pomerium/examples/mutual-tls
2024-09-11 16:56:47 -07:00

Mutually Authenticated TLS Example

A tiny Go HTTP server that requires and verifies client certificates. It can be used as the upstream when testing mutual TLS between Pomerium and a backend service.

TL;DR

Pomerium config

# See detailed configuration settings : https://www.pomerium.com/docs/reference
authenticate_service_url: https://authenticate.corp.domain.example
authorize_service_url: https://authorize.corp.domain.example

# identity provider settings : https://www.pomerium.com/docs/identity-providers.html
idp_provider: google
idp_client_id: REPLACE_ME
idp_client_secret: REPLACE_ME

routes:
  - from: https://mtls.corp.domain.example
    to: https://localhost:8443
    policy:
      - allow:
          or:
            - domain:
                is: domain.example
    tls_custom_ca_file: "/Users/bdd/examples/mutual-tls/out/good-ca.crt"
    tls_client_cert_file: "/Users/bdd/examples/mutual-tls/out/pomerium.crt"
    tls_client_key_file: "/Users/bdd/examples/mutual-tls/out/pomerium.key"

  - from: https://verify.corp.domain.example
    to: https://verify.pomerium.com
    allow_public_unauthenticated_access: true

Docker-compose

version: "3"
services:
  pomerium:
    image: pomerium/pomerium:latest
    environment:
      - CERTIFICATE
      - CERTIFICATE_KEY
      - COOKIE_SECRET
    volumes:
      # Mount your config file : https://www.pomerium.com/docs/reference
      # be sure to change the default values :)
      - ./example.config.yaml:/pomerium/config.yaml:ro
    ports:
      - 443:443

  mtls:
    image: pomerium/examples:mtls
    environment:
      - TLS_CERT
      - TLS_KEY
      - CLIENT_CA
    ports:
      - 8443:8443

Generate some certificates

This can be done in a myriad of ways. The easiest for testing is probably certstrap.

See scripts/generate_certs.sh

Run the server

Certificates are passed to the server as base64-encoded environment variables (TLS_CERT, TLS_KEY and CLIENT_CA, the same names the docker-compose service uses). For example,

source ./env && go run main.go

Test the server with curl

See scripts/curl.sh

Docker

Pull pomerium/examples:mtls, or build the image yourself from the Dockerfile.

Configuring Pomerium

See example.config.yaml