3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-06-27 15:08:14 +02:00
Code Issues Projects Releases Packages Wiki Activity
2450 commits 171 branches 127 tags 108 MiB
Commit graph

257 commits

Author SHA1 Message Date
Caleb Doxsey
ca48052551
tls: fallback to self-signed certificate (#2760) 
* tls: fallback to self-signed certificate

* remove unknown domain because certs are no longer valid

* update multi-deployment to use service-specific certificates
 2021-11-15 14:11:53 -07:00
Herman Slatman
7812c6985d
Add additional ACME options (#2695) 
The `autocert_ca` and `autocert_email` options have been added to be
able to configure CAs that support the ACME protocol as an alternative
to Let's Encrypt.

Fix ProtoBuf definition for additional autocert options

Fix PR comments and add ACME EAB configuration

Add configuration option for trusted CAs when talking ACME

Fix linter issues

copy edits

render updated reference to docs

Add test for autocert manager configuration

Add tests for autocert configuration options

Fix CI build issues

Don't set empty acme.EAB struct if configuration not set

Remove required email when setting custom CA

When using a non-default CA it's no longer required
to specify an email address. I required this before,
because it seemed to cause an issue in which no certificate
was issued. The root cause was something different,
rendering the hard email requirement pointless. It's
still beneficial to specify an email, though. I changed
the text in the docs to explain that.

Update generated docs

Fix failing tests by recreation of a new ACMEManager

The default ACMEManager object was reused in multiple tests,
resulting in unexpected states when tests run in parallel.
By using a new instance for every test, this is no longer
an issue.
 2021-11-02 14:44:27 -07:00
Caleb Doxsey
6e48627b4d
ppl: add support for additional data (#2696) 
* ppl: add support for additional data

* remove unused NewCriterionDeviceRule
 2021-10-22 12:32:20 -06:00
Denis Mishin
55fec9b51b
add host-rewrite options to config.proto (#2668) 2021-10-08 11:50:56 -04:00
bobby
45ce2027b2
config/envoyconfig: better duplicate message (#2661) 
Fixes #2655
 2021-10-04 19:37:03 -04:00
Caleb Doxsey
efffe57bf0
ppl: pass contextual information through policy (#2612) 
* ppl: pass contextual information through policy

* maybe fix nginx

* fix nginx

* pr comments

* go mod tidy
 2021-09-20 16:02:26 -06:00
Caleb Doxsey
eca2fc62d8
ppl: use session.user_id instead of user.id for user criterion (#2562) 
* ppl: use session.user_id instead of user.id for user criterion

* fix test
 2021-09-03 07:53:00 -06:00
Caleb Doxsey
33f5190572
config: remove signature_key_algorithm (#2557) 
* config: remove signature_key_algorithm

* typo

* add more tests
 2021-09-02 11:36:43 -06:00
Denis Mishin
951d20ad52
fix: allow pomerium to start without certs (#2555) 2021-08-31 11:06:48 -04:00
Caleb Doxsey
1cbcb8335d
config: remove headers (#2522) 
* config: remove headers

* Update docs/docs/upgrading.md

Co-authored-by: Alex Fornuto <afornuto@pomerium.com>

Co-authored-by: Alex Fornuto <afornuto@pomerium.com>
 2021-08-25 09:20:17 -06:00
Caleb Doxsey
db43014d78
envoy: remove deprecated access_log_path (#2523) 2021-08-25 09:19:35 -06:00
Caleb Doxsey
bbec2cae9f
grpc: send client traffic through envoy (#2469) 
* wip

* wip

* handle wildcards in override name

* remove wait for ready, add comment about sync, force initial sync complete in test

* address comments
 2021-08-16 16:12:22 -06:00
bobby
87c3c675d2
all: remove unused handler code (#2439) 
* - Remove unused middleware

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

* remove unused func weightedStrings

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

* remove unused func getJWTSetCookieHeaders

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

* Fix test name
 2021-08-16 16:04:39 -04:00
Caleb Doxsey
6af0655206
protoutil: add NewAny method for deterministic serialization (#2462) 2021-08-09 17:51:57 -06:00
Caleb Doxsey
63ee30d69c
options: remove refresh_cooldown, add allow_spdy to proto (#2446) 2021-08-06 10:06:57 -06:00
Caleb Doxsey
94eb3c1149
config: remove grpc server max connection age options (#2427) 
* config: remove grpc server max connection age options

* remove docs
 2021-08-03 09:39:48 -06:00
Caleb Doxsey
1a95036b8c
sessions: add impersonate_session_id, remove legacy impersonation (#2407) 
* sessions: add impersonate_session_id, remove legacy impersonation

* show impersonated user details

* fix headers

* address feedback

* only check impersonate id on non-nil pbSession

* Revert "only check impersonate id on non-nil pbSession"

This reverts commit a6f7ca5abd.
 2021-07-30 08:42:36 -06:00
Caleb Doxsey
3026efb5af
envoyconfig: improvements (#2402) 
* add alpn function

