files a/docs/docs/microsoft/azure-endpoints.png and /dev/null differ diff --git a/docs/docs/microsoft/azure-redirect-url.png b/docs/docs/microsoft/azure-redirect-url.png deleted file mode 100644 index 8628d4978..000000000 Binary files a/docs/docs/microsoft/azure-redirect-url.png and /dev/null differ diff --git a/docs/docs/okta/okta-app-dashboard.png b/docs/docs/okta/okta-app-dashboard.png deleted file mode 100644 index 199f3439c..000000000 Binary files a/docs/docs/okta/okta-app-dashboard.png and /dev/null differ diff --git a/docs/docs/okta/okta-authorization-servers.png b/docs/docs/okta/okta-authorization-servers.png deleted file mode 100644 index 9ffb35e52..000000000 Binary files a/docs/docs/okta/okta-authorization-servers.png and /dev/null differ 
diff --git a/docs/docs/okta/okta-client-id-and-secret.png b/docs/docs/okta/okta-client-id-and-secret.png deleted file mode 100644 index 617099edc..000000000 Binary files a/docs/docs/okta/okta-client-id-and-secret.png and /dev/null differ diff --git a/docs/docs/okta/okta-configure-groups-claim.png b/docs/docs/okta/okta-configure-groups-claim.png deleted file mode 100644 index eaadca746..000000000 Binary files a/docs/docs/okta/okta-configure-groups-claim.png and /dev/null differ diff --git a/docs/docs/okta/okta-create-app-platform.png b/docs/docs/okta/okta-create-app-platform.png deleted file mode 100644 index e96683506..000000000 Binary files a/docs/docs/okta/okta-create-app-platform.png and /dev/null differ diff --git a/docs/docs/okta/okta-create-app-settings.png b/docs/docs/okta/okta-create-app-settings.png deleted file mode 100644 index 32a3d612e..000000000 Binary files a/docs/docs/okta/okta-create-app-settings.png and /dev/null differ diff --git a/docs/docs/okta/okta-list-groups-claim.png b/docs/docs/okta/okta-list-groups-claim.png deleted file mode 100644 index e26074db7..000000000 Binary files a/docs/docs/okta/okta-list-groups-claim.png and /dev/null differ diff --git a/docs/docs/one-login/one-login-add-app.png b/docs/docs/one-login/one-login-add-app.png deleted file mode 100644 index bd4dd1bec..000000000 Binary files a/docs/docs/one-login/one-login-add-app.png and /dev/null differ diff --git a/docs/docs/one-login/one-login-add-open-id.png b/docs/docs/one-login/one-login-add-open-id.png deleted file mode 100644 index 57ead684f..000000000 Binary files a/docs/docs/one-login/one-login-add-open-id.png and /dev/null differ diff --git a/docs/docs/one-login/one-login-callback-url.png b/docs/docs/one-login/one-login-callback-url.png deleted file mode 100644 index 33c9469d9..000000000 Binary files a/docs/docs/one-login/one-login-callback-url.png and /dev/null differ 
diff --git a/docs/docs/one-login/one-login-events.png b/docs/docs/one-login/one-login-events.png deleted file mode 100644 index d0b8add3a..000000000 Binary files a/docs/docs/one-login/one-login-events.png and /dev/null differ diff --git a/docs/docs/one-login/one-login-oidc-groups-param.png b/docs/docs/one-login/one-login-oidc-groups-param.png deleted file mode 100644 index e3ebc8dd7..000000000 Binary files a/docs/docs/one-login/one-login-oidc-groups-param.png and /dev/null differ diff --git a/docs/docs/one-login/one-login-oidc-params.png b/docs/docs/one-login/one-login-oidc-params.png deleted file mode 100644 index 4fd383056..000000000 Binary files a/docs/docs/one-login/one-login-oidc-params.png and /dev/null differ diff --git a/docs/docs/one-login/one-login-select-logo.png b/docs/docs/one-login/one-login-select-logo.png deleted file mode 100644 index f93f753af..000000000 Binary files a/docs/docs/one-login/one-login-select-logo.png and /dev/null differ diff --git a/docs/docs/one-login/one-login-sso-settings.png b/docs/docs/one-login/one-login-sso-settings.png deleted file mode 100644 index ba7353ae0..000000000 Binary files a/docs/docs/one-login/one-login-sso-settings.png and /dev/null differ diff --git a/docs/guide/binary.md b/docs/docs/quick-start/binary.md similarity index 81% rename from docs/guide/binary.md rename to docs/docs/quick-start/binary.md index 2b6bc03ba..edfe6fbc4 100644 --- a/docs/guide/binary.md +++ b/docs/docs/quick-start/binary.md @@ -6,9 +6,9 @@ meta: content: pomerium identity-access-proxy oidc reverse-proxy --- -# Pomerium with Prebuilt Binaries +# Binaries -The following quick-start guide covers how to configure and run Pomerium using prebuilt binaries. +The following quick-start guide covers how to configure and run Pomerium using the official prebuilt binaries. ## Prerequisites 
@@ -27,13 +27,13 @@ Pomerium supports setting [configuration variables] using both environmental var Create a config file (`config.yaml`). This file will be used to determine Pomerium's configuration settings, routes, and access-policies. Consider the following example: -<<< @/docs/docs/examples/config/config.minimal.yaml +<<< @/docs/docs/reference/examples/config/config.minimal.yaml ### Environmental Variables As mentioned above, Pomerium supports mixing and matching configuration. For example, we can specify our secret values and domains certificates as [environmental configuration variables], and set the rest as part of the configuration file. -<<< @/docs/docs/examples/config/config.minimal.env +<<< @/docs/docs/reference/examples/config/config.minimal.env ## Run @@ -48,10 +48,10 @@ source ./env Browse to `external-httpbin.your.domain.example`. Connections between you and [httpbin] will now be proxied and managed by Pomerium. -[configuration variables]: ../reference/readme.md +[configuration variables]: ../reference/reference.md [download]: https://github.com/pomerium/pomerium/releases [environmental configuration variables]: https://12factor.net/config [httpbin]: https://httpbin.org/ -[identity provider]: ../docs/identity-providers.md +[identity provider]: ../docs/identity-providers/ [make]: https://en.wikipedia.org/wiki/Make_(software) -[wild-card tls certificate]: ../docs/certificates.md +[wild-card tls certificate]: ../reference/certificates.md diff --git a/docs/guide/helm.md b/docs/docs/quick-start/helm.md similarity index 65% rename from docs/guide/helm.md rename to docs/docs/quick-start/helm.md index 4906faaac..8bf436b44 100644 --- a/docs/guide/helm.md +++ b/docs/docs/quick-start/helm.md 
@@ -8,9 +8,7 @@ meta: # Pomerium using Helm -This quickstart will show you how to deploy Pomerium with Kubernetes. Though there are [many ways](https://kubernetes.io/docs/setup/pick-right-solution/) to work with Kubernetes, for the purpose of this guide, we will be using Google's [Kubernetes Engine](https://cloud.google.com/kubernetes-engine/). That said, most of the following steps should be very similar using any other provider. - -In addition to sharing many of the same features as the Kubernetes quickstart guide, the default helm deployment script also includes a bootstrapped certificate authority enabling mutually authenticated and encrypted communication between services that does not depend on the external LetsEncrypt certificates. Having the external domain certificate de-coupled makes it easier to renew external certificates. +This quickstart will show you how to deploy Pomerium with Kubernetes. ## Prerequisites 
@@ -21,9 +19,15 @@ In addition to sharing many of the same features as the Kubernetes quickstart gu - Install [helm](https://helm.sh/docs/using_helm/) - A [wild-card TLS certificate] +Though there are [many ways](https://kubernetes.io/docs/setup/pick-right-solution/) to work with Kubernetes, for the purpose of this guide, we will be using Google's [Kubernetes Engine](https://cloud.google.com/kubernetes-engine/). That said, most of the following steps should be very similar using any other provider. + +In addition to sharing many of the same features as the Kubernetes quickstart guide, the default helm deployment script also includes a bootstrapped certificate authority enabling mutually authenticated and encrypted communication between services that does not depend on the external LetsEncrypt certificates. Having the external domain certificate de-coupled makes it easier to renew external certificates. + ## Configure -Download and modify the [helm_gke.sh script][./scripts/helm_gke.sh] to match your [identity provider] and [wild-card tls certificate] settings. +Download and modify the following [helm_gke.sh script][./scripts/helm_gke.sh] to match your [identity provider] and [wild-card tls certificate] settings. + +<<<@/scripts/helm_gke.sh ## Run 
@@ -42,10 +46,10 @@ Run [./scripts/helm_gke.sh] which will: Open a browser and navigate to `httpbin.your.domain.example`. -[./scripts/helm_gke.sh]: ../docs/examples.html#helm -[./scripts/kubernetes_gke.sh]: ../docs/examples.html#google-kubernetes-engine -[example kubernetes files]: ../docs/examples.html#google-kubernetes-engine -[identity provider]: ../docs/identity-providers.md +[./scripts/helm_gke.sh]: ../reference/examples.html#helm +[./scripts/kubernetes_gke.sh]: ../reference/examples.html#google-kubernetes-engine +[example kubernetes files]: ../reference/examples.html#google-kubernetes-engine +[identity provider]: ../identity-providers/readme.md [letsencrypt]: https://letsencrypt.org/ [script]: https://github.com/pomerium/pomerium/blob/master/scripts/generate_wildcard_cert.sh -[wild-card tls certificate]: ../docs/certificates.md +[wild-card tls certificate]: ../reference/certificates.md diff --git a/docs/docs/quick-start/img/kubernetes-gke.png b/docs/docs/quick-start/img/kubernetes-gke.png new file mode 100644 index 000000000..ee7aec9e2 Binary files /dev/null and b/docs/docs/quick-start/img/kubernetes-gke.png differ diff --git a/docs/guide/synology/synology-certifciate-assignment.png b/docs/docs/quick-start/img/synology-certifciate-assignment.png similarity index 100% rename from docs/guide/synology/synology-certifciate-assignment.png rename to docs/docs/quick-start/img/synology-certifciate-assignment.png diff --git a/docs/guide/synology/synology-docker-httpbin.png b/docs/docs/quick-start/img/synology-docker-httpbin.png similarity index 100% rename from docs/guide/synology/synology-docker-httpbin.png rename to docs/docs/quick-start/img/synology-docker-httpbin.png diff --git a/docs/docs/quick-start/img/synology-docker-package-center.png b/docs/docs/quick-start/img/synology-docker-package-center.png new file mode 100644 index 000000000..2f53ab206 Binary files /dev/null and b/docs/docs/quick-start/img/synology-docker-package-center.png differ 
diff --git a/docs/guide/synology/synology-docker-pomerium-alias.png b/docs/docs/quick-start/img/synology-docker-pomerium-alias.png similarity index 100% rename from docs/guide/synology/synology-docker-pomerium-alias.png rename to docs/docs/quick-start/img/synology-docker-pomerium-alias.png diff --git a/docs/guide/synology/synology-docker-pomerium-create-container.png b/docs/docs/quick-start/img/synology-docker-pomerium-create-container.png similarity index 100% rename from docs/guide/synology/synology-docker-pomerium-create-container.png rename to docs/docs/quick-start/img/synology-docker-pomerium-create-container.png diff --git a/docs/guide/synology/synology-docker-pomerium-done.png b/docs/docs/quick-start/img/synology-docker-pomerium-done.png similarity index 100% rename from docs/guide/synology/synology-docker-pomerium-done.png rename to docs/docs/quick-start/img/synology-docker-pomerium-done.png diff --git a/docs/guide/synology/synology-docker-pomerium-package.png b/docs/docs/quick-start/img/synology-docker-pomerium-package.png similarity index 100% rename from docs/guide/synology/synology-docker-pomerium-package.png rename to docs/docs/quick-start/img/synology-docker-pomerium-package.png diff --git a/docs/guide/synology/synology-docker-port-settings.png b/docs/docs/quick-start/img/synology-docker-port-settings.png similarity index 100% rename from docs/guide/synology/synology-docker-port-settings.png rename to docs/docs/quick-start/img/synology-docker-port-settings.png diff --git a/docs/guide/synology/synology-firewall-rules.png b/docs/docs/quick-start/img/synology-firewall-rules.png similarity index 100% rename from docs/guide/synology/synology-firewall-rules.png rename to docs/docs/quick-start/img/synology-firewall-rules.png diff --git a/docs/guide/synology/synology-httpbin.png b/docs/docs/quick-start/img/synology-httpbin.png similarity index 100% rename from docs/guide/synology/synology-httpbin.png rename to docs/docs/quick-start/img/synology-httpbin.png 
diff --git a/docs/guide/synology/synology-reverse-proxy-rules.png b/docs/docs/quick-start/img/synology-reverse-proxy-rules.png similarity index 100% rename from docs/guide/synology/synology-reverse-proxy-rules.png rename to docs/docs/quick-start/img/synology-reverse-proxy-rules.png diff --git a/docs/guide/synology/synology-reverse-proxy.png b/docs/docs/quick-start/img/synology-reverse-proxy.png similarity index 100% rename from docs/guide/synology/synology-reverse-proxy.png rename to docs/docs/quick-start/img/synology-reverse-proxy.png diff --git a/docs/docs/quick-start/img/synology-step-1-redirect.png b/docs/docs/quick-start/img/synology-step-1-redirect.png new file mode 100644 index 000000000..6af917140 Binary files /dev/null and b/docs/docs/quick-start/img/synology-step-1-redirect.png differ diff --git a/docs/docs/quick-start/img/synology-step-2-mfa.png b/docs/docs/quick-start/img/synology-step-2-mfa.png new file mode 100644 index 000000000..12f826fdb Binary files /dev/null and b/docs/docs/quick-start/img/synology-step-2-mfa.png differ diff --git a/docs/docs/quick-start/img/synology-step-3-validate-header.png b/docs/docs/quick-start/img/synology-step-3-validate-header.png new file mode 100644 index 000000000..45d792fec Binary files /dev/null and b/docs/docs/quick-start/img/synology-step-3-validate-header.png differ diff --git a/docs/guide/synology/synology-step-4-unauthorized.png b/docs/docs/quick-start/img/synology-step-4-unauthorized.png similarity index 100% rename from docs/guide/synology/synology-step-4-unauthorized.png rename to docs/docs/quick-start/img/synology-step-4-unauthorized.png diff --git a/docs/guide/kubernetes.md b/docs/docs/quick-start/kubernetes.md similarity index 86% rename from docs/guide/kubernetes.md rename to docs/docs/quick-start/kubernetes.md index faefe0a8d..c10a3b1d3 100644 --- a/docs/guide/kubernetes.md +++ b/docs/docs/quick-start/kubernetes.md 
@@ -30,6 +30,8 @@ git clone https://github.com/pomerium/pomerium.git $HOME/pomerium Edit [./scripts/kubernetes_gke.sh] making sure to change the identity provider secret value to match your [identity provider] and [wild-card tls certificate] settings. +<<<@/scripts/kubernetes_gke.sh + ## Run Run [./scripts/kubernetes_gke.sh] which will: @@ -49,16 +51,15 @@ You should see roughly the following in your terminal. Note, provisioning does t And if you check out Google's Kubernetes Engine dashboard you'll see something like: -![Google's Kubernetes Engine dashboard](./kubernetes-gke.png) +![Google's Kubernetes Engine dashboard](./img/kubernetes-gke.png) ## Navigate Open a browser and navigate to `httpbin.your.domain.example`. - -[./scripts/kubernetes_gke.sh]: ../docs/examples.html#google-kubernetes-engine -[example kubernetes files]: ../docs/examples.html#google-kubernetes-engine -[identity provider]: ../docs/identity-providers.md +[./scripts/kubernetes_gke.sh]: ../reference/examples#google-kubernetes-engine +[example kubernetes files]: ../reference/examples#google-kubernetes-engine +[identity provider]: ../identity-providers/readme.md [letsencrypt]: https://letsencrypt.org/ [script]: https://github.com/pomerium/pomerium/blob/master/scripts/generate_wildcard_cert.sh -[wild-card tls certificate]: ../docs/certificates.md +[wild-card tls certificate]: ../reference/certificates.md diff --git a/docs/guide/readme.md b/docs/docs/quick-start/readme.md similarity index 66% rename from docs/guide/readme.md rename to docs/docs/quick-start/readme.md index 2a220689c..fe2a98079 100644 --- a/docs/guide/readme.md +++ b/docs/docs/quick-start/readme.md 
@@ -8,7 +8,7 @@ meta: # Pomerium using Docker -[Docker] is a straightforward way to start using Pomerium. In the following quick-start, we'll create a minimal but complete environment for running Pomerium with containers. +In the following quick-start, we'll create a minimal but complete environment for running Pomerium with containers. ## Prerequisites @@ -18,6 +18,14 @@ meta: ## Configure +### Configuration file + +Create a [configuration file] (e.g `config.yaml`) for defining Pomerium's configuration settings, routes, and access-policies. Consider the following example: + +<<< @/docs/docs/reference/examples/config/config.minimal.yaml + +Ensure the `docker-compose.yml` contains the correct path to your `config.yaml`. + ### Docker-compose Download the following `docker-compose.yml` file and modify it to: @@ -26,15 +34,7 @@ Download the following `docker-compose.yml` file and modify it to: - mount your [wild-card TLS certificate] - mount your `config.yaml` [configuration file] -<<< @/docs/docs/examples/docker/basic.docker-compose.yml - -### Configuration file - -Create a [configuration file] (`config.yaml`) for defining Pomerium's configuration settings, routes, and access-policies. Consider the following example: - -<<< @/docs/docs/examples/config/config.minimal.yaml - -Ensure the `docker-compose.yml` contains the correct path to your `config.yaml`. +<<< @/docs/docs/reference/examples/docker/basic.docker-compose.yml ## Run 
@@ -48,10 +48,10 @@ Docker will automatically download the required [container images] for Pomerium You should now be able access to the routes (e.g. `https://httpbin.corp.yourdomain.example`) as specified in your policy file. -[configuration file]: ../reference/readme.md +[configuration file]: ../reference/reference.md [container images]: https://hub.docker.com/r/pomerium/pomerium [docker]: https://docs.docker.com/install/ [docker-compose]: https://docs.docker.com/compose/install/ [httpbin]: https://httpbin.org/ -[identity provider]: ../docs/identity-providers.md -[wild-card tls certificate]: ../docs/certificates.md +[identity provider]: ../identity-providers/readme.md +[wild-card tls certificate]: ../reference/certificates.md diff --git a/docs/guide/synology.md b/docs/docs/quick-start/synology.md similarity index 59% rename from docs/guide/synology.md rename to docs/docs/quick-start/synology.md index 77b61f17c..a2a68af76 100644 --- a/docs/guide/synology.md +++ b/docs/docs/quick-start/synology.md @@ -24,7 +24,7 @@ Though any supported identity provider would work, this guide uses google. This will vary depending on what type of router you have but the gist is you want to be forwarding all HTTPS/TLS traffic from port `443` to your NAS on some high port (in this case`8443`). -![Synology configure firewall rules](./synology/synology-firewall-rules.png) +![Synology configure firewall rules](./img/synology-firewall-rules.png) ## DSM 
@@ -38,19 +38,19 @@ Click **Create**. Set the following **Reverse Proxy Rules**. -Field | Description --------------------- | ----------- -Description | pomerium -Source Protocol | HTTPS -Source Hostname | * -Destination Port | 8443 -HTTP/2 | Enabled -HSTS | Enabled -Destination Protocol | HTTPS -Destination Hostname | localhost -Destination Port | 32443 +| Field | Description | +| -------------------- | ----------- | +| Description | pomerium | +| Source Protocol | HTTPS | +| Source Hostname | \* | +| Destination Port | 8443 | +| HTTP/2 | Enabled | +| HSTS | Enabled | +| Destination Protocol | HTTPS | +| Destination Hostname | localhost | +| Destination Port | 32443 | -![Synology setup nginx reverse proxy](./synology/synology-reverse-proxy.png) +![Synology setup nginx reverse proxy](./img/synology-reverse-proxy.png) This will forward any incoming HTTPS traffic to the Pomerium service that is (not yet) running on port **32443**. @@ -68,11 +68,11 @@ Once the certificate is showing on the list of certificates screen we need to te **Click configure** -Services | Certificate --------- | ------------------- -*:8443 | `*.int.nas.example` +| Services | Certificate | +| -------- | ------------------- | +| \*:8443 | `*.int.nas.example` | -![Synology assign wildcard certificate](./synology/synology-certifciate-assignment.png) +![Synology assign wildcard certificate](./img/synology-certifciate-assignment.png) ## Docker @@ -82,7 +82,7 @@ Download and install docker from the package manager. **Package manager** > **search** > **docker** -![Synology download pomerium docker image](./synology/synology-docker-package-center.png) +![Synology download pomerium docker image](./img/synology-docker-package-center.png) Once installed open the docker app. 
@@ -90,11 +90,11 @@ Once installed open the docker app. **Download** the official Pomerium docker image. -![Synology download pomerium docker image](./synology/synology-docker-pomerium-package.png) +![Synology download pomerium docker image](./img/synology-docker-pomerium-package.png) We'll also need a test application to manage access to. For this guide we'll use the canonical test app [httpbin] but the this could be any [self-hosted apps], wiki, download tool, etc. -![Synology download httpbin docker image](./synology/synology-httpbin.png) +![Synology download httpbin docker image](./img/synology-httpbin.png) ### Policy @@ -105,7 +105,7 @@ We will create an extremely basic policy where `httpbin.int.nas.example` is repl - from: https://httpbin.int.nas.example to: http://httpbin allowed_users: - - your.email.address@gmail.com + - your.email.address@gmail.com ``` ### Configure @@ -122,7 +122,7 @@ Set the **Container Name** to `httpbin`. Keep the rest of the settings the defau Click **apply** -![Synology launch httpbin](./synology/synology-docker-httpbin.png) +![Synology launch httpbin](./img/synology-docker-httpbin.png) This will create a small python webserver on port 80\. The container name we just used will be used as an alias to route requests as defined in our policy. @@ -136,7 +136,7 @@ Click **Launch** Set the **Container Name** to `Pomerium`. -![Synology pomerium create container](./synology/synology-docker-pomerium-create-container.png) +![Synology pomerium create container](./img/synology-docker-pomerium-create-container.png) Click **Advanced Settings** @@ -144,7 +144,7 @@ Go to **Port Settings** tab. Add an entry where the **Local Port** is **32443** and the container port is **443** and the type is **TCP**. -![Synology pomerium port settings docker](./synology/synology-docker-port-settings.png) +![Synology pomerium port settings docker](./img/synology-docker-port-settings.png) Go to **Links** tab. 
@@ -156,27 +156,27 @@ The alias value must match the `to` DNS name from your policy.yaml configuration ::: -![Synology pomerium set alias to app](./synology/synology-docker-pomerium-alias.png) +![Synology pomerium set alias to app](./img/synology-docker-pomerium-alias.png) These are the minimum set of configuration settings to get Pomerium running in this deployment environment. Go to **Environment** tab. -Field | Value -------------------------- | ---------------------------------------------------------------------------------------- -POLICY | output of `base64 -i policy.yaml` -CERTIFICATE | output of `base64 -i "$HOME/.acme.sh/*.int.nas.example.io_ecc/fullchain.cer"` -CERTIFICATE_KEY | output of `base64 -i "$HOME/.acme.sh/*.int.nas.example.io_ecc/*.int.nas.example.io.key"` -CERTIFICATE_AUTHORITY | output of `base64 -i "$HOME/.acme.sh/*.int.nas.example.io_ecc/ca.cer"` -OVERRIDE_CERTIFICATE_NAME | `*.int.nas.example` -IDP_CLIENT_SECRET | Values from setting up your [identity provider] -IDP_CLIENT_ID | Values from setting up your [identity provider] -IDP_PROVIDER | Values from setting up your [identity provider] (e.g. 
`google`) -COOKIE_SECRET | output of `head -c32 /dev/urandom | base64` -SHARED_SECRET | output of `head -c32 /dev/urandom | base64` -AUTHORIZE_SERVICE_URL | `https://localhost` -AUTHENTICATE_SERVICE_URL | `https://authenticate.int.nas.example` -AUTHENTICATE_INTERNAL_URL | `https://localhost` +| Field | Value | +| ------------------------- | ---------------------------------------------------------------------------------------- | +| POLICY | output of `base64 -i policy.yaml` | +| CERTIFICATE | output of `base64 -i "$HOME/.acme.sh/*.int.nas.example.io_ecc/fullchain.cer"` | +| CERTIFICATE_KEY | output of `base64 -i "$HOME/.acme.sh/*.int.nas.example.io_ecc/*.int.nas.example.io.key"` | +| CERTIFICATE_AUTHORITY | output of `base64 -i "$HOME/.acme.sh/*.int.nas.example.io_ecc/ca.cer"` | +| OVERRIDE_CERTIFICATE_NAME | `*.int.nas.example` | +| IDP_CLIENT_SECRET | Values from setting up your [identity provider] | +| IDP_CLIENT_ID | Values from setting up your [identity provider] | +| IDP_PROVIDER | Values from setting up your [identity provider] (e.g. `google`) | +| COOKIE_SECRET | output of `head -c32 /dev/urandom | base64` | +| SHARED_SECRET | output of `head -c32 /dev/urandom | base64` | +| AUTHORIZE_SERVICE_URL | `https://localhost` | +| AUTHENTICATE_SERVICE_URL | `https://authenticate.int.nas.example` | +| AUTHENTICATE_INTERNAL_URL | `https://localhost` | For a detailed explanation, and additional options, please refer to the [configuration variable docs]. Also note, though not covered in this guide, settings can be made via a mounted configuration file. @@ -184,7 +184,7 @@ Click **Launch**. If properly configured you should see something like the following when you see the container's details. -![Synology pomerium all setup](./synology/synology-docker-pomerium-done.png) +![Synology pomerium all setup](./img/synology-docker-pomerium-done.png) If something goes wrong, click the **Logs** tab. 
@@ -194,26 +194,26 @@ Navigate to your new service. `https://httpbin.int.nas.example` You should be redirected to your identity provider. -![Synology redirected login](./synology/synology-step-1-redirect.png) +![Synology redirected login](./img/synology-step-1-redirect.png) If you've enabled multi-factor authentication you should see that too. -![Synology multi-factor authentication](./synology/synology-step-2-mfa.png) +![Synology multi-factor authentication](./img/synology-step-2-mfa.png) If that user is authorized to see the httpbin service, you should be redirected back to httpbin! -![Synology done](./synology/synology-step-3-validate-header.png) +![Synology done](./img/synology-step-3-validate-header.png) And just to be safe, try logging in from another google account to see what happens. You should be greeted with a `403` unauthorized access page. -![Synology done](./synology/synology-step-4-unauthorized.png) +![Synology done](./img/synology-step-4-unauthorized.png) -[certificate documentation]: ../docs/certificates.md -[configuration variable docs]: ../docs/config-reference.html +[certificate documentation]: ../reference/certificates.md +[configuration variable docs]: ../reference/reference.md [diskstation manager]: https://www.synology.com/en-us/dsm [docker-capable]: https://www.synology.com/en-us/dsm/packages/Docker [httpbin]: https://httpbin.org -[identity provider]: ../docs/identity-providers.md#google +[identity provider]: ../identity-providers/readme.md [letsencrypt]: https://letsencrypt.org/ [nginx]: https://www.nginx.com [self-hosted apps]: https://github.com/Kickball/awesome-selfhosted diff --git a/docs/docs/readme.md b/docs/docs/readme.md index 0ab72de18..9371832f3 100644 --- a/docs/docs/readme.md +++ b/docs/docs/readme.md 
@@ -1,84 +1,40 @@ --- title: Overview lang: en-US +sidebarDepth: 0 meta: - name: keywords - content: pomerium identity-access-proxy beyondcorp zero-trust reverse-proxy ztn + content: pomerium overview identity-access-proxy beyondcorp zero-trust reverse-proxy ztn zero-trust-networks --- # Overview -## What +## What is Pomerium? -Pomerium is an identity-aware access proxy. Pomerium can be used to: +Pomerium is an identity-aware proxy that enables secure access to internal applications. Pomerium provides a standardized interface to add access control to applications regardless of whether the application itself has authorization or authentication baked-in. Pomerium gateways both internal and external requests, and can be used in situations where you'd typically reach for a VPN. -- enable secure remote access to internal websites, without a VPN. -- provide unified authentication ([SSO]) using the [identity provider] of your choice. -- enforce dynamic access policy based on context, identity, and device state. +Pomerium can be used to: + +- provide a **single-sign-on gateway** to internal applications. +- enforce **dynamic access policy** based on **context**, **identity**, and **device state**. - aggregate access logs and telemetry data. +- a **VPN alternative**. -## Why +## Architecture -### Perimeter security's shortcomings +pomerium architecture diagram -For years, secure remote access meant firewalls, network segmentation, and VPNs. 
However, several [high-profile](https://en.wikipedia.org/wiki/Operation_Aurora) [security](https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/) breaches have shown the limitations of [perimeter](https://www.redbooks.ibm.com/redpapers/pdfs/redp4397.pdf) [security](https://en.wikipedia.org/wiki/Perimeter_Security), namely: +## In action -- Perimeter security does a poor job of addressing the insider-threat and 28% percent of breaches are [by internal actors](http://www.documentwereld.nl/files/2018/Verizon-DBIR_2018-Main_report.pdf). -- The _impenetrable fortress_ theory of perimeter security is anything but in practice; most corporate networks have multiple entry points, lots of firewall rules, and constant pressure to expand network segmentation boundaries. -- Even defining "what" a perimeter is is difficult as corporate networks have come to consist of an increasingly [heterogeneous](https://youtu.be/bDJb8WOJYdA?t=532) mix of on-premise, public, and private clouds. -- VPNs frustrate end-users, give a false sense of security, and often fail to provide defense-in-depth. +To make this a bit more concrete, see the following short video which demonstrates: -Or for the visually inclined. +1. An **unauthorized** user authenticating with their corporate single-sign-on provider (in this case Google) +2. The **unauthorized** user being blocked from a protected resource. +3. The **unauthorized** user signing out from their session. +4. An **authorized** user authenticating with their corporate single-sign-on provider. +5. Pomerium delegating and grating access to the requested resource. +6. The **authorized** user inspecting their user details including group membership. 
-![NSA exploiting google's SSL termination](./google-cloud-exploitation620x466.jpg) - -> SSL added and removed here :^) - [NSA](https://www.zdnet.com/article/google-the-nsa-and-the-need-for-locking-down-datacenter-traffic/) - -### Zero-trust - -Pomerium attempts to mitigate these shortcomings by adopting principles like: - -- Trust flows from identity, device-state, and context; not network location. -- Treat both internal and external networks as completely untrusted. -- Act like you are already breached, because you probably are. -- Every device, user, and application's communication should be authenticated, authorized, and encrypted. -- Access policy should be dynamic, and built from multiple sources. - -This security model has typically been referred to as *zero-trust* or *BeyondCorp*-inspired. - -## Resources - -Pomerium was inspired by the security model originally articulated by [John Kindervag](http://www.virtualstarmedia.com/downloads/Forrester_zero_trust_DNA.pdf) in 2010, and by Google in 2011 as a result of the [Operation Aurora](https://en.wikipedia.org/wiki/Operation_Aurora) breach. 
- - -### Books - -- [Zero Trust Networks](http://shop.oreilly.com/product/0636920052265.do) by Gilman and Barth - -### Papers - -- Forrester [Build Security Into Your Network's DNA: The Zero Trust Network Architecture](http://www.virtualstarmedia.com/downloads/Forrester_zero_trust_DNA.pdf) -- Google BeyondCorp 1 [An overview: "A New Approach to Enterprise Security"](https://research.google.com/pubs/pub43231.html) -- Google BeyondCorp 2 [How Google did it: "Design to Deployment at Google"](https://research.google.com/pubs/pub44860.html) -- Google BeyondCorp 3 [Google's front-end infrastructure: "The Access Proxy"](https://research.google.com/pubs/pub45728.html) -- Google BeyondCorp 4 [Migrating to BeyondCorp: Maintaining Productivity While Improving Security](https://research.google.com/pubs/pub46134.html) -- Google BeyondCorp 5 [The human element: "The User Experience"](https://research.google.com/pubs/pub46366.html) -- Google BeyondCorp 6 [Secure your endpoints: "Building a Healthy Fleet"](https://ai.google/research/pubs/pub47356) - -### Posts - -- Google [Securing your business and securing your fleet the BeyondCorp way](https://cloud.google.com/blog/products/identity-security/securing-your-business-and-securing-your-fleet-the-beyondcorp-way) -- Google [Preparing for a BeyondCorp world: Understanding your device inventory](https://cloud.google.com/blog/products/identity-security/preparing-beyondcorp-world-understanding-your-device-inventory) -- Google [How BeyondCorp can help businesses be more productive](https://www.blog.google/products/google-cloud/how-beyondcorp-can-help-businesses-be-more-productive/) -- Google [How to use BeyondCorp to ditch your VPN, improve security and go to the cloud](https://www.blog.google/products/google-cloud/how-use-beyondcorp-ditch-your-vpn-improve-security-and-go-cloud/) -- Wall Street Journal [Google Moves Its Corporate Applications to the 
Internet](https://blogs.wsj.com/cio/2015/05/11/google-moves-its-corporate-applications-to-the-internet/) - -### Videos - -- [USENIX Enigma 2016 - NSA TAO Chief on Disrupting Nation State Hackers](https://youtu.be/bDJb8WOJYdA?list=PLKb9-P1fRHxhSmCy5OaYZ5spcY8v3Pbaf) -- [What, Why, and How of Zero Trust Networking](https://youtu.be/eDVHIfVSdIo?list=PLKb9-P1fRHxhSmCy5OaYZ5spcY8v3Pbaf) by Armon Dadgar, Hashicorp -- [O'Reilly Security 2017 NYC Beyondcorp: Beyond Fortress Security](https://youtu.be/oAvDASLehpY?list=PLKb9-P1fRHxhSmCy5OaYZ5spcY8v3Pbaf) by Neal Muller, Google -- [Be Ready for BeyondCorp: enterprise identity, perimeters and your application](https://youtu.be/5UiWAlwok1s?list=PLKb9-P1fRHxhSmCy5OaYZ5spcY8v3Pbaf) by Jason Kent - -[identity provider]: ../docs/identity-providers.md -[sso]: https://en.wikipedia.org/wiki/Single_sign-on + diff --git a/docs/docs/certificates.md b/docs/docs/reference/certificates.md similarity index 94% rename from docs/docs/certificates.md rename to docs/docs/reference/certificates.md index 43c7168b8..b2b5aa579 100644 --- a/docs/docs/certificates.md +++ b/docs/docs/reference/certificates.md @@ -36,7 +36,7 @@ Since one of Pomerium's core [principles] is to treat internal and external traf First, you'll want to set a [CNAME](https://en.wikipedia.org/wiki/CNAME_record) record for wild-card domain name you will be using with Pomerium. -![pomerium add a text entry to your dns records](./certificates/certificate-wildcard-domain.png) +![pomerium add a text entry to your dns records](./img/certificate-wildcard-domain.png) Once you've setup your wildcard domain, we can use acme.sh to create a certificate-signing request with LetsEncrypt. 
@@ -69,7 +69,7 @@ Not Found domain api file: LetsEncrypt will respond with the corresponding `TXT` record needed to verify our domain. -![pomerium add a text entry to your dns records](./certificates/certificate-domain-challenge.png) +![pomerium add a text entry to your dns records](./img/certificate-domain-challenge.png) It may take a few minutes for the DNS records to propagate. Once it does, you can run the following command to complete the certificate request process. @@ -110,9 +110,9 @@ Pomerium Config | Certificate file Your end users will see a valid certificate for all domains delegated by Pomerium. -![pomerium valid certificate](./certificates/certificates-valid-secure-certificate.png) +![pomerium valid certificate](./img/certificates-valid-secure-certificate.png) -![pomerium certificates A+ ssl labs rating](./certificates/certificates-ssl-report.png) +![pomerium certificates A+ ssl labs rating](./img/certificates-ssl-report.png) ## Resources diff --git a/docs/docs/examples.md b/docs/docs/reference/examples.md similarity index 78% rename from docs/docs/examples.md rename to docs/docs/reference/examples.md index bdec12f61..38dd4b19a 100644 --- a/docs/docs/examples.md +++ b/docs/docs/reference/examples.md @@ -2,7 +2,7 @@ sidebarDepth: 2 --- -# Example configs +# Config Examples A collection of copy-and-paste-able configurations for various types of clouds, use-cases, and deployments. These files can also be found in the git repository in the `docs/docs/examples/` directory. @@ -12,15 +12,17 @@ Remember to set your identity provider settings and to generate new secret keys! ::: +[[toc]] + ## Configurations #### Configuration File -<<< @/docs/docs/examples/config/config.example.yaml +<<< @/docs/docs/reference/examples/config/config.example.yaml #### Environmental Variables -<<< @/docs/docs/examples/config/config.example.env +<<< @/docs/docs/reference/examples/config/config.example.env ## Binary 
@@ -34,7 +36,6 @@ Remember to set your identity provider settings and to generate new secret keys! Customize for your identity provider and run `./bin/pomerium -config config.yaml` - ## Docker Uses the [latest pomerium build](https://hub.docker.com/r/pomerium/pomerium) from docker hub. Docker and docker-compose are great tools for standing up and testing multiple service, and containers without having to stand-up a full on cluster. @@ -50,7 +51,7 @@ Customize for your identity provider run `docker-compose up -f basic.docker-comp #### basic.docker-compose.yml -<<< @/docs/docs/examples/docker/basic.docker-compose.yml +<<< @/docs/docs/reference/examples/docker/basic.docker-compose.yml #### NGINX micro-services @@ -63,7 +64,7 @@ Customize for your identity provider run `docker-compose up -f nginx.docker-comp #### nginx.docker-compose.yml -<<< @/docs/docs/examples/docker/nginx.docker-compose.yml +<<< @/docs/docs/reference/examples/docker/nginx.docker-compose.yml ## Helm 
@@ -98,31 +99,31 @@ Customize for your identity provider run `docker-compose up -f nginx.docker-comp #### authenticate.deploy.yml -<<< @/docs/docs/examples/kubernetes/authenticate.deploy.yml +<<< @/docs/docs/reference/examples/kubernetes/authenticate.deploy.yml #### authenticate.service.yml -<<< @/docs/docs/examples/kubernetes/authenticate.service.yml +<<< @/docs/docs/reference/examples/kubernetes/authenticate.service.yml #### authorize.deploy.yml -<<< @/docs/docs/examples/kubernetes/authorize.deploy.yml +<<< @/docs/docs/reference/examples/kubernetes/authorize.deploy.yml #### authorize.service.yml -<<< @/docs/docs/examples/kubernetes/authorize.service.yml +<<< @/docs/docs/reference/examples/kubernetes/authorize.service.yml #### proxy.deploy.yml -<<< @/docs/docs/examples/kubernetes/proxy.deploy.yml +<<< @/docs/docs/reference/examples/kubernetes/proxy.deploy.yml #### proxy.service.yml -<<< @/docs/docs/examples/kubernetes/proxy.service.yml +<<< @/docs/docs/reference/examples/kubernetes/proxy.service.yml #### ingress.yml -<<< @/docs/docs/examples/kubernetes/ingress.yml +<<< @/docs/docs/reference/examples/kubernetes/ingress.yml [helloworld]: https://hub.docker.com/r/tutum/hello-world [httpbin]: https://httpbin.org/ diff --git a/docs/docs/examples/config/config.example.env b/docs/docs/reference/examples/config/config.example.env similarity index 100% rename from docs/docs/examples/config/config.example.env rename to docs/docs/reference/examples/config/config.example.env diff --git a/docs/docs/examples/config/config.example.yaml b/docs/docs/reference/examples/config/config.example.yaml similarity index 100% rename from docs/docs/examples/config/config.example.yaml rename to docs/docs/reference/examples/config/config.example.yaml 
diff --git a/docs/docs/examples/config/config.minimal.env b/docs/docs/reference/examples/config/config.minimal.env similarity index 100% rename from docs/docs/examples/config/config.minimal.env rename to docs/docs/reference/examples/config/config.minimal.env diff --git a/docs/docs/examples/config/config.minimal.yaml b/docs/docs/reference/examples/config/config.minimal.yaml similarity index 100% rename from docs/docs/examples/config/config.minimal.yaml rename to docs/docs/reference/examples/config/config.minimal.yaml diff --git a/docs/docs/examples/config/policy.example.yaml b/docs/docs/reference/examples/config/policy.example.yaml similarity index 100% rename from docs/docs/examples/config/policy.example.yaml rename to docs/docs/reference/examples/config/policy.example.yaml diff --git a/docs/docs/examples/docker/basic.docker-compose.yml b/docs/docs/reference/examples/docker/basic.docker-compose.yml similarity index 100% rename from docs/docs/examples/docker/basic.docker-compose.yml rename to docs/docs/reference/examples/docker/basic.docker-compose.yml diff --git a/docs/docs/examples/docker/nginx.docker-compose.yml b/docs/docs/reference/examples/docker/nginx.docker-compose.yml similarity index 100% rename from docs/docs/examples/docker/nginx.docker-compose.yml rename to docs/docs/reference/examples/docker/nginx.docker-compose.yml diff --git a/docs/docs/examples/kubernetes/authenticate.deploy.yml b/docs/docs/reference/examples/kubernetes/authenticate.deploy.yml similarity index 100% rename from docs/docs/examples/kubernetes/authenticate.deploy.yml rename to docs/docs/reference/examples/kubernetes/authenticate.deploy.yml diff --git a/docs/docs/examples/kubernetes/authenticate.service.yml b/docs/docs/reference/examples/kubernetes/authenticate.service.yml similarity index 100% rename from docs/docs/examples/kubernetes/authenticate.service.yml rename to docs/docs/reference/examples/kubernetes/authenticate.service.yml 
diff --git a/docs/docs/examples/kubernetes/authorize.deploy.yml b/docs/docs/reference/examples/kubernetes/authorize.deploy.yml similarity index 100% rename from docs/docs/examples/kubernetes/authorize.deploy.yml rename to docs/docs/reference/examples/kubernetes/authorize.deploy.yml diff --git a/docs/docs/examples/kubernetes/authorize.service.yml b/docs/docs/reference/examples/kubernetes/authorize.service.yml similarity index 100% rename from docs/docs/examples/kubernetes/authorize.service.yml rename to docs/docs/reference/examples/kubernetes/authorize.service.yml diff --git a/docs/docs/examples/kubernetes/ingress.nginx.yml b/docs/docs/reference/examples/kubernetes/ingress.nginx.yml similarity index 100% rename from docs/docs/examples/kubernetes/ingress.nginx.yml rename to docs/docs/reference/examples/kubernetes/ingress.nginx.yml diff --git a/docs/docs/examples/kubernetes/ingress.yml b/docs/docs/reference/examples/kubernetes/ingress.yml similarity index 100% rename from docs/docs/examples/kubernetes/ingress.yml rename to docs/docs/reference/examples/kubernetes/ingress.yml diff --git a/docs/docs/examples/kubernetes/proxy.deploy.yml b/docs/docs/reference/examples/kubernetes/proxy.deploy.yml similarity index 100% rename from docs/docs/examples/kubernetes/proxy.deploy.yml rename to docs/docs/reference/examples/kubernetes/proxy.deploy.yml diff --git a/docs/docs/examples/kubernetes/proxy.service.yml b/docs/docs/reference/examples/kubernetes/proxy.service.yml similarity index 100% rename from docs/docs/examples/kubernetes/proxy.service.yml rename to docs/docs/reference/examples/kubernetes/proxy.service.yml diff --git a/docs/docs/reference/img/certificate-domain-challenge.png b/docs/docs/reference/img/certificate-domain-challenge.png new file mode 100644 index 000000000..7f0dcc71c Binary files /dev/null and b/docs/docs/reference/img/certificate-domain-challenge.png differ 
diff --git a/docs/docs/reference/img/certificate-wildcard-domain.png b/docs/docs/reference/img/certificate-wildcard-domain.png new file mode 100644 index 000000000..bf7b8c395 Binary files /dev/null and b/docs/docs/reference/img/certificate-wildcard-domain.png differ diff --git a/docs/docs/reference/img/certificates-ssl-report.png b/docs/docs/reference/img/certificates-ssl-report.png new file mode 100644 index 000000000..a56663a8d Binary files /dev/null and b/docs/docs/reference/img/certificates-ssl-report.png differ diff --git a/docs/docs/reference/img/certificates-valid-secure-certificate.png b/docs/docs/reference/img/certificates-valid-secure-certificate.png new file mode 100644 index 000000000..68fc6275e Binary files /dev/null and b/docs/docs/reference/img/certificates-valid-secure-certificate.png differ diff --git a/docs/docs/reference/img/inspect-headers.png b/docs/docs/reference/img/inspect-headers.png new file mode 100644 index 000000000..09c5bbf49 Binary files /dev/null and b/docs/docs/reference/img/inspect-headers.png differ diff --git a/docs/docs/reference/img/jaeger.png b/docs/docs/reference/img/jaeger.png new file mode 100644 index 000000000..ea1b1b53d Binary files /dev/null and b/docs/docs/reference/img/jaeger.png differ diff --git a/docs/docs/impersonation/pomerium-user-impersonation.mp4 b/docs/docs/reference/img/pomerium-user-impersonation.mp4 similarity index 100% rename from docs/docs/impersonation/pomerium-user-impersonation.mp4 rename to docs/docs/reference/img/pomerium-user-impersonation.mp4 diff --git a/docs/docs/reference/img/security-headers.png b/docs/docs/reference/img/security-headers.png new file mode 100644 index 000000000..d8833385a Binary files /dev/null and b/docs/docs/reference/img/security-headers.png differ 
diff --git a/docs/docs/reference/img/verifying-headers-1.png b/docs/docs/reference/img/verifying-headers-1.png new file mode 100644 index 000000000..087de50cd Binary files /dev/null and b/docs/docs/reference/img/verifying-headers-1.png differ diff --git a/docs/docs/reference/img/verifying-headers-2.png b/docs/docs/reference/img/verifying-headers-2.png new file mode 100644 index 000000000..67883ef7a Binary files /dev/null and b/docs/docs/reference/img/verifying-headers-2.png differ diff --git a/docs/docs/impersonation.md b/docs/docs/reference/impersonation.md similarity index 92% rename from docs/docs/impersonation.md rename to docs/docs/reference/impersonation.md index ebc62a938..a7e1f10e0 100644 --- a/docs/docs/impersonation.md +++ b/docs/docs/reference/impersonation.md @@ -36,7 +36,7 @@ In certain circumstances, it's useful for an administrative user to impersonate Here's what it looks like. -
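Review bot: In the README.md hunk, the reference-style link definitions `[identity provider]: ../docs/identity-providers.md` and `[sso]: https://en.wikipedia.org/wiki/Single_sign-on` are deleted at the bottom of the hunk along with the Zero-trust and Resources sections, but nothing in the hunk shows the retained README text being checked for remaining `[identity provider]` or `[sso]` references; any such reference will now render as literal bracketed text. Grep the rest of README.md for those two reference names before merging, or keep the two definitions. The only addition the hunk makes is a trailing `+ ` line, so the file will end on a whitespace-only line; drop it unless the docs tooling needs it.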
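Review bot: The first two image lines changed in the certificates.md rename hunk both carry the alt text "pomerium add a text entry to your dns records", yet the surrounding context says the first screenshot (`./img/certificate-wildcard-domain.png`) shows setting a CNAME record for the wildcard domain, and only the second (`./img/certificate-domain-challenge.png`) shows the `TXT` challenge record; since these lines are being rewritten anyway, give the first one alt text that matches the CNAME step. Separately, the four images now referenced under `./img/` arrive in this patch as `new file mode 100644` entries (for example `docs/docs/reference/img/certificate-domain-challenge.png`, index `000000000..7f0dcc71c`) rather than as renames from `docs/docs/certificates/`, so the original copies are not removed anywhere in the visible hunks; either delete them or express the moves as renames so history follows the files.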
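Review bot: In the examples.md rename hunks, every `<<<` include is updated to `@/docs/docs/reference/examples/...`, but the unchanged intro sentence in the first hunk's context still tells readers the files "can also be found in the git repository in the `docs/docs/examples/` directory", which the rename hunks below (`rename from docs/docs/examples/... rename to docs/docs/reference/examples/...`) show is no longer true; update it to `docs/docs/reference/examples/` in the same change. The new `[[toc]]` line is placed directly after the `:::` that closes the warning container, which is fine, but the heading change from "Example configs" to "Config Examples" will alter the generated anchor, so check any sidebar or cross-links that target the old heading.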
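Review bot: In the binary-file region, `docs/docs/impersonation/pomerium-user-impersonation.mp4` is renamed into `docs/docs/reference/img/`, so a video now lives in a directory named for images; consider a neutral name such as `assets/` (suggestion only) if more media will follow. The other screenshots in that region (`inspect-headers.png`, `jaeger.png`, `security-headers.png`, `verifying-headers-1.png`, `verifying-headers-2.png`) are added as `new file mode 100644` with no matching deletion or rename shown in this part of the patch, so confirm the old copies are removed elsewhere in the change rather than left orphaned under `docs/docs/`.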