proxy: remove unused setting AuthorizeInternalAddr (#93)

- Added unit tests for policy validation.
- Removed extraneous policy validation for URLs.
- Add dependency caching to dockerfile.
Bobby DeSimone 2019-04-24 13:28:29 -07:00 committed by GitHub
parent 96f4b8bd61
commit fbe1cae482
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
10 changed files with 61 additions and 56 deletions

View file

@ -12,7 +12,7 @@ Pomerium uses [environmental variables] to set configuration settings. If you ar
## Global settings
Global settings are configuration variables that are shared by all services.
These are configuration variables shared by all services, in all service modes.
### Service Mode
@ -21,7 +21,7 @@ Global settings are configuration variables that are shared by all services.
- Default: `all`
- Options: `all` `authenticate` `authorize` or `proxy`
Service mode sets the pomerium service(s) to run. If testing, you may want to set to `all` and run pomerium in "all-in-one mode." In production, you'll likely want to spin of several instances of each service mode for high availability.
Service mode sets the pomerium service(s) to run. If testing, you may want to set to `all` and run pomerium in "all-in-one mode." In production, you'll likely want to spin up several instances of each service mode for high availability.
### Address
@ -29,7 +29,7 @@ Service mode sets the pomerium service(s) to run. If testing, you may want to se
- Type: `string`
- Default: `:https`
Address specifies the host and port to serve HTTPS and gRPC requests from. If empty, `:https` is used.
Address specifies the host and port to serve HTTPS and gRPC requests from. If empty, `:https`/`:443` is used.
### Shared Secret
@ -194,25 +194,18 @@ Authenticate Service URL is the externally accessible URL for the authenticate s
- Optional
- Example: `pomerium-authenticate-service.pomerium.svc.cluster.local`
Authenticate Internal Service URL is the internally routed dns name of the authenticate service. This setting is used to override the authenticate service url for when you need to do "behind-the-ingress" inter-service communication. This is typically required for ingresses and load balancers that do not support HTTP/2 or gRPC termination.
Authenticate Internal Service URL is the internally routed dns name of the authenticate service. This setting is typically used with load balancers that do not gRPC, thus allowying you to specificy an internally routable name.
### Authorize Service URL
- Environmental Variable: `AUTHORIZE_SERVICE_URL`
- Type: `URL`
- Required
- Example: `https://access.corp.example.com`
- Example: `https://access.corp.example.com` or `pomerium-authorize-service.pomerium.svc.cluster.local`
Authorize Service URL is the externally accessible URL for the authorize service.
Authorize Service URL is the location of the internally routable authorize service. NOTE: Unlike authenticate, authorize has no publically acccessible http handlers so this setting is purely for gRPC communicaiton.
### Authorize Internal Service URL
- Environmental Variable: `AUTHORIZE_INTERNAL_URL`
- Type: `string`
- Optional
- Example: `pomerium-authorize-service.pomerium.svc.cluster.local`
Authorize Internal Service URL is the internally routed dns name of the authorize service. This setting is used to override the authorize service url for when you need to do "behind-the-ingress" inter-service communication. This is typically required for ingresses and load balancers that do not support HTTP/2 or gRPC termination.
If your load balancer does not support gRPC passthrough you'll need to set this value to an internally routable location (`pomerium-authorize-service.pomerium.svc.cluster.local`) instead of an externally routable one (`https://access.corp.example.com`).
### Override Certificate Name
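Review bot: the replacement paragraphs for Authenticate Internal Service URL and Authorize Service URL carry typos that will ship in the published docs: "do not gRPC" is missing the word "support", and "allowying", "specificy", "publically acccessible" and "communicaiton" should read "allowing", "specify", "publicly accessible" and "communication". The new Example line for Authorize Service URL also lists `pomerium-authorize-service.pomerium.svc.cluster.local` with no scheme even though the field's Type is `URL` and the deployment examples in this same commit use `https://pomerium-authorize-service.pomerium.svc.cluster.local`; giving the scheme in the example keeps readers from setting a bare hostname where a URL is parsed. Finally, since the separate Authorize Internal Service URL section is removed, the closing sentence "If your load balancer does not support gRPC passthrough you'll need to set this value to an internally routable location" would be clearer if it named `AUTHORIZE_SERVICE_URL` explicitly as the setting that now carries the internal name.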

View file

@ -60,8 +60,9 @@ Customize for your identity provider run `docker-compose up -f nginx.docker-comp
- Uses Google Kubernetes Engine's built-in ingress to do [HTTPS load balancing]
- HTTPS (TLS) between client, load balancer, and services
- gRPC requests are routed behind the load balancer
- Routes default to hosted version of httpbin.org
- Includes all-in-one script
- Includes installer script
#### helm_gke.sh
@ -71,8 +72,9 @@ Customize for your identity provider run `docker-compose up -f nginx.docker-comp
- Uses Google Kubernetes Engine's built-in ingress to do [HTTPS load balancing]
- HTTPS (TLS) between client, load balancer, and services
- gRPC requests are routed behind the load balancer
- Routes default to hosted version of httpbin.org
- Includes all-in-one script
- Includes installer script
#### kubernetes_gke

View file

@ -44,11 +44,10 @@ services:
- SERVICES=proxy
- POLICY_FILE=policy.yaml
- AUTHENTICATE_SERVICE_URL=https://authenticate.corp.beyondperimeter.com
- AUTHORIZE_SERVICE_URL=https://authorize.corp.beyondperimeter.com
# IMPORTANT! If you are running pomerium behind another ingress (loadbalancer/firewall/etc)
# you must tell pomerium proxy how to communicate using an internal hostname for RPC
- AUTHENTICATE_INTERNAL_URL=pomerium-authenticate:443
- AUTHORIZE_INTERNAL_URL=pomerium-authorize:443
- AUTHENTICATE_INTERNAL_URL=pomerium-authenticate
- AUTHORIZE_SERVICE_URL=https://pomerium-authorize
# When communicating internally, rPC is going to get a name conflict expecting an external
# facing certificate name (i.e. authenticate-service.local vs *.corp.example.com).
- OVERRIDE_CERTIFICATE_NAME=*.corp.beyondperimeter.com
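Review bot: the comment "you must tell pomerium proxy how to communicate using an internal hostname for RPC" still describes the old pair of `*_INTERNAL_URL` overrides; after this change authorize is configured through `AUTHORIZE_SERVICE_URL=https://pomerium-authorize` while authenticate keeps a separate `AUTHENTICATE_INTERNAL_URL`, and the comment should state that asymmetry so operators do not keep an `AUTHORIZE_INTERNAL_URL` line that is no longer read. The new values also drop the explicit `:443` that the removed lines had, so they rely on the default port; a short note in the comment would make that deliberate. In the second comment, "rPC" should be "RPC", and since `OVERRIDE_CERTIFICATE_NAME=*.corp.beyondperimeter.com` is what lets TLS verification succeed against these internal hostnames, that comment should say it now applies to the authorize connection as well as the authenticate one.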

View file

@ -26,9 +26,7 @@ spec:
- name: SERVICES
value: proxy
- name: AUTHORIZE_SERVICE_URL
value: https://authorize.corp.beyondperimeter.com
- name: AUTHORIZE_INTERNAL_URL
value: "pomerium-authorize-service.pomerium.svc.cluster.local"
value: https://pomerium-authorize-service.pomerium.svc.cluster.local
- name: AUTHENTICATE_SERVICE_URL
value: https://authenticate.corp.beyondperimeter.com
- name: AUTHENTICATE_INTERNAL_URL
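Review bot: this manifest now points `AUTHORIZE_SERVICE_URL` at the in-cluster name while `AUTHENTICATE_INTERNAL_URL` is still present for the authenticate service; without a comment, a reader of the YAML cannot tell why the two services are configured differently. Suggest a one-line comment above `AUTHORIZE_SERVICE_URL` matching the one in the docker-compose example ("If you are running pomerium behind another ingress ... use an internal hostname for RPC"), and confirm that the removed `AUTHORIZE_INTERNAL_URL` is not still referenced by any other manifest or Helm values in the repo, since a leftover setting would silently do nothing.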

View file

@ -175,10 +175,9 @@ IDP_CLIENT_ID | Values from setting up your [identity provider]
IDP_PROVIDER | Values from setting up your [identity provider] (e.g. `google`)
COOKIE_SECRET | output of `head -c32 /dev/urandom | base64`
SHARED_SECRET | output of `head -c32 /dev/urandom | base64`
AUTHORIZE_SERVICE_URL | `https://authorize.int.nas.example.com`
AUTHORIZE_SERVICE_URL | `https://localhost`
AUTHENTICATE_SERVICE_URL | `https://authenticate.int.nas.example.com`
AUTHORIZE_INTERNAL_URL | `localhost:443`
AUTHENTICATE_INTERNAL_URL | `localhost:443`
AUTHENTICATE_INTERNAL_URL | `localhost`
For a detailed explanation, and additional options, please refer to the [configuration variable docs].
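Review bot: with `AUTHORIZE_SERVICE_URL` set to `https://localhost`, the proxy's TLS client will verify the authorize service's certificate against the name `localhost`, but this table has no `OVERRIDE_CERTIFICATE_NAME` row, whereas the docker-compose example in this same commit relies on that setting to make the internal hop verify. Either add a row for it here or say in the sentence after the table which certificate name the reader is expected to serve for the authorize and authenticate services. Also, the old values carried an explicit `:443` (`localhost:443`) and the new `AUTHENTICATE_INTERNAL_URL` value `localhost` does not; a note that the default port is used would avoid the impression that the port was dropped by mistake.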