Quick start

1. Download pre-built binaries or build Pomerium from source.

2. Generate a wild-card certificate for a test domain like `corp.example.com`. For convenience, an included script can generate a free one using LetsEncrypt and certbot. Once complete, move the generated public and private keys (`cert.pem`/`privkey.pem`) next to the pomerium binary. Certificates can also be set as environment variables or dynamically with a KMS.

3. Next, configure your identity provider by generating an OAuth Client ID and Client Secret as well as setting a Redirect URL endpoint. The Redirect URL endpoint will be called by the identity provider following user authentication.

4. Pomerium is configured using environment variables. A minimal configuration is as follows.

   ```bash
   # file : env
   # The URL that the identity provider will call back after authenticating the user
   export REDIRECT_URL="https://sso-auth.corp.example.com/oauth2/callback"
   # Generate 256 bit random keys e.g. `head -c32 /dev/urandom | base64`
   export SHARED_SECRET=REPLACE_ME
   export COOKIE_SECRET=REPLACE_ME
   # Allow users with emails from the following domain post-fix (e.g. example.com)
   export ALLOWED_DOMAINS=*
   ## Identity Provider Settings
   export IDP_PROVIDER="google"
   export IDP_PROVIDER_URL="https://accounts.google.com" # optional for google
   export IDP_CLIENT_ID="YOU_GOT_THIS_FROM_STEP-3.apps.googleusercontent.com"
   export IDP_CLIENT_SECRET="YOU_GOT_THIS_FROM_STEP-3"
   # key/value list of simple routes.
   export ROUTES='http.corp.example.com':'httpbin.org'
   ```

   You can also view the env.example configuration file for a more comprehensive list of options.

5. For a first run, I suggest setting the debug flag, which provides user-friendly logging.

   ```bash
   source ./env
   ./pomerium -debug
   ```

6. You should now get the following when you try to access one of your `corp` routes.
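The minimal configuration above ships with placeholder secrets and `ALLOWED_DOMAINS=*`. As an added example (not Pomerium's own code), the POSIX shell pre-flight check below sources an env file in a subshell and reports leftover placeholders, keys that are not 32 base64-encoded random bytes, a plain-http `REDIRECT_URL`, and a wildcard `ALLOWED_DOMAINS`, which admits any account the identity provider can authenticate rather than only your organisation's. It assumes the variable names from the minimal configuration; the two sample env files it writes are constructed for the demo.

```shell
# Added example for this quick start, not Pomerium project code. It pre-checks
# the env file (variable names assumed from above) for placeholder values, keys
# that are not base64 of 32 bytes, a non-https REDIRECT_URL and ALLOWED_DOMAINS=*.
check_pomerium_env() {
  # $1: env file of `export KEY=VALUE` lines, sourced in a subshell only. Prints
  # one line per finding and returns the number of findings (0 = passed).
  (
    . "$1" || exit 99
    n=0
    for var in SHARED_SECRET COOKIE_SECRET; do
      eval "val=\${$var:-}"
      # `head -c32 /dev/urandom | base64` yields 43 base64 chars plus one '='
      if ! printf '%s' "$val" | grep -Eq '^[A-Za-z0-9+/]{43}=$'; then
        echo "$var: not a base64-encoded 32-byte random key"; n=$((n + 1))
      fi
    done
    case ${IDP_CLIENT_SECRET:-} in
      ""|*REPLACE_ME*|*YOU_GOT_THIS_FROM*)
        echo "IDP_CLIENT_SECRET: empty or still a placeholder"; n=$((n + 1)) ;;
    esac
    case ${REDIRECT_URL:-} in
      https://*) ;;
      *) echo "REDIRECT_URL: the IdP must call back over https"; n=$((n + 1)) ;;
    esac
    if [ "${ALLOWED_DOMAINS:-}" = "*" ]; then
      echo "ALLOWED_DOMAINS: '*' admits every IdP account, not just yours"; n=$((n + 1))
    fi
    exit "$n"
  )
}

write_sample_envs() {
  # Constructed samples in directory $1: the quick start's placeholders (plus a
  # plain-http callback) and a corrected file. The fixed key is a demo constant.
  cat >"$1/weak.env" <<'EOF'
export REDIRECT_URL="http://sso-auth.corp.example.com/oauth2/callback"
export SHARED_SECRET=REPLACE_ME
export COOKIE_SECRET=REPLACE_ME
export ALLOWED_DOMAINS=*
export IDP_CLIENT_SECRET="YOU_GOT_THIS_FROM_STEP-3"
EOF
  cat >"$1/fixed.env" <<'EOF'
export REDIRECT_URL="https://sso-auth.corp.example.com/oauth2/callback"
export SHARED_SECRET=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
export COOKIE_SECRET=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
export ALLOWED_DOMAINS=example.com
export IDP_CLIENT_SECRET="demo-client-secret"
EOF
}
```

Run it as `check_pomerium_env ./env` before `source ./env`; a non-zero exit is the number of findings to fix, and the weak sample reports all five checks while the corrected one passes.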