3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-05-03 04:16:03 +02:00
Code Issues Projects Releases Packages Wiki Activity
pomerium/examples/config/config.example.yaml
Caleb Doxsey 0d3ef4564e
doc updates (#2433) 
* remove reference to EdDSA, fix numbering, typo

* fix ppl example

* update jwt verification routes

* update kubernetes route

* update local oidc routes

* update mtls routes

* fix transmission policy

* policy -> routes

* update settings

* fix has

* update numbering
2021-08-04 15:00:31 -07:00

112 lines
3.9 KiB
YAML
Raw Permalink Blame History

# Main configuration flags : https://www.pomerium.com/docs/reference/
#
# address: ":8443" # optional, default is 443
# pomerium_debug: true # optional, default is false
# service: "all" # optional, default is all
# log_level: info # optional, default is debug
authenticate_service_url: https://authenticate.localhost.pomerium.io
# authorize service url will default to localhost in all-in-one mode, otherwise
# it should be set to a "behind-the-ingress" routable url
# authorize_service_url: https://pomerium-authorize-service.default.svc.cluster.local
# databroker_service_url: https://pomerium-databroker-service.default.svc.cluster.local
# Certificates can be loaded as files or base64 encoded bytes.
# certificate_file: "./cert.pem" # optional, defaults to `./cert.pem`
# certificate_key_file: "./privkey.pem" # optional, defaults to `./certprivkey.pem`
# certificate_authority_file: "./cert.pem"
# alternatively, insecure mode can be used if behind a TLS terminating ingress,
# or when using a sidecar proxy
# insecure_server: true
# base64 encoded cert, eg. `base64 -i cert.pem` / `base64 -i privkey.pem`
# certificate: |
# "xxxxxx"
# certificate_key: |
# "xxxx"
# Generate 256 bit random keys e.g. `head -c32 /dev/urandom | base64`
# shared_secret: hsJIQsx9KKx4qVlggg/T3AuLTmVu0uHhwTQgMPlVs7U=
# cookie_secret: WwMtDXWaRDMBQCylle8OJ+w4kLIDIGd8W3cB4/zFFtg=
# If set, a JWT based signature is appended to each request header `x-pomerium-jwt-assertion`
# signing_key: "Replace with base64'd private key from ./scripts/self-signed-sign-key.sh"
# Identity Provider Settings
# Auth0
# idp_provider: "auth0"
# idp_provider_url: "https://REPLACEME.us.auth0.com"
# idp_client_id: "REPLACEME" # from the application the users login to
# idp_client_secret: "REPLACEME" # from the application the users login to
# the following is optional and only needed if you want role (Auth0 calls groups roles) data
# idp_service_account: "REPLACEME" # built from the machine-to-machine application which talks to the Auth0 Management API
# Azure
# idp_provider: "azure"
# idp_provider_url: "https://login.microsoftonline.com/REPLACEME/v2.0"
# idp_client_id: "REPLACEME
# idp_client_secret: "REPLACEME"
## GOOGLE
# idp_provider: "google"
# idp_provider_url: "https://accounts.google.com" # optional for google
# idp_client_id: "REPLACEME
# idp_client_secret: "REPLACEME
# IF GSUITE and you want to get user groups you will need to set a service account
# see identity provider docs for gooogle for more info :
# idp_service_account: $(echo '{"impersonate_user": "bdd@pomerium.io"}' | base64)
# OKTA
# idp_provider: "okta"
# idp_client_id: "REPLACEME"
# idp_client_secret: "replaceme"
# idp_provider_url: "https://REPLACEME.oktapreview.com/oauth2/default"
# OneLogin
# idp_provider: "onelogin"
# idp_client_id: "REPLACEME"
# idp_client_secret: "REPLACEME"
# idp_provider_url: "https://openid-connect.onelogin.com/oidc" #optional, defaults to `https://openid-connect.onelogin.com/oidc`
# For Group data you must set an IDP_SERVICE_ACCOUNT
# idp_service_account: YOUR_SERVICE_ACCOUNT
# Proxied routes and per-route policies are defined in a routes block
routes:
- from: https://verify.localhost.pomerium.io
to: http://localhost:8000
policy:
- allow:
or:
- domain:
is: pomerium.io
cors_allow_preflight: true
timeout: 30s
- from: https://external-verify.localhost.pomerium.io
to: https://verify.pomerium.com
policy:
- allow:
or:
- domain:
is: gmail.com
- from: https://weirdlyssl.localhost.pomerium.io
to: http://neverssl.com
policy:
- allow:
or:
- email:
is: bdd@pomerium.io
- groups:
has: "admins"
- groups:
has: "developers"
- from: https://hello.localhost.pomerium.io
to: http://localhost:8080
policy:
- allow:
or:
- groups:
has: "admins@pomerium.io"
Reference in a new issue View git blame Copy permalink