3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-04-30 02:46:30 +02:00
Code Issues Projects Releases Packages Wiki Activity
pomerium/docs/guide
History
Bobby DeSimone 90ab756de1
Added gif to the readme. 
Simplified, and de-duplicated many of the configuration settings.
Removed configuration settings that could be deduced from other settings.
Added some basic documentation.
Removed the (duplicate?) user email domain validation check in proxy.
Removed the ClientID middleware check.
Added a shared key option to be used as a PSK instead of using the IDPs ClientID and ClientSecret.
Removed the CookieSecure setting as we only support secure.
Added a letsencrypt script to generate a wildcard certificate.
Removed the argument in proxy's constructor that allowed arbitrary fucntions to be passed in as validators.
Updated proxy's authenticator client to match the server implementation of just using a PSK.
Moved debug-mode logging into the log package.
Removed unused approval prompt setting.
Fixed a bug where identity provider urls were hardcoded.
Removed a bunch of unit tests. There have been so many changes many of these tests don't make sense and will need to be re-thought.
2019-01-04 18:25:03 -08:00
..
google Added gif to the readme. 2019-01-04 18:25:03 -08:00
okta Added gif to the readme. 2019-01-04 18:25:03 -08:00
identity-providers.md Added gif to the readme. 2019-01-04 18:25:03 -08:00
readme.md Added gif to the readme. 2019-01-04 18:25:03 -08:00

readme.md

Quick start

  1. Download pre-built binaries or build Pomerium from source.

  2. Generate a wild-card certificate for a test domain like corp.example.com. For convenience, an included script can generate a free one using LetsEncrypt and certbot.

    Once complete, move the generated public and private keys (cert.pem/privkey.pem) next to the pomerium binary. Certificates can also be set as environmental variables or dynamically with a KMS.

  3. Next, set configure your identity provider by generating an OAuth Client ID and Client Secret as well as setting a Redirect URL endpoint. The Redirect URL endpoint will be called by the identity provider following user authentication.

  4. Pomerium is configured using environmental variables. A minimal configuration is as follows.

    # file : env
# The URL that the identity provider will call back after authenticating the user
export REDIRECT_URL="https://sso-auth.corp.example.com/oauth2/callback"
# Generate 256 bit random keys  e.g. `head -c32 /dev/urandom | base64`
export SHARED_SECRET=REPLACE_ME
export COOKIE_SECRET=REPLACE_ME
# Allow users with emails from the following domain post-fix (e.g. example.com)
export ALLOWED_DOMAINS=*
## Identity Provider Settings
export IDP_PROVIDER="google"
export IDP_PROVIDER_URL="https://accounts.google.com" # optional for google
export IDP_CLIENT_ID="YOU_GOT_THIS_FROM_STEP-3.apps.googleusercontent.com"
export IDP_CLIENT_SECRET="YOU_GOT_THIS_FROM_STEP-3"
# key/value list of simple routes.
export ROUTES='http.corp.example.com':'httpbin.org'

    You can also view the env.example configuration file for a more comprehensive list of options.

  5. For a first run, I suggest setting the debug flag which provides user friendly logging.

    source ./env
./pomerium -debug