Commit graph

94 commits

Author SHA1 Message Date
Caleb Doxsey
5be322e2ef
config: add support for $pomerium.id_token and $pomerium.access_token in set_request_headers (#4219)
* config: add support for $pomerium.id_token and $pomerium.access_token in set_request_headers

* lint

* Update authorize/evaluator/headers_evaluator_test.go

Co-authored-by: Denis Mishin <dmishin@pomerium.com>

* fix spelling

---------

Co-authored-by: Denis Mishin <dmishin@pomerium.com>
2023-06-01 16:00:02 -06:00
Caleb Doxsey
a741cce50e
config: simplify default set response headers (#4196) 2023-05-30 17:44:06 -06:00
Caleb Doxsey
d315e68335
Merge pull request from GHSA-pvrc-wvj2-f59p
* authorize: use route id from envoy for policy evaluation

* authorize: normalize URL query params

* config: enable envoy normalize_path option

* fix tests

---------

Co-authored-by: Kenneth Jenkins <51246568+kenjenkins@users.noreply.github.com>
2023-05-26 13:34:21 -07:00
Caleb Doxsey
083dbea392
envoy: set re2 limits very high (#4187)
* envoy: set re2 limits very high

* fix test
2023-05-23 08:36:17 -06:00
Caleb Doxsey
e3b2b3994c
improve certificate matching performance (#4186) 2023-05-23 07:39:02 -06:00
Denis Mishin
80ffefeafd
fix WillHaveCertificateForServerName check to be strict match for derived cert name (#4167) 2023-05-09 18:54:50 -04:00
Caleb Doxsey
3325dac4af
envoyconfig: disable validation context when no client certificates are required (#4151) 2023-05-04 15:32:14 -06:00
Caleb Doxsey
18bc86d632
config: add support for wildcard from addresses (#4131)
* config: add support for wildcards

* update policy matching, header generation

* remove deprecated field

* fix test
2023-04-25 13:34:38 -06:00
Caleb Doxsey
bbed421cd8
config: remove source, remove deadcode, fix linting issues (#4118)
* remove source, remove deadcode, fix linting issues

* use github action for lint

* fix missing envoy
2023-04-21 17:25:11 -06:00
Denis Mishin
34c1e44c7e
tls: wildcard catch-all cert must be at the end of cert list (#4119) 2023-04-21 12:37:32 -04:00
Caleb Doxsey
681cf6fa27
config: fix set_response_headers (#4026)
* config: fix set_response_headers

* fix disabling to support route headers when global headers are disabled
2023-04-20 17:07:23 -06:00
Caleb Doxsey
f63945c0ad
support loading route configuration via rds (#4098)
* support loading route configuration via rds

* fix any shadowing

* fix test

* add fully static option

* support dynamically defined rds

* fix build

* downgrade opa
2023-04-17 11:20:12 -06:00
Caleb Doxsey
76a7ce3a6f
authorize: allow access to /.pomerium/webauthn when policy denies access (#4015) 2023-02-27 09:49:06 -07:00
Caleb Doxsey
d2b732243a
cryptutil: generate certificates from deriveca (#3992) 2023-02-23 08:38:56 -07:00
Denis Mishin
df54a0c603
authenticate: fix callback handler for split mode (#4008)
fix auth handler for split mode
2023-02-23 10:01:24 -05:00
Denis Mishin
62ca7ffaa2
authenticate: fix authenticate_internal_service_url for all in one (#4003) 2023-02-22 10:42:27 -05:00
Caleb Doxsey
513519e4be
lua: fix rewrite response headers to handle dashes in URLs (#3980)
* lua: fix rewrite response headers to handle dashes in URLs

* fix test
2023-02-16 08:51:53 -07:00
Denis Mishin
d0e7b88b64
envoy: optimize listener (#3952) 2023-02-11 22:44:57 -05:00
Caleb Doxsey
b50d5f3203
config: add additional dns lookup families, default to V4_PREFERRED (#3957) 2023-02-10 16:29:23 -07:00
Caleb Doxsey
e66c26c9ad
envoyconfig: preserve case of HTTP headers when using HTTP/1 (#3956) 2023-02-10 16:29:10 -07:00
Denis Mishin
04a82813f3
explicitly list gRPC services accessible via the gRPC listener (#3879) 2023-01-11 12:38:34 -05:00
Caleb Doxsey
3f1a87727f
config: generate derived certificates instead of self-signed certificates (#3860) 2023-01-06 12:50:40 -07:00
Denis Mishin
488bcd6f72
auto tls (#3856) 2023-01-05 16:35:58 -05:00
Denis Mishin
e019885218
mTLS: allow gRPC TLS for all in one (#3854)
* make grpc_insecure an optional bool

* use internal addresses for all in one databroker and tls
2023-01-03 12:45:04 -05:00
Caleb Doxsey
271b0787a8
config: add support for extended TCP route URLs (#3845)
* config: add support for extended TCP route URLs

* nevermind, add duplicate names
2022-12-27 12:50:33 -07:00
Caleb Doxsey
67e12101fa
envoyconfig: clean up filter chain construction (#3844)
* cleanup filter chain construction

