---
title: Synology
lang: en-US
---

# Synology
Pomerium can be used to enable secure access to services on your Synology home server or network attached storage (NAS) device. Pomerium acting as an identity aware access proxy is particularly useful as many self-hosted apps lack or have insufficient built-in authentication mechanisms.
Using Pomerium on your Synology DSM device enables:
- Secure remote access to Docker and Synology web applications without a VPN.
- Unified, multi-factor authentication with your identity provider of choice.
- Access to services by sub-domain (e.g. `plex.int.nas.example` or `wiki.int.nas.example`).
- TLS everywhere.
Pomerium is lightweight, can easily handle hundreds of concurrent requests, and a single instance typically uses <20MB of memory and very little CPU.
## Prerequisites

- A Docker-capable Synology product
- A Google Cloud account
- A configured identity provider
- TLS certificates

Though any supported identity provider would work, this guide uses Google.
## Port forwarding

This will vary depending on what type of router you have, but the gist is that you want to forward all HTTPS/TLS traffic from port `443` to your NAS on some high port (in this case `8443`).
## DSM

DiskStation Manager (DSM) uses nginx under the hood to proxy incoming requests. In the following steps, we'll configure DSM to handle incoming requests and certificates.
### Configure DSM's Reverse Proxy

1. Go to Control Panel > Application Portal > Reverse Proxy.
2. Click Create.
3. Set the following Reverse Proxy Rules.

| Field | Description |
| --- | --- |
| Description | pomerium |
| Source Protocol | HTTPS |
| Source Hostname | * |
| Source Port | 8443 |
| HTTP/2 | Enabled |
| HSTS | Enabled |
| Destination Protocol | HTTP |
| Destination Hostname | localhost |
| Destination Port | 32443 |

This will forward any incoming HTTPS traffic on port 8443 to the Pomerium service that is (not yet) running on port 32443.
### Certificates

Though DSM does support getting Let's Encrypt certificates, it does not support wildcard subdomain certificates, which require DNS validation. If you do not already have a wildcard certificate, the certificate documentation or included script can help you generate one.

1. Go to Control Panel > Security > Certificate.
2. Click Add a new certificate > Import certificate.
3. Add the certificate chain for your wildcard subdomain certificate.

Once the certificate shows on the list of certificates screen, we need to tell DSM to use that certificate for all incoming traffic on port 8443.

4. Click Configure.

| Services | Certificate |
| --- | --- |
| *:8443 | *.int.nas.example |
## Docker

### Download

Download and install Docker from the package manager.

1. Package manager > search > docker
2. Once installed, open the Docker app.
3. Docker > Registry > search > pomerium
4. Download the official Pomerium Docker image.

We'll also need a test application to manage access to. For this guide we'll use the canonical test app httpbin, but this could be any self-hosted app: a wiki, a download tool, etc.
### Route

We will create an extremely basic route, where `httpbin.int.nas.example` is replaced with the subdomain you want to use for the httpbin service, and `your.email.address@gmail.com` is replaced with your email address. All other users will be denied, and all other routes will return `404`.

```yaml
# route.yaml
- from: https://httpbin.int.nas.example
  to: http://httpbin
  policy:
    - allow:
        or:
          - email:
              is: your.email.address@gmail.com
```
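To make the route's behaviour concrete, here is an added example that is neither Pomerium's code nor part of this guide: a small evaluator for the `allow` / `or` / `email: is` shape used above. The parsed route is embedded inline as a Python structure (constructed from the YAML). It also accepts `and`, which this guide does not use, and the status codes for the unauthenticated and unknown-route cases (`302` redirect to the identity provider, `404`) are assumptions modelled on what this guide describes, not a claim about Pomerium's exact responses.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed: the parsed form of route.yaml above, embedded so the example runs offline.
ROUTES = [
    {
        "from": "https://httpbin.int.nas.example",
        "to": "http://httpbin",
        "policy": [
            {"allow": {"or": [{"email": {"is": "your.email.address@gmail.com"}}]}},
        ],
    },
]


def criterion_matches(criterion: dict, identity: dict) -> bool:
    """Evaluate one criterion such as {"email": {"is": "..."}}.

    Only the operator used on this page (email / is) is implemented. Anything
    unrecognised evaluates to False, so an unsupported or malformed rule can
    never grant access by accident (fail closed).
    """
    if len(criterion) != 1:
        return False
    (name, spec), = criterion.items()
    if name == "email" and isinstance(spec, dict) and "is" in spec:
        return identity.get("email") == spec["is"]
    return False


def rule_matches(rule: dict, identity: dict) -> bool:
    """Body of an allow rule: 'or' passes if any criterion matches, 'and' only if all do."""
    if "or" in rule:
        return any(criterion_matches(c, identity) for c in rule["or"])
    if "and" in rule:
        return all(criterion_matches(c, identity) for c in rule["and"])
    return False


def find_route(host: str) -> Optional[dict]:
    """Match a request host against the `from` URL of each route."""
    for route in ROUTES:
        if urlsplit(route["from"]).hostname == host:
            return route
    return None


def authorize(host: str, identity: Optional[dict]) -> int:
    """Return the HTTP status this guide describes for a request (assumed codes).

    404: no route has this host. 302: no session yet, so the user is sent to the
    identity provider. 403: a session exists but no allow rule matches.
    200: an allow rule matched and the request would be proxied to `to`.
    """
    route = find_route(host)
    if route is None:
        return 404
    if identity is None:
        return 302
    for entry in route.get("policy", []):
        if "allow" in entry and rule_matches(entry["allow"], identity):
            return 200
    return 403


if __name__ == "__main__":
    print(authorize("httpbin.int.nas.example", {"email": "your.email.address@gmail.com"}))
    print(authorize("httpbin.int.nas.example", {"email": "someone.else@gmail.com"}))
    print(authorize("wiki.int.nas.example", {"email": "your.email.address@gmail.com"}))
```

The point to notice is that the default answer is `403`: an identity only gets through if some allow rule explicitly matches it, which is exactly what the "log in from another Google account" check at the end of this guide exercises.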
## Configure

### Httpbin

First, we'll set up our test app, httpbin.

1. Go to Docker > Image.
2. Click httpbin.
3. Set the Container Name to `httpbin`. Keep the rest of the settings at their defaults.
4. Click Apply.

This will create a small Python web server on port 80. The container name we just used will be used as an alias to route requests as defined in our policy.
### Pomerium

1. Go to Docker > Image.
2. Click Pomerium.
3. Click Launch.
4. Set the Container Name to `Pomerium`.
5. Click Advanced Settings.
6. Go to the Port Settings tab.
7. Add an entry where the Local Port is `32443`, the Container Port is `443`, and the Type is TCP.
8. Go to the Links tab.
9. Add an entry where the Container Name is `httpbin` and the Alias is `httpbin`.

::: warning
The alias value must match the `to` DNS name from your policy.yaml configuration.
:::

These are the minimum set of configuration settings to get Pomerium running in this deployment environment.

10. Go to the Environment tab.

| Field | Value |
| --- | --- |
| POLICY | output of `base64 -i policy.yaml` |
| INSECURE_SERVER | `TRUE`; internal routing within Docker will not be encrypted. |
| IDP_CLIENT_SECRET | Value from setting up your identity provider |
| IDP_CLIENT_ID | Value from setting up your identity provider |
| IDP_PROVIDER | Value from setting up your identity provider (e.g. `google`) |
| COOKIE_SECRET | output of `head -c32 /dev/urandom \| base64` |
| AUTHENTICATE_SERVICE_URL | https://authenticate.int.nas.example |
| SHARED_SECRET | output of `head -c32 /dev/urandom \| base64` |

For a detailed explanation and additional options, please refer to the configuration variable docs. Also note that, though not covered in this guide, settings can be made via a mounted configuration file.

11. Click Launch.

If properly configured, you should see something like the following in the container's details.

If something goes wrong, click the Logs tab.
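As an added example (not from this guide and not Pomerium's code), the Python below produces the same values the Environment table asks for and checks them before they are pasted into DSM: both secrets must decode to exactly 32 bytes, the two secrets should differ (a hygiene check this guide does not state; it is an assumption of the example, not a Pomerium requirement), `POLICY` must decode to text, and the authenticate URL must be HTTPS. The identity-provider values and the policy text are placeholders constructed for the example.

```python
import base64
import secrets

# Constructed: the same route/policy text as route.yaml earlier in this guide.
POLICY_YAML = """\
- from: https://httpbin.int.nas.example
  to: http://httpbin
  policy:
    - allow:
        or:
          - email:
              is: your.email.address@gmail.com
"""


def new_secret() -> str:
    """32 random bytes, base64-encoded: the same shape as `head -c32 /dev/urandom | base64`."""
    return base64.b64encode(secrets.token_bytes(32)).decode()


def encode_policy(policy_yaml: str) -> str:
    """The POLICY variable carries the policy file base64-encoded (like `base64 -i policy.yaml`)."""
    return base64.b64encode(policy_yaml.encode()).decode()


def build_env(policy_yaml: str, idp_provider: str, idp_client_id: str,
              idp_client_secret: str, authenticate_url: str) -> dict:
    """Assemble the minimum variables listed in the Environment table above."""
    return {
        "POLICY": encode_policy(policy_yaml),
        # TLS is terminated by DSM's reverse proxy; the hop to the container is plain HTTP.
        "INSECURE_SERVER": "TRUE",
        "IDP_PROVIDER": idp_provider,
        "IDP_CLIENT_ID": idp_client_id,
        "IDP_CLIENT_SECRET": idp_client_secret,
        "COOKIE_SECRET": new_secret(),
        "AUTHENTICATE_SERVICE_URL": authenticate_url,
        "SHARED_SECRET": new_secret(),
    }


def check_env(env: dict) -> list:
    """Return a list of problems found; an empty list means the values are usable."""
    problems = []
    for key in ("COOKIE_SECRET", "SHARED_SECRET"):
        try:
            raw = base64.b64decode(env[key], validate=True)
        except (KeyError, ValueError):
            problems.append(f"{key}: missing or not valid base64")
            continue
        if len(raw) != 32:
            problems.append(f"{key}: decodes to {len(raw)} bytes, expected 32")
    # Assumed hygiene rule for this example: do not reuse one secret for two purposes.
    if env.get("COOKIE_SECRET") and env.get("COOKIE_SECRET") == env.get("SHARED_SECRET"):
        problems.append("COOKIE_SECRET and SHARED_SECRET should differ")
    try:
        base64.b64decode(env.get("POLICY", ""), validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        problems.append("POLICY: not base64-encoded text")
    if not env.get("AUTHENTICATE_SERVICE_URL", "").startswith("https://"):
        problems.append("AUTHENTICATE_SERVICE_URL must be an https:// URL")
    return problems


def as_dsm_lines(env: dict) -> list:
    """One KEY=VALUE line per variable, in the order the Environment tab lists them."""
    return [f"{key}={value}" for key, value in env.items()]


if __name__ == "__main__":
    # Placeholder identity-provider values; replace with the ones from your IdP setup.
    env = build_env(POLICY_YAML, "google", "IDP_CLIENT_ID_PLACEHOLDER",
                    "IDP_CLIENT_SECRET_PLACEHOLDER", "https://authenticate.int.nas.example")
    for problem in check_env(env):
        print("problem:", problem)
    print("\n".join(as_dsm_lines(env)))
```

Run it once per deployment and paste the printed lines into the Environment tab; if `check_env` reports anything, fix the value rather than launching, since a short or reused secret weakens the session cookies and the inter-service authentication that these two variables protect.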
## Try it out

Navigate to your new service: `https://httpbin.int.nas.example`. You should be redirected to your identity provider. If you've enabled multi-factor authentication, you should see that too.

If that user is authorized to see the httpbin service, you should be redirected back to httpbin!

You can also navigate to the special Pomerium endpoint `httpbin.your.domain.example/.pomerium/` to see your current user details.

And just to be safe, try logging in from another Google account to see what happens. You should be greeted with a `403` unauthorized access page.