mirror of
https://github.com/pomerium/pomerium.git
synced 2025-04-30 02:46:30 +02:00
57 lines
2.6 KiB
Bash
57 lines
2.6 KiB
Bash
#!/bin/bash
|
|
|
|
# Main configuration flags
|
|
# export ADDRESS=":8443" # optional, default is 443
|
|
# export POMERIUM_DEBUG=true # optional, default is false
|
|
# export SERVICE="all" # optional, default is all.
|
|
|
|
# Certificates can be loaded as files or base64 encoded bytes. If neither is set, a
|
|
# pomerium will attempt to locate a pair in the root directory
|
|
export CERTIFICATE_FILE="./cert.pem" # optional, defaults to `./cert.pem`
|
|
export CERTIFICATE_KEY_FILE="./privkey.pem" # optional, defaults to `./certprivkey.pem`
|
|
# export CERTIFICATE="xxxxxx" # base64 encoded cert, eg. `base64 -i cert.pem`
|
|
# export CERTIFICATE_KEY="xxxx" # base64 encoded key, eg. `base64 -i privkey.pem`
|
|
|
|
# The URL that the identity provider will call back after authenticating the user
|
|
export REDIRECT_URL="https://sso-auth.corp.example.com/oauth2/callback"
|
|
# Allow users with emails from the following domain post-fix (e.g. example.com)
|
|
export ALLOWED_DOMAINS=*
|
|
# Generate 256 bit random keys e.g. `head -c32 /dev/urandom | base64`
|
|
export SHARED_SECRET=9wiTZq4qvmS/plYQyvzGKWPlH/UBy0DMYMA2x/zngrM=
|
|
export COOKIE_SECRET=uPGHo1ujND/k3B9V6yr52Gweq3RRYfFho98jxDG5Br8=
|
|
# If set, a JWT based signature is appended to each request header `x-pomerium-jwt-assertion`
|
|
# export SIGNING_KEY="Replace with base64'd private key from ./scripts/self-signed-sign-key.sh"
|
|
|
|
# Identity Provider Settings
|
|
|
|
# Azure
|
|
# export IDP_PROVIDER="azure"
|
|
# export IDP_PROVIDER_URL="https://login.microsoftonline.com/REPLACEME/v2.0"
|
|
# export IDP_CLIENT_ID="REPLACEME
|
|
# export IDP_CLIENT_SECRET="REPLACEME"
|
|
|
|
# Gitlab
|
|
# export IDP_PROVIDER="gitlab"
|
|
# export IDP_PROVIDER_URL="https://gitlab.onprem.example.com" # optional, defaults to `https://gitlab.com`
|
|
# export IDP_CLIENT_ID="REPLACEME
|
|
# export IDP_CLIENT_SECRET="REPLACEME"
|
|
|
|
## GOOGLE
|
|
export IDP_PROVIDER="google"
|
|
export IDP_PROVIDER_URL="https://accounts.google.com" # optional for google
|
|
export IDP_CLIENT_ID="REPLACE-ME.googleusercontent.com"
|
|
export IDP_CLIENT_SECRET="REPLACEME"
|
|
|
|
# OKTA
|
|
# export IDP_PROVIDER="okta
|
|
# export IDP_CLIENT_ID="REPLACEME"
|
|
# export IDP_CLIENT_SECRET="REPLACEME"
|
|
# export IDP_PROVIDER_URL="https://REPLACEME.oktapreview.com/oauth2/default"
|
|
|
|
# export SCOPE="openid email" # generally, you want the default OIDC scopes
|
|
|
|
# k/v seperated list of simple routes. If no scheme is set, HTTPS will be used.
|
|
# Currently set to httpbin which is a handy utility letting you inspect requests recieved by
|
|
# a client application
|
|
export ROUTES="httpbin.corp.example.com=httpbin.org"
|
|
# export ROUTES="https://weirdlyssl.corp.example.com=http://neverssl.com" #https to http!
|