version: "3" services: # NGINX routes to pomerium's services depending on the request. nginx: image: jwilder/nginx-proxy:latest ports: - "443:443" volumes: # NOTE!!! : nginx must be supplied with your wildcard certificates. And it expects # it in the format of whatever your wildcard domain name is in. # see : https://github.com/jwilder/nginx-proxy#wildcard-certificates # So, if your subdomain is corp.beyondperimeter.com, you'd have the following : - ./cert.pem:/etc/nginx/certs/corp.beyondperimeter.com.crt:ro - ./privkey.pem:/etc/nginx/certs/corp.beyondperimeter.com.key:ro - /var/run/docker.sock:/tmp/docker.sock:ro pomerium-authenticate: build: . restart: always depends_on: - "gitlab" environment: - POMERIUM_DEBUG=true - SERVICES=authenticate # auth settings - REDIRECT_URL=https://sso-auth.corp.beyondperimeter.com/oauth2/callback - IDP_PROVIDER="gitlab" - IDP_PROVIDER_URL=https://gitlab.corp.beyondperimeter.com - IDP_CLIENT_ID=022dbbd09402441dc7af1924b679bc5e6f5bf0d7a555e55b38c51e2e4e6cee76 - IDP_CLIENT_SECRET=fb7598c520c346915ee369eee57688938fe4f31329a308c4669074da562714b2 - PROXY_ROOT_DOMAIN=beyondperimeter.com - ALLOWED_DOMAINS=* - SKIP_PROVIDER_BUTTON=false # shared service settings # Generate 256 bit random keys e.g. `head -c32 /dev/urandom | base64` - SHARED_SECRET=aDducXQzK2tPY3R4TmdqTGhaYS80eGYxcTUvWWJDb2M= - COOKIE_SECRET=V2JBZk0zWGtsL29UcFUvWjVDWWQ2UHExNXJ0b2VhcDI= - VIRTUAL_PROTO=https - VIRTUAL_HOST=sso-auth.corp.beyondperimeter.com - VIRTUAL_PORT=443 volumes: # volumes is optional; used if passing certificates as files - ./cert.pem:/pomerium/cert.pem:ro - ./privkey.pem:/pomerium/privkey.pem:ro expose: - 443 pomerium-proxy: build: . restart: always environment: - POMERIUM_DEBUG=true - SERVICES=proxy # proxy settings - AUTHENTICATE_SERVICE_URL=https://sso-auth.corp.beyondperimeter.com - ROUTES=https://httpbin.corp.beyondperimeter.com=http://httpbin,https://hello.corp.beyondperimeter.com=http://hello-world/ # Generate 256 bit random keys e.g. `head -c32 /dev/urandom | base64` - SHARED_SECRET=aDducXQzK2tPY3R4TmdqTGhaYS80eGYxcTUvWWJDb2M= - COOKIE_SECRET=V2JBZk0zWGtsL29UcFUvWjVDWWQ2UHExNXJ0b2VhcDI= - SIGNING_KEY=LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSU0zbXBaSVdYQ1g5eUVneFU2czU3Q2J0YlVOREJTQ0VBdFFGNWZVV0hwY1FvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFaFBRditMQUNQVk5tQlRLMHhTVHpicEVQa1JyazFlVXQxQk9hMzJTRWZVUHpOaTRJV2VaLwpLS0lUdDJxMUlxcFYyS01TYlZEeXI5aWp2L1hoOThpeUV3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo= # nginx settings - VIRTUAL_PROTO=https - VIRTUAL_HOST=*.corp.beyondperimeter.com - VIRTUAL_PORT=443 volumes: # volumes is optional; used if passing certificates as files - ./cert.pem:/pomerium/cert.pem:ro - ./privkey.pem:/pomerium/privkey.pem:ro expose: - 443 # https://httpbin.corp.beyondperimeter.com httpbin: image: kennethreitz/httpbin:latest expose: - 80 # https://hello.corp.beyondperimeter.com hello-world: image: tutum/hello-world:latest expose: - 80 gitlab: hostname: gitlab.corp.beyondperimeter.com image: gitlab/gitlab-ce:latest restart: always expose: - 443 - 80 - 22 environment: GITLAB_OMNIBUS_CONFIG: | external_url 'https://gitlab.corp.beyondperimeter.com' nginx['ssl_certificate'] = '/etc/gitlab/trusted-certs/corp.beyondperimeter.com.crt' nginx['ssl_certificate_key'] = '/etc/gitlab/trusted-certs/corp.beyondperimeter.com.key' VIRTUAL_PROTO: https VIRTUAL_HOST: gitlab.corp.beyondperimeter.com VIRTUAL_PORT: 443 volumes: - ./cert.pem:/etc/gitlab/trusted-certs/corp.beyondperimeter.com.crt - ./privkey.pem:/etc/gitlab/trusted-certs/corp.beyondperimeter.com.key - $HOME/gitlab/config:/etc/gitlab - $HOME/gitlab/logs:/var/log/gitlab - $HOME/gitlab/data:/var/opt/gitlab