* rename domains to server names

* rename to hosts

* fix tests

* update function name

* improved domain matching
2022-12-27 10:07:26 -07:00
Caleb Doxsey
c86ca6f76f
webauthn: require session when accessing /.pomerium/webauthn (#3814)
* webauthn: require session when accessing /.pomerium/webauthn

* remove dead code

* remove unused PomeriumDomains field
2022-12-16 10:59:21 -07:00
Caleb Doxsey
cef6b355ae
config: add option for tls renegotiation (#3773)
config: add option for tls renegotiation
2022-11-28 14:34:06 -07:00
Denis Mishin
fa0ba60aee
bump envoy to v1.24.0 (#3767) 2022-11-28 09:32:31 -07:00
Caleb Doxsey
fa26587f19
remove forward auth (#3628) 2022-11-23 15:59:28 -07:00
Caleb Doxsey
9413123c0f
config: generate cookie secret if not set in all-in-one mode (#3742)
* config: generate cookie secret if not set in all-in-one mode

* fix tests

* config: add warning about cookie_secret

* breakup lines
2022-11-11 14:14:30 -07:00
Caleb Doxsey
2c9087f5e7
config: disable Strict-Transport-Security when using a self-signed certificate (#3743) 2022-11-10 16:01:06 -07:00
Eng Zer Jun
45ce6f693a
test: use T.TempDir to create temporary test directory (#3725)
Prior to this commit, temporary directories in tests were created using
`filepath.Join` and `os.MkdirAll`.

This commit replaces `os.MkdirAll` with `t.TempDir` in tests. The
directory created by `t.TempDir` is automatically removed when the test
and all its subtests complete.

Reference: https://pkg.go.dev/testing#T.TempDir
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>

Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2022-11-08 09:16:32 -07:00
Caleb Doxsey
3f7a482815
envoyconfig: fix databroker health checks (#3706) 2022-10-25 12:37:46 -06:00
Caleb Doxsey
daed2d260c
config: disable envoy admin by default, expose stats via envoy route (#3677) 2022-10-18 16:25:03 -06:00
Caleb Doxsey
71b1bcfac5
config: default to http2 (#3660)
* config: default to http2

* fix test
2022-10-12 14:46:06 -06:00
Caleb Doxsey
8d7db85737
envoyconfig: add all routes to all filter chains (#3596) 2022-09-07 09:55:03 -06:00
Caleb Doxsey
33794ff316
envoyconfig: add virtual host domains for certificates in addition to routes (#3593)
* envoyconfig: add virtual host domains for certificates in addition to routes

* Update pkg/cryptutil/certificates.go

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* Update pkg/cryptutil/tls.go

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* comments

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>
2022-08-31 10:35:45 -06:00
Caleb Doxsey
e5ac784cf4
autocert: add support for ACME TLS-ALPN (#3590)
* autocert: add support for ACME TLS-ALPN

* always re-create acme tls server
2022-08-29 16:19:20 -06:00
Caleb Doxsey
ce818b3be6
envoyconfig: add authority header to outbound gRPC requests (#3545) 2022-08-24 15:18:31 -06:00
Caleb Doxsey
4d38da94dd
envoy: upgrade to 1.23.0 (#3560)
* envoy: upgrade to 1.23.0

* only set ipv4_compat if :: or an ipv4in6 address

* fix tests
2022-08-22 15:03:29 -06:00
Caleb Doxsey
b5ac7dbc76
sets: convert set types to generics (#3519)
* sets: convert set types to generics

* sets: use internal sets package
2022-07-29 12:32:17 -06:00
cfanbo
d9097b44ea
replace fmt.Sprintf with net.JoinHostPort (#3407) 2022-06-07 13:04:13 -06:00
Denis Mishin
51e716ef54
add x-request-id in responses (#3366) 2022-05-16 18:22:20 -04:00
Denis Mishin
a15106ebe2
avoid null reproxy handler (#3345) 2022-05-11 12:16:59 -04:00
Caleb Doxsey
9ae5c26f42
envoy: use typed extension protocol options for static bootstrap cluster (#3268) 2022-04-12 13:13:32 -06:00
Caleb Doxsey
b79f1e379f
config: add support for downstream TLS server name (#3243)
* config: add support for downstream TLS server name

* fix whitespace

* fix whitespace

* add docs

* add tls_upstream_server_name and tls_downstream_server_name to config

* Update docs/reference/settings.yaml

Co-authored-by: Alex Fornuto <afornuto@pomerium.com>

* Update docs/reference/readme.md

Co-authored-by: Alex Fornuto <afornuto@pomerium.com>

* add deprecation notice

Co-authored-by: Alex Fornuto <afornuto@pomerium.com>
2022-04-06 06:48:45 -07:00
Caleb Doxsey
b435f73e2b
authenticate: fix debug and metrics endpoints (#3212) 2022-03-30 09:37:37 -06:00
Caleb Doxsey
d6bd2d06ef
envoy: upgrade to 1.21.1 (#3186)
* envoy: upgrade to 1.21.1

* envoy: upgrade to 1.21.1
2022-03-24 10:16:07 -06:00
Caleb Doxsey
1342523cda
grpc: remove ptypes references (#3078) 2022-02-24 08:37:59 -07:00