mirror of
https://github.com/pomerium/pomerium.git
synced 2025-04-30 10:56:28 +02:00
70b4497595
* rename cache folder * rename cache service everywhere * skip yaml in examples * Update docs/docs/topics/data-storage.md Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com> Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>
70 lines
3.5 KiB
Bash
70 lines
3.5 KiB
Bash
#!/bin/bash
|
|
# Main configuration flags : https://www.pomerium.io/docs/reference/reference/
|
|
|
|
# Main configuration flags
|
|
# export ADDRESS=":8443" # optional, default is 443
|
|
# export POMERIUM_DEBUG=true # optional, default is false
|
|
# export SERVICE="all" # optional, default is all
|
|
# export LOG_LEVEL="info" # optional, default is debug
|
|
|
|
export AUTHENTICATE_SERVICE_URL=https://authenticate.corp.beyondperimeter.com
|
|
# AUTHORIZE_SERVICE_URL service url will default to localhost in all-in-one mode,
|
|
# otherwise it should be set to a "behind-the-ingress" routable url
|
|
# export AUTHORIZE_SERVICE_URL=https://pomerium-authorize-service.default.svc.cluster.local
|
|
# export DATABROKER_SERVICE_URL=https://pomerium-databroker-service.default.svc.cluster.local
|
|
|
|
# Certificates can be loaded as files or base64 encoded bytes.
|
|
# See : https://www.pomerium.io/docs/reference/certificates
|
|
export AUTOCERT=TRUE # Use Let's Encrypt to fetch certs. Port 80/443 must be internet accessible.
|
|
# export AUTOCERT_DIR="./certs" # The path where you want to place your certificates
|
|
# export CERTIFICATE_FILE="xxxx" # optional, defaults to `./cert.pem`
|
|
# export CERTIFICATE_KEY_FILE="xxx" # optional, defaults to `./certprivkey.pem`
|
|
# export CERTIFICATE="xxx" # base64 encoded cert, eg. `base64 -i cert.pem`
|
|
# export CERTIFICATE_KEY="xxx" # base64 encoded key, eg. `base64 -i privkey.pem`
|
|
|
|
# Generate 256 bit random keys e.g. `head -c32 /dev/urandom | base64`
|
|
export SHARED_SECRET="$(head -c32 /dev/urandom | base64)"
|
|
export COOKIE_SECRET="$(head -c32 /dev/urandom | base64)"
|
|
# If set, a JWT based signature is appended to each request header `x-pomerium-jwt-assertion`
|
|
# export SIGNING_KEY="Replace with base64'd private key from ./scripts/self-signed-sign-key.sh"
|
|
|
|
# Identity Provider Settings
|
|
|
|
# Auth0
|
|
# export IDP_PROVIDER="auth0"
|
|
# export IDP_PROVIDER_URL="https://REPLACEME.us.auth0.com"
|
|
# export IDP_CLIENT_ID="REPLACEME" # from the application the users login to
|
|
# export IDP_CLIENT_SECRET="REPLACEME" # from the application the users login to
|
|
# the following is optional and only needed if you want role (Auth0 calls groups roles) data
|
|
# export IDP_SERVICE_ACCOUNT="REPLACEME" # built from the machine-to-machine application which talks to the Auth0 Management API
|
|
|
|
# Azure
|
|
# export IDP_PROVIDER="azure"
|
|
# export IDP_PROVIDER_URL="https://login.microsoftonline.com/REPLACEME/v2.0"
|
|
# export IDP_CLIENT_ID="REPLACEME
|
|
# export IDP_CLIENT_SECRET="REPLACEME"
|
|
|
|
## GOOGLE
|
|
export IDP_PROVIDER="google"
|
|
export IDP_PROVIDER_URL="https://accounts.google.com" # optional for google
|
|
|
|
# OKTA
|
|
# export IDP_PROVIDER="okta"
|
|
# export IDP_CLIENT_ID="REPLACEME"
|
|
# export IDP_CLIENT_SECRET="REPLACEME"
|
|
# export IDP_PROVIDER_URL="https://REPLACEME.oktapreview.com/oauth2/default"
|
|
|
|
# OneLogin
|
|
# export IDP_PROVIDER="onelogin"
|
|
# export IDP_CLIENT_ID="REPLACEME"
|
|
# export IDP_CLIENT_SECRET="REPLACEME"
|
|
# export IDP_PROVIDER_URL="https://openid-connect.onelogin.com/oidc" #optional, defaults to `https://openid-connect.onelogin.com/oidc`
|
|
|
|
# Proxied routes and per-route policies are defined in a policy provided either
|
|
# directly as a base64 encoded yaml/json file, or as the policy key in the configuration
|
|
# file
|
|
export POLICY="$(base64 ./docs/configuration/examples/config/policy.example.yaml)"
|
|
|
|
# For Group data you must set an IDP_SERVICE_ACCOUNT
|
|
# https://www.pomerium.com/configuration/#identity-provider-service-account
|
|
# export IDP_SERVICE_ACCOUNT=$( echo YOUR_SERVICE_ACCOUNT | base64)
|