# Main configuration flags : https://www.pomerium.com/docs/reference/ # # address: ":8443" # optional, default is 443 # service: "all" # optional, default is all # log_level: info # optional, default is debug authenticate_service_url: https://authenticate.localhost.pomerium.io # authorize service url will default to localhost in all-in-one mode, otherwise # it should be set to a "behind-the-ingress" routable url # authorize_service_url: https://pomerium-authorize-service.default.svc.cluster.local # databroker_service_url: https://pomerium-databroker-service.default.svc.cluster.local # Certificates can be loaded as files or base64 encoded bytes. # certificate_file: "./cert.pem" # optional, defaults to `./cert.pem` # certificate_key_file: "./privkey.pem" # optional, defaults to `./certprivkey.pem` # certificate_authority_file: "./cert.pem" # alternatively, insecure mode can be used if behind a TLS terminating ingress, # or when using a sidecar proxy # insecure_server: true # base64 encoded cert, eg. `base64 -i cert.pem` / `base64 -i privkey.pem` # certificate: | # "xxxxxx" # certificate_key: | # "xxxx" # Generate 256 bit random keys e.g. `head -c32 /dev/urandom | base64` # shared_secret: hsJIQsx9KKx4qVlggg/T3AuLTmVu0uHhwTQgMPlVs7U= # cookie_secret: WwMtDXWaRDMBQCylle8OJ+w4kLIDIGd8W3cB4/zFFtg= # If set, a JWT based signature is appended to each request header `x-pomerium-jwt-assertion` # signing_key: "Replace with base64'd private key from ./scripts/self-signed-sign-key.sh" # Identity Provider Settings # Auth0 # idp_provider: "auth0" # idp_provider_url: "https://REPLACEME.us.auth0.com" # idp_client_id: "REPLACEME" # from the application the users login to # idp_client_secret: "REPLACEME" # from the application the users login to # Azure # idp_provider: "azure" # idp_provider_url: "https://login.microsoftonline.com/REPLACEME/v2.0" # idp_client_id: "REPLACEME # idp_client_secret: "REPLACEME" ## GOOGLE # idp_provider: "google" # idp_client_id: "REPLACEME # idp_client_secret: "REPLACEME # OKTA # idp_provider: "okta" # idp_client_id: "REPLACEME" # idp_client_secret: "replaceme" # idp_provider_url: "https://REPLACEME.oktapreview.com/oauth2/default" # OneLogin # idp_provider: "onelogin" # idp_client_id: "REPLACEME" # idp_client_secret: "REPLACEME" # idp_provider_url: "https://openid-connect.onelogin.com/oidc" #optional, defaults to `https://openid-connect.onelogin.com/oidc` # Proxied routes and per-route policies are defined in a routes block routes: - from: https://verify.localhost.pomerium.io to: http://localhost:8000 policy: - allow: or: - domain: is: pomerium.io cors_allow_preflight: true timeout: 30s - from: https://external-verify.localhost.pomerium.io to: https://verify.pomerium.com policy: - allow: or: - domain: is: gmail.com - from: https://weirdlyssl.localhost.pomerium.io to: http://neverssl.com policy: - allow: or: - email: is: user@example.com - groups: has: "admins" - groups: has: "developers" - from: https://hello.localhost.pomerium.io to: http://localhost:8080 policy: - allow: or: - groups: has: "admins@pomerium.io"