* add comment

* address PR feedback
 2021-07-27 16:44:15 -06:00
Caleb Doxsey
0620cfdc50
config: add support for embedded PPL policy (#2401) 2021-07-27 13:44:10 -06:00
Caleb Doxsey
c34118360d
ppl: remove support for aliases (#2400) 2021-07-27 12:29:42 -06:00
Caleb Doxsey
1c627e5724
disable http/2 for websockets (#2399) 2021-07-26 20:09:18 -06:00
Caleb Doxsey
8a74fae2e7
urlutil: improve error message for urls with port in path (#2377) 2021-07-20 11:08:50 -06:00
Caleb Doxsey
ca8205f0b4
config: add warning about http URLs (#2358) 2021-07-13 11:12:03 -06:00
Caleb Doxsey
a9ba3ffff5
envoyconfig: default zipkin path to / when empty (#2359) 2021-07-13 11:11:49 -06:00
Caleb Doxsey
23552cfc1c
envoyconfig: only delete cached files, ignore noisy error (#2356) 2021-07-13 09:58:25 -06:00
Caleb Doxsey
cb09aa4199
envoyconfig: add bootstrap layered runtime configuration (#2343) 2021-07-07 15:18:02 -06:00
wasaga
3073146ff2
fix: timeout field in protobuf, add websocket tests 2021-07-07 12:06:56 -04:00
wasaga
134ca74ec9
proxy: add idle timeout (#2319) 2021-07-02 10:29:53 -04:00
wasaga
41a2622736
certs: reject certs from databroker if they conflict with local (#2309) 2021-06-24 18:40:59 -04:00
Caleb Doxsey
fcb33966e2
config: add enable_google_cloud_serverless_authentication to config protobuf (#2306) 
* config: add enable_google_cloud_serverless_authentication to config protobuf

* use dependency injection for embedded envoy provider

* Revert "use dependency injection for embedded envoy provider"

This reverts commit 5c08990501.

* config: attach envoy version to Config to avoid metrics depending on envoy/files
 2021-06-21 18:00:29 -06:00
Caleb Doxsey
9bce8314ba
envoy: refactor envoy embedding (#2296) 
* envoy: add full version

* remove unused import

* envoy: refactor envoy embedding

* fix lint

* commit ignored files

* maybe fix test
 2021-06-15 08:18:30 -06:00
Caleb Doxsey
02d9460765
envoy: fix usage of codec_type with alpn (#2277) 2021-06-07 14:26:20 -06:00
Caleb Doxsey
2156dbc553
envoy: always set jwt claim headers even if no value is available (#2261) 
* envoy: always set jwt claim headers even if no value is available

* add test
 2021-06-04 10:01:00 -07:00
Caleb Doxsey
c3286aa355
envoyconfig: use zipkin tracer (#2265) 2021-06-03 09:28:00 -06:00
Caleb Doxsey
513859665a
tracing: support dynamic reloading, more aggressive envoy restart (#2262) 
* tracing: support dynamic reloading, more aggressive envoy restart

* set exporter to nil

* actually register tracer
 2021-06-02 09:58:07 -06:00
wasaga
12c8bb2da4
authorize: preserve original context (#2247) 2021-06-01 11:10:35 -04:00
wasaga
96d6005639
config: warn about unrecognized keys (#2256) 2021-05-31 23:35:38 -04:00
bobby
c5f90e40f3
options: s/shared-key/shared secret (#2257) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2021-05-31 12:55:11 -07:00
Caleb Doxsey
9b61d04dd8
envoyconfig: fallback to global custom ca when no policy ca is defined (#2235) 
* envoyconfig: fallback to global custom ca when no policy ca is defined

* update upgrading

* combine custom ca with root cas
 2021-05-28 09:36:15 -06:00
Caleb Doxsey
91dd937468
policy: fix allowed idp claims PPL generation (#2243) 2021-05-27 15:12:12 -06:00
Caleb Doxsey
96b9702ee3
ppl: add data type, implement string and list matchers (#2228) 
* ppl: add data type, implement string and list matchers

* update policy converter
 2021-05-21 11:28:41 -06:00
Caleb Doxsey
a1061c5c03
envoy: add global response headers to local replies (#2217) 2021-05-20 08:56:43 -06:00
Caleb Doxsey
c489391bbf
ppl: convert config policy to ppl (#2218) 2021-05-19 12:42:36 -06:00
wasaga
c71f7dca5b
authorize: grpc health check (#2200) 2021-05-13 15:00:10 -04:00
bobby
27c8cd9bd8
proxy / controplane: use old upstream cipher suite (#2196) 2021-05-12 15:37:20 -07:00
Caleb Doxsey
da01082797
envoy: disable timeouts for kubernetes (#2189) 2021-05-11 14:42:49 -06:00
Caleb Doxsey
69576cffe4
config: add support for set_response_headers in a policy (#2171) 
* config: add support for set_response_headers in a policy

* docs: add note about precedence
 2021-05-04 09:43:52 -06:00
Caleb Doxsey
b5b1013947
config: add client_crl (#2157) 
* config: add client_crl

* address comments

* add ignored file
 2021-04-30 14:36:32 -06:00
Caleb Doxsey
699ebf061a
config: add support for codec_type (#2156) 
* config: add support for codec_type

* add comma

* fix warning block

* fix docs
 2021-04-30 07:21:40 -06:00
Caleb Doxsey
636b3d6846
databroker: add options for maximum capacity (#2095) 
* databroker: add options

* implement redis

* add trace for enforce options
 2021-04-26 17:14:54 -06:00